The 'consent drift' failure mode here is underrated. Most implementations treat authorization as a session-level gate: did the user authenticate, and do they have permission? That check happens once, at the start.
But a long-running agent can receive user consent at step 1 and still be executing 45 minutes later at step 23 — with context that's fully stale. The user approved 'schedule a meeting' but the agent interpreted that as 'access my entire calendar, read all attendee info, send an external webhook, create a contact record.' Each step was technically within granted scope. The chain as a whole wasn't what was consented to.
One failure mode I'd add to your list: no kill switch. You can have tight scopes and fresh consent checkpoints and still have no mechanism to abort a running workflow mid-execution. Once the agent starts, it completes. Real agentic authorization needs interrupt capability — a way to revoke consent mid-chain when something unexpected happens at step 8.
rodchalski•3h ago
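A minimal sketch of the two controls the comment asks for: consent re-checked before every step, and a revocation flag that aborts the chain. This is an added example, not part of the original comment; `ConsentGrant`, `run_workflow` and the action names are hypothetical, and the scenario in `demo()` is constructed.

```python
import threading
import time
from dataclasses import dataclass, field

class ConsentError(Exception):
    pass

@dataclass
class ConsentGrant:
    intent: str                 # what the user approved, in their words
    allowed_actions: frozenset  # concrete actions that intent covers
    granted_at: float
    max_age_s: float            # past this age, re-prompt instead of continuing
    revoked: threading.Event = field(default_factory=threading.Event)

    def check(self, action, now):
        if self.revoked.is_set():            # kill switch, settable from any thread
            raise ConsentError(f"consent revoked before '{action}'")
        if now - self.granted_at > self.max_age_s:
            raise ConsentError(f"consent stale before '{action}'")
        if action not in self.allowed_actions:
            raise ConsentError(f"'{action}' is outside intent '{self.intent}'")

def run_workflow(grant, steps, clock=time.monotonic):
    """Re-check consent before every step; return (completed, abort_reason)."""
    completed = []
    for action, fn in steps:
        try:
            grant.check(action, clock())
        except ConsentError as exc:
            return completed, str(exc)
        fn()
        completed.append(action)
    return completed, None

def demo():
    # Constructed scenario: a fake clock that advances 10 minutes per step.
    t = [0.0]
    def clock():
        t[0] += 600
        return t[0]
    grant = ConsentGrant("schedule a meeting",
                         frozenset({"read_free_busy", "create_event"}),
                         granted_at=0.0, max_age_s=3600)
    noop = lambda: None
    steps = [("read_free_busy", noop), ("create_event", noop),
             ("send_external_webhook", noop), ("create_contact", noop)]
    return run_workflow(grant, steps, clock)

if __name__ == "__main__":
    print(demo())
```

The check runs between steps, so a revocation takes effect at the next step boundary and does not interrupt a step already in progress.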