
arxiv: 2606.03518 · v1 · pith:JNJRKJRFnew · submitted 2026-06-02 · 💻 cs.AI · cs.CR

Overlaying Governance: A Compositional Authorization Framework for Delegation and Scope in Agentic AI

Pith reviewed 2026-06-28 10:02 UTC · model grok-4.3

classification 💻 cs.AI cs.CR
keywords: agentic AI, authorization framework, delegation, compositional operator, scope attenuation, relational policies, governance primitives, accountable authorization

The pith

A compositional operator overlays recursive delegation and dynamic scoping onto existing authorization policies without rewriting them.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper defines a framework for governing autonomous AI agents that can initiate actions, collaborate, and delegate tasks. It treats delegation as a contractual term carrying permissions and accountability, and introduces resource scope attenuation to limit access envelopes. These ideas are expressed as general relational definitions that compose into existing authorization domains such as financial systems. The key mechanism is a compositional operator that adds agentic semantics including recursive delegation chains and contextual boundaries directly onto relational policies. Formal proofs and empirical evaluation are used to show the approach supplies a practical foundation for accountable authorization in agentic AI.

Core claim

The paper claims that a compositional governance framework supplies primitives for agentic AI by defining types of delegation together with their permission and accountability implications, plus a notion of resource scope attenuation; these are expressed as relational definitions that can be composed into existing authorization domains, and are operationalized by a compositional operator that overlays new agentic semantics such as recursive delegation chains onto existing relational policies without rewriting them.

What carries the argument

The compositional operator that overlays agentic semantics such as recursive delegation chains and contextual boundaries onto existing relational policies.

If this is right

  • Traditional IAM systems gain mechanisms for agents to inherit and delegate permissions while preserving their original rules.
  • Delegation becomes enforceable as a contractual term rather than a static token, carrying explicit accountability implications.
  • Resource access can be bounded through scope attenuation that limits the envelopes within which agents may act.
  • The same relational definitions compose into multiple domains such as financial systems without custom rewrites.
  • Formal proofs establish that the overlay preserves consistency of the underlying policies.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • The same overlay approach could be tested on multi-agent coordination protocols to check whether dynamic scoping remains stable across shared tasks.
  • If the operator works on relational policies, it might allow time-limited authority to be added to existing access-control lists without migration.
  • Accountability tracking for delegated actions could become a standard extension point in any system already using relational authorization.

Load-bearing premise

Existing relational authorization policies can accept the overlay of agentic semantics as executable governance primitives without introducing inconsistencies or requiring policy rewrites.

What would settle it

A concrete demonstration that applying the overlay operator to any standard relational policy produces an inconsistency or forces a rewrite of the original policy would falsify the central claim.

Figures

Figures reproduced from arXiv: 2606.03518 by Amjad Ibrahim, Yong Li.

Figure 1: Schema of types (nodes) and key relations (edges)
Figure 2: The general components in Agentic Governance.
Figure 3: The complete ACE Reference Architecture with
Figure 4: Coding Assistant Schema. Nodes are types, edges
Figure 5: Absolute median check-latency values for Domain
read the original abstract

As AI systems evolve from passive models into autonomous active agents capable of initiating actions, collaborating, and delegating tasks, the traditional boundaries of software systems blur. Traditional authorization and delegation frameworks, built around fixed principals, explicit requests, and static scopes, are insufficient to govern agentic systems. Agentic AI demands richer authorization semantics: agents must inherit and delegate permissions, act under time-limited authority, and coordinate through shared protocols. Existing Identity and Access Management (IAM) systems fail to fully capture this notion of agency, lacking mechanisms for recursive delegation, contextual boundaries, and dynamic scoping as executable governance primitives. Unlike access delegation standards such as OAuth 2.0, we treat delegation as a contractual term rather than merely a static token-based consent credential. This paper proposes a compositional governance framework that introduces primitives indispensable for agentic AI. We define types of delegation and their permissions and accountability implications, and we introduce a notion of resource scope attenuation to bound agentic access envelopes. These concepts are expressed as general relational definitions that can be composed into existing authorization domains (e.g., financial systems). To operationalize this composition, we define a compositional operator that overlays new agentic semantics, such as recursive delegation chains, onto existing relational policies without rewriting them. We substantiate this framework through formal proofs and empirical evaluation, showing that it provides a formal yet practical foundation for accountable authorization in agentic AI systems.
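The overlay idea in the abstract (recursive delegation chains and scope attenuation layered onto a relational policy that is never rewritten), together with the time-limited authority mentioned above, rendered as an added illustrative example: this is my own construction, not the paper's operator or its formal definitions. A Zanzibar/OpenFGA-style tuple policy is checked as-is, while a separate delegation layer resolves each chain back to the accountable human, requires every hop's scope to cover the requested (object, relation), and drops expired grants; all tuple names, agent identifiers, scopes and clock values are constructed.

```python
from dataclasses import dataclass

# Constructed base relational policy, Zanzibar/OpenFGA-style tuples
# (object, relation, subject). The overlay below never modifies it.
BASE_TUPLES = {
    ("repo:payments", "owner", "user:alice"),
    ("repo:payments", "viewer", "user:bob"),
}
BASE_RULES = {"viewer": {"owner"}, "owner": set()}  # owner implies viewer


def base_check(obj, relation, subject):
    """Plain relational check against the base policy only (no agent semantics)."""
    if (obj, relation, subject) in BASE_TUPLES:
        return True
    return any(base_check(obj, r, subject) for r in BASE_RULES.get(relation, ()))


@dataclass(frozen=True)
class Delegation:
    """Overlay primitive (constructed): a contractual grant bounded by a scope of
    (object, relation) pairs and an expiry (time-limited authority)."""
    delegator: str
    delegate: str
    scope: frozenset
    expires_at: int  # constructed clock, integer seconds


def chains(principal, ds, now, seen=()):
    """Unexpired delegation chains ending at principal, root-first; a human
    user is its own root (empty chain), and cycles among agents yield nothing."""
    if principal.startswith("user:"):
        return [()]
    if principal in seen:
        return []
    out = []
    for d in ds:
        if d.delegate == principal and d.expires_at > now:
            for c in chains(d.delegator, ds, now, seen + (principal,)):
                out.append(c + (d,))
    return out


def overlay_check(obj, relation, principal, ds, now):
    """Overlaid check -> (allowed, accountable chain of principals).
    Attenuation: every hop's scope must contain (obj, relation), so a delegate
    never exceeds its delegator; the authority itself comes from asking the
    unchanged base policy about the root human."""
    for chain in chains(principal, ds, now):
        if all((obj, relation) in d.scope for d in chain):
            root = chain[0].delegator if chain else principal
            if base_check(obj, relation, root):
                return True, (root,) + tuple(d.delegate for d in chain)
    return False, ()


# Constructed overlay: alice -> planner -> coder is a recursive chain; the coder
# grant is over-broad (billing) and bob's grant exceeds what the base backs.
PAY = "repo:payments"
DELEGATIONS = (
    Delegation("user:alice", "agent:planner",
               frozenset({(PAY, "viewer"), (PAY, "owner")}), 2000),
    Delegation("agent:planner", "agent:coder",
               frozenset({(PAY, "viewer"), ("repo:billing", "owner")}), 1500),
    Delegation("user:bob", "agent:audit", frozenset({(PAY, "owner")}), 3000),
)
```

At clock 1000 the coder agent may view the payments repo through alice, its billing grant is attenuated away because the planner never held it, and the audit agent gets nothing because the base policy never made bob an owner; at clock 1600 the coder's grant has expired while the planner's still resolves.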

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a compositional authorization framework called Overlaying Governance for agentic AI systems. It defines delegation types along with their permissions and accountability implications, introduces resource scope attenuation to bound agentic access envelopes, and defines a compositional operator that overlays agentic semantics such as recursive delegation chains and dynamic scoping onto existing relational policies without rewriting them. The framework is expressed as general relational definitions composable into existing authorization domains and is substantiated through formal proofs and empirical evaluation to provide a formal yet practical foundation for accountable authorization.

Significance. If the central claims hold, the work would offer a meaningful contribution to AI governance by extending traditional IAM and delegation standards (e.g., OAuth 2.0) to handle autonomous agents with recursive, contextual, and contractual delegation. The compositional operator approach, if shown to preserve consistency, could enable practical integration with existing systems without policy rewrites, addressing a timely gap as AI systems become agentic.

major comments (2)
  1. [Abstract] The manuscript asserts that the compositional operator and framework are substantiated through formal proofs and empirical evaluation, yet provides no visible equations, derivation steps, experimental setup, datasets, metrics, or error-handling details. This absence makes the central claim that the overlay introduces no inconsistencies unverifiable and load-bearing for the paper's contribution.
  2. [Abstract] The weakest assumption—that existing relational authorization policies can accept overlays of recursive delegation and dynamic scoping as executable primitives without inconsistencies or rewrites—is stated but not supported by any concrete example, counter-example, or proof sketch in the provided text.
minor comments (2)
  1. [Abstract] The abstract could include a brief illustrative example of the compositional operator applied to a simple relational policy to clarify the overlay mechanism.
  2. Notation for delegation types, permissions, and scope attenuation is introduced at a high level but would benefit from explicit definitions or a small table of primitives early in the manuscript.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thoughtful comments. We address the two major comments on the abstract below, noting that the full manuscript contains the referenced formal and empirical content while acknowledging that the abstract could better foreground it.

read point-by-point responses
  1. Referee: [Abstract] The manuscript asserts that the compositional operator and framework are substantiated through formal proofs and empirical evaluation, yet provides no visible equations, derivation steps, experimental setup, datasets, metrics, or error-handling details. This absence makes the central claim that the overlay introduces no inconsistencies unverifiable and load-bearing for the paper's contribution.

    Authors: The full manuscript substantiates the claims in Section 4 (formal relational definitions and consistency proofs for the overlay operator) and Section 5 (empirical evaluation on delegation-chain benchmarks with metrics for consistency preservation and error cases). We agree the abstract would benefit from a concise pointer to these sections and key results, and will revise it accordingly. revision: partial

  2. Referee: [Abstract] The weakest assumption—that existing relational authorization policies can accept overlays of recursive delegation and dynamic scoping as executable primitives without inconsistencies or rewrites—is stated but not supported by any concrete example, counter-example, or proof sketch in the provided text.

    Authors: The body of the manuscript supplies a proof sketch (Section 3.2) that the overlay operator preserves base-policy semantics by relational construction, together with concrete examples (Figure 2) of overlay on OAuth-style policies and discussion of cases where attenuation prevents inconsistency. Because the comment references the abstract, we will add a brief cross-reference to these supporting elements in the revised abstract. revision: partial

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper defines a new compositional operator and relational primitives for agentic delegation and scope, then substantiates them via formal proofs and empirical evaluation. No fitted parameters, self-citations as load-bearing premises, or reductions of predictions to inputs by construction are present in the provided text. The central claim is a definitional framework that stands on its own rather than being validated against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides insufficient detail to enumerate free parameters, axioms, or invented entities; no specific equations or assumptions are extractable beyond the high-level proposal.

pith-pipeline@v0.9.1-grok · 5778 in / 1022 out tokens · 13962 ms · 2026-06-28T10:02:52.571751+00:00 · methodology

