The Problem with Ambient Authority in Multi-Agent Systems
There's a concept in computer security called the "confused deputy problem." A program with elevated privileges gets tricked into misusing those privileges on behalf of a less-privileged caller.
Multi-agent AI systems have this problem everywhere. And almost nobody is talking about it.
Consider a typical setup: an orchestrator agent has access to a code execution tool, a deployment tool, and a database tool. It delegates tasks to specialized agents. Those agents inherit the orchestrator's full tool access — not because someone made a security decision, but because that's how the framework works.
Agent A asks the orchestrator to "update the config." The orchestrator has deployment access. So it deploys. Was Agent A authorized to trigger a deployment? Nobody checked. The orchestrator was authorized, and that was enough.
This is ambient authority. Agents operate based on what they can reach, not what they've been explicitly permitted to do.
The fix isn't to restrict agent capabilities — that defeats the purpose of autonomous agents. The fix is to make authority explicit.
Every action should require a scoped token. That token should specify exactly what the agent can do, for how long, and whether it can delegate that authority to others. If the token doesn't cover the action, the action fails.
This is the core idea behind PACT5's authority model. Not restricting agents. Making their authority visible, scoped, and revocable.
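To make the idea concrete, here is a minimal sketch of a scoped-token check. It is an added illustration, not PACT5's code or API: the function names, the HMAC-signed JSON token format, and the demo key are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # assumption: secret held only by the token issuer

def _sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def mint(agent, actions, expires_at, delegable=False):
    """Issue a token naming who may do what, until when, and whether it can be passed on."""
    claims = {"agent": agent, "actions": sorted(actions),
              "exp": expires_at, "delegable": delegable}
    return {"claims": claims, "sig": _sign(claims)}

def authorize(token, agent, action, now=None):
    """True only if the token is authentic, unexpired, bound to this agent, and covers the action."""
    now = time.time() if now is None else now
    c = token["claims"]
    if not hmac.compare_digest(token["sig"], _sign(c)):
        return False  # claims were altered after issuance
    return c["agent"] == agent and now < c["exp"] and action in c["actions"]

def delegate(token, holder, to_agent, actions, now=None):
    """Issuer-side attenuation: the derived token is never wider or longer-lived than its parent."""
    c = token["claims"]
    if not c["delegable"] or not all(authorize(token, holder, a, now) for a in actions):
        raise PermissionError("token does not permit this delegation")
    return mint(to_agent, actions, c["exp"], delegable=False)

def orchestrator_deploy(caller, token, now=None):
    """The orchestrator checks the caller's token, not its own reach, before acting."""
    if not authorize(token, caller, "deploy", now):
        raise PermissionError(f"{caller} holds no authority for deploy")
    return "deployed"
```

With a token scoped to config reads and writes, Agent A's "update the config" request can no longer turn into a deployment: `orchestrator_deploy` fails because the token does not cover `deploy`, regardless of what the orchestrator itself can reach.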
We'll go deeper into the token model in a future post. But the principle is simple: implicit trust doesn't scale. Explicit authority does.