When an agent makes a consequential decision, can you trace who authorised it and what happened?
Picture this: an expense-approval agent authorises €47,000 in vendor payments. The CFO asks “who decided?” The audit log shows alice@company.com. But Alice was in a meeting. She delegated to the agent three months ago. The agent decided — and the audit trail cannot capture that.
Traditional audit logs answer “who accessed what.” With agents, you need to answer “who or what made this call, under whose authority, and what was the chain of delegation that got here?” That’s a fundamentally different question, and most infrastructure can’t answer it yet.
On-Behalf-Of patterns (RFC 8693) help: they let the audit log show both who delegated and who acted. But they only work within a single trust domain. When agents cross organisational boundaries, you need identity and authority that travel with the request — verifiable at every step, not assumed.
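As an added example (not code from the original page), the sketch below turns the claims of an RFC 8693 delegation token into an audit record that keeps "whose authority" (`sub`) apart from "who acted" (the `act` claim, nested for earlier actors). It assumes the token's signature, issuer and expiry were already validated; the record's field names, `MAX_DEPTH`, and every identifier other than alice@company.com are illustrative assumptions.

```python
# Added example: build an audit record from RFC 8693 token claims.
# Assumes the JWT was already validated (signature, issuer, expiry) upstream.
MAX_DEPTH = 8  # assumed cap on nested "act" claims; not a value from the RFC


def delegation_chain(claims):
    """Return actor subjects, current actor (outermost "act") first."""
    chain, node = [], claims.get("act")
    while node is not None:
        if not isinstance(node, dict) or not isinstance(node.get("sub"), str):
            raise ValueError("malformed act claim: expected object with 'sub'")
        if len(chain) >= MAX_DEPTH:
            raise ValueError("act chain deeper than MAX_DEPTH")
        chain.append(node["sub"])
        node = node.get("act")  # nested "act" = a prior actor in the chain
    return chain


def audit_record(claims, action):
    """Record whose authority was used (sub) separately from who acted (act)."""
    if not isinstance(claims.get("sub"), str):
        raise ValueError("token has no subject")
    chain = delegation_chain(claims)
    return {
        "action": action,
        "authority_of": claims["sub"],
        # With no "act" claim the subject acted directly; nothing was delegated.
        "acted_by": chain[0] if chain else claims["sub"],
        "delegated": bool(chain),
        # RFC 8693 treats prior actors as informational, not for access control.
        "prior_actors": chain[1:],
    }


# Constructed sample claims; the agent and gateway names are made up.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example",
    "sub": "alice@company.com",
    "act": {"sub": "agent:expense-approver", "act": {"sub": "svc:workflow-gateway"}},
}

if __name__ == "__main__":
    print(audit_record(SAMPLE_CLAIMS, "approve_vendor_payment"))
```

A log line built this way answers the CFO's question directly: the payment was approved under Alice's authority, by the agent, and the record rejects tokens whose `act` claim is malformed instead of silently logging the subject as the actor.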
Go deeper: Why Traditional IAM Breaks Down walks through the delegation problem and what infrastructure needs to change. The OAuth OBO explainer shows the token exchange step by step.