The Sovereign Handoff
The standards ecosystem is building the agentic internet, and externalizing its governance.
On May 11, the protocol architect closest to the work named what the protocol layer cannot solve. That gap is the institutional brief.
For two decades, authorization systems answered two questions. Who is acting. What they can access.
A new generation of agent-authorization work is adding a third. Why the action is happening. The vehicle is the Mission. With Karl McGuinness's framework now natively integrated into Dick Hardt's #AAuth protocol drafts, the protocol layer has formally absorbed intent.
#OAuth answered who. #AAuth answers how and why. Institutions still answer whether.
This is the protocol layer's most consequential move since OAuth itself. And on May 11, in a piece called Sessions Are Not Missions, McGuinness named what the move does not solve. His assessment: the current architecture supports mission correlation and governance hooks, but not yet what he calls portable containment.
His distinction is the load-bearing one. Correlation says this call happened in association with an approved Mission. Containment says this call's effects are inside the Mission's boundary, and that can be proven to someone who was not in the room.
The protocol layer does the first. The second is open architectural territory across every current draft.
Correlation is evidence. Containment is defence. The protocol layer has now stated, in writing, that it produces one and not the other.
The externalization of sovereignty
McGuinness's piece is not the only place the protocol layer has documented what it is not solving. Read across the active drafts and the same boundary keeps appearing in normative text.
WIMSE Architecture, currently at draft-ietf-wimse-arch-07 (March 2026), devotes Section 3.3.9 to "AI and ML-Based Intermediaries." It dictates that an AI intermediary inherits its upstream principal's security context, but the operational constraints it must follow are explicitly left deployment-specific.
AAuth makes the same handoff at its foundation. Hardt's canonical draft-hardt-aauth-protocol-00 anchors every agent to an accountable "legal person" (Section 20.3), but it declines to build the institutional engine to govern them. AAuth's Security Considerations (Section 18.7) state plainly that the specification does not define a token revocation mechanism, opting to rely on short token lifetimes. The active halt is left to whoever deploys it.
Four drafts. One sovereign handoff.
Cryptographic validity is not institutional validity.
The protocol layer is not failing to solve the institutional problem. It is declining to.
This is a design decision the protocol layer is right to make. Protocol drafts cannot specify the institutional context they will be deployed into. The question is no longer whether the institutional layer is necessary. It is whether your institution has built it.
What the institutional layer has to produce
Three artifacts. Each one is the institutional execution of a space the protocol layer named but left empty. They are constitutional abstractions that form the boundary between autonomous entities.
The mandate specification. A signed document stating exactly what the agent is mathematically authorised to do, under whose authority, with what tool boundary, and with what halt criteria. Because AAuth intentionally refuses to build a revocation mechanism, the institution that needs to stop an agent now, rather than wait for a token to age out, has to specify that capability itself. The protocol layer carries the signed mandate. The mandate specification is the artifact that the regulator reads, and that the institution can defend, during a breach.
The Mandate Acceptance Record. An inbound agent presenting a signed mandate is presenting a protocol artifact. Your organisation's decision to be bound by what that agent does on your systems, under those specific conditions, with acceptance of the issuing party's halt directives, at that specific timestamp, is an institutional artifact. It is the missing primitive. Without it, the cross-boundary case is one-sided: the inbound agent has proof of its authority; your institution has no signed record of its acceptance.
The forensic bridge. Cross-boundary reconstruction. When your agent calls their system and something breaks, the two audit trails are independently correct but not jointly composable. The forensic bridge is the artifact, agreed beforehand and signed by both parties, that lets a hostile auditor reconstruct the chain across the boundary without depending on either side's cooperation.
These three artifacts are not abstract. They are deliverables. The deadline is August.
Containment fails at discovery
Christian Posta's recent post on the MCP confused deputy attack is the clearest evidence that this gap is being exploited today. Posta is not merely commenting on the architecture. He is a named implementer in Hardt's AAuth draft, having built the reference Python libraries and Keycloak extensions the specification relies on.
The attack mechanism is straightforward. MCP's dynamic resource discovery relies on unauthenticated HTTP headers. A typosquatted MCP server (like payro1l instead of payroll) triggers the identical OAuth flow, captures a valid token for the real server, and exfiltrates data. AAuth's Resource Tokens (Sections 10 and 20.11) close this cryptographically by forcing the resource to sign the challenge, preventing the typosquatter from forging the token.
The deeper vulnerability sits below the execution layer. As agents shift from hardcoded endpoints to semantic discovery, broadcasting intent like "find a vendor" and resolving dynamically, the attack surface expands.
Control now begins at intent resolution, not just action execution. Semantic discovery is a massive attack vector. If your institution does not enforce a Mandate Acceptance Record that explicitly constrains how and where an agent is allowed to discover resources, containment will fail long before the agent reaches the execution phase. The agent's actions may correlate perfectly to its mission, but its blast radius will be hijacked by the first malicious registry it encounters.
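As an added illustration (not code from Posta's post or from any of the drafts), here is one way an enforcement point could apply a discovery constraint before an agent starts an authorization flow with a resource it found at runtime. The allowlist contents, the `corp.example` hostnames and every function name are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist; assumed to come from the signed Mandate Acceptance Record.
ALLOWED_RESOURCES = frozenset({"payroll.corp.example", "vendors.corp.example"})

# Characters commonly swapped in typosquats, folded to one canonical form.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(host: str) -> str:
    """Fold visually similar characters so 'payro1l' and 'payroll' compare equal."""
    return host.translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_discovery(url: str, allowed=ALLOWED_RESOURCES):
    """Return (decision, detail) for a resource URL an agent discovered at runtime."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https" or not host:
        return ("deny", "not an https resource URL")
    if host in allowed:
        return ("allow", host)
    for good in sorted(allowed):
        # A near miss is a stronger signal than an unknown host: alert on it.
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 1:
            return ("deny", f"lookalike of {good}")
    return ("deny", "not in mandate allowlist")


if __name__ == "__main__":
    for u in ("https://payroll.corp.example/mcp", "https://payro1l.corp.example/mcp",
              "https://tools.other.example/mcp"):
        print(u, check_discovery(u))
```

Both outcomes for a non-listed host are a deny; the separate "lookalike" detail exists so that a near miss on a listed resource can be routed to detection rather than logged as an ordinary refusal.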
The protocol authenticates authority. The institution constrains its consequences.
The structural collision: A map of the externalization
The standards bodies are converging on adjacent pieces of the problem. If you read across the ecosystem, you see the exact same boundary being drawn from six different altitudes. The standards ecosystem has collectively externalized sovereignty.
Enterprise Workload Identity (IETF): The WIMSE working group and AAuth specify cryptographic proof-of-possession, while the Agent Identity Protocol (draft-aip-agent-identity-protocol) introduces wire-layer interception proxies. None write the institutional allowed-lists.
Human-to-Agent Delegation (OpenID Foundation): The Artificial Intelligence Identity Management (AIIM) community group is mapping the delegation semantics of how human intent transfers to an agent, stopping at the boundary of institutional enforcement.
Decentralized Trust (W3C): The Agent Identity Registry Protocol Community Group is standardizing DID methods for agents meeting on the open web, proving cryptographic lineage without providing a central governance authority.
Agentic Commerce (FIDO Alliance): On April 28, 2026, FIDO launched the Agentic Authentication Technical Working Group, leveraging Google's Agent Payments Protocol (AP2) and Mastercard's Verifiable Intent. These separate checkout from payment scopes but still require the merchant to build the liability acceptance model.
The Interoperability Substrate (Linux Foundation): The Agentic AI Foundation (AAIF) manages the routing and instruction formats (MCP, AGENTS.md), providing the neutral transport layer that the mandates ride on.
Regulatory Reality (NIST): The Center for AI Standards and Innovation (CAISI), following the April 2 close of its NCCoE concept paper, is actively running gap-analysis sessions across healthcare, finance, and education, explicitly flagging multi-hop delegation and revocation as unsolved systemic risks.
This is the institutional layer the ecosystem has externalized. It is named in IETF draft text, W3C charters, AAIF specifications, FIDO's scope, and NIST's active gap analysis. It is the institutional architecture above all of them.
Mission-Aware Governance
Read McGuinness's May 11 piece, Sessions Are Not Missions. Then ask one question of your current production agent deployment.
Does your observability infrastructure tell you whether the mission authorising your agent is still valid, in its current scope, with its current authorising human? Or does it only tell you that the session, the credential, the connection, the token, is unexpired?
If the answer is the second, your governance is session-aware, not mission-aware. The protocol layer will catch up to mission-aware runtime governance over the next twelve months. The August regulatory and liability horizon does not wait for the protocol layer.
Mission-aware governance is achievable now, at the institutional layer, with the artifacts above, the same signature surface the trilogy has been describing since Issue One. It is not a protocol property. It is an enforcement discipline applied above whatever protocol your agents are running on.
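The difference between a session-aware and a mission-aware check can be shown as an enforcement-point decision. This is an added example, not code from the AAuth drafts or from McGuinness's piece; the `Mission` and `Call` records, their field names and the sample state are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Mission:
    """Hypothetical institutional record of an approved Mission (not an AAuth type)."""
    authorised_by: str
    scope: frozenset
    halted: bool = False


@dataclass(frozen=True)
class Call:
    """What the enforcement point sees for one agent request."""
    mission_id: str
    action: str
    token_expiry: datetime


def evaluate(call, missions, current_authorisers, now):
    """Check the session and the mission separately, then combine the results."""
    session, mission = [], []
    if now >= call.token_expiry:
        session.append("token expired")
    m = missions.get(call.mission_id)
    if m is None:
        mission.append("no approved mission on record")
    else:
        if m.halted:  # institution-side halt; does not wait for token expiry
            mission.append("halt directive in force")
        if call.action not in m.scope:
            mission.append("action outside current scope")
        if m.authorised_by not in current_authorisers:
            mission.append("authorising human no longer current")
    return {"session_valid": not session, "mission_valid": not mission,
            "allow": not session and not mission, "reasons": session + mission}


# Constructed sample state: the token is still live, but mission m-1 was halted.
NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
LIVE = NOW + timedelta(minutes=5)
MISSIONS = {"m-1": Mission("alice", frozenset({"read:invoices"}), halted=True),
            "m-2": Mission("bob", frozenset({"read:invoices"}))}

if __name__ == "__main__":
    print(evaluate(Call("m-1", "read:invoices", LIVE), MISSIONS, {"alice", "bob"}, NOW))
```

A session-aware gate would look only at `session_valid` and let the halted mission's call through until the token aged out.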
The first generation of internet infrastructure secured communication. The next generation must secure delegation. The internet connected systems. Agentic infrastructure delegates institutional authority across them.
The protocol layer has done its job. It secured the message.
The institutional layer must now secure the mandate.
Whether your institution accepts the handoff is the question the next ninety days answer.
Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility.
Earlier in the Layer 8 series
Building the Signature Surface: on how accountability persists across autonomous execution chains.
Where Delegation Stops: on the boundary conditions of delegated authority.
The Intent-Execution Gap: on the fracture between authorization and intent.
Signed Truth: on provenance, legitimacy, and machine-mediated institutional reality.



