[OAUTH-WG] Comment on OAuth WG Recharter: Ward-Centric Authorization and Exhaustible Authority as Missing Primitives

[Paul Knowles <Paul@secours.ai>]

Comment on the OAuth Working Group Recharter
Submitted to: oauth@ietf.org | iesg@ietf.org
Date: June 5, 2026
From: Paul Knowles, CEO and Chief Architect, Secours.ai


AUTHOR IDENTIFICATION AND INSTITUTIONAL BASIS

Paul Knowles is the CEO and Chief Architect of Secours.ai and the inventor of the Overlays Capture Architecture (OCA), the data capture architecture selected by the Swiss government as the preferred architecture for the Swiss national e-ID programme. A US preliminary patent for Role-Based Containment (RBC), a Ward-centric governance architecture for autonomous systems, was filed on January 26, 2026. The author is a contributing member of the American Bar Association's Autonomous Systems Governance Working Group (ASG-WG), a joint initiative of the Risk and Trust Management Committee of the Science and Technology Law Section and the Cyber and Technology Committee of the Business Law Section, which is actively examining governance models for autonomous systems including the Ward-centric model described in this comment. The views expressed here are those of the author and do not represent the formal position of the ABA or the ASG-WG.

This comment is submitted in response to the OAuth Working Group recharter proposal currently under IESG review. It identifies a structural gap in the scope of the proposed recharter and requests that the new charter explicitly include exhaustible authority as a primitive to be evaluated alongside token-based delegation.


THE STRUCTURAL GAP IN THE CURRENT SCOPE

The body of individual drafts proposing how human authority delegates to AI agents represents technically serious and rigorous work. The delegation mechanics drafts in the RFC 8693 family address real weaknesses in the current token exchange model: chain splicing, the absence of monotonic attenuation, and the lack of runtime identity for dynamically spawned agents. The audit and compliance drafts, particularly the Kuehlewind cross-layer audit architecture, represent a genuine advance in giving regulators a complete accountability story for agent actions. This comment does not challenge the quality of that work.

It identifies a gap that none of the thirty-two individual drafts currently in the corpus address: the action-time authority question.

Every draft in the current corpus answers a version of the same question: how does authority move from a principal through a delegation chain to an agent? The answers vary in sophistication, from simple token exchange to cryptographically verifiable actor chains to monotonically attenuating capability tokens. But the architectural assumption underlying all of them is identical: authority is granted at the point of admission and persists until it is revoked, expired, or attenuated. This is the standing authority model. It was designed for human-speed principals operating within bounded organisational contexts. It has three structural properties that make it inadequate for autonomous systems operating at machine speed across organisational and jurisdictional boundaries.

First, standing authority accumulates. A token that has been attenuated at each delegation hop is still a standing permission. It persists across multiple actions. It can be exercised repeatedly within its validity window. The attack surface it creates scales with the system's uptime, not with the specific actions the system is authorised to take.

Second, standing authority cannot evaluate present admissibility. A permission granted at step zero of an action chain cannot evaluate whether the conditions that justified that grant still hold at step seven. The token does not know that the Ward's account balance has changed, that a vendor relationship has become legally sensitive, or that a prompt injection payload has entered the chain between initiation and effect. It knows only that the grant has not been revoked.

Third, standing authority produces accountability records rather than legitimacy proofs. The Kuehlewind audit architecture produces four record types -- Interaction, Action, Delegation, and Authorization Transition -- that together give regulators a complete retrospective account of what happened. This is valuable and necessary infrastructure. But it does not satisfy the requirement that the EU AI Act's Articles 12 to 14 impose: action-level records of human authority exercise at the moment of effect, not system-level documentation of oversight design. A peer-reviewed compliance analysis published in April 2026 mapping the AI Act's essential requirements against the current governance tooling market states this explicitly: runtime enforcement tools answer the question of permission but not authority, and the essential requirements of Articles 12 to 14 can only be demonstrated through action-level records of human authority exercise, not through system-level documentation of oversight design. [1]

The gap between what the Kuehlewind architecture provides and what Articles 12 to 14 require is the precise gap that this comment asks the recharter to scope.


THE MISSING PRIMITIVES: WARD, WARRANT, AND WARDEN

The primitives required to close this gap are not novel inventions. They are the application of legal doctrine refined over four centuries in property law, agency law, and trust law to a problem that digital infrastructure has never previously been asked to solve.

The American Bar Association's Autonomous Systems Governance Working Group is formally examining these primitives for legislative and regulatory use. A working glossary has been submitted to the ABA for consideration. The following definitions are grounded in that legal doctrine and are proposed here for consideration by the OAuth WG as foundational vocabulary for the agent authorization problem space.

Ward. The party whose proprietary interest generates the governance chain and who directly bears the consequences of autonomous action. The Ward is the consequence-bearer: the person or entity whose assets are modified, whose payments are processed, whose data is accessed, and whose interests are affected by every action in an agent's execution chain. All authority in a Ward-centric architecture derives from and must remain traceable to the Ward's protected interest. The Ward is the concept that does not appear in any current IETF agent authorization draft, and its absence is the structural explanation for why the standing authority model cannot answer the action-time governance question.

Warrant. A bounded, specific, exhaustible grant of authority to take one specific action, on behalf of a specific Ward, under conditions that obtain at the moment of effect, evaluated at the execution boundary, and consumed immediately upon execution regardless of outcome. A Warrant is not a token with a shorter lifetime. A token persists across multiple actions within its validity window. A Warrant exists only in the interval between admissibility evaluation and execution and ceases to exist the moment the action executes. It cannot be replayed. It cannot be inherited by the next action in the chain. It cannot be exercised by any party other than the Warden on behalf of the Ward at the specific moment for which it was minted. The next action in the chain requires a fresh Warrant, evaluated against current conditions.

The distinction between a Warrant and an attenuated token is not a matter of degree. It is a structural difference in kind. An attenuated token narrows the scope of standing authority. A Warrant eliminates standing authority entirely. The former makes ambient power smaller. The latter makes ambient power impossible.

Warden. The enforcement mechanism that evaluates proposed actions at the execution boundary against the Ward's current interests, issues a Warrant if and only if the proposed action is within the authorised scope of the Ward's protected interest under present conditions, and consumes the Warrant immediately upon execution. The Warden is not a policy engine that intercepts actions after the agent has decided to take them. It is the governance primitive that determines whether an action may produce effect at all.

These three primitives together constitute the Ward-centric governance architecture. They are grounded in property law's concept of the conveyance moment, where validity is evaluated at the instant of transfer rather than retroactively; in agency law's doctrine of ultra vires action, where authority exercised beyond delegated scope is void regardless of the identity of the actor; and in trust law's guardianship standard, where the duty to protect is assessed against the Ward's present condition rather than historically fixed intent.


WHY THIS MATTERS FOR THE RECHARTER SCOPE

The OAuth WG recharter is occurring at the precise moment when the technical vocabulary of agent authorization is hardening. The individual drafts in the current corpus introduce terms, claim names, and define primitives that will shape the working group's output. Three independent drafts are already contesting the name AIP simultaneously, which is a structural indicator of how fast the field is moving and how consequential naming decisions are at this moment.

The Ward-centric vocabulary is not in any of these drafts. If the recharter scope does not explicitly include exhaustible authority as a primitive to be evaluated, the working group will produce specifications built entirely on the standing authority model. Those specifications will create a JSON-LD context with @protected flags on terms that cover adjacent but not equivalent ground to the Ward, Warrant, and Warden concepts. Once that vocabulary is locked in a W3C namespace or an IETF RFC, introducing the Ward-centric primitives requires overcoming the processing errors and compatibility constraints of an established standard rather than contributing to an open conversation.

The consequence is not merely technical. Autonomous systems are being deployed at consumer scale right now. On May 12, 2026, Google announced Gemini Intelligence for Android, a system that executes multi-step action chains across calendar, email, payment, and messaging services on behalf of users with approximately three billion active Android devices globally. The governance model for every action in every chain on every one of those devices is a single confirmation prompt presented before the chain begins. That prompt answers one question: did you initiate this task? It cannot evaluate whether conditions at step zero still hold at step seven of a chain. The Ward-centric architecture closes that gap. The standing authority model cannot.

The OWASP Agentic Security Initiative's Top 10 for Agentic Applications, published in December 2025 and reviewed by representatives from NIST, the European Commission, and the Alan Turing Institute, identifies tool misuse and privilege escalation as the most frequently reported agentic threat category and concludes that mitigation requires controls at the execution layer rather than the model layer. [2] That conclusion is an independent empirical confirmation that the execution boundary governance primitive is the missing layer in the current agent security architecture.


SPECIFIC REQUEST

This comment respectfully requests that the OAuth Working Group recharter explicitly scope the following items for consideration by the new working group.

First, exhaustible authority as a primitive to be evaluated alongside token-based delegation. The recharter scope should acknowledge that the standing authority model, however sophisticated its delegation mechanics, cannot satisfy the action-time governance requirements of autonomous systems and should explicitly charter work on authorization primitives that eliminate rather than manage standing authority.

Second, the Ward as a foundational concept in the agent authorization architecture. The consequence-bearer whose proprietary interest generates the governance chain is currently absent from all agent authorization drafts. No specification that omits the Ward can answer the question of whose interests bound the authority being delegated.

Third, the execution boundary as a governance surface distinct from the admission boundary. Current drafts govern what an agent is permitted to do at the point of admission to a system or service. The execution boundary, where each proposed action must be evaluated against current conditions before it may produce effect, is a different governance surface that requires different primitives.

Fourth, explicit engagement with the EU AI Act's essential requirements under Articles 12 to 14 as a design constraint on the compliance architecture. The Kuehlewind audit architecture is the most sophisticated compliance story in the current corpus. It does not yet close the gap between system-level documentation of oversight design and action-level records of human authority exercise that the EU AI Act requires. The working group should scope this gap explicitly.


REFERENCES

[1] Nannini, L., Smith, A.L., Maggini, M.J., Panai, E., Feliciano, S., Tiulkanov, A., Maran, E., Gealy, J., and Bisconti, P., "AI Agents Under EU Law: A Compliance Architecture for AI Providers." arXiv:2604.04604v1 [cs.CY], April 7, 2026. Section 9(10) identifies the absence of action-level authority governance infrastructure as both a market gap and a compliance gap under Articles 12 to 14 of EU Regulation 2024/1689 (AI Act).

[2] OWASP GenAI Security Project, Agentic Security Initiative. "OWASP Top 10 for Agentic Applications 2026." December 2025. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

[3] American Bar Association, Resolution 604, adopted at the ABA Midyear Meeting, February 6, 2023. Establishes that human authority, oversight, and control must be maintained over AI systems; that organizations must be accountable for legally cognizable harm caused by AI; and that legal responsibility may not be shifted to an algorithm.

[4] Brooks, M., "A smarter, more proactive Android with Gemini Intelligence." Google, The Keyword, May 12, 2026. https://blog.google/products-and-platforms/platforms/android/gemini-intelligence/


CONTACT

Paul Knowles
CEO and Chief Architect, Secours.ai
paul@secours.ai

This comment is submitted as an individual submission. The author welcomes direct engagement from Working Group participants, draft authors, and IESG reviewers on the architectural arguments presented here.