An Agent Should Have Less Authority Than the Person Who Sponsors It

Automation should narrow delegated power. It should not inherit every credential, exception and relationship available to the human who configured it.

The answer

The dangerous shortcut in agent design is to give the system the sponsor’s account. It is fast, compatible and institutionally absurd. A human’s authority is surrounded by judgement, social accountability, employment duties and the ability to recognise that the situation is strange.

The dangerous shortcut in agent design is to give the system the sponsor’s account. It is fast, compatible and institutionally absurd.

A human’s authority is surrounded by judgement, social accountability, employment duties and the ability to recognise that the situation is strange. An agent has none of those by default. Giving it identical technical access creates authority without the human context that justified it.

Delegate the task, not the identity

An agent should receive a purpose-specific identity, the minimum data and tools required, transaction limits, prohibited actions, an expiry and a named sponsor. Its actions should be distinguishable from the human’s.

Reserve powers the agent cannot exercise

- Create or alter its own permissions.

- Change recovery methods or identity evidence.

- Approve its own output or exceptions.

- Move irreversible value beyond a narrow threshold.

- Delete the evidence required to reconstruct its activity.

For higher-consequence workflows, the agent may prepare an action but a person or separate control executes it. The reviewer must see the actual consequence, not a vague “continue” button.

The position

The sponsor remains accountable, but accountability is not a control if the system can act too quickly to interrupt. Technical authority must be narrower than personal authority, and it must shrink further as autonomy rises.

An agent that inherits a human’s full account is not a colleague. It is an unbounded copy of their access without their life.

Sources

  1. NIST Zero Trust ArchitectureNIST Zero Trust Architecture

    Primary authority

  2. NIST — AI RMF Generative AI ProfileNIST

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry
An AI Agent Should Have Less Authority Than Its Sponsor