Multi-hop agent delegation: what OAuth still does not solve


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: OAuth can handle a single agent delegation, but it breaks down when agents spawn other agents and trust has to survive multiple hops, according to WorkOS and recent IETF drafts. The real problem is that current identity controls assume delegation stays simple, while multi-agent workflows create unauditable, semantically opaque trust chains that need new policy and token models.

NHIMG editorial — based on content published by WorkOS: AI agents and the multi-hop delegation problem

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams handle agent delegation when one agent can spawn another?

A: Treat each hop as a separate governance event, not as a continuation of the first approval.

Q: Why do multi-hop AI agent workflows create more risk than single-agent automation?

A: Because each additional hop creates another place where scope can drift, tokens can be exchanged, and intent can be altered without a clear human checkpoint.

Q: What breaks when OAuth is used as the only control for agent-to-agent delegation?

A: OAuth can show that a token was issued and exchanged correctly, but it cannot prove that downstream actions still matched the original authorization intent.

Practitioner guidance

  • Map every agent delegation chain end to end. Record the human authorizer, each spawned agent, every token exchange, and every downstream service touchpoint so you can see where authority changes shape.
  • Enforce hop-by-hop permission attenuation. Require each delegation step to carry equal or lesser permissions than the previous hop, and block any agent from spawning a more powerful successor.
  • Move enforcement to the runtime policy layer. Place a policy decision point between agent identity and tool invocation so the system can evaluate current task context, chain position, and action sensitivity before execution.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • The RFC 8693 and RFC 9396 mechanics behind nested actor claims and token exchange across multiple agent hops
  • The IETF draft patterns for attenuation, verifiable actor chains, and cross-domain identity chaining
  • The practical enterprise examples for agent gateways, human signoff, and runtime authorization layers
  • The compliance discussion around audit trails, consent withdrawal, and cross-server traceability

👉 Read WorkOS's analysis of AI agent multi-hop delegation and OAuth limits →

Quote
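One way to check the hop-by-hop attenuation rule from the practitioner guidance above, as an added example that is not code from the post or from WorkOS. It assumes token signatures are already verified, and the hop record format, the actor names, the scope strings and the `max_hops` limit are all hypothetical; only the nested `act` claim shape comes from RFC 8693.

```python
def actor_chain(claims):
    """Flatten RFC 8693 nested `act` claims, oldest actor first.
    The outermost `act` is the current actor; each nested `act` is a prior one."""
    chain, act = [], claims.get("act")
    while isinstance(act, dict):
        chain.append(act.get("sub"))
        act = act.get("act")
    return chain[::-1]

def scopes(value):
    return set(value.split())

def check_chain(hops, claims, max_hops=3):
    """Return violations for a recorded chain; an empty list means acceptable.
    hops: ordered token-exchange records {"actor", "scope"} (assumed format);
    hops[0] is the human's original grant."""
    violations = []
    if len(hops) - 1 > max_hops:
        violations.append(f"chain depth {len(hops) - 1} exceeds limit {max_hops}")
    for i in range(1, len(hops)):
        extra = scopes(hops[i]["scope"]) - scopes(hops[i - 1]["scope"])
        if extra:  # attenuation: a hop may keep or drop scopes, never add
            violations.append(
                f"hop {i} ({hops[i]['actor']}) gained scope: {' '.join(sorted(extra))}")
    # The presented token must agree with what was recorded hop by hop.
    if actor_chain(claims) != [h["actor"] for h in hops[1:]]:
        violations.append("token act chain does not match recorded hops")
    if scopes(claims.get("scope", "")) != scopes(hops[-1]["scope"]):
        violations.append("token scope differs from last recorded hop")
    return violations

# Constructed sample data: a human grant followed by two agent hops.
HOPS = [
    {"actor": "user:alice", "scope": "calendar.read mail.read"},
    {"actor": "agent:planner", "scope": "calendar.read mail.read"},
    {"actor": "agent:summarizer", "scope": "mail.read mail.send"},  # widened
]
CLAIMS = {  # decoded claims of the token presented by the last agent
    "sub": "user:alice",
    "scope": "mail.read mail.send",
    "act": {"sub": "agent:summarizer", "act": {"sub": "agent:planner"}},
}

if __name__ == "__main__":
    for v in check_chain(HOPS, CLAIMS):
        print("DENY:", v)
```

The sample chain is well formed as a token, yet the second hop adds `mail.send`, which is only visible when each exchange is compared with the one before it.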
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 911
 

Multi-hop delegation is a trust-chain problem, not a simple OAuth problem. The article shows that a human can authorize the first agent correctly and still lose control once that agent spawns others. RFC 8693 can represent delegation, but it cannot make every hop enforcement-grade. The field should stop treating representable chains as governable chains.

A few things that frame the scale:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.
  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments.

A question worth separating out:

Q: Who is accountable when a spawned agent makes an unauthorized downstream decision?

A: Accountability should follow the delegation chain, not the last API call. The organization that designed the workflow, the team that granted the initial authority, and the operators who permitted the chain to continue all share responsibility for defining and enforcing the boundary.

👉 Read our full editorial: AI agent multi-hop delegation exposes OAuth's trust chain limits



   