---
title: "Secure Delegation for AI Agents"
author: "Cristian Lepore"
email: "cristianlepore24@gmail.com"
---
# Executive Summary
> When Alice asks ChatGPT to book a Tokyo trip, ChatGPT delegates to a Lufthansa autonomous agent, which delegates payment to Stripe. Both agents may access Alice's calendar, email, and contacts, with limited visibility into who holds this access. I propose the **Agentic Delegation Framework (ADF)**, a capability-based approach enabling restricted and verifiable permissions, ensuring agents operate within their delegated scope with full traceability.
>
---
# Research Problem
AI agents delegate tasks across organizational boundaries, forming multi-hop chains. When Alice asks ChatGPT to book a Tokyo trip, ChatGPT delegates to Lufthansa with full calendar, email, and contact access. Lufthansa delegates payment to Stripe with complete credit card details—to charge a single \$750 flight. Both agents retain excessive privileges with no visibility into who holds what access (Salah et al., 2025).

Many mainstream OAuth-based integrations expose coarse-grained scopes and lack native support for contextual, time-bounded, or intent-bound permissions. Token vault approaches isolate credentials but typically rely on upstream OAuth scopes and do not enforce runtime intent-level constraints (Martinez & Sasidharan, 2025). MCP does not coordinate agents (Venkiteela & Padmanabham, 2025). Identity-based approaches (Singh et al., 2025; Garzon et al., 2025) cannot specify "calendar access: Feb 10-20" or "payment: \$750 one-time, no retention" and fail with ephemeral agents.

---
# Proposed Solution
I propose the **Agentic Delegation Framework (ADF)**, a capability-based system enabling fine-grained control when autonomous agents form cross-organizational delegation chains.
#### Technical approach
Instead of identity credentials (refresh tokens with full access), ADF delegates cryptographically verifiable *capabilities* specifying exactly what an agent can access and for how long. Capabilities are attenuated at each delegation hop—a parent agent's authorization becomes narrower sub-capabilities for downstream agents—and cryptographically bound to the user for end-to-end traceability.
#### Components
1. Agentic Protocol (**AgPr**) for cryptographic delegation
2. **FIDO2-Extension** for user binding
3. **Legal-Grade Layer** for compliance
#### Concrete example
Alice authenticates via FIDO2 and receives "travel booking, budget \$2000, 24h, calendar-only". ChatGPT delegates to Lufthansa "book Tokyo flights, max \$800, 2h, flight preferences" → Stripe "pay flight XY123, exact \$750, one-time, no retention". Each step is cryptographically verifiable: Lufthansa cannot access email, Stripe cannot exceed \$750 or store payment details, and all actions trace to Alice.
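
The attenuation chain above, as an added sketch that is not part of the proposal and not an AgPr implementation: it substitutes macaroon-style HMAC chaining for the unspecified AgPr cryptography and checks that every hop only narrows scope, budget and lifetime. The scope names, key and timestamps are constructed assumptions, and the one-time and no-retention constraints are not modelled.

```python
import hashlib
import hmac
import json

def tag_of(key: bytes, caveat: dict) -> bytes:
    # Canonical JSON so the verifier recomputes exactly the same bytes.
    msg = json.dumps(caveat, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def issue(root_key: bytes, caveat: dict) -> dict:
    """Root capability, minted after the user authenticates."""
    return {"chain": [caveat], "tag": tag_of(root_key, caveat)}

def delegate(cap: dict, caveat: dict) -> dict:
    """Append a hop; the new tag is keyed by the parent's tag."""
    return {"chain": cap["chain"] + [caveat], "tag": tag_of(cap["tag"], caveat)}

def narrows(parent: dict, child: dict) -> bool:
    """A hop may only shrink scope, budget and lifetime."""
    return (set(child["scopes"]) <= set(parent["scopes"])
            and child["max_usd"] <= parent["max_usd"]
            and child["expires"] <= parent["expires"])

def verify(root_key: bytes, cap: dict, scope: str, usd: int, now: int) -> bool:
    """Recompute the HMAC chain, check every hop attenuates, then the request."""
    key = root_key
    for i, caveat in enumerate(cap["chain"]):
        if i and not narrows(cap["chain"][i - 1], caveat):
            return False  # a downstream agent tried to widen its parent's grant
        key = tag_of(key, caveat)
    if not hmac.compare_digest(key, cap["tag"]):
        return False      # chain was edited or not derived from the root key
    leaf = cap["chain"][-1]
    return scope in leaf["scopes"] and usd <= leaf["max_usd"] and now <= leaf["expires"]

# Constructed sample data mirroring the Tokyo booking chain (hypothetical scope names).
ROOT_KEY = b"constructed-demo-key"   # placeholder, not a real secret
T0 = 1_770_000_000                   # constructed issue time (epoch seconds)
alice = issue(ROOT_KEY, {"holder": "ChatGPT", "scopes": ["calendar", "book_flight", "pay"],
                         "max_usd": 2000, "expires": T0 + 24 * 3600})
lufthansa = delegate(alice, {"holder": "Lufthansa", "scopes": ["book_flight", "pay"],
                             "max_usd": 800, "expires": T0 + 2 * 3600})
stripe = delegate(lufthansa, {"holder": "Stripe", "scopes": ["pay"],
                              "max_usd": 750, "expires": T0 + 2 * 3600})
```

Because the chain is symmetric-keyed, only a party holding the root key can verify it; a public-key binding to the user's FIDO2 credential, as the proposal intends, would replace that step.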

#### Validation
ADF is formalized via operational semantics and validated through a proof-of-concept with formal security analysis and an open-source release.

---
# ROI & Timeline
The project delivers up to **5 publications** in tier-1/2 venues over 24 months, structured in **three phases**:

---
## Phase 1 — Core Framework (Months 1–9)
#### Activities:
- Formalization of the Agentic Delegation Framework (ADF)
- Development of AgPr protocol (operational semantics, proof-of-concept)
#### Planned Publications:
| ID | Title / Focus | Target Venues |
|-----|---------------------------------------------|-------------------------------------------|
| P1 | Formal model with proven security properties | IEEE S\&P, USENIX Security, CCS |
| P2 | Architecture and implementation | ARES, ACSAC, ESORICS |
---
## Phase 2 — Authentication Extensions (Months 10–16)
#### Activities:
- Integration of FIDO2 and W3C Verifiable Credentials
- Implementation of reversed logic for capability-based authentication
#### Planned Publications:
| ID | Title / Focus | Target Venues |
|-----|--------------------------------|---------------------------------------------|
| P3 | Capability-based authentication | IEEE Communications Standards Magazine, W3C Workshop |
---
## Phase 3 — Compliance & Scalability (Months 17–24)
#### Activities:
- Extension for legal compliance
- Performance analysis and benchmarking
#### Planned Publications:
| ID | Title / Focus | Target Venues |
|-----|--------------------------------------|------------------------------------------------|
| P4 | Legal-grade delegation (booking case study) | Computer Law & Security Review |
| P5 | Performance evaluation | EuroSys, Middleware, ACM SIGMETRICS |
---
#### Deliverables:
- Peer-reviewed papers
- Open-source implementation
- Formal specifications
- Benchmark datasets

---
# References
- Juan Cruz Martinez and Deepu K Sasidharan. *Auth0 Token Vault: Secure Token Exchange for AI Agents*. Auth0, October 9, 2025. [https://auth0.com/blog/auth0-token-vault-secure-token-exchange-for-ai-agents/](https://auth0.com/blog/auth0-token-vault-secure-token-exchange-for-ai-agents/). Accessed: February 2026.
- Venkiteela, Padmanabham. "The New Interoperability Paradigm Model Context Protocol (MCP), APIs, and the Future of Agentic AI." Comput. Fraud Sec 8.1 (2025): 1259-1271.
- Mohamed Amine Ben Haj Salah, Romain Laborde, Daniele Canavese, Abdelmalek Benzekri, Mohamed Ali Kandi, Afonso Ferreira. *XCId: An SSI-Based Cross-Cloud Identity Wallet*. In: *2025 IEEE Conference on Communications and Network Security (CNS)*.
- Aditi Singh, Abul Ehtesham, Mahesh Lambe, Jared James Grogan, Abhishek Singh, Saket Kumar, Luca Muscariello, Vijoy Pandey, Guillaume Sauvage De Saint Marc, Pradyumna Chari, et al. *Evolution of AI Agent Registry Solutions: Centralized, Enterprise, and Distributed Approaches*. arXiv preprint arXiv:2508.03095, 2025. [https://arxiv.org/abs/2508.03095](https://arxiv.org/abs/2508.03095)
- Sandro Rodriguez Garzon, Awid Vaziry, Enis Mert Kuzu, Dennis Enrique Gehrmann, Buse Varkan, Alexander Gaballa, Axel Küpper. *AI Agents with Decentralized Identifiers and Verifiable Credentials*. arXiv preprint arXiv:2511.02841, 2025. [https://arxiv.org/abs/2511.02841](https://arxiv.org/abs/2511.02841)