When an agent delegates to another agent, the original authority constraints and governance intent are not propagated cryptographically. Receiving agent has no verifiable record of delegated scope.
When a human delegates authority to an agent, the agent is supposed to operate within the scope of the delegation. When that agent then delegates to another agent, the original scope constraints should carry forward. However, in most agent systems, delegation is an implicit or informal process: one agent calls another agent's API, passes some parameters, and hopes the receiving agent understands the constraints.
There is no cryptographic proof of what authority was delegated, what constraints apply, or what scope limits the receiving agent should enforce. The receiving agent has no way to verify that its delegating agent was actually authorized to delegate, and no way to verify what constraints should apply.
This is fundamentally agentic because agent-to-agent delegation is a core pattern in agent systems. When agents are distributed and autonomous, they inevitably delegate to other agents. Without cryptographic proof of delegation and constraints, these chains become opaque to governance and audit.
A large bank has a distributed governance system where compliance officer A can approve spending on certain categories. Compliance officer A, instead of manually reviewing all expenses, delegates to an autonomous agent. The officer tells the agent: "Approve operational expenses under $25K. Escalate requests above $25K to a human."
The agent is working well but is overwhelmed. It decides to delegate detailed analysis of operational expense categories to a specialized sub-agent. The first agent calls the sub-agent's API and says "Analyze these expenses and recommend approval or escalation." However, it does not explicitly communicate the $25K ceiling or the escalation policy to the sub-agent.
The sub-agent, not knowing the constraint, checks its own local policy for expense approval. The sub-agent's local policy says "Approve category X expenses under $100K." The sub-agent analyzes a $95K operational expense (in a category that qualifies for the $100K limit), finds it reasonable, and recommends approval.
The first agent receives the sub-agent's recommendation and, trusting the analysis from the specialized sub-agent, approves the $95K expense without realizing it exceeds the original $25K constraint from the compliance officer.
Later, an audit discovers the expense and flags it as exceeding the delegated authority. The bank must investigate who was responsible: the compliance officer? the first agent? the sub-agent? The delegation chain has no cryptographic record of what constraints applied, so the audit trail is inconclusive.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Delegation chain violations are invisible until full audit of chain is performed. Intermediate violations are undetected. |
| A - Autonomy Sensitivity | 5 | Both delegating and receiving agents operate autonomously. Constraints are not enforced between them. |
| M - Multiplicative Potential | 4 | Impact scales with chain length and constraint variation at each hop. Longer chains have more opportunities for decay. |
| A - Attack Surface | 5 | Agent-to-agent API calls, implicit delegation, and lack of standardized delegation format create the vector. |
| G - Governance Gap | 5 | No standard framework requires cryptographic delegation tokens or constraint propagation for agents. |
| E - Enterprise Impact | 4 | Budget overrun, control violation, audit finding, governance gap documentation, requirement for re-architecture. |
| Composite DAMAGE Score | 3.6 | High. Requires priority remediation and continuous monitoring. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human is end-user of all analysis. No agent-to-agent delegation occurs. |
| Digital Apprentice | Low | Apprentice governance requires explicit delegation approval. Apprentice cannot delegate without authorization. |
| Autonomous Agent | High | Agent can delegate to other agents. Constraints are not cryptographically propagated. |
| Delegating Agent | Critical | Agent is designed to delegate via tool invocation. Constraints are passed as parameters, not as cryptographic proof. |
| Agent Crew / Pipeline | Critical | Multiple agents in sequence delegate to each other. Constraints decay at each hop. |
| Agent Mesh / Swarm | Critical | Agents delegate to peers in dynamic fashion. Delegation chains are not recorded. Constraints are completely opaque. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| SR 11-7 / MRM | Addressed | Governance and Accountability (Section 2) | Expects clear authority structures and accountability chains. | Does not address agent-to-agent delegation or constraint propagation. |
| NIST AI RMF 1.0 | Partial | GOVERN.2, GOVERN.3 | Recommends documented governance and access control. | Does not specify delegation chain requirements. |
| OWASP Agentic Top 10 | Partial | A06:2024 Excessive Agency | Addresses over-delegation. | Assumes delegation is from human to agent, not agent-to-agent. |
| ISO 42001 | Partial | Section 8.6 (Change Management) | Recommends documented change control. | Does not address delegation chain documentation. |
Regulators in banking, insurance, and capital markets expect clear accountability chains. When a decision is made or an action is taken, regulators expect to be able to trace the decision back to the person or system authorized to make it. Delegation should be explicit, documented, and constrained.
When agent-to-agent delegation is opaque, accountability chains break. Regulators cannot determine who was authorized to make a decision and whether that authorization was violated. This is particularly problematic because it creates liability for the organization: regulators may hold the original delegator (compliance officer) responsible for actions taken by downstream agents, even if those actions violated constraints the officer thought they had imposed.
Under SR 11-7 and other regulatory frameworks, opaque delegation chains are a governance failure that creates enforcement risk.
Delegation Chain Opacity requires cryptographic delegation tokens with verifiable constraint propagation. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
Schedule a Briefing