Delegation as Contract, Not Token
A June 2026 framework proposes treating agentic delegation as a contractual term rather than a static consent credential. The distinction matters more than the terminology suggests.
On June 2, 2026, two authors posted an arXiv preprint proposing a compositional governance framework for authorization in agentic AI systems, arguing that existing identity and access management infrastructure, including OAuth 2.0, "fail to fully capture" what the paper calls "this notion of agency." The paper's diagnosis is precise about what is missing: existing systems lack "mechanisms for recursive delegation, contextual boundaries, and dynamic scoping as executable governance primitives." The phrase "executable governance primitives" is doing specific work. It distinguishes a policy that exists as written guidance from a policy that exists as a construct a running system can evaluate and enforce at the moment of an action.
The paper's core distinction is stated directly: "unlike access delegation standards such as OAuth 2.0, we treat delegation as a contractual term rather than merely a static token-based consent credential." OAuth 2.0 and comparable standards were designed for a world in which a human grants a bounded, mostly static scope of access to an application, once, at authorization time. That scope typically does not need to account for the granted application itself further delegating a subset of its access to a second application, which delegates to a third, with each layer needing its own accountability trace back to the original grant.
What breaks when delegation chains recurse
Agentic systems break this model routinely. An agent acting on a human's behalf may delegate a subtask to a second agent, which may delegate a further subtask to a third, each delegation potentially narrowing or altering the scope of what is permitted. The paper frames the requirement directly: "agents must inherit and delegate permissions, act under time-limited authority, and coordinate through shared protocols." A static token, minted once and presented at each hop, does not naturally encode who narrowed the scope at which step, or whose accountability a given action traces back to when three or four delegation hops separate the acting agent from the original human principal.
The paper's proposed remedy has two conceptual pieces. The first defines "types of delegation and their permissions and accountability implications," treating delegation itself as a typed relation rather than an undifferentiated grant of access. The second introduces what the paper calls "resource scope attenuation to bound agentic access envelopes," a formal mechanism ensuring that each delegation step can narrow the scope of access but never widen it beyond what the delegating party itself held.
The compositional operator, and what it does not require
The paper's most specific technical contribution is a compositional operator that, according to the abstract, "overlays new agentic semantics, such as recursive delegation chains, onto existing relational policies without rewriting them." This is an integration claim as much as a theoretical one. It asserts that an enterprise with an existing relational access-control policy, the kind already governing databases, financial systems, or internal tooling, does not need to discard that policy and rebuild it from scratch to accommodate agentic delegation. The new semantics compose on top of the old policy.
Whether that composability claim holds outside the paper's own formal proofs and its stated application to financial systems is a separate, harder question. Existing relational access-control systems in large enterprises are rarely uniform; they accumulate exceptions, legacy grants, and undocumented dependencies over years of operation. A compositional operator proven correct against a clean formal model of a policy is not automatically proven correct against the actual, historically accumulated policy running in production.
Accountability as the stated goal, not merely access control
The paper frames its ultimate aim as producing "a formal yet practical foundation for accountable authorization in agentic AI systems." Accountability, in this framing, means more than granting or denying access at each step. It means that after an action has occurred, three or four delegation hops removed from the original principal, it is possible to reconstruct which party authorized which narrowing of scope, and therefore which party bears responsibility if the action turns out to have exceeded what should have been permitted.
This ambition sits adjacent to a separate line of work on receiver-side attestation of agent actions, which addresses a related but distinct problem: verifying what an agent actually did, independent of the agent's own self-reported logs. The compositional authorization framework addresses a prior question, what an agent and its delegates were permitted to do at each step, which is a necessary but not sufficient condition for accountability. Knowing what was permitted does not by itself establish what actually happened.
The delegation chain as the unit that needs governing
The paper's framing implies a shift in what the object of governance should be. Rather than treating each individual agent as the unit whose permissions need to be checked, the framework treats the delegation chain itself, the recursive structure connecting an original principal to however many layers of delegated agents act on their behalf, as the structure that must be typed, scoped, and made accountable. That shift mirrors a broader pattern across recent agentic-security proposals: authorization checked once, at a single point, is increasingly treated as insufficient once delegation, rather than direct action, becomes the dominant mode by which agentic systems get work done.
Open Questions
- Does the compositional operator's proof of correctness against a formal relational policy model transfer to the accumulated, exception-laden access-control policies actually running in large enterprise financial systems?
- When a delegation chain spans multiple organizations, each running its own authorization infrastructure, who is responsible for verifying that resource scope attenuation was correctly enforced at every hop, rather than merely claimed?
- What happens when a delegate several hops removed from the original principal exceeds its narrowed scope, and the narrowing at an intermediate hop was itself improperly recorded? Which party's accountability does the framework assign the failure to?
- How does typed delegation interact with time-limited authority when a delegation chain outlives the time window of an intermediate grant, but the downstream agent has already acted on it?
- Does treating delegation as a contractual term, rather than a token, require legal or regulatory recognition of that contract for the accountability claim to hold in a dispute, and if so, does any such recognition currently exist?
- What auditing standard would confirm, independent of the framework's own formal proofs, that a live multi-organization deployment is actually enforcing the typed delegation and scope attenuation the paper specifies?
The governance artifact is retained. The governance function is not.