Agentic AI & the Service Firm

Engagement letters for robots: what delegated authority actually means

When a trainee acts on a matter, nobody is confused about authority. The engagement letter names the firm. The supervising partner delegates defined tasks. The trainee's work is recorded under the trainee's name, reviewed under the partner's. If something goes wrong, the chain of delegation is the first thing everyone examines — and it exists on paper.

Now ask the same questions about the AI agent that summarised a data room last week. Under whose authority did it act? Its own? It has none. The partner's? Then the record should show the partner delegated that task to that agent — not that the agent simply borrowed the partner's login. In most firms today, borrowing the login is exactly what happens. Every action the agent takes is indistinguishable, in the system's records, from an action the partner took personally.

That is the problem the emerging field of agent identity exists to fix. It sounds technical. It is actually the oldest idea in professional practice — delegation you can evidence — being rebuilt in software.

Three layers, one trainee analogy

Layer one: the agent has its own name. In directory terms, the agent becomes a first-class identity — like a staff record — rather than a script running under a human's account. Microsoft shipped exactly this in its Entra directory: agents as directory objects with their own credentials, their own access policies, their own lifecycle (onboarded, permissioned, and — critically — decommissioned). The trainee analogy: the agent gets an HR file.

Layer two: the agent's authority is delegated, scoped and recorded. The internet's authorization plumbing already supports delegation: OAuth 2.1 and the token-exchange standard (RFC 8693) let a credential carry both identities — the human principal who authorised, and the party that acted. An IETF proposal to specialise this for AI agents exists but has expired without adoption; treat it as direction of travel, not something to buy against. What is live today: the Model Context Protocol, the de-facto standard for connecting agents to tools, mandates modern OAuth with tokens bound to a specific destination, and expressly prohibits passing one system's token through to another — the "confused deputy" failure, where a downstream system trusts credentials it never verified. The trainee analogy: a delegation note that says which partner authorised which task, with authority that expires.

Layer three: the authority is checked every time. Zero-trust architecture — NIST's published model since 2020 — replaces "inside the network, therefore trusted" with per-request verification. Applied to agents: no standing permissions, no assumed goodwill, every access decided on identity, scope and context. The trainee analogy: the file room checks the delegation note at every visit, not just the first.

None of this is exotic. NIST's National Cybersecurity Center of Excellence opened a formal programme on software and AI agent identity and authorization in February 2026, precisely because organisations were improvising. The building blocks exist. What most firms lack is the decision to use them.

The benefits, stated honestly

Agents with real identity and scoped delegation are not just safer — they are more useful. You can give a well-scoped agent more autonomy precisely because its blast radius is bounded: it can read the data room but not the finance system; it can draft but not send; its access ends when the matter closes. Firms that skip identity work face a false choice between locking agents down to uselessness and trusting them with a partner's keys.

The pitfalls, stated honestly

Three are documented rather than hypothetical. Sprawl: industry survey data suggests non-human identities already outnumber human ones by more than ninety to one, and that only about a quarter of organisations can trace an agent's actions back to a human sponsor. Untracked agents are the new untracked spreadsheets — except they act. The confused deputy: an agent with broad credentials can be manipulated — including by content in documents it merely reads — into using legitimate authority for illegitimate ends; scoped tokens exist to contain exactly this. The ownerless agent: the workflow bot whose sponsoring employee left. It still runs. Nobody owns it. A directory with lifecycle management flags it; a borrowed login never will.

What to do this quarter

Register. List every agent, bot and automation touching client data. Name a sponsoring partner for each — the engagement-letter question, answered internally.

Separate. Where the platform allows it, give agents their own identities and stop sharing human logins. Where it doesn't, record that as a supplier gap with a date on it.

Scope and expire. Agent access follows the matter: defined systems, defined actions, an end date. Delegation that never expires is not delegation. It is abdication.

The firms that mastered leverage — juniors doing more work under partners who remained accountable — built the professional services model. Agents are leverage again, at a steeper ratio. The instrument that made leverage safe the first time was the documented chain of authority. It will be again.

Sources

  1. NIST NCCoE, Accelerating the Adoption of Software and AI Agent Identity and Authorization — concept paper, 5 Feb 2026.
  2. NIST, SP 800-207 — Zero Trust Architecture — Aug 2020.
  3. Model Context Protocol, Authorization specification — 18 Jun 2025 (OAuth 2.1, resource-bound tokens, token-passthrough prohibition).
  4. IETF, draft-oauth-ai-agents-on-behalf-of-user — individual draft, rev-02, Aug 2025 (status: expired; direction of travel).
  5. Microsoft, What is Microsoft Entra Agent ID — GA Apr 2026.
  6. Cloud Security Alliance, Agentic AI Identity and Access Management: A New Approach — 18 Aug 2025 (incl. non-human-identity survey figures, self-reported).

How many agents act under your firm's name today? If the answer is "we'd have to check", that is the finding. Start with a 30-minute diagnostic.

Book an AI Risk Diagnostic