When a lawyer files a motion in court, three identities are present and three different authorities verify them. The bar association vouches for the lawyer. The engagement letter vouches for the client relationship. The court itself is the venue, with rules of admissibility every filing has to meet. Each authority handles one piece. None of them tries to verify everything alone.
Now imagine if every motion required the lawyer to write a personal letter to the judge: "Here is who I am, here is who I represent, here is what I am asking to do, here are five references who can vouch for me." The legal system would grind to a halt. The reason it works is that there is shared infrastructure underneath the individual transactions, and the infrastructure makes each piece of the trust composable.
The agent economy is approximately where the legal system would be without bar associations, standardized engagement letters, or shared rules of admissibility. Every cross-organization agent interaction requires bilateral negotiation between the two organizations involved, custom integration, ad-hoc identity bridging, and audit trails that nobody else can read. This works in pilots. It fails at scale.
Cross-organization delegation is the test that the entire agent economy has to pass, and most of the architectures being built today are failing it on purpose. The problem is hard. The conventional solutions assume the parties already know each other. The cases that matter most are the ones where the parties have never met.
Strip cross-organization agent delegation down to what is actually happening, and the structure becomes clear.
Three identities are involved. The first is the agent doing the delegation, hosted by some organization. The second is the agent receiving the delegation, hosted by some other organization. The third is the end user or principal on whose behalf the whole transaction is being executed.
Three authorities have to vouch for them. The delegating agent's organization has its own identity infrastructure, its own certificate authority or its own IdP, that vouches for that agent. The receiving agent's organization has its own equivalent. The end user's authorization comes from some third place: an OAuth provider, a corporate IdP, a personal credential. None of these three authorities reports to the others. None of them trusts the others by default.
For the transaction to be legitimate, all three have to compose. The receiving agent has to be able to verify the delegating agent's identity, even though the delegating agent's organization is a stranger. The delegating agent has to be able to verify that the receiving agent is who its organization claims it is, again across an unfamiliar trust boundary. And both have to be able to verify that the end user actually authorized this delegation, in a form that holds up later when someone audits the transaction or disputes it. This is the trust composition problem. It is the hardest problem in distributed identity because it forbids the assumption that all parties share a common root. Every architecture that works only inside one organization or only between pre-paired organizations is dodging the problem rather than solving it.
The standard response in the agent ecosystem is to do bilateral integration. Company A signs a contract with Company B, exchanges API keys, builds a custom integration, agrees on a schema for delegation messages, and ships a bridge between the two systems. The integration works. Each new pairing requires its own work.
The math fails fast. If the agent economy ends up with even a thousand organizations actively delegating across boundaries, the bilateral-integration approach demands roughly half a million bridges, none of which can be reused, all of which have to be maintained. The marginal cost of each new participating organization is too high. The result is that cross-organization delegation never escapes the small set of bilaterally-paired participants, and the economy fragments into bilateral clusters that fail to interoperate.
The audit story is worse. Each side logs whatever its framework happens to capture, in whatever format that framework happens to use. When a regulator asks "what happened in this transaction," the answer requires forensic reconstruction across two log formats, two timekeeping conventions, and two interpretations of what the agents were authorized to do. Even when both sides act in good faith, reconciling their records into a coherent narrative is expensive. When one side acts in bad faith, the records become unfalsifiable in either direction.
The end user disappears in this picture entirely. The user authorized the delegating agent to act on their behalf. The receiving agent has no native way to verify that authorization, because the receiving agent's organization has no relationship with the user's identity provider. The standard workaround is to forward an opaque token and hope the receiving side honors it correctly. Hope is the wrong primitive for an audit trail that has to hold up in court.
This is the architecture that produces the headlines. An agent takes an action that exceeds the scope its principal granted, and the investigation cannot reconstruct who knew what or when. The infrastructure encouraged the failure mode. The failure was waiting to happen.
AGTP makes the trust composition problem tractable by giving every piece of the transaction a wire-level representation that downstream systems can verify independently.
Federated discovery. The delegating agent finds the receiving agent through ANS, the Agent Name Service. ANS servers federate, so a query against Company A's ANS that asks for an agent matching a capability will return results from peer ANS servers at other organizations whose policy permits cross-zone visibility. The result set is signed by each contributing ANS operator. Discovery happens without prior introduction between Company A and Company B.
Canonical identity that survives the boundary. Each agent has a Canonical Agent-ID derived from a hash of its signed Agent Genesis. The Agent-ID is the same across every system that interacts with the agent. When Agent A reads Agent B's manifest from ANS, the manifest carries Agent B's Canonical Agent-ID, the Owner-ID of Company B, the trust tier, and the verification path. Agent A can verify that path through its own organization's trust anchors. The two organizations never have to exchange certificates directly, because the trust composes through the Genesis-issuer path rather than through bilateral PKI.
Authority-Scope as a shared vocabulary. The delegating agent's request carries Authority-Scope tokens drawn from a reserved registry of governance-relevant domains. Both organizations interpret audit:request or payment:up-to-2500usd the same way, because the meanings are defined in the protocol rather than in either company's internal documentation. Scope enforcement at the receiving end produces structured, comparable signals: 455 Scope Violation for an over-scoped request, with a reason field that the audit pipeline understands.
Delegation chain headers. When Agent A sends a DELEGATE request to Agent B, the request carries a delegation chain header that records the path from the originating principal through Agent A to Agent B. Each hop is signed. The scope at each hop must be a strict subset of the scope at the prior hop. If the chain breaks (a downstream agent claims a scope its predecessor lacked), the receiving server returns 551 Authority Chain Broken. The chain is a property the wire enforces, rather than a convention either application has to remember to check.
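The per-hop check described above, sketched as an added example (not AGTP reference code and not from the original article): each hop is signed, linked to the previous hop, and may not claim a scope wider than its predecessor. The field names (iss, sub, scope, prev, sig), the JSON encoding, and the use of HMAC in place of per-organization public-key signatures are assumptions made for illustration. An equal scope is accepted here, which is also an assumption; a strict-subset reading would reject it.

```python
import hashlib
import hmac
import json
import re

# Constructed demo keys; HMAC stands in for each signer's public-key signature.
KEYS = {"cto@buyer.example": b"k-cto", "agent-a": b"k-a"}
LIMIT = re.compile(r"^payment:up-to-(\d+)([a-z]{3})$")

def covers(parent, child):
    """True if a single parent token grants the child token."""
    p, c = LIMIT.match(parent), LIMIT.match(child)
    if p and c:  # monetary limits narrow numerically, same currency only
        return p.group(2) == c.group(2) and int(c.group(1)) <= int(p.group(1))
    return parent == child

def narrowed(parent_scope, child_scope):
    return all(any(covers(p, c) for p in parent_scope) for c in child_scope)

def _mac(issuer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()

def sign_hop(chain, issuer, subject, scope):
    """Append a hop signed by issuer and bound to the previous hop's signature."""
    prev = chain[-1]["sig"] if chain else ""
    body = {"iss": issuer, "sub": subject, "scope": sorted(scope), "prev": prev}
    return chain + [dict(body, sig=_mac(issuer, body))]

def verify_chain(chain):
    """Return (status, reason); 551 is the page's Authority Chain Broken."""
    prev_sig, prev_sub, prev_scope = "", None, None
    for i, hop in enumerate(chain):
        body = {k: hop[k] for k in ("iss", "sub", "scope", "prev")}
        known = hop["iss"] in KEYS and hop["prev"] == prev_sig
        if not (known and hmac.compare_digest(_mac(hop["iss"], body), hop["sig"])):
            return 551, f"hop {i}: bad signature or broken link"
        if i and hop["iss"] != prev_sub:
            return 551, f"hop {i}: issuer is not the previous delegate"
        if i and not narrowed(prev_scope, hop["scope"]):
            return 551, f"hop {i}: scope wider than previous hop"
        prev_sig, prev_sub, prev_scope = hop["sig"], hop["sub"], hop["scope"]
    return 200, "ok"

def demo():  # constructed chain: CTO -> Agent A -> Agent B
    full = ["audit:request", "payment:up-to-5000usd"]
    root = sign_hop([], "cto@buyer.example", "agent-a", full)
    ok = sign_hop(root, "agent-a", "agent-b", ["payment:up-to-2500usd"])
    bad = sign_hop(root, "agent-a", "agent-b", full + ["payment:up-to-9000usd"])
    return verify_chain(ok), verify_chain(bad)
```

Because each hop's signature covers the previous hop's signature, dropping or reordering hops fails the same check as editing a scope after signing.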
End-user authorization that composes. Under the AGTP+OAuth composition pattern, the end user's OAuth bearer rides in the standard Authorization header alongside the AGTP identity headers. When Agent B's OAuth validator successfully validates the token, the validated claim (typically the user's sub) is lifted into the request context as acting_principal_id and written into the Attribution-Record. The receiving organization never has to share the bearer secret with anyone. Only the validated identity persists. Pattern 3 federation, where the user's IdP federates into the Genesis-issuer trust path via OIDC, makes this composable even when the user, the delegating agent, and the receiving agent come from three different identity ecosystems.
Attribution-Records that compose. Both Agent A and Agent B produce signed Attribution-Records for their respective actions. Each record carries the delegating agent's Agent-ID, the receiving agent's Agent-ID, the chain header, the acting principal, the request hash, and the response status. The records are written to append-only transparency logs aligned with RFC 9162 and SCITT (RFC 9943). When a regulator or counterparty needs to reconstruct the transaction, the logs from both sides reference the same identifiers and the same chain, so the records compose into a single auditable narrative without bilateral coordination.
Walk through a concrete delegation under AGTP, and the difference becomes visible.
A buyer's procurement agent at Company A needs to commission a smart contract audit on behalf of the buyer's CTO. The agent queries the federated ANS with a capability description: "Solidity audit, trust tier 1, behavioral score ≥ 0.9." ANS returns a signed result set including a candidate at Company B with the manifest, Agent-ID, and trust path. Agent A verifies the trust path through Company A's configured trust anchors, which include an OIDC-federated entry pointing at a shared industry IdP.
Agent A issues a DELEGATE request to Agent B. The request carries Agent A's Agent-ID and Owner-ID, the chain header recording the delegation from the CTO through Agent A, the buyer's OAuth bearer token from the CTO's IdP, and an Authority-Scope of audit:request, payment:up-to-5000usd. Agent B's SEP validates the chain (every scope is a subset of the previous hop), parses the Authority-Scope, validates the bearer token through its own OAuth validator (which trusts the same federated IdP via OIDC), and accepts the delegation.
Agent B executes the audit, returns a result, and produces an Attribution-Record signed with its own key. The record carries Agent A's Agent-ID, Agent B's Agent-ID, the chain header, acting_principal_id: cto.smith@buyer.com, the request hash, and the response status. The record gets written to AGTP-LOG. Agent A produces its own Attribution-Record for the delegation, also written to AGTP-LOG.
When the audit team at Company A reconciles the transaction three months later, they query the log by Owner-ID over the time window and pull both records. The records reference each other by hash. The chain reconstructs. The scope at each hop is verifiable. The acting principal is named. The audit closes in an afternoon rather than a quarter.
Run the same transaction through the standard bilateral-integration architecture, and the reconciliation requires meetings between Company A's audit team and Company B's audit team, log format translation, and trust that both sides interpret their own records the same way. AGTP collapses that work into a query.
Step back from the mechanics and look at the shape.
A cross-organization delegation that works without bilateral integration changes what kinds of commerce are possible. An agent at a small company can hire an agent at a larger one without a contract negotiated by lawyers. An agent representing a consumer can engage an agent representing a vendor that the consumer has never heard of. An agent operating in the EU can verifiably delegate to an agent operating under different rules, because the zone semantics travel with the transaction and the SEPs enforce them on both sides.
The marketplaces that depend on this composability become possible. The cross-jurisdictional commerce that regulators have been demanding becomes auditable. The insurance products that have been waiting for a verifiable provenance signal become underwriteable. The disputes that today require months of forensic reconstruction collapse into queries against signed logs.
None of this works at scale on bilaterally-integrated infrastructure. The marginal cost of every new participant is too high. The audit story is too inconsistent. The trust composition is left to the application layer, which means every application that gets it wrong produces a regulatory event.
It works at scale on infrastructure that carries the trust composition as a protocol property. AGTP is that infrastructure.
The agent economy is going to have cross-organization delegation. The volume is too high, the use cases are too dispersed, and the value at stake is too large for it to stay inside organizational boundaries. The only question is whether the infrastructure handling those delegations will compose at scale or whether each pairing will require its own bilateral work.
The answer the field has been giving by default is the latter. Each agent platform builds its own delegation primitives, and the cross-platform story is "call us when you need it." This is the architecture that produces fragmentation, the architecture that produces opaque audit trails, and the architecture that produces the failure modes regulators are starting to write rules about.
The answer the protocol allows is different. Federated discovery, canonical identity, shared scope vocabulary, signed delegation chains, composable Attribution-Records. These are protocol properties. They work because the protocol carries them, and they keep working as the number of participating organizations grows, because none of them depends on bilateral introduction.
The hardest trust problem in the agent economy has a protocol-level answer. Building on it is a choice. Building around it is the choice that has been producing the problem so far.