A potential LinkedIn post


Alan Karp

Nov 17, 2025, 7:10:11 PM
to <friam@googlegroups.com>
I have a couple of posts on LinkedIn trying to make the point that knowing an AI agent's identity isn't as important as most people make it out to be.  I'd like some feedback before posting the 3rd installment.

--------------
Alan Karp

------------------------------

How to Make Delegation Hard

Attenuated delegation is critical to the way we work in the physical world.  Without delegation, every private in the army would be saying, "Yes sir, Mr. President."  Without attenuation, that private would end up with permission to launch nukes.  Unfortunately, most of today's systems make delegation harder than it needs to be.  The culprit is using the identity of the invoker as part of the access decision.

Consider a simple case.  You give me permission to use your service to query and update a database.  On many systems, I authenticate when I make a request.  A component on your system verifies the authentication and looks up if the request is authorized.

What if, instead of invoking your service myself, I want an agent to do queries on my behalf?  Your service never heard of my agent, so the agent identity is useless.  I could share my credentials with the agent, but then it would also have permission to update.  Systems tie themselves in knots with mechanisms like federating identities trying to solve this problem.

The solution is straightforward.  After I authenticate to you, you give me an access token, such as a zcap, granting query and update permissions.  That zcap can contain an identifier that lets you know who to hold responsible for the use of those permissions.  I can then present this token along with my request, and you can check the signature to make sure I'm authorized.

That's the easy part.  What would be the hard part is just as easy.  I can delegate query permission to my agent and include an identifier so I can track its use of the permission.  My agent makes a request of your service, which verifies that the delegation authorizes the request.  You don't have to use my agent's identity in the access decision.  If something goes wrong you know to hold me responsible.

Bottom line: If you want to make delegation hard, focus on the identity of the invoker.  You'll spend many happy hours trying to handle all the corner cases that strategy creates.
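
The delegation flow in the draft above, as an added example that is not part of the thread and not code from any zcap library. It uses macaroon-style HMAC chaining from the Python standard library as a stand-in for zcap signatures, so these are bearer tokens; ROOT_KEY, the function names and the identifiers "alan" and "alan-agent-1" are constructed for illustration.

```python
import hashlib
import hmac
import json

ROOT_KEY = b"constructed-demo-key"  # the service's secret (constructed value)

def _mac(key, link):
    data = json.dumps(link, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def issue(responsible, actions):
    """Service: mint a token after authenticating the grantee."""
    grant = {"responsible": responsible, "actions": sorted(actions)}
    return {"chain": [grant], "sig": _mac(ROOT_KEY, grant)}

def delegate(token, label, actions):
    """Holder: attenuate offline; needs neither ROOT_KEY nor the service."""
    link = {"label": label, "actions": sorted(actions)}
    return {"chain": token["chain"] + [link], "sig": _mac(token["sig"], link)}

def authorize(token, action):
    """Service: return (responsible party, delegation labels) or None."""
    chain = token.get("chain") or []
    if not chain or "responsible" not in chain[0]:
        return None
    sig = _mac(ROOT_KEY, chain[0])
    for link in chain[1:]:
        sig = _mac(sig, link)  # each link is keyed by the previous MAC
    if not hmac.compare_digest(sig, token.get("sig", b"")):
        return None  # chain was edited or not derived from our grant
    allowed = set(chain[0].get("actions", []))
    for link in chain[1:]:
        allowed &= set(link.get("actions", []))  # delegation can only narrow
    if action not in allowed:
        return None
    # No agent identity is consulted: the decision rests on the chain alone.
    return chain[0]["responsible"], [l.get("label") for l in chain[1:]]

if __name__ == "__main__":
    mine = issue("alan", ["query", "update"])
    agent = delegate(mine, "alan-agent-1", ["query"])
    print(authorize(agent, "query"))
    print(authorize(agent, "update"))
```

The agent holds only the derived MAC, so it cannot strip its own restriction, and any further delegation it makes is intersected with the permissions it was given.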

William ML Leslie

Nov 17, 2025, 8:59:57 PM
to fr...@googlegroups.com
On Tue, 18 Nov 2025 at 10:10, Alan Karp <alan...@gmail.com> wrote:
> I have a couple of posts on LinkedIn trying to make the point that knowing an AI agent's identity isn't as important as most people make it out to be.  I'd like some feedback before posting the 3rd installment.

Ooh.  Work on education and outreach is always appreciated.  I love the post; just one suggestion.

We are a bumper-sticker society, and nowhere is this clearer than on LinkedIn.  The first sentence is often the only one you see in the summary email, and given just how much fluff is on there, it's often the only one people read.  You say something important in your first sentence, but I don't think people will realise how important it is before reading the rest of your post.  So it might be worth making the first sentence state why it's worth reading.

--
William ML Leslie

Alan Karp

12:00 PM
to fr...@googlegroups.com
Thanks for the suggestion.  I've moved the Bottom Line to the front.  The post now starts with

If you want to make delegation hard, focus on the identity of the invoker.  You'll spend many happy hours trying to handle all the corner cases that strategy creates.

--------------
Alan Karp

