Authorization Propagation in Multi-Agent AI Systems
May 17, 2026
Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure

Krti Tallam
Kamiwaza AI
krti@kamiwaza.ai
(May 2026)

Abstract

The security discussion around agentic AI focuses heavily on prompt injection. This paper argues that multi-agent systems also create a distinct authorization problem: maintaining authorization invariants as non-human principals retrieve data, delegate tasks, and synthesize results across changing boundaries. We call this problem authorization propagation. It is not reducible to prompt injection and is not fully addressed by classical access-control models such as RBAC, ABAC, or ReBAC. The paper formalizes authorization propagation as a workflow-level property, identifies three sub-problems (transitive delegation, aggregation inference, and temporal validity), and derives seven structural requirements for authorization architectures in multi-agent AI systems. Recent work on invocation-bound capability tokens (Prakash, 2026), task-scoped authorization envelopes (Sharma et al., 2026), dependency-graph policy enforcement (Palumbo et al., 2026), and execution-count revocation (Parakhin, 2026) demonstrates that the field is converging on the problem, but not yet on a complete architecture. The central claim is that identity governance must be treated as infrastructure: evaluated continuously, enforced at every interaction boundary, and designed into the system before orchestration logic is allowed to scale. Preliminary implementation evidence from a production enterprise AI platform shows that ordinary system behavior, not only adversarial action, already produces the failures this model predicts.

Keywords: agentic AI, authorization, access control, delegation, aggregation inference, identity governance

1 Introduction

As AI systems evolve from single-model inference to multi-agent orchestration, the security discourse has concentrated heavily on prompt injection. This is understandable.
Prompt injection is the mechanism by which an adversary subverts an agent’s behavior by manipulating the content it processes. It is well-documented, broadly applicable, and — as of this writing — not fully solved at the model level. The resulting industry posture treats prompt injection as the central, sometimes only, novel security problem in agentic AI.

A common argument, articulated informally but widely held, runs approximately as follows: prompt injection is to agentic AI what SQL injection was to web applications. Fix it architecturally — separate data from instructions, as parameterized queries separated data from SQL — and the remaining security problems reduce to known primitives: authentication, authorization, network isolation, secrets management. Nothing novel.

This paper argues that the analogy is partially correct but materially incomplete. Prompt injection is the novel attack vector. But there is a distinct novel architectural problem that persists even under the assumption that prompt injection is fully solved: the problem of maintaining authorization invariants as non-human principals make chains of autonomous decisions. We call this problem authorization propagation.

Consider a concrete scenario. An orchestrating agent receives a user query. It decomposes the task and delegates sub-tasks to specialized agents. Agent A retrieves data from Dataset X. Agent B retrieves data from Dataset Y. Agent C synthesizes the results from A and B into a response for the user. Even with perfect prompt injection defense — no agent can be tricked by the content it processes — the system must answer:

• Did Agent A have the right to access Dataset X?
• Did Agent B have the right to access Dataset Y?
• Does Agent C have the right to see the combined results?
• Does the user have the right to see the synthesized output?
• Does the combination of X and Y reveal information that neither dataset alone would expose?
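
The five questions above can be evaluated as one workflow-level check that carries data provenance from retrieval through to delivery. The sketch below is an added example, not code from the paper; the grant table, the `xy_combined` combination grant, and all function and principal names are constructed assumptions.

```python
# Added example: workflow-level authorization with provenance tracking.
# All principals, datasets and grants below are constructed sample data.
GRANTS = {
    "agent_a": {"dataset_x"},
    "agent_b": {"dataset_y"},
    "agent_c": {"dataset_x", "dataset_y", "xy_combined"},
    "alice": {"dataset_x", "dataset_y"},                 # each source, not the join
    "bob": {"dataset_x"},                                # no right to dataset_y
    "carol": {"dataset_x", "dataset_y", "xy_combined"},
}
# Assumed aggregation rule: reading X and Y together needs its own grant.
RESTRICTED_COMBINATIONS = {frozenset({"dataset_x", "dataset_y"}): "xy_combined"}


def can_read(principal, sources):
    """True if principal holds every source and every combination grant they trigger."""
    held = GRANTS.get(principal, set())
    if not sources <= held:
        return False
    return all(label in held
               for combo, label in RESTRICTED_COMBINATIONS.items()
               if combo <= sources)


def evaluate_workflow(user, retrievals, synthesizer):
    """Check every boundary of the workflow; return the list of violated checks."""
    violations, provenance = [], set()
    for agent, dataset in retrievals:                    # questions 1 and 2
        if not can_read(agent, {dataset}):
            violations.append(f"retrieval:{agent}->{dataset}")
            continue                                     # denied data never enters the workflow
        provenance.add(dataset)
    if not can_read(synthesizer, provenance):            # question 3
        violations.append(f"synthesis:{synthesizer}")
    if not provenance <= GRANTS.get(user, set()):        # question 4
        violations.append(f"delivery:{user}")
    elif not can_read(user, provenance):                 # question 5
        violations.append(f"aggregation:{user}")
    return violations


PLAN = [("agent_a", "dataset_x"), ("agent_b", "dataset_y")]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, evaluate_workflow(user, PLAN, "agent_c"))
```

In the `alice` case every individual access is permitted, yet the workflow still fails at the aggregation check, which a per-access decision point would never see.
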

These are authorization questions, not prompt injection questions. They arise from the structure of the system, not from adversarial content. And they have no established equivalent of “parameterized queries” — no single architectural primitive that resolves them.

Why this matters now is that enterprise agents no longer merely retrieve documents on behalf of a visible human operator. They increasingly mediate the entire evidentiary path: decomposition, retrieval, tool invocation, synthesis, and delivery. In that setting, authorization is no longer just a question of whether an individual access is permitted. It is a question of whether the full delegated workflow preserves the authority, scope, and boundary conditions that make the final result governable.

This paper formalizes authorization propagation, distinguishes it from prompt injection, and identifies what it demands of authorization architectures.

2 Background and Related Work

2.1 Prompt Injection and Agent Security

Prompt injection was first characterized as a distinct vulnerability class in 2022 (Gruskovnjak, 2023) and has since been the subject of extensive research (Greshake et al., 2023). Google DeepMind’s “AI Agent Traps” taxonomy (Google DeepMind, 2026) identifies six categories of agent-directed attacks: content injection, semantic manipulation, cognitive state attacks, tool misuse induction, goal hijacking, and multi-agent collusion. These categories are useful but share a common structure: an adversary manipulates the content, context, or memory that an agent processes in order to alter its behavior.

The defense literature has correspondingly focused on content-level mitigations: input filtering, output validation, trusted/untrusted content separation, and instruction hierarchy enforcement. What this literature does not address in depth is the authorization architecture that determines what data and actions are available to agents in the first place.
The implicit assumption is that if agents can be made robust to adversarial content, the remaining security properties can be handled by conventional access control.

Recent empirical work challenges this assumption. Anonymous (2026) evaluate the Claude Code permission system and find an 81.0% false negative rate on deliberately ambiguous authorization scenarios, with 36.8% of state-changing actions bypassing the classifier entirely via file edits. Debenedetti and others (2026) demonstrate that prompt injection can be reframed as role confusion, with 60% attack success on StrongREJECT via spoofed reasoning — arguing that “security is defined at the interface but authority is assigned in latent space.” These results suggest that even well-resourced content-level defenses are insufficient, reinforcing the need for architectural authorization enforcement.

2.2 Classical Access Control Models

The access control literature provides foundational models that inform but do not fully address authorization propagation. Bell and LaPadula (1973) formalize mandatory access control with the ⋆-property (no write-down) and simple security property (no read-up), preventing information flow from high-classification to low-classification subjects. Biba (1977) provides the dual integrity model: no read-down, no write-up. Clark and Wilson (1987) shift focus to well-formed transactions and separation of duty, requiring that data modifications pass through certified transformation procedures. Sandhu et al. (1996) formalize role-based access control (RBAC), which assigns permissions to roles rather than directly to subjects. XACML (OASIS, 2013) extends attribute-based access control with obligation policies — actions that must be performed upon access denial or grant.

These models address important properties: confidentiality (Bell-LaPadula), integrity (Biba), transaction correctness (Clark-Wilson), administrative scalability (RBAC), and policy expressiveness (XACML).
Contemporary risk frameworks (National Institute of Standards and Technology, 2023; International Organization for Standardization, 2023) acknowledge that AI systems introduce novel authorization challenges, but delegate the specifics to implementation standards that do not yet exist for multi-agent architectures.

The classical models share assumptions that do not hold in multi-agent AI systems: human principals, static resources, synchronous access decisions, and well-defined trust boundaries. The authorization propagation problem arises precisely where these assumptions break down.

2.3 Relationship-Based Access Control

Relationship-based access control (ReBAC) originates from Google’s Zanzibar system (Pang et al., 2019), which models authorization as a graph of typed relationships between subjects and objects. A subject’s permissions are determined not by static role assignments (as in RBAC) or attribute predicates (as in ABAC), but by the existence and type of relationships in a tuple store. This enables fine-grained, context-sensitive authorization that can express ownership, delegation, group membership, and organizational hierarchy.

ReBAC has been implemented in several open systems (SpiceDB, OpenFGA, Authzed) and is well-suited to multi-tenant enterprise environments where access patterns are relational rather than role-based. However, the Zanzibar model and its descendants were designed for human principals interacting with static resources through well-defined API surfaces.
They do not natively address:

• non-human principals that autonomously chain authorization decisions
• transitive delegation where one agent acts on behalf of another
• synthesized outputs where the result is derived from multiple authorized sources but the combination may not itself be authorized
• temporal validity where authorization state may change between the start and end of a multi-step agent workflow

2.4 Emerging Agent Authorization Frameworks

The period from late 2025 through early 2026 has seen a rapid emergence of authorization frameworks specifically designed for agentic AI systems. We survey t