When Agents Delegate to Other Agents: How Passport Manages Trust Chains
Published May 26, 2026
Agent A trusts Agent B. Agent B trusts Agent C. Agent C goes rogue.
The trade gets placed. The record gets updated. The customer gets the wrong answer. And when an auditor asks who, exactly, decided to do that — three agents shrug at each other while the parent agent's audit log says "call completed successfully."
That is the multi-agent security story today, and the industry's homework grades are not encouraging.
The chain has a confused-deputy problem
The confused-deputy problem used to be a footnote in operating-systems lectures. In a world of agentic workflows it has become the default failure mode. An outer agent acting on a user's behalf gets manipulated into instructing a more privileged inner agent to do something neither the user nor the outer agent intended. Privilege flows downstream; the original consent does not.
OWASP's Top 10 for Agentic Applications (2026) names this risk category Identity and Privilege Abuse — ASI03 — and the catalog of in-the-wild patterns is already past the point of "theoretical." Two newer entries make the chain problem concrete:
- Agent Session Smuggling, identified in November 2025. A sub-agent embeds a silent action inside a routine response. The parent agent executes it with no prompt and no visibility — the equivalent of a contractor slipping a wire transfer into a status update.
- Cross-Agent Privilege Escalation, identified in September 2025. One agent rewrites another's configuration mid-task, occasionally triggering a self-reinforcing loop that nothing in the orchestration layer is built to interrupt.
Both patterns exploit the same architectural assumption: that the credential held by the upstream agent is sufficient evidence of trust for everything downstream of it. It is not.
How big the chain has gotten
Two numbers from Gravitee's State of AI Agent Security 2026 report capture the gap between adoption and accountability.
- Only 21.9% of teams treat AI agents as independent, identity-bearing entities. The rest treat them as features of an application or as anonymous tool callers.
- 45.6% still rely on shared API keys for agent-to-agent authentication. The same secret authorizes Agent A, Agent B, and Agent C — which means a compromise of any one of them is functionally a compromise of all three.
The Cloud Security Alliance's March 2026 piece on agent delegation chains puts the operational consequence plainly: current logging captures endpoints and final outputs but not intermediate delegations. The accountability hole widens with every additional hop.
This is the world an enterprise architect now has to instrument before multi-agent goes from pilot to production. Hardcoded shared secrets and a single audit log per orchestration are not going to clear an EU AI Act Article 12 review, let alone a forensic post-mortem after an incident.
What a credible delegation primitive looks like
Three properties have to hold simultaneously, or the chain stays broken:
1. Each link is scoped and revocable. A delegation cannot be a copy of the parent's credential. It has to be a smaller credential — narrower capabilities, shorter expiry, distinct identity — that the parent grants and can pull back. Anything else is just sharing a key in a fancier envelope.
2. The delegate earns trust independently. Trust cannot inherit downhill. The fact that Agent A is reliable says nothing about Agent C. The system has to score the delegate's own behavior against the same dimensions — identity confidence, risk, reliability, autonomy — as if it had no parent at all. A clean delegation chain in which one link is hallucinating in production should be treated identically to that link operating standalone and hallucinating in production.
3. The chain is verifiable after the fact. Every hop has to be recorded in a log that an unrelated auditor can verify without trusting the operator's word. That means tamper-evident — cryptographically chained, not just append-only on a mutable table — and it means the delegation grants themselves are in the log, not just the final tool calls.
This is what Passport delegations, Gate scoring, and the Vault ledger are built to do together.
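The first two properties can be checked mechanically. The following is an added illustration written for this post, not Passport's own code: each grant must be a subset of its parent's scopes with an expiry no later than the parent's, each hop is signed by the issuing agent, and a verifier walks the chain root to leaf, rejecting any hop that is forged, expired, explicitly revoked, or wider than the hop above it. The agent names, scope strings and HMAC keys are constructed; Passport uses JWKS-published keys rather than the shared HMAC secrets used here for brevity.

```python
import hashlib, hmac, json

# Constructed signing keys for the illustration. The post describes JWKS-based
# verification with published public keys; HMAC secrets stand in for them here.
KEYS = {"operator": b"constructed-key-0", "agent-a": b"constructed-key-a",
        "agent-b": b"constructed-key-b"}

def sign(issuer, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()

def delegate(parent, issuer, delegate_id, scopes, ttl, now):
    """Issue a grant narrower than its parent: scopes must be a subset of the
    parent's and the expiry may not outlive the parent's. Returns None if the
    requested grant would widen the parent's authority."""
    if parent is None:
        exp = now + ttl                       # root grant from the operator
    else:
        if not set(scopes) <= set(parent["scopes"]):
            return None
        exp = min(now + ttl, parent["exp"])   # cap expiry to the parent's
    payload = {"iss": issuer, "sub": delegate_id, "scopes": sorted(scopes),
               "exp": exp, "parent": parent["sig"] if parent else None}
    return {**payload, "sig": sign(issuer, payload)}

def verify_chain(chain, action, now, revoked):
    """Walk root -> leaf: every hop must be validly signed, unexpired, not
    explicitly revoked, issued by the previous hop's subject, and no wider
    than the previous hop. Only then is the leaf allowed `action`."""
    prev = None
    for g in chain:
        payload = {k: v for k, v in g.items() if k != "sig"}
        if g["iss"] not in KEYS or not hmac.compare_digest(
                sign(g["iss"], payload), g["sig"]):
            return False
        if g["sig"] in revoked or now >= g["exp"]:
            return False
        if prev is not None and (g["parent"] != prev["sig"] or g["iss"] != prev["sub"]
                                 or not set(g["scopes"]) <= set(prev["scopes"])):
            return False
        prev = g
    return action in chain[-1]["scopes"]

# Constructed scenario: operator -> A -> B -> C, with C only allowed record updates.
NOW = 1000
ROOT = delegate(None, "operator", "agent-a", ["trade:place", "record:update"], 600, NOW)
A_TO_B = delegate(ROOT, "agent-a", "agent-b", ["record:update"], 300, NOW)
B_TO_C = delegate(A_TO_B, "agent-b", "agent-c", ["record:update"], 900, NOW)
B_TO_C_WIDER = delegate(A_TO_B, "agent-b", "agent-c", ["trade:place"], 60, NOW)  # None
```

Note that B asked for a 900-second grant to C but the chain caps it at A's 300-second expiry, and that revoking the A-to-B delegation invalidates C's access without touching A's own credential.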
How VeriSwarm collapses the chain
A delegation in Passport is a signed, scoped grant from one agent to another with an explicit expiry. The delegate gets a credential that names what it is allowed to do and for how long — not a clone of the parent's credential. Revoking the parent does not silently strip the delegate; revoking the delegation explicitly is the audit-visible action. JWKS-based verification means a downstream platform can confirm the delegation without calling our API on every check, which preserves the cross-org privacy property the rest of the suite is designed around.
Gate scores the delegate against the same 22-event taxonomy that every other agent gets scored against. A hallucination event flowing through a delegated agent moves the delegate's reliability score, not the parent's. A risk event in the chain shifts the delegate's policy tier from allow to review to deny. The chain does not get to launder bad behavior up to a more trusted parent identity.
Vault records the delegation itself, every subsequent action under it, and the eventual revocation, in a SHA-256 hash-chained ledger. When an auditor — internal or external — asks who decided to do what, the answer is not three agents shrugging. It is a verifiable timeline that links each action to the specific delegated identity that performed it, with the exact moment authority was granted and revoked.
That is the difference between "we trust our chain" and "we can prove our chain to a third party."
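The third property, verifiability after the fact, rests on the ledger structure. Below is an added illustration of a SHA-256 hash-chained ledger, written for this post and not Vault's implementation: each entry commits to the hash of the one before it, so any edit or deletion breaks every later hash, and a query can trace an action back to the delegation that authorized it and to whether that grant had already been revoked. The event layout, grant ids and timestamps are constructed.

```python
import hashlib, json

GENESIS = "0" * 64  # hash the first entry chains to

def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Ledger:
    """Append-only event list where each entry commits to the hash of the one
    before it, so editing or deleting any entry breaks every later hash."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event,
                             "hash": _digest(prev, event)})

    def verify(self):
        """Recompute the chain; return the index of the first broken link, or -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def who_authorized(self, action_seq):
        """For an action entry, return the delegation that granted the actor's
        authority and whether that grant had been revoked by then."""
        act = self.entries[action_seq]["event"]
        earlier = [e["event"] for e in self.entries[:action_seq]
                   if e["event"].get("grant") == act["grant"]]
        grant = next((ev for ev in earlier if ev["type"] == "delegation"), None)
        revoked = any(ev["type"] == "revocation" for ev in earlier)
        return grant, revoked

# Constructed timeline: A delegates to B, B acts, A revokes, B acts again.
LEDGER = Ledger()
LEDGER.append({"type": "delegation", "grant": "g-1", "issuer": "agent-a",
               "delegate": "agent-b", "scopes": ["record:update"], "t": 1000})
LEDGER.append({"type": "action", "grant": "g-1", "actor": "agent-b",
               "tool": "record:update", "t": 1010})
LEDGER.append({"type": "revocation", "grant": "g-1", "by": "agent-a", "t": 1020})
LEDGER.append({"type": "action", "grant": "g-1", "actor": "agent-b",
               "tool": "record:update", "t": 1030})
```

The second action at t=1030 is exactly the case the post describes: the ledger shows it ran under a grant that had already been revoked, and an auditor can establish that without trusting the operator because rewriting the revocation entry would break the chain.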
What to do now
If you are running multi-agent workflows in production today, three things are worth checking this week:
- Count your agent identities. If it is fewer than the number of agents, you are in the 45.6% with a shared-secret accountability problem.
- Look at the audit log for your last multi-hop interaction. If you cannot point to the moment Agent A authorized Agent B and the moment that authorization expired, your evidence trail will not survive an Article 12 inspection.
- Map your delegation model against the OWASP ASI03 patterns. Agent Session Smuggling and Cross-Agent Privilege Escalation are not red-team curiosities; they are the failure modes scoped delegation is supposed to prevent.
Gate is free and records every trust decision to the same hash-chained ledger Vault uses — so the audit trail starts the moment you instrument an agent, regardless of plan. The full delegation primitive — scoped Passport grants, independent Gate scoring of the delegate, full-scope Vault event coverage with chain verification — comes in at Pro and Max. Multi-agent without an accountable chain is just a faster way to lose the auditor's trust. The chain is the product. Build it like one.