Whitepaper · THE ACTION LAYER · Part 2
The Authorization Chain
Why agent authorization is a chain, not a check
Abstract
Treating agent authorization as a single permit/deny check is the source of a predictable class of failures. Authorization is better understood as a chain of linked components, each answering a different question and held by a different authority. This paper makes the case for the chain, validates it against how financial systems, operating systems, and payment networks already work, and argues that a system without it is not insecure — it is incomplete.
First published with Execution Protocol.
Most systems treat agent authorization as a single question with a yes/no answer: is this allowed? That collapses a structure into a checkbox, and it is the source of a predictable class of failures. Today, models receive identities, identities receive tools, tools receive credentials — and the agent quietly becomes the principal. An identifier is not authority.
Authorization is not a check. It is a chain: a sequence of linked components, each answering a different question and each held by a different authority. Skip a link and the system can no longer tell you who decided, what authority they held, what was permitted, or what was actually done.
The six links
- Principal: Who owns the authority?
- Delegation: What was granted, and how far?
- Subject: Which agent is acting?
- Boundary: Is this specific action allowed?
- Proof: What actually happened?
- Signed execution: Was it carried out as authorized?
This is not a novel demand. Financial clearing, operating-system privilege separation, and payment networks all keep the principal and the subject as different things, and all keep a record distinct from the act. Agent systems are the outlier in collapsing them.
What the chain is not
- Not a centralized identity provider — the links are held by different authorities on purpose.
- Not a workflow tool or an approval queue.
- Not a credential vault — isolating secrets is one link, not the chain.
- Not a single product's feature. The significance is in the composition.
A system without this chain is not insecure. It is incomplete — it cannot answer the questions that matter the instant something goes wrong.
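The six links as a completeness check over an action record, as an added example that is not from the whitepaper or Execution Protocol. The record layout, field names, agent and action names, and the use of HMAC with per-authority demo keys in place of real signatures are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed demo keys, one per authority; HMAC stands in for real signatures (assumption).
KEYS = {"principal": b"demo-key-1", "policy": b"demo-key-2", "executor": b"demo-key-3"}

def _mac(authority, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[authority], msg, hashlib.sha256).hexdigest()

def signed(authority, body):
    """Wrap a record with the issuing authority and its MAC (hypothetical layout)."""
    return {"by": authority, "body": body, "sig": _mac(authority, body)}

def _valid(rec, authority):
    return (rec is not None and rec["by"] == authority
            and hmac.compare_digest(rec["sig"], _mac(authority, rec["body"])))

def missing_links(chain):
    """Return the names of the links this record cannot establish (empty = complete)."""
    d, b, x = (chain.get(k) for k in ("delegation", "boundary", "execution"))
    d_ok, b_ok, x_ok = _valid(d, "principal"), _valid(b, "policy"), _valid(x, "executor")
    gaps = []
    if not d_ok:
        gaps += ["principal", "delegation"]      # nobody provably granted anything
    if not (d_ok and b_ok and d["body"]["subject"] == b["body"]["subject"]):
        gaps.append("subject")                   # acting agent is not tied to the grant
    if not (d_ok and b_ok and b["body"]["decision"] == "permit"
            and b["body"]["action"] in d["body"]["scope"]):
        gaps.append("boundary")                  # action not permitted within the granted scope
    if x is None:
        gaps.append("proof")                     # no record of what happened
    if not (b_ok and x_ok and x["body"]["action"] == b["body"]["action"]):
        gaps.append("signed execution")          # record is not bound to the decision
    return gaps

# Constructed sample records; agent and action names are hypothetical.
FULL = {
    "delegation": signed("principal", {"principal": "alice", "subject": "agent-7",
                                       "scope": ["refund:create"]}),
    "boundary": signed("policy", {"subject": "agent-7", "action": "refund:create",
                                  "decision": "permit"}),
    "execution": signed("executor", {"subject": "agent-7", "action": "refund:create",
                                     "result": "ok"}),
}
# The collapsed case from the text: the agent acted on a credential and nothing else exists.
COLLAPSED = {"execution": FULL["execution"]}
```

In the collapsed case a record of the act exists, yet every other link is unanswerable, which is the incompleteness the paper describes.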
Cite this
Watts, A. (2026). The Authorization Chain: Why agent authorization is a chain, not a check. Antoni Watts. https://www.executionprotocol.dev/whitepapers/the-authorization-chain
DOI pending — Zenodo mint on release (see docs/concept/02_CONTENT_MODEL.md)
Antoni Watts · CC BY 4.0 · part of an ongoing research series