The Story
Enterprise agents stopped being cute demos when they started filing tickets, moving money, and editing documents on behalf of users. Every action is a delegation problem: who authorized it, for how long, under what constraints, and how do you revoke it when something goes wrong? Spring 2026 accelerates a pattern that security architects have advocated quietly for years: treat agent permissions like capability tokens—short-lived, narrowly scoped, auditable credentials—rather than like ambient superuser sessions wrapped in a chat UI. The terminology varies by vendor, but the shape is stabilizing: identity for the human, identity for the agent, a policy engine in the middle, and an event log that can reconstruct a chain of custody after an incident.
Why It Matters
Agents amplify mistakes and abuse. A phishing email that tricks a human is bad; an agent that autonomously executes ten downstream steps after a single bad approval is worse. Traditional role-based access control (RBAC) assumes relatively stable sessions and human-paced decisions. Agentic workflows violate those assumptions with burst activity, tool chaining, and ambiguous accountability. If security models do not adapt, organizations will either block agents entirely—leaving value on the table—or run them with excessive privilege—inviting catastrophic incidents. Capability-style delegation offers a middle path: enough power to be useful, enough structure to be governable.
Anatomy of a Capability Token
In mature designs, a capability token binds several ideas together. First, subject: which agent runtime and which user context initiated the request. Second, action family: read versus write, which API surface, which risk tier. Third, resource scope: a specific customer record, a repository, a calendar window—not “the whole org.” Fourth, time bounds: minutes or hours, not months. Fifth, step limits: how many tool calls may chain before reconfirmation is required. Sixth, proof of user intent: how the human approved the delegation—explicit click, step-up authentication, or policy-based pre-approval for low-risk classes.
Tokens should be non-transferable where possible: bound to a runtime attestation or workload identity so exfiltration is less useful. They should be auditable: each use writes a structured event with hashes linking to prompts, policies, and outcomes. They should be revocable: compromise response must be able to cut off a class of tokens without taking down the entire platform.
Human-in-the-Loop Without Theater
The worst version of human oversight is a modal that users click without reading. Better versions tie approvals to consequences: show what will change, show blast radius, and require step-up for irreversible operations. Policy engines can classify actions dynamically: summarizing email may be automatic, issuing a purchase order may require a second factor, deleting data may require a manager approval. Agents should inherit those classifications rather than inventing parallel paths that bypass enterprise controls.
Designers face a tension: too many prompts erode productivity; too few prompts erode safety. The emerging compromise is risk-budgeted autonomy. An agent may act freely within a daily budget of low-risk operations but must stop for explicit approval when cumulative risk crosses a threshold. This mirrors how corporate cards work: small purchases flow, large purchases escalate.
Multi-Agent Systems and Delegation Chains
When multiple agents collaborate, delegation chains multiply. Agent A may request a plan from Agent B, which calls tools on behalf of a user. Without explicit chain semantics, auditors see spaghetti. Mature platforms model delegation depth and intent propagation: each hop carries the original user context, policy constraints tighten rather than loosen down-chain, and cyclic delegation is forbidden. These are well-understood ideas from distributed systems; applying them to LLM agents is overdue.
Vendor Landscape and Interoperability Pressure
Large vendors integrate capability models into their suites because they own identity, productivity tools, and cloud APIs. Startups differentiate with specialized policy languages or vertical templates. Enterprises, however, want portable concepts even when implementations differ. They do not want five incompatible agent permission models across five products. That pressure pushes the industry toward de facto standards: shared claim names, shared risk taxonomies, and interoperable audit exports. Full standardization is slow; alignment on basics—token lifetime, scope encoding, revocation endpoints—moves faster.
Threat Model Updates
Attackers adapt quickly. Prompt injection attempts to coerce an agent into exfiltrating data or misusing tools. Capability tokens do not eliminate injection, but they limit blast radius if scopes are tight and step-up is enforced for sensitive tools. Supply-chain risk matters too: compromised plugins or tool adapters can abuse tokens. Runtime integrity checks, signed plugins, and separation of duties between planning and execution reduce exposure. Red teams report that the most dangerous failures combine over-scoped tokens with unbounded chaining: the agent can pivot from reading to writing without a new approval.
Operational Playbooks
Security operations centers need runbooks that speak agent language. When an alert fires, analysts must see: which token was used, which policies authorized it, which tools were invoked, and what data crossed boundaries. Traditional logs that only show HTTP status codes are insufficient. Organizations should invest in correlation IDs that stitch LLM traces to downstream API calls without storing excessive prompt content in insecure logs. Privacy teams must be involved: logging everything can violate commitments even when security wants visibility.
Outlook
Expect capability tokens to become as ordinary as OAuth scopes—initially messy, eventually boring. Boring is the goal. When delegation is explicit, security teams say yes more often because risk is measurable. When delegation is implicit, they say no, and innovation stalls.
Signals Worth Watching
Adoption of workload identity for agent runtimes, frequency of step-up prompts in production telemetry, mean time to revoke compromised tokens, and enterprise procurement language requiring “scoped, short-lived agent credentials.” Those metrics tell you whether governance is catching up to capability.
Bottom Line for Leaders
If your agent roadmap assumes “we will use the user’s existing SSO session,” you are likely under-modeling risk. Upgrade the conversation from authentication to delegated authorization with explicit scopes, expirations, and auditability. That single shift separates experiments from systems you can defend in front of a board after an incident.
Treat agent permissions as living policy: review scopes quarterly, tighten defaults after incidents, and never let “temporary” elevated access become permanent because a launch deadline made exceptions convenient.