TL;DR: When Claude Code subagents call MCP tools, permission ownership can drift away from the parent session, creating gaps between token context, approval surfaces and runtime authority, according to PermitIO. The key security failure is assuming delegated actors can safely inherit access when access review, consent and tool intent all need to be re-evaluated per call.
NHIMG editorial — based on content published by PermitIO: When AI Subagents Call MCP Tools, Who Owns the Permission Decision?
Questions worth separating out
Q: How should teams govern MCP subagents that call sensitive tools?
A: Treat each subagent as a delegated identity with its own runtime authorisation decision.
Q: Why do parent agent permissions not safely extend to subagents?
A: Because parent continuity is not identity continuity.
Q: What breaks when MCP security depends only on an allowlist?
A: The allowlist tells you which servers are reachable, but not whether a specific tool call is authorised for this child, this action and this consent state.
Practitioner guidance
- Separate tool reachability from runtime authorisation: Treat the MCP server allowlist as connectivity only.
- Bind credentials to the delegated child principal: Disable silent token inheritance by default and issue child-bound credentials with short effective TTLs whenever a subagent is approved for a specific action window.
- Log delegated approval and execution as two records: Store the approval decision, approver, token binding, policy version and outcome separately from the execution metadata so incident response can prove legitimacy and impact.
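The three points above combined into one per-call gate, as an added example that is not PermitIO's code or part of the original post. All names, the policy table and the sample principals are hypothetical and constructed for illustration.

```python
import time
import uuid
from dataclasses import dataclass

ALLOWED_SERVERS = {"tickets-mcp"}   # reachability only (constructed value)
POLICY_VERSION = "v1"               # constructed value
# (child, server, tool) -> does the call need explicit consent? (constructed policy)
POLICY = {("subagent-triage", "tickets-mcp", "read_ticket"): False,
          ("subagent-triage", "tickets-mcp", "close_ticket"): True}

@dataclass(frozen=True)
class ChildGrant:
    """Credential bound to one child principal and one tool, with a short TTL."""
    grant_id: str
    child: str
    server: str
    tool: str
    expires_at: float

approval_log, execution_log = [], []   # two separate record streams

def approve(child, server, tool, approver, consent, ttl=60, now=None):
    """Runtime decision for this child, this action and this consent state."""
    now = time.time() if now is None else now
    needs_consent = POLICY.get((child, server, tool))   # None: no rule, so deny
    allowed = (server in ALLOWED_SERVERS and needs_consent is not None
               and (consent or not needs_consent))
    grant = (ChildGrant(str(uuid.uuid4()), child, server, tool, now + ttl)
             if allowed else None)
    approval_log.append({"child": child, "server": server, "tool": tool,
                         "approver": approver, "policy_version": POLICY_VERSION,
                         "token_binding": grant.grant_id if grant else None,
                         "outcome": "permit" if allowed else "deny", "ts": now})
    return grant

def execute(caller, server, tool, grant, now=None):
    """Call-boundary check: the grant must match caller, server, tool and TTL."""
    now = time.time() if now is None else now
    ok = (grant is not None and grant.child == caller and grant.server == server
          and grant.tool == tool and now < grant.expires_at)
    execution_log.append({"caller": caller, "server": server, "tool": tool,
                          "grant_id": grant.grant_id if grant else None,
                          "executed": ok, "ts": now})
    return ok   # the real MCP tool call would run only when this is True
```

A reachable server is not enough here: a tool with no rule for that child is denied, and a grant issued to one child fails at the call boundary when another principal presents it or after it expires.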
What's in the full article
PermitIO's full blog covers the operational detail this post intentionally leaves for the source:
- The delegated approval event schema and audit contract used to make subagent decisions portable across systems.
- The implementation blueprint for a brokered authorisation path with bounded token issuance and explicit escalation.
- The design distinctions between token inheritance, token brokering and runtime authorisation in MCP workflows.
- The control-plane implementation pattern for enforcing child-specific rules at every MCP call boundary.