## Sources

1. [Who Authorized That? The Delegation Problem in Multi-Agent AI](https://www.oreilly.com/radar/who-authorized-that-the-delegation-problem-in-multi-agent-ai/)

---

### **Who Authorized That? The Delegation Problem in Multi-Agent AI – Sunil Prakash**

**Main Arguments**
*   **The Authority Gap:** While protocols like Anthropic’s MCP and Google’s A2A have solved the **connectivity problem** (allowing agents to talk to each other), they have not yet solved the **authority problem** [1, 2]. Enterprises are connecting agents faster than they are adapting their authorization models [2].
*   **Delegation as the Security Boundary:** In multi-agent systems, the critical security question is no longer just "who is calling," but whether a **specific downstream action** was legitimately derived from an upstream human instruction [3-5].
*   **Limitations of Current Tools:** Traditional security measures are insufficient for multi-agent chains:
    *   **OAuth 2.1:** Designed for a human "resource owner" to authorize a single client; it fails when Agent A delegates to Agent B, who then spawns Agent C, leading to either **overprivileged token reuse** or untracked actions [6].
    *   **Static API Keys and Service Accounts:** These identify a workload or service but do not capture **intent** or distinguish which agent is acting when multiple agents share an account [3].
*   **The Principle of Least Privilege in Chains:** Privilege should ideally sit only with the agent interacting with the outside world; subagents should receive **strictly fewer permissions** (attenuation) than their parents [7, 8].

**Key Takeaways**
*   **Authorization Leaks:** Authorization often "leaks silently" through agent chains rather than failing loudly, meaning security teams cannot always answer who authorized a specific sub-agent to access sensitive data [1].
*   **Structural Gap:** There is a missing layer in the current technology stack that specifically handles **delegated authority**—verifying that a downstream action follows narrowed constraints with a verifiable chain back to a human [3].
*   **Intent vs. Access:** Identity (knowing who an agent is) is not the same as **accountable authority** (knowing if they are authorized for a specific task) [9].
*   **Delegation-Aware Models:** A robust model must solve four elements simultaneously: **Identity** (cryptographic credentials), **Attenuation** (narrowing permissions), **Purpose** (binding access to a specific task), and **Audit** (reconstructing the decision chain) [8, 10].

**Important Details and Failure Categories**
*   **Ghost Permissions:** This occurs when an agent’s privileges effectively "travel" with a request to a subagent that was never explicitly granted those permissions by a policy engine [11].
*   **Scope Drift:** Even with narrow initial permissions, delegation can widen scope; for example, a charting agent might call an external API, causing internal data to leave the organization through **implicit trust hops** [11].
*   **Broken Audit Trails:** In multi-agent systems, logs often fragment across different protocols and services, making it impossible for compliance teams to trace a final action back to a specific human decision [12].
*   **Emerging Solutions:**
    *   **Agent Identity Protocol (AIP):** An emerging standard for **invocation-bound tokens** that carry identity and attenuated permissions through a chain [13].
    *   **Behavioral Credentials:** These involve continuously reauthorizing agents based on **runtime behavior** rather than just initial static permissions [14].
*   **Actionable Steps for Enterprises:**
    *   **Map Delegation Chains:** Organizations must document which agents call which others and what permissions are used [15].
    *   **Enforce Scope Attenuation:** Orchestration layers should be configured so subagents never receive more permission than their parent [16].
    *   **Pre-emptive Auditing:** Build full delegation logging (initiator, permissions passed, subagents invoked) before regulators ask for it [16].
    *   **Test New Tooling:** Experiment with capability-token designs and agent identity frameworks in nonproduction environments to identify gaps in current models [4].