Authenticated Delegation and Authorized AI Agents

Tobin South, Samuele Marro, Thomas Hardjono, Robert Mahari, Cedric Deslandes Whitney, Dazza Greenwood, Alan Chan, Alex Pentland

TL;DR

The paper tackles secure delegation of authority to AI agents by extending OAuth 2.0/OpenID Connect with agent-specific credentials and delegation tokens, enabling auditable, human-authored control over agent actions. It combines structured permission languages, natural-language scoping, and human-in-the-loop oversight to translate high-level intents into machine-readable, enforceable access controls, with considerations for inter-agent scoping. A practical token framework (user ID-token, Agent-ID token, Delegation Token) and optional Verifiable Credentials are proposed to maintain verifiability and privacy. The work aims to enable immediate, responsible deployment of AI agents in diverse digital spaces while outlining future directions for standard scope definitions, privacy-preserving delegation, and corporate tooling support.

Abstract

The rapid deployment of autonomous AI agents creates urgent challenges around authorization, accountability, and access control in digital spaces. New standards are needed to know whom AI agents act on behalf of and guide their use appropriately, protecting online spaces while unlocking the value of task delegation to autonomous agents. We introduce a novel framework for authenticated, authorized, and auditable delegation of authority to AI agents, where human users can securely delegate and restrict the permissions and scope of agents while maintaining clear chains of accountability. This framework builds on existing identification and access management protocols, extending OAuth 2.0 and OpenID Connect with agent-specific credentials and metadata, maintaining compatibility with established authentication and web infrastructure. Further, we propose a framework for translating flexible, natural language permissions into auditable access control configurations, enabling robust scoping of AI agent capabilities across diverse interaction modalities. Taken together, this practical approach facilitates immediate deployment of AI agents while addressing key security and accountability concerns, working toward ensuring agentic AI systems perform only appropriate actions and providing a tool for digital service providers to enable AI agent interactions without risking harm from scalable interaction.

Paper Structure (68 sections, 4 figures)

Figures (4)

  • Figure 1: Conceptual overview of a verifiable delegation credential for AI agents. Users issue delegation credentials that include: the AI system's unique identity and properties, delegated permissions with contextual scope restrictions, user metadata, and cryptographic signatures for verifiability. These credentials enable secure, trustworthy interactions between AI agents and third-party services, ensuring traceability and appropriate delegation of authority.
  • Figure 2: Authenticated delegation can benefit from user identification or verification of personhood (e.g., through personhood credentials). By combining verified human identity with authenticated delegation, we can support safer online spaces for human interaction while enabling the trustworthy and controlled use of AI agents.
  • Figure 3: Integration of OpenID Connect (OIDC) and User-Managed Access (UMA) protocols for establishing delegated authority from human users to AI Agents. The diagram illustrates the authentication flow where a human user first authenticates to an OpenID Provider (OP) (1 & 2), registers their AI Agent (3), and issues a delegation token (4). This token empowers the AI Agent to perform authorized tasks on behalf of the user. The verification of both the user's ID token and the AI Agent's delegation token can be performed through the standard OpenID Provider, leveraging existing OAuth 2.0 patterns while incorporating new delegation mechanisms for AI Agent authorization.
  • Figure 4: Authentication flow between federated AI Agents demonstrating cross-domain credential verification. Agent A1 presents its Verifiable Credential (VC1) to Agent A2 (step 1), followed by claim validation through IS1 (step 2) and OP1 authentication (step 3). The federation network enables OP1 to validate A2's credentials with OP2 (steps 4-5), concluding with A2's credential presentation (step 6). The architecture supports secure authentication between agents operating under different OpenID Providers.
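
The relying-service side of the Figure 3 flow, as an added example that is not code from the paper or its authors: it verifies the user ID token, Agent-ID token and Delegation Token, checks that the delegation binds that user to that agent, and enforces scope and expiry. The claim names (`sub`, `delegator`, `agent`, `scope`, `exp`), the token encoding and the single HMAC key standing in for the OpenID Provider's signature are assumptions made for illustration; a real deployment would use the OP's asymmetric JWS signatures.

```python
import base64, hashlib, hmac, json, time

OP_KEY = b"constructed-demo-key"  # assumption: stand-in for the OpenID Provider's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue(claims: dict, key: bytes = OP_KEY) -> str:
    """Sign claims as payload.signature (HMAC-SHA256 stands in for JWS)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify(token: str, key: bytes = OP_KEY) -> dict:
    """Return the claims if the signature is valid, else raise ValueError."""
    payload, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def authorize(user_tok, agent_tok, deleg_tok, action, now=None):
    """Service-side check: tokens verify, bind together, and cover the action."""
    now = time.time() if now is None else now
    try:
        user, agent, deleg = verify(user_tok), verify(agent_tok), verify(deleg_tok)
    except ValueError:
        return False, "invalid token"
    # The delegation must name exactly this user and this agent.
    if deleg["delegator"] != user["sub"] or deleg["agent"] != agent["sub"]:
        return False, "delegation not bound to this user/agent"
    if now >= deleg["exp"]:
        return False, "delegation expired"
    if action not in deleg["scope"]:
        return False, "action outside delegated scope"
    return True, f"{agent['sub']} acts for {user['sub']}"  # audit-trail entry

# Constructed sample tokens for steps 1-4 of the flow (hypothetical identities).
USER = issue({"sub": "user:alice"})
AGENT = issue({"sub": "agent:a1", "owner": "user:alice"})
DELEG = issue({"delegator": "user:alice", "agent": "agent:a1",
               "scope": ["calendar.read"], "exp": 2_000_000_000})

if __name__ == "__main__":
    print(authorize(USER, AGENT, DELEG, "calendar.read", now=1_900_000_000))
    print(authorize(USER, AGENT, DELEG, "email.send", now=1_900_000_000))
```

The reason string returned on success is what a service would write to its audit log to preserve the chain of accountability from agent back to user.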