Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure

πŸ“… 2026-05-06
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF

career value

235K/year
πŸ€– AI Summary
This study addresses the challenge of maintaining authorization invariance when non-human agents in multi-agent AI systems operate across trust boundariesβ€”a problem inadequately handled by existing access control models. The work formally defines this issue for the first time, modeling it as a workflow-level property and identifying three core challenges: transitive delegation, aggregate inference, and temporal validity. It articulates seven architectural requirements, emphasizing that identity governance must serve as foundational infrastructure, enforced at every interaction boundary and prioritized over orchestration logic. The authors propose a novel authorization architecture incorporating capability-bound tokens, task-scoped authorization envelopes, dependency-graph-driven policy enforcement, and revocation based on execution counts. An initial implementation on an enterprise AI platform demonstrates that routine operations can readily trigger authorization violations, thereby validating the necessity and forward-looking nature of the proposed model.
πŸ“ Abstract
The security discussion around agentic AI focuses heavily on prompt injection. This paper argues that multi-agent systems also create a distinct authorization problem: maintaining authorization invariants as non-human principals retrieve data, delegate tasks, and synthesize results across changing boundaries. We call this problem authorization propagation. It is not reducible to prompt injection and is not fully addressed by classical access-control models such as RBAC, ABAC, or ReBAC. The paper formalizes authorization propagation as a workflow-level property, identifies three sub-problems (transitive delegation, aggregation inference, and temporal validity), and derives seven structural requirements for authorization architectures in multi-agent AI systems. Recent work on invocation-bound capability tokens, task-scoped authorization envelopes, dependency-graph policy enforcement, and execution-count revocation demonstrates that the field is converging on the problem, but not yet on a complete architecture. The central claim is that identity governance must be treated as infrastructure: evaluated continuously, enforced at every interaction boundary, and designed into the system before orchestration logic is allowed to scale. Preliminary implementation evidence from a production enterprise AI platform shows that ordinary system behavior, not only adversarial action, already produces the failures this model predicts.
Problem

Research questions and friction points this paper is trying to address.

authorization propagation
multi-agent AI systems
identity governance
access control
non-human principals
Innovation

Methods, ideas, or system contributions that make the work stand out.

authorization propagation
multi-agent AI systems
identity governance
task-scoped authorization
capability tokens