diff --git a/doc/user/duo_agent_platform/security.md b/doc/user/duo_agent_platform/security.md
new file mode 100644
index 0000000000000000000000000000000000000000..fbc7f1f3d6cba0c8ac2fb4d1e2cc8ef7cbb1d312
--- /dev/null
+++ b/doc/user/duo_agent_platform/security.md
@@ -0,0 +1,26 @@
+---
+stage: AI-powered
+group: Duo Workflow
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+title: GitLab Duo Agent Platform authentication and authorization
+---
+
+GitLab Duo Agent Platform uses a service account to perform actions on behalf of a user.
+
+The token that authenticates requests is a composite of two identities:
+
+- The primary author, which is the Duo Agent Platform [service account](../profile/service_accounts.md).
+  This service account is instance-wide and has the Developer role
+  on the project where the Duo Agent Platform was used. The service account is the owner of the token.
+- The secondary author, which is the human user who submitted the quick action.
+  This user's `id` is included in the scopes of the token.
+
+This composite identity ensures that any activities authored by Duo Agent Platform are
+correctly attributed to the Duo Agent Platform service account.
+At the same time, the composite identity ensures that there is no
+[privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) for the human user.
+
+This [dynamic scope](https://github.com/doorkeeper-gem/doorkeeper/pull/1739)
+is checked during the authorization of the API request.
+When authorization is requested, GitLab validates that both the service account
+and the user who originated the quick action have sufficient permissions.
diff --git a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
index 39c4bb61f7bdbf6f7e06b31be6894fe389901a97..d7e46cda2ca99e7465feb0f6e948e5cb08208687 100644
--- a/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
+++ b/ee/app/assets/javascripts/ai/settings/components/duo_workflow_settings.vue
@@ -12,6 +12,7 @@ import { s__, sprintf } from '~/locale';
 import axios from '~/lib/utils/axios_utils';
 import { createAlert } from '~/alert';
 import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
+import { helpPagePath } from '~/helpers/help_page_helper';
 
 export default {
   name: 'DuoWorkflowSettings',
@@ -37,6 +38,11 @@ export default {
       isLoading: false,
     };
   },
+  computed: {
+    serviceAccountHelpPath() {
+      return helpPagePath('user/duo_agent_platform/security');
+    },
+  },
   methods: {
     enableWorkflow() {
       this.isLoading = true;
@@ -201,7 +207,11 @@ export default {
                 'AiPowered|When you turn on GitLab Duo Agent Platform, a service account is created.',
               )
             }}
-            <gl-link href="#" class="gl-ml-1" data-testid="service-account-link">
+            <gl-link
+              :href="serviceAccountHelpPath"
+              class="gl-ml-1"
+              data-testid="service-account-link"
+            >
               {{ s__('AiPowered|What is the Duo Agent Platform service account?') }}
             </gl-link>
           </p>