Authorization Propagation in Multi-Agent AI Systems: Identity Governance as Infrastructure

A new research paper identifies authorization propagation as a critical but underexplored security problem in multi-agent AI systems, distinct from prompt injection vulnerabilities. The paper argues that identity governance must become foundational infrastructure in AI orchestration, with seven structural requirements for maintaining authorization invariants across distributed agent interactions.

Multi-agent AI systems introduce a novel authorization challenge that existing security frameworks fail to address adequately. As AI agents delegate tasks, retrieve data, and aggregate results across system boundaries, maintaining consistent authorization becomes increasingly complex. This problem emerges from the fundamental architecture of agentic systems rather than adversarial attack vectors alone, making it a systemic infrastructure concern rather than a tactical security patch.

The research identifies three specific sub-problems driving authorization propagation failures: transitive delegation (agents granting access they themselves possess), aggregation inference (reconstructing restricted information from authorized fragments), and temporal validity (authorization revocation across distributed workflows). Classical access-control models like RBAC and ABAC were designed for static, human-centric systems and cannot enforce authorization properties across asynchronous, multi-step agent interactions.

Production evidence from an enterprise AI platform demonstrates that ordinary system operation—not just malicious actors—already triggers these failures. This suggests the problem will intensify as enterprises scale AI orchestration. The field shows emerging consensus on partial solutions: invocation-bound capability tokens, task-scoped envelopes, and dependency-graph enforcement mechanisms. However, no complete architectural standard exists, creating risk for organizations deploying multi-agent systems without these protections.

For AI infrastructure developers and enterprise adopters, this research signals that authorization governance must be prioritized alongside model safety and prompt robustness. Organizations building or deploying multi-agent AI systems should evaluate whether their identity and access-control layers can enforce authorization across agent boundaries at scale.

• →Authorization propagation is a distinct infrastructure problem in multi-agent AI systems that existing access-control models cannot fully address.
• →The problem manifests through transitive delegation, aggregation inference, and temporal validity failures during normal system operation, not just adversarial attacks.
• →Identity governance must be designed as foundational infrastructure before orchestration logic scales, not retrofitted afterward.
• →Production evidence shows organizations already experiencing authorization failures in deployed multi-agent AI systems.
• →Emerging partial solutions exist but no complete architectural standard has been established across the industry.