Building the next generation of authorization for autonomous AI agents.
Autonomous AI agents are beginning to collaborate across organizational boundaries. Rather than completing every task themselves, they decompose complex objectives into smaller activities and delegate responsibilities to specialized agents operated by different organizations.
Today's identity and authorization systems were designed for human users rather than autonomous software. Existing mechanisms such as OAuth, refresh tokens and API keys grant broad permissions with little control once delegation begins.
The Agentic Delegation Framework (ADF) is an ongoing project exploring a capability-based authorization model for autonomous AI agents. Instead of sharing identity credentials, agents exchange cryptographically verifiable capabilities describing exactly what actions may be performed, under which conditions and for how long.
The objective is to build secure, interoperable and accountable authorization mechanisms for future multi-agent ecosystems.
Current digital identity systems assume stable identities, fixed endpoints and direct interaction between users and online services. Protocols such as OpenID Connect authenticate human users before establishing authenticated sessions with applications.
Autonomous AI agents behave differently.
They receive high-level objectives such as "Organize my trip to Tokyo." They autonomously decompose those objectives into multiple subtasks before delegating responsibilities to specialized agents, frequently managed by independent organizations.
Consider a practical example.
Alice asks her AI assistant to organize a trip to Tokyo. The assistant delegates flight booking to an airline agent, hotel reservation to a hospitality agent and payment processing to a payment provider.
A delegation chain naturally emerges across multiple organizations.
Once Agent A delegates to Agent B and Agent B delegates to Agent C, Alice progressively loses visibility over which autonomous systems are acting on her behalf.
Every delegated agent should satisfy three fundamental properties.
Unfortunately, traditional authorization mechanisms fail in each of these aspects.
OAuth refresh tokens and API keys grant broad permissions that remain valid for extended periods of time. A payment token often authorizes unrestricted access to a user's credit card even when the intended authorization concerns only a single transaction.
Existing protocols also fail to preserve a cryptographic delegation chain linking every action back to the originating human authority. Consequently, accountability becomes extremely difficult whenever unexpected behaviour occurs.
The project investigates three fundamental questions.
RQ1. Which security risks emerge when traditional authorization mechanisms are applied to cross-domain agent-to-agent interactions?
RQ2. How can users maintain continuous supervision while autonomous agents build dynamic cross-organizational delegation chains?
RQ3. Which trust mechanisms enable secure collaboration among autonomous agents operating across independent domains?
The objective is to develop a capability-based authorization framework capable of providing formal guarantees of security, traceability and accountability for autonomous multi-agent ecosystems.
The Agentic Delegation Framework (ADF) explores a capability-based approach to secure delegation among autonomous AI agents. Rather than delegating identity credentials such as refresh tokens, ADF delegates cryptographically verifiable capabilities describing exactly what an agent is allowed to do, under which conditions and for how long.
Capabilities are intentionally restrictive. They describe permissions instead of identities and can be progressively attenuated as delegation moves from one autonomous agent to another. Every delegated permission remains cryptographically linked to the originating user, preserving traceability throughout the entire delegation chain.
Instead of granting an airline agent unrestricted access to payment credentials, ADF allows users to delegate permissions such as:
Book flights to Tokyo.
Maximum budget: $800.
Validity: 2 hours.
Single transaction only.
The receiving agent cannot exceed the delegated authority, extend its validity or reuse the capability for unrelated operations.
ADF is organized around three complementary building blocks.
| Component | Purpose |
|---|---|
| Agentic Delegation Protocol (ADP) | Defines cryptographic delegation, attenuation and verification between autonomous agents. |
| FIDO2 Capability Extension | Cryptographically binds delegated capabilities to the originating human user through strong authentication. |
| Legal Delegation Layer | Supports compliance, auditing and legal accountability for delegated actions. |
Consider again Alice's travel booking request.
Alice authenticates using FIDO2 and authorizes her personal AI assistant to organize a trip to Tokyo.
Instead of receiving unrestricted access to Alice's digital identity, the assistant receives a capability describing exactly what it is allowed to perform.
Travel booking.
Budget: $2,000.
Validity: 24 hours.
The assistant subsequently delegates a reduced capability to an airline agent.
Book Tokyo flights.
Maximum amount: $800.
Validity: 2 hours.
The airline agent delegates an even narrower capability to a payment provider.
Pay flight XY123.
Amount: $750.
Single execution.
No credential retention.
Every delegation step remains cryptographically verifiable and directly traceable to Alice. No delegated agent can exceed the permissions received from its parent, preventing privilege escalation across the delegation chain.
The project is currently focused on four complementary directions.
Future work will investigate interoperability with decentralized identity ecosystems, formal security verification and legal accountability mechanisms for autonomous decision-making.
Most authorization systems today remain identity-centric. They determine who is requesting access, but provide limited control over what may actually be delegated once autonomous agents begin collaborating.
ADF proposes a different perspective.
Rather than delegating identities, autonomous agents exchange capabilities describing concrete permissions. This shifts authorization from static identity management toward dynamic delegation, enabling secure cooperation across organizational boundaries while preserving user control.
As AI systems continue evolving into collaborative ecosystems, capability-based delegation offers a promising foundation for building trustworthy, interoperable and accountable agentic infrastructures.
Written by
Cristian Lepore