Digital Identity for Agentic Systems: Toward a Portable Authorization Standard for Autonomous Agents
Pith reviewed 2026-05-13 01:58 UTC · model grok-4.3
The pith
Autonomous agents need explicit authorization payloads that any receiver can interpret the same way across trust boundaries.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper claims that a portable authorization model for autonomous agents can be built from issuer-authored authorization payloads, typed constraint algebra, decision-consistent evaluation semantics, delegation attenuation, governed semantic resolution, fail-closed processing, and pre-flight discovery. By keeping credential containers, authorization payload semantics, and enforcement engines distinct, different technical profiles preserve a single authorization meaning as agents move between organizations.
What carries the argument
The separation of credential containers from authorization payload semantics and enforcement engines, which carries the common authorization meaning across profiles such as JWT/JWS or Verifiable Credentials.
If this is right
- Agents can delegate authority only with explicit attenuation so limits travel with the delegation.
- Fail-closed processing blocks any action whose permission is not clearly granted.
- Pre-flight discovery lets an agent learn its effective permissions before starting a workflow.
- Insurance and supply-chain workflows gain consistent enforcement without building new point-to-point integrations.
- Existing identity formats can be reused while the authorization rules stay portable and auditable.
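The first two consequences above, sketched in Python as an added illustration that comes from neither the paper nor this review. The paper supplies no operators, so the two constraint types (`max`, `one_of`), the attribute names and the claims payloads are assumptions constructed for the example; attenuation is modeled as per-attribute intersection.

```python
# Added example: constraint types, field names and payloads are assumptions,
# not definitions from the paper.

def attenuate(parent, child):
    """Effective constraints of a delegation: per-attribute intersection."""
    effective = dict(parent)  # every parent limit travels with the delegation
    for attr, (kind, limit) in child.items():
        if attr not in parent:
            effective[attr] = (kind, limit)  # an extra restriction only narrows
            continue
        parent_kind, parent_limit = parent[attr]
        if kind != parent_kind:
            raise ValueError(f"{attr}: constraint type changed in delegation")
        if kind == "max":
            effective[attr] = ("max", min(parent_limit, limit))
        elif kind == "one_of":
            effective[attr] = ("one_of", frozenset(parent_limit) & frozenset(limit))
        else:
            raise ValueError(f"{attr}: unknown constraint type {kind!r}")
    return effective

def _satisfied(kind, limit, value):
    if kind == "max":
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        return is_number and value <= limit
    if kind == "one_of":
        return value in limit
    raise ValueError(f"unknown constraint type {kind!r}")

def evaluate(constraints, request):
    """Fail-closed decision: anything not clearly granted is denied."""
    try:
        if "action" not in constraints:  # no action allow-list grants nothing
            return "deny"
        for attr, (kind, limit) in constraints.items():
            if attr not in request or not _satisfied(kind, limit, request[attr]):
                return "deny"
        return "allow"
    except Exception:  # malformed or unknown constraint: deny, never guess
        return "deny"

# Constructed payloads: what the issuer granted, and what the agent tries to
# pass on to a sub-agent (broader on both attributes).
ISSUED = {"action": ("one_of", {"claims.read", "claims.approve"}),
          "amount": ("max", 10_000)}
DELEGATED = {"action": ("one_of", {"claims.approve", "claims.pay"}),
             "amount": ("max", 50_000)}

if __name__ == "__main__":
    effective = attenuate(ISSUED, DELEGATED)
    for req in ({"action": "claims.approve", "amount": 5_000},
                {"action": "claims.approve", "amount": 20_000},
                {"action": "claims.pay", "amount": 100}):
        print(req, "->", evaluate(effective, req))
```

The sub-agent ends up with `claims.approve` capped at 10,000 even though the delegation asked for more, and a request that omits a constrained attribute or meets an unrecognized constraint type is denied.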
Where Pith is reading between the lines
- Agent platforms may need to embed the evaluation semantics directly so that constraints are checked before any external call is made.
- Audit logs could record the exact constraint algebra that produced each decision, easing regulatory review of agent actions.
- The model suggests that revocation lists or status checks can be tied to the authorization payload rather than the underlying credential alone.
- Testing with real cross-organization agent runs would show whether the semantic resolution rules prevent conflicting interpretations in practice.
Load-bearing premise
Independent receivers will apply the typed constraint rules and evaluation semantics in exactly the same way without extra shared standards or implementation agreements.
What would settle it
Two separate implementations receive identical authorization payloads for the same agent action and reach different allow-or-deny decisions.
Original abstract
Enterprise AI is shifting from copilots to autonomous agents capable of executing workflows, negotiating outcomes, and making decisions with limited human oversight. As these systems extend across organizational boundaries, identity alone is insufficient: an agent's authority must also be explicit, constrained, auditable, revocable, and consistently interpretable by independent receivers. This paper analyzes representative enterprise use cases in insurance claims processing and supply chain integrity to surface structural gaps in existing identity and access models. It proposes a portable authorization model for autonomous agents based on issuer-authored authorization payloads, typed constraint algebra, decision-consistent evaluation semantics, delegation attenuation, governed semantic resolution, fail-closed processing, and pre-flight discovery. The model separates credential containers, authorization payload semantics, and enforcement engines, allowing profiles such as JWT/JWS, Verifiable Credentials, OAuth Rich Authorization Requests, or policy-engine bindings to preserve a common authorization meaning across trust boundaries.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper analyzes gaps in existing identity and access models for autonomous enterprise AI agents operating across organizational boundaries, using insurance claims processing and supply chain integrity as motivating use cases. It proposes a portable authorization model built on issuer-authored authorization payloads, typed constraint algebra, decision-consistent evaluation semantics, delegation attenuation, governed semantic resolution, fail-closed processing, and pre-flight discovery. The model separates credential containers (e.g., JWT/JWS, Verifiable Credentials, OAuth RAR) from payload semantics and enforcement engines to enable consistent authorization meaning and decisions across trust boundaries.
Significance. If the proposed components can be formalized and shown to produce identical decisions at independent receivers, the work would offer a practical path toward interoperable authorization standards for agentic systems. The use-case analysis usefully surfaces real enterprise requirements for constrained, auditable, and revocable authority; the separation of concerns is a sound architectural principle that could reduce fragmentation if the semantics are made precise.
major comments (2)
- [Proposed portable authorization model (as described in the abstract and model overview)] The central claim that profiles such as JWT/JWS, Verifiable Credentials, and OAuth Rich Authorization Requests 'preserve a common authorization meaning across trust boundaries' rests on the unformalized 'typed constraint algebra' and 'decision-consistent evaluation semantics'. No operators, typing rules, axioms, or canonical evaluation procedure are supplied for the algebra, so nothing enforces that two independent receivers compute the same outcome for a given payload even under fail-closed processing. This directly weakens the assertion of consistent interpretation without additional standardization.
- [Proposed portable authorization model (as described in the abstract and model overview)] Delegation attenuation and governed semantic resolution are listed as core mechanisms yet receive no operational definitions or rules for how attenuation is computed or how semantic resolution is governed. Without these, the claim that the model supports revocable and constrained authority across receivers cannot be evaluated.
minor comments (2)
- [Use-case analysis] The use-case descriptions in insurance claims and supply chain would be strengthened by at least one concrete example showing a specific failure mode of an existing model (e.g., JWT scope or VC attribute) that the proposed elements would resolve.
- [Throughout] Terminology such as 'pre-flight discovery' and 'fail-closed processing' should be defined on first use or in a glossary to aid readers unfamiliar with the proposed terminology.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive review. The comments correctly identify areas where the manuscript would benefit from greater precision in the proposed model's formal elements. We address each major comment below and will revise the manuscript to incorporate additional detail.
- Referee: [Proposed portable authorization model (as described in the abstract and model overview)] The central claim that profiles such as JWT/JWS, Verifiable Credentials, and OAuth Rich Authorization Requests 'preserve a common authorization meaning across trust boundaries' rests on the unformalized 'typed constraint algebra' and 'decision-consistent evaluation semantics'. No operators, typing rules, axioms, or canonical evaluation procedure are supplied for the algebra, so nothing enforces that two independent receivers compute the same outcome for a given payload even under fail-closed processing. This directly weakens the assertion of consistent interpretation without additional standardization.
  Authors: We agree that the manuscript introduces the typed constraint algebra and decision-consistent evaluation semantics at a conceptual level without supplying a complete set of operators, typing rules, or a canonical evaluation procedure. The paper's primary contribution is the architectural separation of credential containers from payload semantics and the identification of required properties (including fail-closed processing) to support portability. To strengthen the central claim, the revised manuscript will include an expanded model section that defines a core set of operators for the constraint algebra, basic typing rules, and a high-level canonical evaluation procedure sufficient to demonstrate decision consistency under the stated semantics.
  Revision: yes
- Referee: [Proposed portable authorization model (as described in the abstract and model overview)] Delegation attenuation and governed semantic resolution are listed as core mechanisms yet receive no operational definitions or rules for how attenuation is computed or how semantic resolution is governed. Without these, the claim that the model supports revocable and constrained authority across receivers cannot be evaluated.
  Authors: We concur that operational definitions are necessary to evaluate the claims about delegation attenuation and governed semantic resolution. The manuscript currently presents these as essential mechanisms for supporting revocable and constrained authority but does not provide the computational rules or governance procedures. In the revision we will add dedicated subsections that supply operational definitions, including rules for computing attenuation (such as constraint intersection and reduction) and governance for semantic resolution (such as reference to issuer-controlled vocabularies or discovery registries). This will make the support for cross-boundary revocable authority more rigorously assessable.
  Revision: yes
Circularity Check
Conceptual proposal with no derivation chain or self-referential reduction
The manuscript is a design proposal that introduces concepts such as issuer-authored authorization payloads, typed constraint algebra, delegation attenuation, and governed semantic resolution to address gaps in existing identity models. No equations, fitted parameters, or predictive derivations are present. The text does not invoke self-citations as load-bearing justifications, nor does it define any element in terms of another element it claims to derive. The separation of credential containers, payload semantics, and enforcement engines is presented as an architectural choice rather than a result forced by prior definitions or fits. This is a standard non-circular outcome for a standards-oriented proposal paper.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Enterprise AI is shifting from copilots to autonomous agents capable of executing workflows with limited human oversight.
- domain assumption: Existing identity and access models have structural gaps for agent authority across organizational boundaries.
invented entities (4)
- typed constraint algebra: no independent evidence
- delegation attenuation: no independent evidence
- governed semantic resolution: no independent evidence
- fail-closed processing: no independent evidence