pith. machine review for the scientific record.

arxiv: 2605.05440 · v1 · submitted 2026-05-06 · 💻 cs.AI


Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure


Pith reviewed 2026-05-08 16:34 UTC · model grok-4.3

classification 💻 cs.AI
keywords: authorization propagation, multi-agent AI, identity governance, access control, delegation, workflow security, enterprise AI platforms

The pith

Authorization propagation in multi-agent AI systems requires treating identity governance as continuous infrastructure enforced at every boundary.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper identifies authorization propagation as a distinct problem in multi-agent AI where non-human principals must maintain authorization invariants while retrieving data, delegating tasks, and synthesizing results across changing boundaries. This issue is separate from prompt injection and not fully solved by classical models such as RBAC, ABAC, or ReBAC. The authors formalize it as a workflow-level property, break it into three sub-problems of transitive delegation, aggregation inference, and temporal validity, and derive seven structural requirements for authorization architectures. They conclude that identity governance must be designed into the system as infrastructure before orchestration scales, with evidence from ordinary operation in a production enterprise platform confirming the predicted failures.

Core claim

The central claim is that identity governance must be treated as infrastructure: evaluated continuously, enforced at every interaction boundary, and designed into the system before orchestration logic is allowed to scale. Authorization propagation is formalized as a workflow-level property that produces three sub-problems during normal multi-agent operation, and recent approaches such as invocation-bound capability tokens and dependency-graph policy enforcement show partial convergence without a complete architecture.

What carries the argument

Authorization propagation as a workflow-level property, decomposed into the sub-problems of transitive delegation, aggregation inference, and temporal validity, together with the seven structural requirements derived for multi-agent authorization architectures.

If this is right

  • Authorization architectures must enforce invariants continuously at every interaction boundary rather than relying on initial grants.
  • Orchestration logic in multi-agent systems cannot safely scale until identity governance infrastructure is already in place.
  • Solutions using task-scoped authorization envelopes and execution-count revocation must be evaluated against the full set of seven requirements.
  • Ordinary delegation and result synthesis in production systems will continue to produce authorization failures without the infrastructure treatment.
  • The field is converging on components such as capability tokens and dependency-graph enforcement but requires a unified architecture to address propagation completely.
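
An added example, not code from the paper or from Pith: a toy workflow that contrasts a one-time admission check with re-evaluation at every boundary, with one step that trips each of the three sub-problems. The principal, agent names, data labels, logical clock and the modelling of aggregation inference as forbidden label combinations are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """Authority of the originating human principal, carried with the task."""
    principal: str
    scope: frozenset              # data labels the principal may read
    expires_at: int               # logical tick after which the grant is void
    forbidden_joins: tuple = ()   # label sets that must not meet in one output

# Constructed sample data; every name below is hypothetical.
GRANT = Grant("alice", frozenset({"hr.names", "fin.salary"}), expires_at=5,
              forbidden_joins=(("hr.names", "fin.salary"),))
AGENT_SCOPE = {"orchestrator": {"hr.names", "fin.salary"},   # service-account scopes
               "finance-agent": {"hr.names", "fin.salary", "fin.forecast"}}
STEPS = [  # (tick, agent, boundary, labels touched)
    (1, "orchestrator", "retrieve", {"hr.names"}),
    (2, "finance-agent", "retrieve", {"fin.salary"}),
    (3, "finance-agent", "retrieve", {"fin.forecast"}),
    (4, "orchestrator", "synthesize", {"hr.names", "fin.salary"}),
    (9, "orchestrator", "retrieve", {"hr.names"}),
]

def violations(grant, agent, labels, now):
    """Invariants checked at one boundary; an empty list means allowed."""
    labels = frozenset(labels)
    # Delegation may only narrow authority: user scope AND agent scope.
    effective = grant.scope & frozenset(AGENT_SCOPE[agent])
    found = []
    if not labels <= effective:
        found.append("exceeds_delegated_scope")   # transitive delegation
    if any(frozenset(j) <= labels for j in grant.forbidden_joins):
        found.append("aggregation_inference")     # combined output is restricted
    if now > grant.expires_at:
        found.append("temporal_validity")         # grant lapsed mid-workflow
    return found

def admission_only(grant, steps, start=0):
    """Weak design: check the user's grant once, then trust each agent's own scope."""
    if start > grant.expires_at:
        return []
    return [s[0] for s in steps if s[3] <= AGENT_SCOPE[s[1]]]

def per_boundary(grant, steps):
    """Re-evaluate the originating grant at every step of the workflow."""
    allowed, refused = [], []
    for tick, agent, boundary, labels in steps:
        found = violations(grant, agent, labels, tick)
        (refused if found else allowed).append((tick, boundary, found))
    return allowed, refused

if __name__ == "__main__":
    print(admission_only(GRANT, STEPS), per_boundary(GRANT, STEPS)[1])
```

The admission-only path executes all five steps because each agent acts within its own service-account scope, while the per-boundary path refuses the three steps that break the originating principal's grant.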

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The framework could extend to non-AI multi-agent systems such as robotic swarms where delegation chains create similar validity and inference risks.
  • Integration with prompt-level defenses might produce layered security that treats both injection and propagation as first-class infrastructure concerns.
  • Open multi-agent platforms could be instrumented to test the seven requirements and measure reduction in unauthorized data synthesis.
  • The emphasis on continuous evaluation suggests identity tracking must become a native layer in agent runtimes rather than an add-on policy engine.

Load-bearing premise

That the described authorization failures arise from ordinary system behavior in multi-agent setups and are not fully addressed by existing models like RBAC, ABAC, ReBAC or prompt injection defenses.

What would settle it

Observe whether a multi-agent system built to satisfy the seven structural requirements eliminates the three sub-problems of authorization propagation during ordinary non-adversarial operation.

Original abstract

The security discussion around agentic AI focuses heavily on prompt injection. This paper argues that multi-agent systems also create a distinct authorization problem: maintaining authorization invariants as non-human principals retrieve data, delegate tasks, and synthesize results across changing boundaries. We call this problem authorization propagation. It is not reducible to prompt injection and is not fully addressed by classical access-control models such as RBAC, ABAC, or ReBAC. The paper formalizes authorization propagation as a workflow-level property, identifies three sub-problems (transitive delegation, aggregation inference, and temporal validity), and derives seven structural requirements for authorization architectures in multi-agent AI systems. Recent work on invocation-bound capability tokens, task-scoped authorization envelopes, dependency-graph policy enforcement, and execution-count revocation demonstrates that the field is converging on the problem, but not yet on a complete architecture. The central claim is that identity governance must be treated as infrastructure: evaluated continuously, enforced at every interaction boundary, and designed into the system before orchestration logic is allowed to scale. Preliminary implementation evidence from a production enterprise AI platform shows that ordinary system behavior, not only adversarial action, already produces the failures this model predicts.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims that multi-agent AI systems introduce a distinct problem of 'authorization propagation'—maintaining workflow-level authorization invariants across transitive delegation, aggregation inference, and temporal validity—that is not reducible to prompt injection or fully addressed by classical models (RBAC, ABAC, ReBAC). It formalizes the problem, identifies three sub-problems, derives seven structural requirements for authorization architectures, notes convergence in recent work on capability tokens and dependency-graph policies, and concludes that identity governance must be treated as infrastructure (continuously evaluated and enforced at every boundary) before orchestration scales. Preliminary evidence from one production enterprise platform is cited to show that ordinary (non-adversarial) behavior already triggers the predicted failures.

Significance. If the central claim holds, the work would be significant for AI security by identifying a scalable authorization gap that current models do not close, potentially informing infrastructure-level designs for agentic systems. It explicitly credits convergence in recent literature on invocation-bound tokens, task-scoped envelopes, and execution-count revocation, and supplies preliminary implementation evidence from a production platform as an existence proof for the predicted failures.

major comments (2)
  1. [Abstract / Requirements derivation] Abstract and the section deriving the seven requirements: the claim that authorization propagation 'is not fully addressed by classical access-control models such as RBAC, ABAC, or ReBAC' is asserted without an explicit counterexample, formal gap analysis, or demonstration that augmented ReBAC (e.g., with dependency-graph policies) fails to maintain the three workflow invariants; this non-reducibility step is load-bearing for the conclusion that identity governance must be re-architected as infrastructure.
  2. [Implementation evidence] The section presenting preliminary implementation evidence: the claim that 'ordinary system behavior, not only adversarial action, already produces the failures' rests on a single production platform with no reported methods, data, controls, or metrics; this weakens the empirical support for treating the formalization as predictive.
minor comments (1)
  1. [Abstract] The abstract is dense and would benefit from a brief parenthetical example of one sub-problem (e.g., how aggregation inference differs from standard ReBAC inference) to improve accessibility for readers outside security.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The two major comments identify areas where the manuscript's argumentation and evidence presentation can be strengthened without altering the core claims. We address each point below and will revise the manuscript accordingly.

Point-by-point responses
  1. Referee: [Abstract / Requirements derivation] Abstract and the section deriving the seven requirements: the claim that authorization propagation 'is not fully addressed by classical access-control models such as RBAC, ABAC, or ReBAC' is asserted without an explicit counterexample, formal gap analysis, or demonstration that augmented ReBAC (e.g., with dependency-graph policies) fails to maintain the three workflow invariants; this non-reducibility step is load-bearing for the conclusion that identity governance must be re-architected as infrastructure.

    Authors: We agree that the non-reducibility claim would benefit from an explicit demonstration rather than being carried implicitly by the requirements derivation. In the revised manuscript we will insert a dedicated subsection that provides a concrete counterexample: a workflow in which an agent aggregates results from two delegated sub-tasks whose individual authorizations are valid under a dependency-graph policy, yet the aggregated output violates the original principal's temporal validity constraint because the policy cannot re-evaluate the composite authorization at the aggregation boundary. This example will be tied directly to the three sub-problems and will show why even augmented ReBAC fails to satisfy all seven structural requirements without continuous infrastructure-level enforcement.
    Revision: yes

  2. Referee: [Implementation evidence] The section presenting preliminary implementation evidence: the claim that 'ordinary system behavior, not only adversarial action, already produces the failures' rests on a single production platform with no reported methods, data, controls, or metrics; this weakens the empirical support for treating the formalization as predictive.

    Authors: We accept that the current description of the implementation evidence is insufficiently detailed. In the revision we will expand the section to outline the platform architecture at a high level, the specific non-adversarial failure modes observed (unauthorized cross-agent data aggregation and temporal drift in delegated workflows), and the existing controls that were active. We will add an explicit limitations paragraph stating that the data constitute an existence proof rather than a controlled empirical study and that full metrics cannot be disclosed for proprietary reasons. This will clarify the evidentiary role of the example while preserving confidentiality.
    Revision: partial

Circularity Check

0 steps flagged

No significant circularity; derivation remains self-contained

Full rationale

The paper formalizes authorization propagation as a workflow-level property, identifies three sub-problems, and states that seven structural requirements follow from that formalization. No equations, fitted parameters, or self-referential definitions appear in the abstract or description; the requirements are presented as derived rather than presupposed. No self-citation chains, ansatzes smuggled via prior work, or renaming of known results are invoked as load-bearing steps. The claim of non-reducibility to RBAC/ABAC/ReBAC is asserted rather than proven, but assertion is not circularity. Preliminary implementation evidence is offered as external support, not as the source of the model itself. The chain is therefore independent of its inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The central claim rests on domain assumptions about multi-agent behavior and the insufficiency of prior models; no free parameters or invented entities with independent evidence are introduced beyond the new framing.

axioms (2)
  • domain assumption: Multi-agent AI systems involve non-human principals that retrieve data, delegate tasks, and synthesize results across changing boundaries in ways that create authorization invariants.
    Stated directly in the abstract as the setting for the distinct problem.
  • domain assumption: Classical access-control models such as RBAC, ABAC, or ReBAC and prompt-injection defenses do not fully address the authorization propagation problem.
    Explicitly asserted in the abstract as the motivation for the new formalization.
invented entities (1)
  • authorization propagation (no independent evidence)
    purpose: To name and formalize the workflow-level authorization problem in multi-agent systems as distinct from prompt injection.
    Introduced as the core new concept; no independent falsifiable evidence outside the paper is provided in the abstract.

pith-pipeline@v0.9.0 · 5495 in / 1388 out tokens · 96010 ms · 2026-05-08T16:34:34.742665+00:00 · methodology
