Overview

The strongest validation an architecture can get is a requirements list it did not write. Patrick Parker’s Seven Laws of AIdentity are exactly that: a statement of what agent identity systems must guarantee, derived from the dynamics of delegated, generated action and framed in the lineage of Kim Cameron’s Laws of Identity. Parker’s summary of the shift is one sentence: control moves from login to action, and proof moves from logs to receipts. The question a system must answer is who acted, under whose authority, through what chain, and how can you prove it.

The handbook was derived from a different starting point: the five laws of delegated authority, the invariants any implementation of the missing layer must satisfy. Two independent derivations, one from agent dynamics and one from authority invariants, should meet if the layer they describe is real. This post runs that test, law by law. Where Parker’s law lands on existing handbook machinery, the crosswalk names the control and the draft behind it. Where it lands on something the handbook delegates or declines, the last section says so plainly, because a crosswalk that maps everything perfectly has been fitted, not tested.

The Crosswalk

Parker’s lawWhat it demandsThe handbook’s answer
1. The Split ActorPrincipal, delegate, authorizer, approver, credential holder, and executor stay distinct actors, or attribution collapsesAttribution: subject and approver as distinct {iss, sub} principals, the act chain on every hop, attested instance identity, and mediated custody separating the credential holder from the executor
2. Generated IntentAgents generate specific intent after authority is granted, so authorize the action, not the agentThe handbook’s enemy sentence, operationalized: per-action PEP/PDP enforcement with parameter binding, and interpretation moved to consent time through shaping and approval
3. Bounded AgencyExplicit scope, purpose, constraints, time limits, budget, and revocation paths, with humans setting the boundariesThe Mission object itself: goal, purpose, constraints, expires_at, the derived Authority Set, Narrowing on every derivation, Termination as the revocation path, and Consumption Metering (experimental) for the budget
4. Continuous AuthorizationAuthorize across discovery, invocation, execution, and outcome, not just at entryOnly active permits reliance, freshness with a published bound, the discovery loop for runtime discovery, and Execution Evidence for the outcome
5. Least ExposureAgents request governed outcomes rather than hold broad reusable credentials, and credentials act only inside approved boundariesMediated custody (the agent never holds the key for mediated classes), narrow short-lived derivation from the Mission, and Least Exposure Is Broader Than Least Privilege, the same law under the same name
6. Justifiable Action ChainsThe identity, provenance, and integrity of every chain participant is proven, not assumedThe act chain and instance attestation, capabilities bound to source digests with drift failing closed as capability_drift, strict-subset Child Missions with cascade revocation
7. Proof-Carrying ActionReceipts, not logs: signed proof of authority, constraint, attribution, execution, and outcome, tamper-evidentThe evidence family: Consent, Decision, and Execution Evidence joined on mission_id, the integrity anchors and policy_version committing what was authorized under what policy, and SCITT transparency for the hash-chained, tamper-evident feed

Seven demands, seven answers, and every answer is a control that existed before the crosswalk was drawn, with a draft behind it. That is the difference between validation and retrofit.

Three Mappings Worth a Closer Look

Generated intent is the deepest agreement. Parker’s second law is the observation this handbook calls its enemy: registration and token issuance happen before the agent decides what to actually do, so a system that authorizes only the agent will permit operations no human approved. The handbook’s whole shape follows from taking that seriously twice. Interpretation moves to consent time, where the human is present and the disclosure is committed, and then every generated action is still checked at execution time against what was approved, because approval is a moment and the work is a span. Authorize the action, not the instrument, was the card chapter’s rule 4. Parker derived the same sentence from the other end.

Least exposure arrives under its own name. Parker’s fifth law and the handbook’s exposure discipline are the same claim: what an agent can see and hold is an attack surface independent of what it may do, so credentials belong inside mediated execution boundaries and breadth of visibility is a risk to budget, not a convenience to default. Mediated custody is the sharpest instance: for the classes a deployment mediates, the agent cannot leak a credential it never holds.

Proof-carrying action is where the wire details matter. Parker asks for receipts with decision context, delegation evidence, policy snapshots, and tamper detection. The handbook’s evidence family maps piece by piece: Decision Evidence carries the decision context including denials, the act chain is the delegation evidence, policy_version on the record makes the derivation re-checkable against the policy that produced it, the integrity anchors commit what was approved, and SCITT registration makes the whole feed append-only and tamper-evident, committed by hash so the sensitive content stays out of the log. The receipts-not-logs shift Parker names is the same shift the handbook makes when it says audit joins on one identifier or it is archaeology.

Where the Handbook Delegates or Declines

An honest crosswalk names its remainders.

  • Necessity is not judged. Parker’s sixth law asks whether every chain participant is necessary, not merely authorized. The handbook verifies identity, provenance, integrity, and subset authority for participants, and bounds fan-out by count and depth. Whether a given sub-agent was needed at all is an orchestration and design judgment the protocol records but does not decide.
  • The generator’s identity is evidence, not enforcement. Which model produced a proposal is captured by Shaping Evidence as audit material. The handbook deliberately does not condition authorization on model identity, because a trustworthy model is not a property the authorization layer can verify.
  • Policy snapshots are references, not archives. policy_version makes a derivation re-checkable if the deployment retains its policy history. Parker’s full receipt vision, with policy snapshots inline, is a retention discipline the deployment must add.
  • Embodied agents are out of scope. Parker’s laws extend to cyber-physical surfaces. The handbook’s bindings are protocol substrates. The laws travel, and the wire profiles for physical actuation do not exist yet, which the substrate requirements draft would govern if someone writes one.

The convergence stands regardless. Parker’s closing question, who acted, under whose authority, through what chain, and how can you prove it, is the vendor test in different words, and the fact that two framings built independently keep producing the same six questions is the point of this chapter: the missing layer is not one proposal’s opinion. It is what everyone finds when they look.