Proving Mission-Bound Authorization

Chapter 4 of Mission-Bound Authorization, the handbook: the validation. The model held against framings its authors did not choose.

The first three chapters of the handbook make its own argument: the intuition, the architecture, the implementation. This chapter runs that argument against tests it did not write. An architecture that only answers its own questions is a belief. One that holds up under a threat model coined by someone else, and under a requirements list derived by someone else, has been validated rather than merely asserted.

An architecture earns trust by holding up under framings its authors did not choose.

Four framings, four posts. A threat model: the lethal trifecta, Simon Willison’s name for the combination that makes agents dangerous (private data, untrusted content, and external communication in one loop). A requirements framework: the Seven Laws of AIdentity, Patrick Parker’s independently derived statement of what agent identity systems must guarantee, from split actors to proof-carrying action. A threat taxonomy: OWASP’s Agentic AI Threats and Mitigations, the fifteen-threat checklist security reviews actually open with. And the governance frameworks: NIST AI RMF, the EU AI Act’s high-risk obligations, and ISO/IEC 42001, the regimes with auditors behind them. Each post maps the framing onto the handbook’s machinery, names where the answer is an existing control with a draft behind it, and is honest about where the handbook delegates or declines.

The Four Proofs

Part 1: Splitting the Lethal Trifecta

The threat model.

The trifecta is the reason agent authorization cannot be a login-time decision: an agent holding private data, reading untrusted content, and able to communicate externally can be turned into an exfiltration machine by anything it reads. The handbook’s answer is structural. Type the three legs, keep them split at execution time, and make the third leg unreachable without a fresh decision.

Part 2: Answering the Laws of AIdentity

The requirements framework.

Parker’s seven laws were derived from the dynamics of delegated, generated action: split actors, generated intent, bounded agency, continuous authorization, least exposure, justifiable chains, and proof-carrying action. The handbook was derived from the invariants of delegated authority. The two meet, law by law, and the convergence is the point: independent derivations landing on the same requirements is evidence the missing layer is real.

Part 3: Containing the OWASP Agentic Threats

The threat taxonomy.

When a security team reviews an agent deployment, the framing on the table is OWASP’s: fifteen agentic threats from memory poisoning to human manipulation, plus the LLM Top 10. The crosswalk gives every threat a verdict instead of a hand-wave: contained by machinery built for it, bounded at the action gate, or delegated to a named complement. Six contained, nine bounded, and half the LLM Top 10 honestly someone else’s layer.

Part 4: Making Compliance a By-Product

The governance frameworks.

NIST AI RMF, the EU AI Act’s high-risk obligations, and ISO/IEC 42001 converge on one demand: show me. Show me who is accountable, what the system is for, how you observe it, and how it stops. The architecture answers because the artifact that enforces is the artifact that documents: the Mission is the documented purpose, the approval is the accountable decision, the evidence family is the log, and Termination is the interrupt. The evidence is a by-product. The compliance duties that stay with the deployment are named, not absorbed.

Where to Go Next

The reading order ends here, with the model held against four framings it did not choose.