Tuesday, May 26, 2026

Who Authorized That? The Delegation Problem in Multi-Agent AI – O’Reilly

Your AI agent booked a meeting, summarized a financial report, and emailed the highlights to three stakeholders. To do that, it called a calendar agent, a document analysis agent, and an email agent. Each accessed internal systems, made decisions about what to include, and acted on your behalf.

Here’s the question your security team can’t answer: Who authorized the email agent to read that financial report?

In most current architectures, the honest answer is nobody explicitly. The logs may show that a service called another service. But they can’t show that the delegation itself was authorized. The authorization didn’t fail loudly. It leaked silently through the chain.

This is the delegation problem in multi-agent AI. As enterprises connect agents through protocols such as MCP and A2A, they’re solving the connectivity problem faster than they’re solving the authority problem. The result is a new security boundary that most enterprise architectures haven’t yet modeled, precisely because most organizations still treat it as orchestration rather than authorization.

Agents are connecting faster than authorization is adapting

The agent ecosystem has moved fast over the past two years. Anthropic’s MCP gave model-powered applications a standard way to connect to tools, data sources, and services. Google’s A2A protocol gave agents a standard way to communicate and coordinate across systems. Frameworks and SDKs such as LangChain, CrewAI, and Google’s ADK made it easier to build multi-agent workflows where one agent orchestrates several others.

What these protocols don’t yet provide, at least not as a mature common layer, is a delegation-aware authorization model.

MCP describes a protected server as an OAuth 2.1 resource server, with the MCP client acting as an OAuth client making requests on behalf of a resource owner. That’s a familiar and well-understood pattern, but it was designed for a world where a human clicks “Allow” and a single client gets a scoped token. It doesn’t address what happens when Agent A receives that token, delegates a subtask to Agent B, and Agent B spawns Agent C to handle part of it. Each hop in that chain either reuses the original token (overprivileged) or has no token at all (untracked).

A2A was built for interoperability: independent, potentially opaque agent systems communicating and coordinating actions across enterprise platforms. That’s the right problem to solve. But communication and delegation governance are different layers. A2A helps agents discover, describe, and communicate with one another. That is necessary infrastructure, but it isn’t the same as delegated authority. It doesn’t tell you whether a specific downstream action was legitimately derived from an upstream instruction.

Static API keys are even weaker for this problem. A key grants access to a service. It says nothing about who’s using it, what they’re using it for, or whether the entity presenting it is the same one it was issued to. Service accounts identify a workload, not an intent. When three agents share a service account, every action looks the same in your logs.

None of these tools are broken. They solve different problems. The gap is structural. Authentication answers which agent is calling. Authorization defines what that agent may access. The harder question, and the one most enterprise architectures aren’t yet designed to answer, is whether a specific downstream action was legitimately derived from an upstream instruction, under narrowed constraints, with a verifiable chain back to a human decision. That’s the delegation question, and it sits in a layer that today’s stack doesn’t really have.

In a clean version of this picture, privilege should sit only with the agent that touches the outside world. If a payer (A) asks a bookkeeper agent (B) to make a payment, and the bookkeeper asks a banking agent (C) to execute the transfer, only the banking agent needs banking authority. The bookkeeper doesn’t need to move money. It only needs to know the request came from an authorized payer. The banking agent only needs to know the request came from an authorized bookkeeper. This is the principle of least privilege, a concept the security community has lived with for decades, applied to delegation chains. The problem is that today’s agent stacks make it hard to enforce.

What breaks in the chain

Consider a treasury reporting workflow in a regulated bank. A planning agent is authorized to read liquidity projections and produce a daily summary for senior finance users. To complete the task, it delegates chart generation to a visualization agent and narrative review to a communications agent. The visualization agent doesn’t need access to raw account-level data. The communications agent doesn’t need access to the underlying liquidity model. Yet unless the delegation layer attenuates permissions, both may receive more context than their task requires. The result isn’t a dramatic breach, but it’s a quiet expansion of access that the access-control model never explicitly approved.

The risk isn’t limited to internet-facing agents. Many delegation failures happen entirely inside the enterprise boundary. An internal agent may call another internal agent, which calls an internal tool, which sends data to an approved SaaS service. Every individual step may look acceptable. The risk appears in the composition: The final data movement or action may exceed the intent of the original authorization.

This pattern creates three classes of failure that enterprises may have to explain to regulators, auditors, or customers.

Ghost permissions. A finance analyst assistant has been given access to a customer transactions database to support quarterly reporting. It calls a summarization agent: “summarize recent transactions for these accounts.” The summarization agent now operates against customer records, though no policy engine granted it that access. The analyst assistant’s privileges effectively traveled with the request. The permission is a ghost. It exists in practice but not in any authorization system.

Scope drift. Even when an agent starts with narrow permissions, delegation tends to widen scope rather than narrow it. An agent authorized to read Q1 revenue data delegates to a charting agent, which calls an external rendering API, which now has the revenue figures. The data left the organization through three hops of implicit trust. Each agent acted within what it understood as its scope. The aggregate result exceeded what any human would have approved.

Broken audit trails. Regulated industries require the ability to answer “who did what and why” for any consequential action. In a single-agent system, this is manageable. In a multi-agent chain, the audit trail fragments across agents, protocols, and services. When a compliance team asks why a particular customer communication was sent, the answer might involve four agents across two protocols, none of which logged the delegation chain. The action is traceable to a system but not to a decision.

These aren’t edge cases. They’re a normal outcome when delegation isn’t modeled explicitly. The delegation problem isn’t a bug in any particular framework. It’s a gap in the layer between them.

What a delegation-aware model requires

A delegation-aware authorization model has to solve four problems at once, which is part of why no current layer covers it cleanly.

The first is identity. The downstream agent needs a cryptographic credential that the receiving system can verify independently, not just a hostname or an API key. Hostnames lie. API keys travel. A real identity is one the calling system cannot fabricate.

The second is attenuation. When an agent delegates a task, the subagent should receive strictly fewer permissions than the parent: never the same set, and certainly never more. This is the principle of least privilege applied to delegation chains, and almost no current tooling enforces it by default.

The third is purpose. “Read this report to summarize liquidity exposure for the CFO” is a different authorization from “read this report and send selected figures to an external charting service.” It may be the same data and the same agent, but it’s two very different risk profiles. Without a purpose binding, the authorization layer has no way to distinguish them.

The fourth is audit. The organization should be able to reconstruct, after the fact, who delegated what, under which constraints, and what evidence each agent produced at completion. Not just which systems were called but which decisions were made and on whose authority.

It’s possible for agents to authenticate successfully even when they don’t have accountable authority. They can prove who they are and still execute actions that no human ever authorized.

Emerging approaches

Several efforts address parts of this problem: workload identity standards, agent metadata in tokens, OAuth-based MCP authorization, A2A authentication patterns, and agent identity frameworks. These are useful building blocks, but identity is not the same as delegated authority. A signed agent card can help establish an agent’s declared identity and capabilities. An OAuth token can tell you what a client may access. Neither, by itself, proves that a specific downstream action was authorized by a specific upstream decision under narrowed constraints.

One emerging pattern is delegation-bound capability tokens: short-lived credentials that bind an invocation to an agent identity, a constrained permission set, and a provenance record. One example is the Agent Identity Protocol (AIP), which I’ve been working on as an Internet-Draft and open source implementation. AIP is still early, but it illustrates the shape of one possible answer: invocation-bound tokens that carry identity, attenuated permissions, and provenance through a delegation chain. The token chain itself becomes part of the audit evidence rather than something reconstructed after the fact from fragmented logs.
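The four requirements above (identity, attenuation, purpose, audit) and the capability-token shape just described can be seen in miniature in the following example. It is added here and is not code from the article or from AIP; it assumes a constructed key registry of human and agent principals, and it uses HMAC with shared secrets where a real deployment would use per-agent asymmetric keys.

```python
import hashlib
import hmac
import json
import time

# Constructed key registry standing in for a workload-identity system. HMAC keeps the
# example dependency-free; a real deployment would use per-agent asymmetric keys.
KEYS = {"human:cfo": b"cfo-secret", "agent:planner": b"planner-secret",
        "agent:visualizer": b"viz-secret", "agent:render-api": b"render-secret"}

def _canon(tok):  # canonical bytes of everything except the signature
    return json.dumps({k: v for k, v in tok.items() if k != "sig"}, sort_keys=True).encode()
def _digest(tok):
    return hashlib.sha256(_canon(tok)).hexdigest()

def mint(issuer, subject, perms, purpose, parent=None, ttl=300):
    """Issue a short-lived token from issuer to subject; with a parent, enforce attenuation."""
    if parent is not None:
        if parent["sub"] != issuer:
            raise ValueError("only the holder of the parent token may delegate it")
        if not set(perms) < set(parent["perm"]):  # strict subset: never the same set, never more
            raise ValueError("delegation must attenuate permissions")
        if purpose != parent["purpose"]:
            raise ValueError("purpose is bound and must be inherited unchanged")
    tok = {"iss": issuer, "sub": subject, "perm": sorted(set(perms)), "purpose": purpose,
           "parent": _digest(parent) if parent else None, "exp": time.time() + ttl}
    tok["sig"] = hmac.new(KEYS[issuer], _canon(tok), hashlib.sha256).hexdigest()
    return tok

def verify_chain(chain, now=None):
    """Re-check every hop from the human root down, trusting no issuer; return the audit trail."""
    now = time.time() if now is None else now
    trail, prev = [], None
    for tok in chain:
        expect = hmac.new(KEYS[tok["iss"]], _canon(tok), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tok["sig"]) or tok["exp"] < now:
            raise PermissionError(f"bad signature or expired token issued by {tok['iss']}")
        if prev is None:
            if not tok["iss"].startswith("human:") or tok["parent"] is not None:
                raise PermissionError("chain must start at a human decision")
        elif (tok["parent"] != _digest(prev) or tok["iss"] != prev["sub"]
              or not set(tok["perm"]) < set(prev["perm"]) or tok["purpose"] != prev["purpose"]):
            raise PermissionError(f"hop {prev['sub']} -> {tok['sub']} is not a valid delegation")
        trail.append((tok["iss"], tok["sub"], tuple(tok["perm"])))
        prev = tok
    return trail

def authorize(chain, agent, action):  # allow only if agent holds the leaf token and action survived every hop
    leaf = verify_chain(chain)[-1]
    return leaf[1] == agent and action in leaf[2]
```

The verifier never trusts an issuer's own attenuation check: it recomputes the subset, purpose and parent-link conditions for every hop, so a widened or re-purposed token fails even if the agent that minted it was compromised.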

Complementary approaches are also emerging. Behavioral credentials, the idea that agents should be continuously reauthorized based on runtime behavior rather than just initial permissions, address a related but distinct problem. Delegation tokens tell you who authorized what. Behavioral monitoring tells you whether the agent is still acting within its authorized profile. A complete solution will likely need both.

None of these approaches have reached mainstream adoption. But the fact that they’re emerging simultaneously, from different corners of the industry, signals that the delegation gap is real and recognized.

What enterprise teams should do now

You don’t need to wait for standards to mature before addressing the delegation problem. There are concrete steps that security, platform, and architecture teams can take today.

Map your delegation chains. Most teams deploying multi-agent workflows haven’t documented which agents call which other agents, with what permissions, through which protocols. Start there. If you can’t draw the graph, you can’t secure it.

Audit implicit permissions. For every agent-to-agent interaction, ask: Was this access explicitly granted, or is the downstream agent inheriting permissions by proximity? If the answer is inheritance, you have a ghost permission that needs a policy decision.

Require scope attenuation. Establish an architectural rule: When an agent delegates a task, the subagent must receive fewer permissions than the parent, never more. Current tooling doesn’t enforce this automatically, but you can enforce it in your orchestration layer.

Build the audit trail before the auditor asks. If your organization is in a regulated industry, the question “Who authorized this agent action?” will eventually be asked. The time to instrument delegation logging is before that question arrives, not after. Log the full chain: which agent initiated the task, what permissions were passed, which subagents were invoked, and what each accessed.

Test with real tooling. Delegation-aware approaches, including capability-token designs, workload identity standards, and agent identity frameworks, are early but functional. Running one in a nonproduction environment will expose gaps in your current authorization model that architecture review alone will not surface.
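The following added example (not from the article) shows what mapping the chains and auditing implicit permissions look like in practice once invocation logging is in place. It assumes a constructed policy table of explicit grants and a constructed log in which each hop carries a parent link; it flags the ghost-permission and scope-drift cases described above and answers "who authorized this hop" by walking the links back to the human principal.

```python
import json

# Constructed policy table: the permissions each agent was *explicitly* granted.
# Anything an agent touches beyond its row is implicit, i.e. inherited by proximity.
POLICY = {
    "agent:analyst": {"db:customer_transactions", "db:q1_revenue"},
    "agent:summarizer": set(),
    "agent:charting": set(),
}

# Constructed invocation log, one JSON record per hop. `parent` links a hop to the call
# that triggered it; only root hops name the human whose request started the chain.
LOG = """
{"id":"r1","parent":null,"principal":"user:jdoe","agent":"agent:analyst","accessed":"db:customer_transactions"}
{"id":"r2","parent":"r1","agent":"agent:summarizer","accessed":"db:customer_transactions"}
{"id":"r3","parent":null,"principal":"user:jdoe","agent":"agent:analyst","accessed":"db:q1_revenue"}
{"id":"r4","parent":"r3","agent":"agent:charting","accessed":"db:q1_revenue"}
{"id":"r5","parent":"r4","agent":"ext:render-api","accessed":"db:q1_revenue"}
"""

def parse_log(text):
    return {rec["id"]: rec for rec in map(json.loads, text.strip().splitlines())}

def chain(records, rid):
    """Walk parent links from a hop back to its root hop: the delegation path to reconstruct."""
    path = []
    while rid is not None:
        path.append(records[rid])
        rid = records[rid]["parent"]
    return path[::-1]

def audit(records):
    """Flag two of the failure classes: ghost permissions and scope drift to external services."""
    findings = []
    for rec in records.values():
        agent, res = rec["agent"], rec["accessed"]
        upstream = [r["agent"] for r in chain(records, rec["id"])[:-1]]
        if agent.startswith("ext:"):  # data crossed the enterprise boundary via implicit trust
            findings.append(("scope_drift", rec["id"], f"{res} reached {agent} via {' -> '.join(upstream)}"))
        elif res not in POLICY.get(agent, set()):
            sources = [a for a in upstream if res in POLICY.get(a, set())]
            origin = sources[-1] if sources else "nobody"
            findings.append(("ghost_permission", rec["id"], f"{agent} used {res} with no grant of its own; inherited from {origin}"))
    return findings

def who_authorized(records, rid):
    """The auditor's question: which human, through which agents, led to this hop."""
    path = chain(records, rid)
    return [path[0]["principal"]] + [r["agent"] for r in path]
```

Every finding is a policy decision waiting to be made: either grant the downstream agent the permission explicitly, or attenuate what the upstream agent passes along.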

Delegation is the security boundary

The first phase of enterprise agent adoption was about connectivity: Can the agent reach the tool, the API, the database, or the other agent? The next phase will be about accountable delegation: Should this agent be allowed to ask that agent to do this specific thing, with this data, under these constraints?

That question won’t be answered by prompt engineering. It belongs in the authorization layer, the platform layer, and the audit trail.

Enterprises don’t need to solve the entire standards problem today. But they do need to stop treating delegation as an implementation detail. In multi-agent systems, delegation is the security boundary.
