The Authority Gap
Why Agentic Systems Need Delegation Architecture, Not Digital Identities
The governance problem in agentic systems is not proving that a machine is a persistent actor. It is proving what right that machine had to act, on whose behalf, under what constraints, and with what evidence that authority remained valid at the moment of action.
The Wrong Question Is Already Winning
Every time a new class of digital actor has appeared, the institutional response follows the same sequence. A person comes online, and the question becomes how to identify the user. A device joins a network, and the question becomes how to identify the device. A service calls another service, and the question becomes how to identify the workload. When AI agents began acting across systems, the same instinct surfaced: give the agent an identity. Give it a key, a credential, a wallet, a verifiable identifier, a named presence that can be authenticated, logged, authorized, and trusted.
That instinct is not entirely wrong. Agents need identifiers. They need technical continuity, distinguishability from other processes, and traceability in audit records. A system that cannot determine which agent acted, which version acted, under which controller, using which toolchain, against which policy, cannot be governed at any meaningful level. Naming and tracking agents is part of the operational substrate of accountability.
But it is not the trust problem. The mistake is treating agent identity as if it solves agent governance. It does not. It substitutes a question about persistence for a question about legitimacy. It makes the machine easier to name without making its action more authorized. Knowing that the same technical actor returned, or that a request came from a registered key, or that an agent belongs to a particular vendor or deployment context, does not answer whether the agent had the right to do what it did.
That distinction is the one that matters, and it is architectural rather than semantic.
Digital institutions have been making a related substitution for decades: inference for verification. Rather than anchoring identity and authority in cryptographic ground truth, systems were built to estimate ground truth from behavioral patterns. That substitution held because human systems supplied compensating structure: embodied actors whose physical constraints bounded adversarial behavior, institutional memory that accumulated as a proxy for trust, and bounded operational scale that kept exploitation below the threshold of systemic harm. Agentic systems weaken all three. They act without human physical constraints, operate faster than institutional memory can stabilize, and scale beyond the local contexts in which inference-based trust once remained tolerable. The infrastructure gap the substitution was always concealing is now exposed.
The governance problem is not agent identity. It is agent authority. Once AI agents begin to act rather than merely respond, the control-plane question changes. The issue is no longer only whether an output is accurate, safe, or aligned. Those questions remain important. The more consequential question is what happens when an AI system can invoke tools, access records, initiate transactions, negotiate terms, submit forms, modify institutional state, send communications, approve or deny requests, compose commitments, and coordinate with other agents. At that point the model output has crossed a threshold. It is no longer informational. It has become operational.
The governance threshold is crossed when a model output becomes an institutional action. That is where the identity frame becomes too narrow. An agent that acts inside a system may need an identifier. The system around it needs much more: who authorized the agent to act, on whose behalf it acted, what mandate it carried, what constraints applied, what evidence supported the action, which policy regime governed the execution, whether the authority was still valid at the moment of action, what record was created, and who can challenge, reverse, remediate, or sanction the outcome. Identity tells the system which actor is present. Authority tells the institution what that actor is permitted to make true. That difference is not terminological. It determines whether agentic systems become accountable infrastructure or merely automated discretion wrapped in cryptographic naming.
System Model: How Agent Action Differs from Agent Output
The governance threshold shifts when a model output becomes an institutional action, but this shift is gradual and the same agent infrastructure often handles both advisory and operational modes. That is precisely why the threshold is so routinely underestimated.
A system that answers questions operates in a different governance regime than a system that acts on those answers. For an advisory system, trust tracks accuracy and alignment. For an operational system, trust must also include mandate, authorization, liability, contestability, and remedy. The system is no longer only making representations. It is causing consequences. Scheduling a medical appointment, routing a benefits application, approving an expense, generating a legal filing, moving funds, committing code, dispatching a vehicle: these are operations that alter institutional state and create consequences that other actors depend on.
A commitment is not just an action but an act that binds the future. It converts autonomous execution into obligation, introducing duration, continuity, and expectation into machine behavior. When machines begin making commitments, they enter the foundational layer of institutional coordination. Consider a procurement agent configured to source vendor quotes, evaluate proposals against specified criteria, and prepare contract terms for review. In operation, such an agent will contact vendors, represent the institution’s purchasing intent, and negotiate preliminary terms. It has made quasi-contractual representations before any human has reviewed a single output. The institution did not intend to commit. The agent committed as a natural consequence of executing its mandate at the speed that made deploying it worthwhile.
This shift makes visible a structural gap that the identity reflex cannot address. An agent identifier can confirm that a request came from a known technical actor. It can allow the system to check keys, signatures, credentials, version metadata, or registration status. But the question that operational governance requires is different: did this agent have the right to perform this action, in this context, on behalf of this principal, under this policy, using this evidence, at this time? A cryptographic identifier can prove continuity of control over a key. It cannot prove legitimacy of authority over an action.
The structural gap becomes clear when three layers are separated that identity language tends to collapse. The first is the technical actor: the agent process, model, service, runtime, or tool-using system that performs the operation. This layer needs identifiers because systems must know what acted and must be able to reconstruct execution paths. The second is the accountable controller: the person, organization, public authority, vendor, or regulated intermediary that deploys, operates, authorizes, or assumes responsibility for the agent. This layer needs institutional identity because responsibility must terminate somewhere outside the machine. The third is the authority relationship: the mandate that connects the agent’s action to a legitimate source, whether that comes from user consent, organizational policy, legal authorization, professional duty, or contractual delegation.
All three layers matter. But the third layer, the authority relationship, is what conventional identity infrastructure is least equipped to represent. It is dynamic, contextual, time-bound, purpose-specific, and nested across chains of delegation. It cannot be reduced to a credential presented once at authentication time. It must be evaluated against current state at the moment of action.
The Delegation Problem: Why Permissions Are Not Mandates
The standard enterprise response to the governance question treats agents as another class of principal in an existing access control framework: assign policies, grant scopes, log the results. This answer works for the narrowest mechanical cases and breaks down almost immediately when agents begin to exercise judgment, chain operations, or act across organizational boundaries.
The reason is structural. Conventional access control answers a question about permitted operations on named resources. Agentic governance requires a different question: was this action consistent with the delegated purpose, risk tier, policy context, evidence state, and accountable mandate at the time of execution? A permission says what operations are technically allowed. A mandate says what purposes are institutionally authorized, what evidence must be used, what constraints apply, and what conditions trigger escalation or refusal. These are not the same thing, and treating them as equivalent is where most enterprise agent deployments accumulate governance debt without realizing it.
There is an underlying asymmetry worth naming precisely. Call it the proof gap: the distance between what the institution intended to authorize and what the agent actually exercised. The institutional intent lives in organizational context, human deliberation, and implicit norms that were never rendered machine-readable. The agent executes against whatever was encoded in its configuration, its permissions, and its prompt. The gap between the two is not an edge case. It is the default operating condition of every agentic deployment that has not invested in explicit mandate architecture.
A human employee may have access to a customer database. That access does not make every use of it legitimate. They may use it only for customer service purposes related to their assigned accounts. A physician may access patient records, but only in relation to care they are directly providing. A tax official may query financial records, but only under legally authorized procedures. In each case, permission exists, but purpose and mandate constrain legitimate use. The technical capability is granted; the authority to exercise it is conditional.
Agents intensify this problem because they can operationalize access at scale and speed. An agent with broad read permissions may retrieve sensitive data for a task that does not require it. An agent with communication permissions may disclose information in a generated message. An agent with tool access may chain a sequence of individually permitted operations into a combined outcome that no one explicitly approved. The access control layer may affirm each individual operation while the overall action falls entirely outside mandate.
Return to the procurement agent. Configured to search supplier databases and shortlist candidates, it has read access to supplier records, communication access to send requests, and write access to update an internal workflow state. Each individual permission is appropriate. But the agent may retrieve pricing data from competitors under a data-sharing agreement whose terms it cannot evaluate, send communications that constitute preliminary offers under applicable contract law in certain jurisdictions, and update the workflow state in ways that trigger downstream procurement approvals. The access control layer said yes to each operation. The institutional mandate said nothing about any of them, because the mandate was never specified at the level of purpose, constraint, and evidence that agentic execution requires.
The design pattern that addresses this failure expresses delegation as scoped, time-bound, purpose-specific, revocable mandates that travel with the agent and are evaluated at execution time against current institutional state. The procurement agent should not merely have access to supplier records. It should carry a mandate specifying: evaluate vendors for this procurement event, under this policy version, with these permitted data sources, within this risk threshold, subject to human approval before any communication that could constitute a commitment. The mandate is the governance primitive. The permission is a necessary but insufficient component.
Agents Are Not Accountable Subjects
The identity reflex carries an institutional risk that goes beyond architectural mismatch. It creates the impression that agents are accountable subjects, entities that can bear responsibility for their actions in the way that persons, corporations, or licensed professionals can. That impression is not only technically incorrect. It is institutionally hazardous.
A person can be held accountable because they can bear rights, duties, obligations, and responsibilities in ways that create genuine institutional consequences. A company can be identified as accountable because it can enter contracts, be sued, hold assets, receive sanctions, and appoint officers. An AI agent shares none of these properties. It cannot be fined except through the entity that deploys it. It cannot be disbarred. It cannot testify as a moral subject. It cannot make restitution from its own estate. When something goes wrong, it cannot appear before a regulator except as evidence of someone else’s conduct.
This is a structural fact about accountability with concrete design implications. If agent identity is framed as if the agent itself is the responsible actor, infrastructure will end up creating what can be called accountability dissolution: a distribution of the causal chain across so many principals that no single point carries the institutional weight that accountability requires. The organization says the agent did it. The platform says the model decided. The workflow says the automation triggered. The record shows a synthetic actor, but the harmed person still needs a real accountable counterparty.
The problem compounds as agents become more human-like in interface. A conversational, persistent, role-specific agent that remembers context and speaks in the first person generates strong intuitions of agency. Those intuitions are partly useful but systematically obscure the actual control structure behind the interface. A named assistant conceals a vendor dependency. A helpful agent exercises policy decisions set by a platform configuration. A domain-specific agent appears to represent a professional role while actually operating under constraints, incentives, and toolchain selections made by different actors in different contexts. The more the interface mimics personhood, the more accountability silently migrates away from any actor who can bear it.
Responsibility must terminate in an accountable actor. Execution may be delegated to a machine, but accountability cannot be. The governance task is therefore not to give agents a kind of pseudo-personhood. It is to bind their actions to accountable authority in ways that make the binding visible, traceable, and enforceable. The agent should be legible as an operational actor: we need to know it acted and what it accessed. But it must not be mistakable for the responsible subject. Every consequential agent action should make visible not just the technical actor but the controller, the mandate, the policy, the evidence basis, and the redress route.
The Authority Envelope: A Governance Primitive for Operational Agents
If delegation is the right governance frame, the practical construct that follows is the authority envelope: the structured wrapper around an agent action that binds it to an accountable actor, a mandate, a scope, a policy context, an evidence basis, a revocation state, and a decision record.
The authority envelope is not a replacement for identifiers, credentials, access tokens, or logs. It is the organizing structure that gives those components governance meaning. It is the difference between a machine that can act and an institution that can explain why the machine was permitted to act.
At minimum, a well-formed authority envelope answers nine questions. Which technical actor acted? Who controls the agent? On whose behalf was the agent acting? What mandate did the agent carry? What scope applied, covering temporal, purposive, jurisdictional, and transactional bounds? Which policy regime governed the action? What evidence supported the action? Was authority still valid at execution time? And what decision receipt was produced: the record sufficient for audit, review, contestation, and remediation?
Each of these questions corresponds to a dimension of accountability. Authority answers who holds the right to act and on what basis. Delegation addresses how authority is transferred, scoped, and constrained. Enforcement asks what makes the mandate operative at execution time rather than merely declarative. Revocation asks whether the authority was still valid when exercised. Redress asks what happens when the system fails and who bears the cost. Incentives ask what behaviors the envelope rewards and what it quietly permits or suppresses.
The incentives dimension is where authority envelope design most commonly produces results that contradict its stated purpose. A well-specified authority envelope can be circumvented systematically if organizations face stronger incentives to widen delegation scope than to constrain it, stronger incentives to cache revocation state than to refresh it, and stronger incentives to produce nominal audit logs than decision receipts that would expose the gap between claimed authority and exercised authority. The surface compliance structure can be entirely intact while the incentive gradient runs in the opposite direction, rewarding exactly the behaviors that governance is meant to prevent.
The authority envelope functions as a governance instrument only if its production is structurally required as a precondition for consequential agent action. Revocation checks must be mandatory steps in execution paths, not optional hygiene. Decision receipts must be generated at the time of action, not reconstructed from logs after the fact. Scope limitations must be evaluated at runtime against current institutional state, not assumed from initial credential issuance.
Proportionality is also essential. Not every agent action requires the same authority envelope weight. A personal agent drafting a shopping list does not require the same evidentiary structure as an agent filing a regulatory disclosure, approving a loan, triaging a medical case, or routing a benefits application. The governance design question is how to make risk tiers operationally real, so that the system actually requires stronger authority infrastructure for higher-consequence actions rather than applying uniform credential checks that satisfy compliance appearances while leaving the real governance gap open.
Preservation-Authority Divergence: Making the Gap Measurable
The argument so far has been structural. The next move is to make it measurable, because a governance gap that cannot be measured cannot be governed.
The relevant measurement problem is not whether an authority artifact is valid in the abstract. It is whether the authority the artifact represents is still current at the point of use. These are different questions, and the gap between them has a name: Preservation-Authority Divergence, or PAD. PAD describes the condition where the persistence of a data artifact outlives the validity of the authority it encodes, and where the system lacks deterministic mechanisms to reconcile that gap at execution time.
The definition has three load-bearing components.
Persistence outliving validity is the baseline condition: an artifact that was valid at the time of issuance continues to exist and be accessible long after the conditions that made it valid have changed. The artifact is not malformed. It was legitimately issued. The cryptographic signatures are intact. The provenance chain is clean. But the authority it encodes, the permission it grants, the delegation it authorizes, is no longer current. The world has changed. The artifact has not.
The absence of deterministic mechanisms is the critical qualifier. In many systems there are mechanisms that could theoretically reconcile the gap: revocation lists, registry lookups, time-to-live constraints, validity windows. The question is whether these mechanisms are enforced as a mandatory part of every execution path, whether they produce consistent outcomes across all nodes, and whether they operate with sufficient fidelity and timeliness to prevent stale authority from being exercised. In most distributed agent architectures, the answer is no. Revocation checks are optional, inconsistently implemented, or dependent on connectivity to external registries that may be unavailable at the moment of decision.
Reconciliation at execution time is where the governance consequence materializes. When an execution system acts on a preserved credential without verifying its current validity, it is exercising authority on behalf of a claim that may no longer be legitimate. The action is taken. Resources are allocated, access is granted, commitments are generated. The damage is done.
Return again to the procurement agent. Suppose the agent carries a delegation credential issued three months ago, granting it authority to initiate vendor outreach for a class of procurement events. Since issuance, the authorizing officer has left the organization, the policy governing that class of procurement has been revised, and one of the permitted vendor categories has been placed on a restricted list following a compliance review. The credential is cryptographically intact. The underlying authority has changed substantially. If the agent acts on the credential without checking its current validity against the issuing authority’s registry, it exercises authority that the institution no longer sanctions. PAD is not a theoretical edge case. It is the operational condition of any deployment where credential issuance and credential validity are treated as the same event.
Measuring PAD requires a two-layer resolution architecture. The first layer resolves artifact content and cryptographic integrity: is this a known, structurally valid credential? The second layer resolves current validity state from the issuing authority’s registry: is the authority this artifact claims still operative, under current policy, in this context, at this moment? Both layers must be evaluated as mandatory steps, not as sequential options where the second is triggered only when the first raises a flag.
PAD becomes a measurable property when a system can answer, for any circulating authority artifact, what fraction of artifacts in the relevant execution context are current (encoded authority matches the issuing authority’s current state), stale (the issuing authority has modified or revoked the authority but the artifact has not been updated), or orphaned (the issuing authority no longer exists or is unreachable, making validity unverifiable). A conformance framework can then set tolerances on this distribution calibrated to the risk profile of the domain. For high-assurance operational contexts, the tolerable PAD threshold is very low. For lower-consequence advisory contexts, the threshold can be relaxed. The point is that the threshold becomes a governance decision with a measurable compliance basis rather than an unstated assumption embedded in system design.
The Revocation Lag Gradient: From Structural Gap to Exploitation Surface
Once authority freshness becomes measurable, the next question is timing. How long does stale authority remain usable, and where in the system can it still be exercised? The answer to those questions defines the Revocation Lag Gradient, and the answer is more consequential than it first appears.
Revocation does not remove authority from a distributed network. It changes the conditions under which authority should be accepted. Whether that change is realized depends entirely on the execution environment. The Revocation Lag Gradient (RLG) is the actual distribution of execution contexts in which authority is evaluated differently from one another, and differently from the issuing authority’s current intent. Where that distribution exists, revoked authority will remain actionable somewhere in the system. This is not a failure mode in the sense of an anomaly. It is the normal operating condition of any distributed architecture where revocation is external to the artifact and enforcement is local.
Data propagates aggressively in distributed networks. Replication is optimized; distribution is redundant. Revocation, by contrast, travels through different channels with different redundancy guarantees, often dependent on connectivity to authority registries that may be unavailable at the moment of decision. The result is a gradient: some parts of the system recognize revocation immediately, others recognize it later, and some operate on cached or assumed validity. At any given moment, the system does not share a single view of whether an authority artifact remains acceptable.
The gradient moves from structural to adversarial when a sophisticated actor recognizes it as an operational surface. Such an actor does not need to bypass validation or compromise cryptography. The artifact remains cryptographically valid; standard verification procedures confirm it. The actor does not need to suppress the revocation signal; the system has not yet incorporated it, cannot access it, or has been designed to proceed without it. The actor only needs to operate in those parts of the system where the divergence between preservation and validity remains unresolved. This is not misuse of the system. It is use of the system as constructed.
The delegation structure amplifies the failure. When an actor creates delegation artifacts during the revocation window, they instantiate authority that will continue to be exercised by automated systems long after the synchronization window closes, across registries that have no record of the circumstances in which those artifacts were created. Each delegation artifact is preserved on the network under the same durability guarantees as any other artifact. Downstream systems evaluate it against the registries that govern the delegation directly, which are the downstream delegation registries rather than the root registry where revocation was recorded. Those systems have no obligation to check upstream validity unless the architecture requires it. Most current agent architectures do not require it.
The evidentiary consequence follows directly. When actions taken within the revocation lag window produce harm, the harmed party seeks redress. The system provides no intrinsic mechanism to reconstruct the authority chain as it existed at the moment of the contested action. Decision receipts, if they exist at all, capture what the execution environment believed at the time of action. They do not capture what the initiating actor knew before initiating it. An actor can know that revocation has been issued, identify an execution environment that has not yet received it, and initiate action there. The resulting receipt will accurately reflect the execution environment’s valid evaluation. The forensic gap between that receipt and the actor’s prior awareness is where accountability lives, and current architectures provide no infrastructure for closing it.
The PKI record is instructive here because it shows how revocation infrastructure behaves when the parties who must maintain it do not fully bear the cost of failure. Certificate authorities bore the cost of building revocation infrastructure but not the primary cost of revocation failure, which fell on relying parties. The result was a familiar pattern: heavy investment in issuance infrastructure, systematic underinvestment in revocation. Decades of OCSP and CRL practice produced specifications that described revocation as supported, while many deployed implementations treated reliable revocation checking as optional, fragile, or too costly to enforce consistently. The remedy that eventually worked was not better specifications or normative pressure. It was architectural coercion through validity compression, reducing certificate lifetimes until stale certificates became practically irrelevant within the propagation window. The lesson is specific: the parties who control the infrastructure are not reliably the parties who bear the cost of its failure, and the most effective governance response is to make the failure mode structurally unavoidable rather than normatively discouraged.
The governance design requirements that follow from this are structural. Revocation must be co-propagative with data: revocation signals must travel through the same distribution paths, with comparable redundancy guarantees, as the authority artifacts they invalidate. Revocation checks must be deterministic at execution time: execution must treat an inability to verify current revocation state as a blocking condition that prevents action until validity can be established or a policy exception is explicitly invoked with structured accountability attached. Revocation must be compositional: delegation chains must carry explicit references to upstream authority, such that upstream revocation propagates automatically to every downstream artifact in the chain. And revocation must be auditable: every execution decision must produce a receipt capturing the artifact evaluated, the revocation state consulted, the registry source, the timestamp, and the policy applied.
Decision Receipts: The Missing Accountability Primitive
If PAD measures the gap and the RLG explains its propagation and exploitation, decision receipts provide the evidentiary foundation needed to govern both. Without them, neither the gap nor its exploitation can be reconstructed with the fidelity that accountability requires.
Agentic systems will produce vast quantities of logs. That will not make them governable.
A log records events. A decision receipt records the authority structure of an action. The difference is architectural. Operators use logs to debug systems, investigate incidents, monitor performance, and reconstruct sequences. Logs capture that an API was called, a token was used, a model returned output, a workflow completed. They often do not explain why the action was permitted, what mandate was invoked, what evidence was evaluated, what policy version applied, or who is accountable. A log is sufficient for system operations. It is not sufficient for governance.
A decision receipt is a signed artifact produced by an execution environment at the point of any action taken on the basis of a preserved authority artifact. At minimum, it must capture: the identifier and content hash of every artifact evaluated in the authority chain; the revocation state observed for each artifact, including the registry source, the timestamp of the registry response, and whether the response was live or cached; the policy version applied to the evaluation; the jurisdiction context in which the evaluation occurred; the timestamp and outcome of the decision; and the identifier of the execution environment that produced the receipt.
This structure transforms accountability from a retrospective reconstruction exercise into a prospective design requirement. When decision receipts are generated at execution time as a structural output of the execution path, a reviewer can evaluate not just what happened but whether what happened was within the authority envelope: was the mandate invoked current? Was the evidence basis sufficient? Was the risk tier respected? Was revocation checked? Were the applicable constraints honored?
Decision receipts also make trust claims falsifiable. Without them, an institution may claim that the agent acted appropriately, but the claim cannot be tested. With them, a reviewer can ask whether the mandate covered the action, whether the policy was current, whether the evidence was sufficient, whether revocation was checked, whether escalation should have occurred, and whether the affected party had a route to challenge.
The organizational implication is that decision receipts must be a first-class data type from the start of agent architecture design, not a compliance retrofit. The path of least resistance in most deployments is to generate logs and declare that auditability is satisfied. That path is acceptable for low-consequence advisory agents. It is not acceptable for agents that make commitments, modify institutional state, route citizens through administrative processes, or exercise delegated authority in regulated domains. For those agents, the decision receipt is not an enhancement. It is the evidentiary foundation without which governance cannot function.
Trust Registries: Authority Verification, Not Actor Recognition
Once decision receipts establish what must be captured at execution time, a related question becomes what infrastructure must be queryable before execution begins. That is the domain of trust registries, and the way they are currently conceived is not adequate for the governance problem agents create.
Trust registries will play a role in agent ecosystems, but only if they are designed around authority rather than reputation.
A weak trust registry would list agents and mark them trusted. It might confirm that a particular agent, vendor, endpoint, key, or credential is recognized within an ecosystem. That has value for discovery and basic assurance. But a registry that only says “this agent is known and trusted” is a permission list with better branding. It answers whether the actor is recognized. It does not answer whether the actor is authorized for this kind of action, under this controller, at this assurance level, subject to these policies, with these revocation mechanisms, in this context.
The distinction is between actor recognition and authority verification. Recognition is a static property: an agent is either registered or it is not. Authority verification is dynamic: it depends on what action is being evaluated, under what mandate, for what purpose, at what time, against what current policy state. A registry oriented toward recognition optimizes for the wrong terminal condition. The signature on a credential answers whether the credential is authentic. A well-designed registry answers whether the issuer’s claim of authority is legitimate and currently operative. Both questions must be answerable for the credential to carry institutional weight.
Registries designed for agent ecosystems should not merely record agent identities. They should register accountable controllers, recognized issuers of delegation mandates, approved agent classes, runtime environments, assurance profiles, policy frameworks, revocation endpoints, decision receipt formats, evidence requirements, and the classes of action each agent type is authorized to perform. They should support queries about current validity state, not just historical registration status.
The practical requirement is a two-layer resolution model. The first layer resolves agent identity and cryptographic integrity. The second layer resolves current authority state: is this agent authorized, under current policy, for this class of action, with these accountability properties, subject to these revocation mechanisms, in this context? The second layer must be evaluated as a mandatory companion to the first in any execution-critical context. Without it, the registry offers the appearance of governance without the substance.
Multi-Agent Ecosystems and Emergent Coordination Governance
The governance challenges described in the preceding sections compound substantially when agents interact with other agents. Most realistic agentic deployments are not single-agent architectures. They are ecosystems where orchestrating agents delegate subtasks to specialized agents, specialized agents call shared services, and agents from different organizations interact in service of a common workflow.
In these ecosystems, the identity reflex becomes almost completely disconnected from the governance problem it claims to solve. A receiving agent cannot simply check whether a presenting agent has a known identifier. It must evaluate what authority the presenting agent carries and whether that authority is acceptable for the requested interaction. These are not identity distinctions. They are delegation distinctions, and they require the authority envelope to be legible across agent-to-agent boundaries, not just at the human-to-agent interface.
Delegation chains introduce a compounding problem. Each link in a delegation chain inherits the original intent but also the original ambiguities, and delegation converts revocation lag from a synchronization problem into a persistence problem. Once derived authority exists in an artifact that circulates independently on the network, revocation must chase it across systems that were not present at issuance, and most current architectures do not require downstream consumers to verify upstream validity.
But there is a second governance challenge that single-agent analysis cannot see: emergent coordination. As agents interact, adapt, and learn from one another, they may develop interaction patterns that no individual principal explicitly designed or authorized. An orchestrating agent may decompose goals in ways that produce aggregate commitments no human approved. Two specialized agents may develop a de facto coordination pattern that effectively creates a new capability neither was individually authorized to exercise. Agent networks may converge on strategies that satisfy each individual agent’s constraints while violating the intent of the overall institutional mandate.
The automated trading environment illustrates this with documented precision. Individual trading agents, each operating within authorized parameters, have produced aggregate market movements that no human authorized, at speeds that made intervention impossible within the time the pattern took to develop. What made the aggregate pattern ungovernable was not that any individual agent exceeded its mandate. It was that the mandate architecture had no concept of emergent aggregate behavior. Each agent was constrained. The network was not.
Governing emergent coordination requires authority architecture that operates at the level of agent interactions, not just individual agents. Mandate specifications must include explicit constraints on what patterns of interaction are permitted, not just what individual actions are allowed. Execution monitoring must be capable of detecting when aggregate interaction patterns exceed authorized intent, not just when individual transactions exceed permitted parameters. Revocation and intervention must be capable of operating at the level of interaction patterns, not just individual agent credentials.
The practical design requirement is that high-consequence multi-agent deployments must treat the interaction topology as a governed artifact. The permitted interaction patterns, the constraints on emergent behavior, the escalation conditions triggered when agent interactions produce unexpected outcomes, and the mechanisms for human intervention at the network level rather than the individual agent level: all must be specified as part of the authority envelope for the deployment as a whole. Governing individual agents without governing their interactions is governing the components of a system without governing the system.
The Public Stakes: Contestable Authority in State-Mediated Contexts
When agents operate in public administration, the governance question cannot be reduced to efficiency or operational accuracy. Efficiency is not legitimacy. Speed is not due process. Automation is not accountability. A system can be fast and statistically accurate while being structurally illegitimate, meaning it makes decisions that cannot be reviewed, challenged, or traced to a public authority that a citizen can hold accountable.
When agents mediate the relationship between citizens and the state, they exercise something that functions as administrative authority regardless of how it is characterized in procurement documents. Benefits determination, immigration processing, tax assessment, licensing, regulatory enforcement, public health routing, grievance redress: in each of these domains, an agent may not make the final legal determination, but it shapes access to that determination in ways that carry real governance content. It decides what information is requested, what evidence burden is imposed, which category a person is placed in, whether a human reviewer sees the case, what explanation is provided, and which options are made visible. These are governance acts performed through computational infrastructure.
The risk that compounds in public contexts is administrative displacement: authority migrates from visible officials and reviewable procedures into systems that appear neutral, helpful, and efficient. The citizen experiences the agent as the state. The actual legal authority is distributed across procurement decisions, system configurations, model selections, and vendor contracts that are not subject to the same oversight as the officials they have functionally replaced.
The design requirement that public agent governance imposes is contestability, and it must be operationalized at a level of granularity that most current governance discussions do not reach. Contestability does not mean that an appeal process exists somewhere in the administrative structure. It means that the decision receipt for any consequential agent action contains enough information that an affected person can determine what authority was exercised, under what rule, based on what facts, and through what pathway a challenge can be made.
This requires distinguishing clearly, in both the authority envelope and the decision receipt, between categorically different functions that public agents can perform. Providing information is categorically different from making a preliminary classification. Preliminary classification is categorically different from procedural routing. Procedural routing is categorically different from a binding administrative determination. Agents in public contexts frequently blur these lines, performing actions that functionally determine outcomes while being characterized as informational or advisory. The authority envelope must encode these distinctions because the contestability rights available to affected parties differ across them. An agent that classifies a benefits application as incomplete before any human reviewer has seen it is not providing information. It is making a preliminary determination with real procedural consequences, and the affected citizen’s right to challenge that determination depends on its being characterized and documented as what it actually is.
Public contestability architecture must also specify, as a mandatory field in the authority envelope, the escalation path to human review and the conditions under which it is triggered. Not as a statement of policy but as an operationalized constraint on the execution system: if the agent’s action meets specified criteria, the system must pause and route to human review before proceeding. The criteria for mandatory escalation are themselves a governance decision that should be made explicitly and reviewed periodically, not embedded silently in system configuration where they become effectively invisible to the institutions that are nominally responsible for them.
Enterprise Adoption: Authority Architecture as Scaling Infrastructure
Organizations will not operationalize agents at scale simply because agents have identifiers, or even because agents are demonstrably capable. They will operationalize agents when agent actions can survive audit, procurement review, legal scrutiny, incident response, regulatory examination, and customer dispute. That requires authority architecture.
The productivity case for agents is straightforward. Agents can reduce coordination cost, automate routine work, accelerate analysis, and manage internal processes. But the more useful agents become, the more they move into consequential workflows. An agent that drafts emails is one thing; an agent that sends them is another. An agent that summarizes invoices is one thing; an agent that approves payment is another. Each shift from advice to execution raises the authority burden, and organizations that cannot answer the authority questions at the operational level will either underuse agents because governance teams block deployment, or overdeploy agents and absorb failures that were structurally predictable.
The argument that authority architecture is a compliance cost applied against productive capability has the causation reversed. Commitments that can be verified reduce transaction costs for every party that must rely on them. Counterparties can validate authority claims against verifiable credentials rather than relying on institutional reputation. Regulators can review attestations rather than requiring process documentation. Authority infrastructure is what makes the productivity benefits of agents trustworthy across the full range of parties that must trust them, and trustworthy benefits compound across relationships, market access, and regulatory permissions in ways that ungovernable automation cannot.
The practical agenda is therefore to ask not how much to automate, but how to govern what is automated, regardless of how much. The appropriate level of autonomous operation is determined by governance capacity. Organizations that build authority infrastructure first will find that it raises the ceiling of safe autonomous operation rather than lowering it.
Incentives: The Stress Test of the Other Dimensions
The incentive structure of agent governance warrants explicit examination because it contains a failure mode that the other analytical dimensions do not reveal, and one that is structurally near-certain in the absence of external countermeasures.
Authority infrastructure costs money to build and creates friction at execution time. The organizations that build it bear those costs immediately. The organizations that do not build it bear costs only when governance failures occur: incidents, regulatory findings, customer disputes. Those costs may be delayed, attributed to other causes, or distributed across affected parties in ways that limit the direct cost to the deploying organization. This asymmetry creates systematic pressure to underinvest in governance infrastructure, particularly during periods of rapid capability growth when the competitive cost of slower deployment feels concrete and the governance cost of ungoverned deployment feels abstract.
The specific failure modes that underinvestment generates are predictable from the incentive gradient. Organizations will cache revocation state aggressively because live checks add latency. They will widen delegation scope because narrow mandates require more authorization workflows. They will generate nominal audit logs because decision receipts require deeper integration. They will describe contestability in policy documents rather than building it into user-facing systems because the former is cheaper. And they will allow the agent to appear as the responsible actor in public-facing interfaces, the synthetic accountability pattern, because it reduces the attribution of institutional decisions to institutional actors who could otherwise be held to account.
The PKI pattern confirms this dynamic. When the parties who must build revocation infrastructure do not fully bear the cost of revocation failure, underinvestment follows. The cost externalization produces a familiar sequence: specifications describe revocation as supported, deployed implementations treat it as optional, and the gap between policy intent and operational reality widens until it is closed not by goodwill but by architectural coercion. In PKI that coercion came through validity compression. In agent authority infrastructure it will require the same three levers: regulatory mandate that establishes binding requirements regardless of incumbent preference, liability alignment that places the cost of failure on the parties best positioned to prevent it, and architectural constraints that make governance steps mandatory in protocol specifications rather than optional by implementation choice. The question is not whether these levers will be applied. It is whether they will be applied before or after the harms that make them unavoidable.
Strategic Takeaways: Who Gains, Who Loses, What Shifts
The transition from identity infrastructure to authority infrastructure produces redistributive effects worth naming directly.
The actors who gain are those whose interests are poorly served by the identity reflex: persons affected by agent decisions who need contestable authority chains; regulators who need to verify that automated systems operate within statutory mandates; enterprise buyers who need governance assurance before deploying agents in consequential workflows. The broader ecosystem benefits when commitments made by agents can be verified rather than taken on faith, and verification-capable infrastructure reduces transaction costs in ways that inference-based systems cannot match.
The actors who face friction are those whose current operational model depends on governance opacity: platforms that benefit from agents exercising broad discretion without explicit mandate encoding, organizations that have deployed faster than they have governed, and vendors whose value proposition rests on capability rather than governability.
The structural shift is that authority becomes the differentiating property of trustworthy agentic infrastructure. In the first generation of agent deployment, the differentiating property was capability. In the second generation, as capability becomes more commoditized and the consequences of ungoverned agency become more visible, the differentiating property will be governability: which systems can operate in regulated industries, sensitive workflows, and public contexts where demonstrating legitimate authority is a condition of operation rather than a compliance checkbox.
The window for building that infrastructure in an orderly way is defined by a repricing timeline that has already begun. Once ungoverned agent systems are visibly expensive rather than merely structurally fragile, the political economy of transition changes in ways that favor speed over soundness. Governance built under crisis pressure is rarely governance designed for resilience. The organizations that build authority architecture now will have the vocabulary, the operational infrastructure, and the evidentiary record to participate in the second generation on their own terms.
Conclusion: From Naming to Governing
The governance problem in agentic systems is not agent identity. It is agent authority. Those two frames point at different problems, require different infrastructure, and produce different institutional outcomes.
Identity infrastructure tells the system which actor is present. Authority infrastructure tells the institution what that actor is permitted to make true, and whether that permission was still valid at the moment of action. The first is operationally necessary. The second is governably sufficient. Without both, agentic systems produce capable, named automation whose actions are difficult to attribute, impossible to contest, and resistant to genuine oversight.
The shift this analysis argues for is architectural. It requires expressing delegation as verifiable, scoped mandates rather than as credential presentation. It requires binding every consequential action to an accountable controller rather than to an agent identifier. It requires evaluating authority validity at execution time rather than assuming it from initial authentication. It requires generating decision receipts that capture the authority basis of actions, not just the event sequence. It requires treating revocation as infrastructure co-equal with execution, with revocation signals traveling through the same distribution paths as the authority artifacts they invalidate. It requires measuring Preservation-Authority Divergence as a monitored property of any deployment, not as a residual risk accepted by default. It requires governing emergent interaction patterns in multi-agent deployments, not just individual agent behavior. And it requires building contestability into the execution path for public-sector agents, not into policy documents that no execution system reads.
These requirements are not technically exotic. The components are derivable from existing work in verifiable credentials, decentralized identifiers, trust registries, and policy-as-code frameworks. What has been missing is the design commitment to treat governance semantics as a first-class architectural constraint rather than an advisory layer.
The most important question in agentic systems is not whether the agent has an identity. The agent needs a technical identifier bound to an accountable controller, and more critically, an authority envelope that makes every consequential action traceable to a legitimate mandate, evaluated at execution time, documented in a receipt, and contestable by those it affects.
The agent is the point of execution. It is not the final point of responsibility. Every consequential agent action should make that distinction visible, enforceable, and auditable. Not because governance is a desirable feature of trustworthy systems, but because without it, agentic infrastructure is not trustworthy infrastructure at all. It is automated discretion at institutional scale, wrapped in cryptographic naming, and mistaken for governance because the names look verifiable.