Skip to content

Whitepaper · THE ACTION LAYER · Part 2

The Authorization Chain

Why agent authorization is a chain, not a check

A. Watts··14 min·patent-pending architecture

Abstract

Treating agent authorization as a single permit/deny check is the source of a predictable class of failures. Authorization is better understood as a chain of linked components, each answering a different question and held by a different authority. This paper makes the case for the chain, validates it against how financial systems, operating systems, and payment networks already work, and argues that a system without it is not insecure — it is incomplete.

First published with Execution Protocol. Read the version of record ↗


Most systems treat agent authorization as a single question with a yes/no answer: is this allowed? That collapses a structure into a checkbox, and it is the source of a predictable class of failures. Today, models receive identities, identities receive tools, tools receive credentials — and the agent quietly becomes the principal. An identifier is not authority.

Authorization is not a check. It is a chain: a sequence of linked components, each answering a different question and each held by a different authority. Skip a link and the system can no longer tell you who decided, what authority they held, what was permitted, or what was actually done.

The six links

1

Principal

Who owns the authority?
The human or organization that actually holds the right to act.
2

Delegation

What was granted, and how far?
A bounded grant — scope, limits, expiry — handed to an agent. Not a blank cheque.
3

Subject

Which agent is acting?
A registered, identifiable agent — a subject distinct from the principal, never collapsed into it.
4

Boundary

Is this specific action allowed?
Deterministic enforcement against the structured request, before anything commits.
5

Proof

What actually happened?
A signed receipt for the outcome — including the actions that were refused.
6

Signed execution

Was it carried out as authorized?
The committed action, attested — so the record and the reality match.

This is not a novel demand. Financial clearing, operating-system privilege separation, and payment networks all keep the principal and the subject as different things, and all keep a record distinct from the act. Agent systems are the outlier in collapsing them.

What the chain is not

  • Not a centralized identity provider — the links are held by different authorities on purpose.
  • Not a workflow tool or an approval queue.
  • Not a credential vault — isolating secrets is one link, not the chain.
  • Not a single product's feature. The significance is in the composition.

A system without this chain is not insecure. It is incomplete — it cannot answer the questions that matter the instant something goes wrong.

Cite this

Watts, A. (2026). The Authorization Chain: Why agent authorization is a chain, not a check. Antoni Watts. https://www.executionprotocol.dev/whitepapers/the-authorization-chain

Version of record ↗

DOI pending — Zenodo mint on release (see docs/concept/02_CONTENT_MODEL.md)

Antoni Watts · CC BY 4.0 · part of an ongoing research series