
The Missing Primitive in Agentic Systems Is Not Intelligence. It's Mandates

Most of the stack already exists in fragments. What is missing is one object that makes machine authority portable, provable, and revocable across boundaries.

Andrew Nalichaev · 16 min read

The previous article ended by naming an object that does not cleanly exist: a way for an agent to carry its authority with it, portable across the systems it touches. This article is about that object, which the current stack only approximates in fragments. The argument is narrow and, I think, the most useful thing to say about agentic systems right now: the unsolved primitive is not how well the agent reasons, it is the mandate under which it acts. Reasoning is improving on a steep curve and was never the binding constraint. Authority has barely moved, because almost nobody builds it as a portable object. They build a pile of per-system settings and call the pile a platform.

A mandate, in the sense I mean, is not a permission flag. It is the full answer to a single question every consequential agent action raises and no current standard answers end to end: who is this agent acting for, to do what, within what bounds, until when, with what way to pull it back, and who is answerable when it is wrong. In a human-operated system that question never had to be packaged, because the human's presence answered all of it at once. Delegate the action to software and the answer has to become an artifact. That artifact is the missing primitive.

Core claim

  • The unsolved object in agentic systems is not intelligence. It is a portable mandate: a machine-readable authority object that travels with the agent.
  • A mandate binds six things into one object — principal, scope, expiry, revocation path, accountability, and spend semantics. Today these live as separate settings in separate systems, reassembled by hand per deployment.
  • The stack is not primitive-poor. It is fragmented. Each mature primitive covers one field of the mandate inside one trust domain, and none makes the whole object portable across domains.
  • Identity answers who the agent is. Authority answers what it may do, for whom, and for how long. Most of the stack solves the first and assumes the second.
  • The dominant near-term failure is not a strange model output. It is mis-scoped action under ambiguous authority, and that is a property of the control plane, not the model.

What a mandate actually is

Pull the question apart and it has six load-bearing parts. The parts matter less individually than as a bound set: a mandate is not six fields, it is six fields that have to stay attached to each other as the action moves, because the moment one of them drops the rest stop meaning anything. A scope that loses its expiry is a hole. An expiry with no revocation path is a promise you cannot keep. Accountability with no principal is a trace with no defendant. Each part is trivial when a human is present and hard when the human has delegated, and the object only does its job when all six travel together and stay consistent.

Principal. On whose authority is this happening. Not which API key was presented, but which accountable party stands behind the action. In a delegated chain the principal is often two or three steps removed from the call: a human authorized a class of actions, an orchestrator decomposed it, a sub-agent executed it. The principal has to be carried through that chain, not inferred at the last hop.

Scope. What the agent may actually do under this grant. A human's scope is bounded by attention; you do the thing you sat down to do. A delegated agent has no such bound, so scope has to be stated, and stated narrowly, because "complete this task" silently authorizes every action the agent judges instrumentally useful unless something forbids it.

Expiry. How long the grant holds. Human authority is renewed continuously by presence. A mandate persists in the principal's absence, which makes an unbounded mandate a standing liability waiting for the context underneath it to change. Expiry is not a nicety. It is the difference between a grant and a permanent hole.

Revocation. How the grant is withdrawn, and crucially, what happens to effects already in motion when it is. Withdrawing future authority is the easy half. The hard half is that a delegated agent may have already acted, propagated state into other tools, and triggered downstream work that never heard about the withdrawal.

Accountability. Who is answerable, provably, after the fact. Not a log of what happened, but a record of who had legitimate standing to make it happen. These are different objects, and the gap between them is where disputes between organizations go to die.

Spend and settlement semantics. When the action moves value, the mandate has to carry the economic envelope: what can be spent, against what, with what conditions for release. This is the field that is least developed and the one that turns a control problem into a money problem.

The reason to treat these as one object rather than six settings is the same reason a passport is one document rather than six separate notes: the value is in the binding, and a binding that comes apart in transit is worthless. Today these fields do not travel together. They are reassembled, partially, inside each domain the agent happens to be operating in, which is exactly why the object is missing even though most of its parts already exist.
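A sketch of the binding described above, added here as an illustration and not taken from any standard or product the article names: the six fields are sealed under one tag, a sub-agent's mandate can only narrow its parent's, and the verifier denies if any field is missing, altered or exceeded. Assumptions: the `Mandate` layout, the field names, the `REVOKED` set and the sample values are all constructed, and an HMAC under a shared demo key stands in for an issuer signature that a second organization could verify without holding the key.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict, replace

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's signing key
REVOKED = set()                       # assumption: stands in for the issuer's revocation list

@dataclass(frozen=True)
class Mandate:
    mandate_id: str
    principal: str       # accountable party behind the action, carried through every hop
    holder: str          # agent currently acting under the grant
    scope: frozenset     # actions the holder may take
    expires_at: int      # epoch seconds
    revocation_ref: str  # where a verifier checks for withdrawal
    accountable: str     # who answers after the fact
    spend_limit: int     # economic envelope, in minor currency units
    tag: str = ""        # MAC over every field above

def _digest(m):
    body = {k: v for k, v in asdict(m).items() if k != "tag"}
    body["scope"] = sorted(m.scope)  # canonical order keeps the MAC stable
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def seal(m):
    return replace(m, tag=_digest(m))

def delegate(parent, holder, scope, expires_at, spend_limit):
    """Issue a narrower mandate for a sub-agent; principal and accountability are inherited."""
    scope = frozenset(scope)
    if not (scope <= parent.scope and expires_at <= parent.expires_at
            and spend_limit <= parent.spend_limit):
        raise ValueError("delegation must narrow the grant, never widen it")
    return seal(replace(parent, mandate_id=f"{parent.mandate_id}/{holder}", holder=holder,
                        scope=scope, expires_at=expires_at, spend_limit=spend_limit))

def authorize(m, holder, action, amount, now):
    """Return (allowed, reason); the first failed check, in order, decides."""
    checks = [
        (not hmac.compare_digest(m.tag, _digest(m)), "binding broken"),
        (not (m.principal and m.accountable and m.revocation_ref), "incomplete mandate"),
        (any(m.mandate_id == r or m.mandate_id.startswith(r + "/") for r in REVOKED), "revoked"),
        (holder != m.holder, "wrong holder"),
        (now >= m.expires_at, "expired"),
        (action not in m.scope, "out of scope"),
        (amount > m.spend_limit, "over spend limit"),
    ]
    return next(((False, why) for failed, why in checks if failed), (True, "ok"))

# Constructed sample: a root grant to an orchestrator, narrowed for one sub-agent.
ROOT = seal(Mandate("m-1", "alice@example.org", "orchestrator",
                    frozenset({"invoice:read", "invoice:pay"}), 1_700_000_600,
                    "https://issuer.example/revocations", "finance-ops@example.org", 50_000))
CHILD = delegate(ROOT, "payer-agent", {"invoice:pay"}, 1_700_000_300, 10_000)
```

Revoking `m-1` also denies `m-1/payer-agent`, but only for actions checked after the revocation; effects already in motion are outside what this check can reach.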

Identity is not authority

The single distinction to carry out of this piece is the one the market most often blurs. Identity answers who the agent is. Authority answers what this agent may do, for whom, and for how long. They are different problems, and the mature part of the stack mostly solves the first.

Workload identity is genuinely solved. SPIFFE gives software a verifiable identity across heterogeneous and organizational boundaries, with short-lived identity documents and federation, so one service can prove to another what it is even across company lines. This is real, deployable, and load-bearing. It is also not a mandate. Knowing with certainty that a request comes from a specific agent tells you nothing about whether that agent should be making this request, for this principal, on this task. Identity is the subject of the sentence. Authority is the verb and the object, and most of the difficulty lives there.

This is why "we have strong authentication for our agents" is a true statement that answers the wrong question. Authentication establishes the principal field and nothing else. The other five fields of the mandate are still unaddressed, and they are the ones that decide whether a delegated action is legitimate.

The stack is not primitive-poor. It is fragmented.

Here is the part that cuts against both the crypto-native reflex and the enterprise sales deck. The reflex says the agent authority problem is unsolved and therefore needs a new substrate. The deck says it is solved and ships today. Both are wrong in the same way. Inside a single trust domain, a surprising amount of the mandate already exists as mature, deployable primitives. What does not exist is the object that binds them and carries them across a boundary.

Walk the fields again, this time as a map of what is shipping.

Scope is solved locally. OpenFGA models agents as first-class principals and carries task-based authorization, the clearest public sign that the real production problem is bounded delegation rather than open autonomy, and OPA decouples policy from enforcement across APIs, services, and infrastructure. Both are production-grade, and both are by design scoped to one administrative domain. They bound what an agent may do inside the house. Neither emits a grant another organization can read and enforce, so scope does not cross the boundary intact.

Expiry and revocation are solved locally, by a mature standard that is honest about its own limit. OAuth revocation, RFC 7009, invalidates tokens in the domain that issued them. It works, it is everywhere, and it stops at the domain boundary. It does nothing about the downstream tool that already acted on the grant, the job mid-flight, or the side effect already landed in a system that was never part of the auth conversation. The grant dies at the issuer and lives on everywhere it had already reached.

Task and state exchange is maturing fast and is deliberately silent on authority. A2A gives agents stateful, long-running tasks with context continuity and standard web auth, while keeping identity at the transport layer and pushing authorization out to the serving agent or a surrounding gateway. That is the correct engineering decision and also a tell: it coordinates work across systems and does not carry the mandate, because the interoperability layer drew a clean line around what it solves and authority sits on the far side of it.

Durable execution and human approval are the quiet proof that the production frontier is bounded delegation, not autonomy. Temporal persists execution as durable, replayable history; LangGraph normalizes explicit interrupts before consequential actions, where a human confirms, edits, or cancels. Teams reach for these because an unbounded agent is not yet something you point at money and walk away from. They solve durability and control locally, one workflow at a time, and that is the catch: the mandate is being hand-rolled as gates and checkpoints inside each system rather than carried as one object between them.

Accountability has the best instrument in the stack solving a different problem than people think. OpenTelemetry correlates work across services into a single coherent trace. A trace explains what executed and in what order. It does not establish who had legitimate standing to authorize it. Traceability is necessary and it is not the same thing, and conflating them is how a multi-agent system ends up perfectly observable and completely undefended the moment a cross-party dispute arrives.

Read together, this is not a poor stack. It is a strong stack with a hole in the middle exactly where the fields are supposed to bind into one portable thing. Every primitive listed is real and most are shipping. The mandate is missing not because the pieces are immature but because nobody owns the object that unifies them and survives a trip across the boundary.

Where the fragments stop

The boundary is specific and worth stating precisely, because it is the line that decides when the existing stack is enough. Inside one trust domain, you can assemble most of a mandate by hand. SPIFFE proves the agent, OpenFGA and OPA scope it, OAuth bounds and revokes its tokens, Temporal makes its execution durable, LangGraph gates its risky steps, OpenTelemetry traces the whole thing. For an enterprise-internal assistant or orchestrator, that assembly is genuinely sufficient, and saying otherwise is selling something.

The assembly fails when authority has to cross a boundary, and there is not one boundary but several, each of which strips a different field. Cross an organizational line and the principal and scope blur, because A2A keeps identity out of the payload and authorization becomes a bilateral arrangement nobody standardized. Cross a tool or system line and the grant arrives as whatever the receiving system can reconstruct, which is usually less than was issued. Cross a time or persistence line and expiry quietly stops being enforced by anything. Cross an economic line and the spend envelope has no native place to live. Ask, after the fact, who was answerable, and the accountability field turns out never to have crossed at all, because traces record execution and not legitimacy. None of these is a tooling deficiency a better dashboard closes. They are one deficiency seen from five angles: the mandate is not a portable object, so each boundary crossing degrades it into whatever the receiving side can rebuild.

That degradation is the whole problem. A mandate that loses its expiry when it crosses a tool is a permanent grant in that tool. A mandate that loses its principal when it is handed to a sub-agent is an action with no defendant. A mandate that loses its revocation path downstream is a withdrawal that does not withdraw. Portability is not a luxury feature of the object. It is the property that makes it an object at all.

The failure modes are the proof

If this sounds abstract, the failure modes make it concrete, and they are the reason the control plane matters more than the model. Each one is a field of the mandate going missing at a boundary.

Authority mismatch. The agent can technically call the tool, and does, for a principal or a task it had no standing to act on. Nothing errors. The action succeeds, looks routine in the logs, and is wrong in the only way that matters: it was taken on authority that did not exist. This is the principal and scope fields failing to travel together, and the mitigation, modeling agents as principals and scoping permissions to tasks, works inside a domain and not yet across one.

Revocation gap. You revoke the grant and assume you are safe. You are not. The effects that already propagated past the revoking authority keep running: payments keep settling, jobs keep firing, and the withdrawal you issued never reaches them. Short-lived credentials and explicit cancellation paths narrow the window. They do not close a gap that is, at bottom, the absence of a revocation field that travels with the action instead of staying behind at the issuer.

Task drift. A refined instruction mutates the wrong artifact or restarts the wrong work, because task identity and artifact lineage were never first-class. Immutable tasks and explicit context references mitigate it. The deeper cause is a mandate that did not bind itself to a specific task in a way the downstream systems could honor.

Observability without accountability. When something expensive goes wrong across two organizations, you will have a complete trace and no defensible answer to the only question that matters in the room: who authorized this, and were they allowed to. You can reconstruct every step and still not prove legitimate standing. Traces plus explicit principal and mandate records are the only combination that closes it, and almost no one is producing the second half.

Asset-delegation catastrophe. A delegate or session-key grant conveys far broader control than anyone intended, because the spend field was drawn too wide with no tight scope, expiry, or target bound. At the asset layer the mistake does not page you, it drains the account. This is the most expensive failure in the set because it is denominated directly in money and is usually irreversible by the time it surfaces.

The common thread is not that the model said something wrong. It is that an action was taken at the wrong scope under authority no one could cleanly establish. That is why I keep saying the interesting engineering is the control plane around the agent, not the intelligence inside it. A better model takes mis-scoped actions faster.
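The difference between a trace and a record of standing can be checked mechanically once spans carry a mandate reference. The following is an added example, not code from any project named in the article: it joins exported spans against mandate records and reports every span that ran without a valid mandate covering it. Assumptions: the `mandate.id` span attribute, the `MandateRecord` layout and all sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class MandateRecord:               # hypothetical record kept by the issuing domain
    holder: str                    # agent the grant was issued to
    principal: str                 # accountable party behind the grant
    scope: frozenset               # actions covered
    expires_at: int                # timestamps are plain integers in this sample
    revoked_at: Optional[int] = None

# Constructed sample data: one mandate, revoked at t=600, and five exported spans.
MANDATES = {
    "m-17": MandateRecord("payer-agent", "alice@example.org",
                          frozenset({"invoice:pay"}), 1000, revoked_at=600),
}
SPANS = [
    {"span": "s1", "agent": "payer-agent", "action": "invoice:pay", "ts": 500, "mandate.id": "m-17"},
    {"span": "s2", "agent": "payer-agent", "action": "invoice:pay", "ts": 650, "mandate.id": "m-17"},
    {"span": "s3", "agent": "report-agent", "action": "invoice:pay", "ts": 550, "mandate.id": "m-17"},
    {"span": "s4", "agent": "payer-agent", "action": "vendor:create", "ts": 560, "mandate.id": "m-17"},
    {"span": "s5", "agent": "payer-agent", "action": "invoice:pay", "ts": 570},
]

def standing(span, mandates):
    """Classify one span: did a valid mandate cover it at the time it ran?"""
    m = mandates.get(span.get("mandate.id"))
    if m is None:
        return "no-mandate-record"       # fully traced, but nothing shows who authorized it
    if span["agent"] != m.holder:
        return "authority-mismatch"      # acted on a grant issued to someone else
    if span["action"] not in m.scope:
        return "out-of-scope"
    if m.revoked_at is not None and span["ts"] >= m.revoked_at:
        return "ran-after-revocation"    # the revocation gap, visible after the fact
    if span["ts"] >= m.expires_at:
        return "ran-after-expiry"
    return "covered"

def audit(spans, mandates):
    """Return {span_id: (finding, principal)} for every span lacking legitimate standing."""
    findings = {}
    for s in spans:
        verdict = standing(s, mandates)
        if verdict != "covered":
            m = mandates.get(s.get("mandate.id"))
            findings[s["span"]] = (verdict, m.principal if m else None)
    return findings
```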

The asset layer is a fragment, not an answer

There is one place where something close to a portable, programmable mandate is starting to appear, and it is worth naming precisely so it is not oversold. At the asset layer, programmable accounts already let you delegate narrowly scoped, time-bounded authority that is enforced where value actually moves. ERC-4337 gives smart accounts, sponsored execution, and programmable validation. Session keys and delegation modules let an account grant a bounded right to act. EIP-7702 makes account delegation a live, security-critical primitive, and its own guidance warns that a badly drawn delegate can hand over near-complete control of an account.

That is genuinely interesting, because it is the one field of the mandate, spend and settlement, beginning to exist as an enforceable object rather than a setting. Read it precisely: this is partial enforceability of one field, not a finished mandate, and not a verdict that one substrate has won. The crypto-native reader who concludes the answer is ERC-4337 and the skeptic who concludes the article is smuggling in blockchain are making the same mistake from opposite sides. The delegation covers one field of six, it is wallet-specific and unstandardized, and it does not, by itself, carry a principal, a task binding, or an accountability record across an enterprise boundary. I am flagging it as evidence that the missing object is buildable, not as a claim about where to build it. When asset-layer enforcement actually earns its cost against conventional alternatives is a real and narrow question, and it deserves its own article rather than a paragraph that smuggles in a conclusion. The honest statement is smaller and sharper: the spend field has an early enforceable form, the other five do not, and none of them yet travel together.

Why "Agent" Is No Longer a Usable Category

Step back and the shape of the cycle becomes clear. The first article moved the question from how agents think to what they are allowed to do. This one names the object that question requires and shows that the object is fragmented rather than absent. That fragmentation is the actual state of the art, and it is more useful to say than either "agents are unsolved" or "the platform is here."

The mandate is also not equally needed everywhere, and that is the thread into what comes next. An internal assistant that drafts text for a human to send barely needs one; the human is still the authority. An orchestrator coordinating tools inside a domain needs part of one, assembled from the primitives above. A system that acts as an economic actor, committing value across organizations on a standing grant, needs the whole object and needs it portable, and that is exactly where nothing clean exists today. Treating all three as "agents" hides the only distinction that determines how much authority machinery a system actually requires.

So the next question is not technical, it is taxonomic. The mandate a system needs depends entirely on what kind of actor it is, which means the word "agent" is now doing too much work to reason with. Until the classes underneath it, assistant, orchestrator, operator, economic actor, are pulled apart, every conversation about agent authority stays structurally confused, arguing about a category that bundles a text-drafting helper and a standing economic actor as if they posed the same problem. They do not. That separation is the next article.