Audor / Agent Authority Control ← Writing
Manifesto

Permissions Are Not Authority

Every enterprise deploying AI agents is about to relearn a lesson the security industry learned decades ago with humans: access control tells you what someone can do. It says nothing about what they should do.

We solved this for people with a lattice of context: job descriptions, approval chains, spending limits, separation of duties, audit. An accountant can wire money; whether a specific wire is authorized depends on an invoice, an approval, a limit, a policy. Nobody confuses the keycard with the mandate.

Then we gave the keycard to software that improvises.

An AI agent holds valid credentials, approved OAuth scopes, and access to real tools. Every permission check passes. And none of those checks can answer the only question that matters when the agent acts: is this specific action justified by the objective a human actually approved?

The industry's own leaders already describe the problem precisely. Okta's CEO compares deployed agents to "an insider threat... given all the access it needs." Microsoft's CEO says agents need identities, sandboxes, and policies to govern them. Forrester tells CISOs to "secure intent, not just infrastructure." The identity layer — who is this agent, what are its scopes — is being built right now, and it is necessary. It is also not sufficient. A valid token can still take an unauthorized action.

The gap has a shape

Watch real agent workflows and the failures are not exotic. They follow patterns:

None of these trip a permission check. None look anomalous. They are failures of authority — the layer between what an agent can do and what it was asked to do. That layer today is, in most deployments, nothing but hope and a system prompt.

What the authority layer must do

It must capture the chain — the human objective, each delegation that narrows it, every action taken under it — because authority is a chain, not an attribute. Delegation must narrow, never widen.

It must verify each action against that chain: within scope, outside every exclusion, inside every cumulative envelope — and explain its verdict by citing the chain, because an unexplained verdict is just another opinion.

It must treat uncertainty as escalation, never as approval. The one unforgivable failure is the silent allow.

And it must earn trust the way any control does: watch first. Monitor and produce evidence before shadowing, shadow before requiring approvals, approve before enforcing. Teams should adopt authority control the way they adopted every control they now rely on — gradually, with receipts.

Why we're building this

We believe autonomous agents are the biggest productivity unlock since the spreadsheet — and that enterprises will keep them on a short leash until someone can prove, action by action, that the leash isn't needed. Today the blocker isn't capability. It's that no one can answer "what did the agent do, and was it authorized?" with evidence instead of vibes.

That answer shouldn't be proprietary magic. We've published our taxonomy of authority drift — the chain modes and the drift classes — because an industry can only govern what it can name. We build the verifier, the evidence trail, and the benchmark that measures whether any of this actually works; the vocabulary belongs to everyone.

This is the beginning of a longer arc. First, see what agents do. Then, verify it against what was authorized. Then, prove it — cryptographically, if it matters enough. Somewhere down that road, "the agent might do something harmful" stops being a reason to say no, because the risk is measured, bounded, and auditable.

Permissions are not authority. The sooner we build the layer that knows the difference, the sooner we get to say yes to agents — confidently, and with proof.

Sources