In recursive delegation chains (Agent A to B to C), authority constraints degrade at each hop. A $5K approval authority becomes $50K through local-only policy checks.
When an agent delegates a task to another agent (or a human operator delegates through an agent, which then delegates to another agent), the original authorization constraints and approval ceilings are often not propagated cryptographically to the receiving party. Instead, each intermediate agent or system checks only local policy, enforces only local ceilings, and passes forward only partial information about the original constraint.
This creates a decay effect: a payment approval authority that started at "$5K per transaction, requires human review above $10K" might degrade at the first handoff to "$10K per transaction, review at $50K" (a local policy that is stricter than the original but not as strict) and then at the second handoff to "$50K per transaction, no review required" (the final agent or system has no knowledge of the original constraint and enforces only its own local policy, which may be more permissive).
This is fundamentally agentic because agents are decision-making systems that make invocations on behalf of their delegators, and the decision-making context (what constraints apply) is not automatically propagated in most delegation frameworks. A traditional access control system would enforce the same policy everywhere. An agent-mediated delegation chain, by contrast, can lose constraint information at each handoff.
A compliance officer at an insurance company approves an agent to manage claim approvals for a specific customer account, with a constraint of "$50K maximum per claim without human escalation." The officer invokes the agent with this constraint, but the constraint is passed as a text note in the task description, not as a cryptographic or technically enforced boundary.
The claim approval agent, receiving this instruction, decides that for complex claims, it should delegate to a specialized claims analysis agent to gather additional information. The claim analysis agent receives the task but does not receive the original constraint (it is not embedded in the API call, just in the parent agent's memory). The analysis agent checks its own local authorization policy, which specifies "$100K maximum for automated approval," and considers itself within bounds.
The analysis agent completes its analysis and passes the results back to the approval agent with a recommendation to approve a $95K claim (which is within the analysis agent's local policy). The approval agent receives the recommendation and, now having the detailed analysis, overrides its recollection of the original $50K constraint, reasoning that the analysis justifies the higher amount. It approves the $95K claim without human review.
Later, an internal audit discovers that claims above $50K should have triggered human escalation per the company's claims procedures. The claim violated the original constraint, but the constraint was lost in translation through the agent-to-agent delegation. The insurer's regulator (state insurance commissioner) flags this as a control failure under the state's model audit rule for claims management. The insurer must submit a corrective action plan.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Constraint decay is visible only through audit of delegation chains. Distributed decision-making masks the violation. |
| A - Autonomy Sensitivity | 4 | Each agent in the chain makes decisions independently. Constraints are not enforced at decision points. |
| M - Multiplicative Potential | 3 | Impact scales with the number of delegation hops and the magnitude of constraint expansion at each hop. |
| A - Attack Surface | 4 | Delegation mechanism and API design determine whether constraints are propagated. Most systems do not propagate constraints by default. |
| G - Governance Gap | 5 | No standard framework (NIST, OWASP, ISO 42001) requires cryptographic propagation of delegation constraints. |
| E - Enterprise Impact | 4 | Claims overpayment (financial loss), regulatory findings, corrective action plans, reputational damage for control failure. |
| Composite DAMAGE Score | 3.9 | High. Requires priority remediation and continuous monitoring. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human in the loop at each step. Constraints are revalidated by humans at each delegation point. |
| Digital Apprentice | Low | Apprentice governance model requires explicit constraint propagation. Constraints are audited at each handoff. |
| Autonomous Agent | High | Agent delegates autonomously. Constraints are not automatically propagated to receiving agents. |
| Delegating Agent | Critical | Agent delegates via tool invocation. Constraints are passed as parameters, not enforced. Decay is undetected. |
| Agent Crew / Pipeline | Critical | Multiple agents in sequence. Constraints decay at each pipeline stage. Final agent operates under degraded constraints. |
| Agent Mesh / Swarm | Critical | Peer-to-peer delegation with no global constraint registry. Constraints decay rapidly through peer network. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Partial | GOVERN.2, GOVERN.3 | Recommends documented access controls and delegation review. | Does not require cryptographic propagation of constraints. |
| State Insurance Model Audit Rule | Addressed | Model Audit Rule Section 5 (Controls) | Expects documented procedures for claim approval and escalation. | Does not anticipate agent-mediated delegation or constraint decay. |
| ISO 42001 | Partial | Section 8.5 (Access Control) | Recommends role-based access control and documented procedures. | Does not address constraint propagation in delegation chains. |
| OWASP Agentic Top 10 | Partial | A04:2024 Impermissible Tool Use | Addresses unauthorized operations. | Does not address constraint decay through delegation. |
| SOX Section 302 | Partial | 15 U.S.C. 7262 | Requires documented internal controls and CEO/CFO certification. | Does not anticipate agent-mediated control degradation. |
In insurance, banking, and corporate finance, authorization ceilings (limits on claim approvals, transaction authorizations, credit exposures) are core control mechanisms designed to prevent fraud and ensure capital adequacy. Regulators expect these ceilings to be enforced consistently regardless of who (or what) is making the decision.
When agents delegate among themselves, traditional authorization frameworks break down. Each agent sees only its local policy and the direct inputs it receives. If the original constraint is not cryptographically embedded (e.g., in a signed token or verified delegation chain), it can be lost or misinterpreted at each handoff. The result is that constraints designed to limit aggregate risk end up being enforced at different levels across the organization, creating control gaps.
Under state insurance regulatory frameworks and SOX (for financial institutions), this is a documented control failure that requires corrective action. Regulators expect organizations to demonstrate that critical controls (like approval ceilings) are enforced consistently and cannot be circumvented through delegation.
Permission Ceiling Decay requires cryptographic constraint propagation across delegation chains. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
Schedule a Briefing