AUDREY
← Back to blog
FoundationsDec 2025

The Agent Trust Stack: Delegation → Enforcement → Receipts

The Agent Trust Stack: Delegation → Enforcement → Receipts

Autonomous agents are moving from "chatting" to "acting", placing calls, changing account settings, initiating workflows, and touching money. Once an agent can execute, trust failures stop being theoretical. They become outages, fraud events, compliance incidents, and support nightmares.

Most modern stacks were designed for two extremes:

  • humans using apps (interactive sessions, consent screens, predictable intent)
  • machines using APIs (service accounts, fixed quotas, stable behavior)

Agents are neither. They behave like humans at scale, and like machines with unpredictable intent.

The three failures that show up first

1) Delegation failure: authority without clear responsibility

In practice, agent authority is often implemented as:

  • a shared API key in an environment variable
  • a broad OAuth token minted for a service account
  • a "tool wrapper" that inherits developer credentials
  • a long-lived refresh token stored in a database

This creates ambiguity at the worst moment, after something goes wrong:

  • Which human authorized this authority to exist?
  • Was this agent meant to have that scope, or did it inherit it accidentally?
  • Was the agent acting for a user, a team, or "the system"?
  • If the same credentials are reused across agents, which one actually executed the action?

When attribution is unclear, incident response devolves into guesswork.

2) Enforcement failure: safe at login, unsafe at runtime

Even when identity looks "valid," many failures are behavioral and time-dependent:

  • retry loops that turn into traffic storms
  • sudden volumetric spikes (accidental or malicious)
  • high-risk actions repeated with slight parameter changes
  • prompt injection that redirects tools toward unintended targets
  • automation patterns that trip abuse, fraud, or spam systems

Most enforcement in typical systems is coarse and static:

  • rate limits at the edge, usually per API key
  • permission checks that assume requests are intentional
  • fraud checks tuned for humans, not autonomous workers

Agents frequently bypass the assumptions these controls rely on:

  • actions are triggered without a user session
  • sequences of actions can compound within seconds
  • errors amplify behavior (retries, fallbacks, alternate routes)

This is why systems "work fine" in small tests, then fail catastrophically at scale.

3) Audit failure: logs exist, but accountability does not

When agents touch real-world systems, disputes become common:

  • "Who approved this transfer?"
  • "Why did this email go out to these recipients?"
  • "Why did the agent call this list at this time?"
  • "Was this action triggered by a user, or by an autonomous loop?"

Traditional logs are not designed to answer these questions reliably because:

  • logs are distributed across vendors and services
  • correlation IDs are inconsistent or missing
  • timestamps drift and ordering is ambiguous
  • retention differs by system, some data is sampled or dropped
  • logs are writable by administrators, meaning integrity is disputable

The practical pain is not "lack of data," it is lack of a verifiable narrative.

Why existing identity tooling does not map cleanly to agents

IAM stacks like SSO and OAuth are strong at:

  • authenticating a user
  • authorizing an application
  • provisioning roles and group permissions

They struggle when the executor is an autonomous process that:

  • acts outside an interactive session
  • chains tools across multiple systems
  • needs fine-grained constraints per action type
  • produces outcomes that must be attributed to a human principal

This gap is why teams end up with fragile, ad hoc controls that break under real-world pressure.

The public consequence: infrastructure defaults to blocking

When accountability, enforcement, and auditability are weak, downstream systems respond with blunt instruments:

  • carriers label or block calls
  • banks freeze accounts or deny transactions
  • SaaS platforms throttle API clients
  • security teams disable integrations entirely

Legitimate automation gets treated like abuse because, from the outside, it is indistinguishable.

Conclusion

The agent economy is not constrained by model capability first. It is constrained by trust failure modes:

  • unclear delegation and attribution
  • weak runtime behavioral control
  • audit trails that cannot support disputes and incident response

Until those pain points are addressed at the ecosystem level, agents will continue to be blocked, flagged, and treated as hostile automation.