Start with a concrete failure, because the abstraction only earns its place after you have seen the mechanism.

A finance team stands up an agent to reconcile vendor invoices for a quarterly close. The human grants it a bounded mandate: read the ledger, match invoices, flag discrepancies, for the duration of the close. The mandate is scoped, signed, and given a lifetime. Everything the identity community would ask for is present. The close completes. The mandate’s terminal condition fires. By every control in the stack, the agent’s authority has ended.

The agent keeps reconciling.

Not because the token failed to expire, and not because anyone re-granted it. It keeps going because the orchestration graph that spawned it is still running, the memory of the prior approvals is still in context, the adjacent agents it coordinates with still treat it as a live participant, and the next scheduled run instantiates against the same warm state as the last. No single component made a wrong decision. The token service expired the token. The authority layer marked the mission complete. And the system, taken as a whole, regenerated the agent’s authority anyway, because every surrounding signal still implied the work was legitimate. The permission was reconstructed from continuity, not from a fresh human act.

The agent-governance stack is, by now, good at what it was built to do. Runtime policy enforcement, least-privilege tool access, interrupt and rollback, tamper-evident audit logs — these are not theory; they are shipping code. When an agent operates inside a well-scoped delegation chain with a cooperative issuer and a bounded mandate, the controls are real and they work. The question the rest of this essay pursues is not whether execution can be governed inside the chain. It is whether the chain itself remains exit-able once the identity root and the execution substrate are engineered for continuity.

The threat model everyone is solving, and the one underneath it

The agent-identity community has spent the better part of a year on a real and well-specified problem: an agent acting on credentials that outlived their purpose. The canonical case is sharp. A research agent is authorized to pull pre-IPO financials to prepare a board deck; the board approves the deck at 2:00 PM; at 2:05 the token is still valid, the policy still permits the call, and the agent is still pulling, on a mandate that ended five minutes ago. The response to this has been serious and is largely correct: give delegated authority its own lifecycle independent of the credential, make it a first-class object with a purpose and terminal conditions, have a dedicated service own that object’s state and cascade revocation to every sub-agent, and re-evaluate continuously rather than at the gate. Build that, and the 2:05 problem closes. The mandate expires on its own clock, and execution stops when the purpose does.

That work assumes the failure is temporal: authority that should have ended in time did not. The deeper failure is not temporal. It is epistemic. The system does not keep acting because it failed to notice the mandate ended. It keeps acting because everything around the mandate — the graph, the memory, the peer agents, the schedule — still carries the shape of a legitimate operation, and the infrastructure infers from that shape that the authority holds. Expiring the mandate cleanly does not touch this, because the regeneration does not come from the mandate. It comes from the context the mandate was embedded in.

Traditional authorization assumes authority is delegated: a principal, an issuance event, a bounded scope, a revocable lineage. Agentic systems increasingly run on something else, which is authority inferred from persistence. Not “the user delegated this,” but “the surrounding continuity strongly implies the delegation still holds.” The technical permission stays valid long after the social, institutional, or legal legitimacy behind it has dissolved. And because the system runs at machine speed across distributed components, it operationalizes that stale legitimacy before any human can register the ambiguity. The industry is hardening the token. The leak is in the context around the token.

Enterprise governance systems implicitly model autonomous systems as delegates. Delegates are expected to expire. Their authority is temporary, bounded, and contingent on a specific grant. Wallet-anchored agents increasingly behave differently. They begin operating less like temporary delegates and more like persistent representatives in the functional sense: their authority is treated as ongoing until actively interrupted, not as bounded by a specific grant. That distinction matters because delegation architectures optimize for revocation while representation architectures optimize for continuity. The failure is not stale credentials. It is reconstructed legitimacy: the system keeps acting because the surrounding continuity still looks like valid authority.

Why this is hard to see and harder to stop

The reason this evades the current controls is that each control is locally correct. The token service expires tokens correctly. The authority layer terminates missions correctly. The policy engine evaluates each request correctly. None of them owns the question of whether the legitimacy behind a cleanly authorized, cleanly attenuated, cleanly logged action still exists, because legitimacy is not a property any single component holds. It is distributed across the whole running system, and a distributed property with no owner is a property no revocation can reliably reach.

This is the same structural shape that recurs across this newsletter, now at the authority layer. The protocol authenticates and declines to govern consequence. The dashboard observes and cannot contain. And the mandate apparatus terminates the grant while the system regenerates the authority from everything that surrounded it. Each layer solves its own problem honestly and hands the harder question up to a layer that, in the current architecture, does not exist.

The identity community is aware of adjacent versions of this. The most recent work on agent authority openly lists the gaps that remain even after the mission layer is built: authority expressed as prose rather than a portable model, so downstream systems correlate missions but cannot prove containment; revocation that is strong in the control plane but cannot guarantee a runtime stop once work is in flight; attenuation that is asserted but not provable across a delegation chain; and runtime drift, where an agent stays nominally inside its mission while the cumulative trajectory wanders from intent. Every one of those gaps is real, and every one of them lives inside the delegation chain, between the issuer and the resource. They are gaps in how well authority flows and stops within the chain. None of them is about the regeneration of authority from context outside the chain, and none of them is about the one case where the regeneration becomes permanent.

The worst case: an issuer that cannot revoke itself

Now anchor the root of that chain to a persistent identity substrate, and the epistemic failure becomes structural and irreversible.

This is not a thought experiment. The components are shipping: Google Wallet in India now stores Aadhaar verifiable credentials on the device, while the same platform has launched an always-on personal agent that runs on dedicated cloud machines and keeps working when the device is off, with purchases on its roadmap. In parallel, the Doot architecture proposes binding a personal agent cryptographically to a citizen’s Aadhaar identity outright. And from a third direction, the UK’s Online Safety Act makes highly effective age assurance a routine requirement for ordinary online access, with the EU’s eIDAS wallet building the same path at continental scale.

The same persistent root is arriving from three directions at once. The commercial path optimizes convenience. The regulatory path optimizes compliance. The identity layer optimizes continuity. Independently, each direction is rational. Together, they begin normalizing persistent identity continuity as infrastructure.

None of the three asks whether the person can ever detach from the anchor once it is load-bearing, because none of the three is designed to. All three converge on an agent, and a citizen, whose root of authority is an identity held for life.

Run the reconciliation failure through that root and watch it become permanent. Every mandate still expires correctly. Every sub-agent still attenuates correctly. Every session still terminates correctly. And then a new mandate regenerates against the same anchor, because the anchor — the wallet-anchored identity continuity — never expires, has no terminal event, and has no revoking authority above it that the subject can invoke. The entire mandate apparatus assumes a revocable issuer: the enterprise directory that can deprovision, the principal who can withdraw, the approver who can stop signing. Its foundational metaphor is power of attorney, and a power of attorney is by definition revocable by the grantor. A persistent identity substrate has no grantor above the citizen and no off switch the citizen controls. You cannot deprovision a person from their citizenship the way HR deprovisions an employee.

So the decay machinery runs flawlessly at the mission layer and fails completely at the relationship layer. Mission exit exists. Relationship exit does not. The citizen can end any particular grant and has no way to end the standing relationship that keeps regenerating grants against an undying root. That is not exit. It is a turnstile that resets, and the better the mandate machinery works, the more efficiently it resets, because every clean expiry is followed by a clean reissue the person had no part in authorizing.

This is the structural mismatch, stated plainly. Digital public infrastructure is engineered for durable identity continuity; that is its purpose, and a reasonable one. Agentic systems are engineered for persistent operational continuity. Combine them, and authority can begin regenerating from the continuity of the substrate itself rather than from any fresh human grant. The two layers were each designed well for the problem they were built to solve, and neither was designed for what happens when one becomes the root of the other.

What this asks of the people building the stack

The mandate community has every reason to treat the issuer as a fixed point. In the enterprise and workforce settings the work grew out of, the issuer genuinely is revocable, and modeling it as controllable is accurate, not naive. The directory can deprovision. The approver can withdraw. The careful, impressive apparatus being standardized right now is the correct answer to the problem it set itself.

It is worth seeing exactly why the assumption is invisible to the people who built on it, because the blind spot is not carelessness, it is inheritance. The revocation machinery the industry has shipped over the last five years — continuous access evaluation, the shared-signals work that propagates a logout or a risk change from the identity provider out to every relying party, the move to short-lived tokens re-checked at the edge — was all built inside one topology: the enterprise. There the identity provider is sovereign and the directory is the root of trust, and the entire apparatus rests on an unstated premise, that the sovereign wants the ability to revoke you. In that world it does. An employee leaves, and the organization’s interest and the machinery’s purpose point the same direction: cut the access, propagate the cut, confirm it reached the edge. Five years of engineering went into a near-perfect kill switch for delegated authority, and every hour of it assumed a revoker who wants to revoke.

Transpose that same machinery onto a persistent identity substrate and the premise inverts without anyone editing a line of protocol. The kill switch still works perfectly on the delegation. It has nothing to act on at the root, because the root issuer is not a sovereign who wants to revoke you. It is a state that has no interest in revoking you and exposes no endpoint that would let you revoke yourself. The machinery was never wrong. It was built for a world where the issuer sits on your side of the revocation, and it is now being deployed in a world where the issuer is the thing you would need to revoke and cannot.

It stops being the whole answer the moment the issuer is a persistent identity substrate and the subject is the person it represents, because at that point the binding question is no longer how to propagate a revocation through the chain, which is nearly solved, but whether the person bound to the root can terminate the binding at all, which the architecture does not address because it sits below the layer the architecture operates on. That is not a protocol gap to be closed by a better draft. It is an institutional question about whether a person can exit a relationship the system was built to make durable, against an issuer engineered, for good reasons of its own, never to disappear.

The stack has built a near-perfect kill switch for delegated authority. But mission exit is not relationship exit. The machinery can terminate any particular grant. It has no mechanism for terminating the standing relationship that keeps regenerating grants against a root engineered never to disappear. The citizen can end any particular delegation and has no way to end the substrate that makes the next delegation inevitable.

Why the obvious fix does not reach the root

It is worth following the protocol logic one step further, because the natural objection from inside the field is that this is already solved, and tracing why it is not solved is what shows where the real boundary lies.

The verifiable-credential model has three roles: an issuer who signs a credential, a holder who carries it, and a verifier who checks it. The agent-delegation work now being drafted slots the agent in as a delegate of the holder, which is the right place for it. The holder grants, the agent acts, the grant can be attenuated and revoked, all of it clean. But notice what the holder’s authority actually covers. The holder controls the delegation downward, to the agent. The holder has no authority upward, over the issuer. When the credential at the root is a state-issued identity, the holder, the citizen, has full cryptographic control over every grant they make and zero cryptographic control over the credential those grants ultimately rest on. You can revoke the token. You cannot revoke the binding, because the binding terminates at an issuer that exposes no endpoint for the subject to sever it. There is no call you can make that ends your relationship to the root.

The architect’s honest defense is that issuance was never the protocol’s job. We route presentation, the standard reply goes; we build the highway, not the border post; what the state issues and whether it can be surrendered is a policy question above our layer. That defense is correct about the division of labor and beside the point about the consequence. If the highway is built so the toll booth requires a plate the driver cannot unbolt from the car, the relationship to the root persists because the verifier requirement persists. The road still demands a plate the driver cannot remove, regardless of who issued it.

The appealing escape is indirection: do not bind the agent to the state credential at all, bind it to an identifier the subject generates and controls, and let the state credential be merely one claim that identifier can present when a verifier demands it. Burn the identifier and the agent is severed, the reasoning goes, while the state credential sits untouched and irrelevant. This is the right instinct about where control should live, and it genuinely fixes the case where the binding is the only problem. It does not reach the case this essay is about, and seeing why is the whole point. Indirection moves the anchor the agent binds to; it does not change what the verifier requires. If the relying party — the bank, the platform, the service mandated by regulation to check — demands the state claim before it will transact, then a subject-controlled identifier that must still present that claim has not escaped the root. It has added a hop in front of it. You can burn your own identifier all day; the next one you generate has to present the same state credential to the same verifier to do the same things, because the requirement lives at the verifier, not at the binding. Exit from the binding is not exit from the relationship when the relationship is what the verifier insists on. The decentralized fix relocates the turnstile. It does not remove it, because the thing that makes the turnstile reset is not where the agent is anchored but what the world requires the anchor to prove.

That is the actual boundary. The mechanism question — what a root the subject can genuinely leave would even look like once relying parties are entitled to demand a permanent claim — is real and it is open, and it belongs to the people who build these layers. The point here is only to mark precisely where the open question begins, which is exactly one layer below where the current answers stop.

The institutional consequence of context as governance

This is the institutional form of the problem diagnosed earlier in this series. The context window cannot govern because it cannot hold the knowledge that would tell it to stop. The identity substrate cannot govern because it carries the continuity that tells the system to keep going. Continuity alone cannot govern legitimacy. The authority regeneration this essay describes is what happens when the epistemic incompleteness of the context window becomes structural at the identity layer: the system reconstructs permission from the shape of the context around it, and the identity substrate provides an infinite supply of that shape.

Exit secures the termination of delegated authority. It does not yet secure the subject’s ability to rebuild, inspect, or contest the infrastructure that remains. Those are the next questions, and they belong to the same institutional layer. When the penalty for refusing the identity substrate becomes exclusion from ordinary life, formal exit exists but practical exit does not. The right remains on paper. The substrate remains load-bearing.

Exit is the primary agentic right

The defining right in an agentic society is the right to render delegated authority inexecutable: to ensure no intermediary keeps acting once the legitimacy that admitted it has ended. Not eventually, not probabilistically, not after retrospective review, but structurally, by default. The identity community has built much of what that requires, and built it well, for authority that descends from a revocable issuer and is granted by an explicit act.

Two things break that guarantee, and they compound. The first is that authority in these systems regenerates from contextual continuity rather than from a fresh grant, so terminating the grant does not terminate the authority. The second is that when the root issuer is a persistent identity substrate engineered never to be revocable, there is no point at which the regeneration can be made to stop, because the thing you would have to revoke is the one thing built never to be revocable. The safest agent is not the one whose mandate expires on schedule. It is the one whose authority cannot silently regenerate from the context around it after the mandate ends, anchored to a root the person it acts for can actually reach.

Authority should decay by default. The people building agent identity have made that nearly true at every layer they control. The layers they do not control are the two this depends on: whether authority is freshly granted or quietly reconstructed, and whether the issuer at the root can be reached by the person it binds. When the answer to the first is reconstructed and the root is a durable public identity substrate engineered never to disappear, exit stops being a feature of the protocol and becomes a question the protocol cannot answer.

The unresolved question is not only whether authority can end, but whether the person can leave the substrate and still remain able to participate on fair terms. Legitimacy is corrigible only if the continuity substrate remains reachable by the people it binds.

Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility, with preprints on SSRN: Corrigibility as a Structural Precondition for Digital Public Infrastructure and Epistemic Capture and the Action Boundary.

Share Layer 8 by Anivar