Proving Mission-Bound Authorization
Chapter 4 of Mission-Bound Authorization, the handbook: the validation. The model held against framings its authors did not choose.
The first three chapters of the handbook make its own argument: the intuition, the architecture, the implementation. This chapter runs that argument against tests it did not write. An architecture that only answers its own questions is a belief. One that holds up under a threat model coined by someone else, and under a requirements list derived by someone else, has been validated rather than merely asserted.
An architecture earns trust by holding up under framings its authors did not choose.
Four framings, four posts. A threat model: the lethal trifecta, Simon Willison’s name for the combination that makes agents dangerous (private data, untrusted content, and external communication in one loop). A requirements framework: the Seven Laws of AIdentity, Patrick Parker’s independently derived statement of what agent identity systems must guarantee, from split actors to proof-carrying action. A threat taxonomy: OWASP’s Agentic AI Threats and Mitigations, the fifteen-threat checklist security reviews actually open with. And the governance frameworks: NIST AI RMF, the EU AI Act’s high-risk obligations, and ISO/IEC 42001, the regimes with auditors behind them. Each post maps the framing onto the handbook’s machinery, names where the answer is an existing control with a draft behind it, and is honest about where the handbook delegates or declines.
The Four Proofs
Part 1: Splitting the Lethal Trifecta
The threat model.
The trifecta is the reason agent authorization cannot be a login-time decision: an agent holding private data, reading untrusted content, and able to communicate externally can be turned into an exfiltration machine by anything it reads. The handbook’s answer is structural. Type the three legs, keep them split at execution time, and make the third leg unreachable without a fresh decision.
- Question: Does the handbook contain the defining agent threat model, and what honestly remains?
- The framing: Simon Willison’s lethal trifecta
- Laws: Containment does the work, with Termination behind the kill switch
- Read: Splitting the Lethal Trifecta
Part 2: Answering the Laws of AIdentity
The requirements framework.
Parker’s seven laws were derived from the dynamics of delegated, generated action: split actors, generated intent, bounded agency, continuous authorization, least exposure, justifiable chains, and proof-carrying action. The handbook was derived from the invariants of delegated authority. The two meet, law by law, and the convergence is the point: independent derivations landing on the same requirements is evidence the missing layer is real.
- Question: Does the handbook satisfy an independently derived requirements list for agent identity systems?
- The framing: Patrick Parker’s Seven Laws of AIdentity
- Laws: all five, crosswalked against Parker’s seven
- Read: Answering the Laws of AIdentity
Part 3: Containing the OWASP Agentic Threats
The threat taxonomy.
When a security team reviews an agent deployment, the framing on the table is OWASP’s: fifteen agentic threats from memory poisoning to human manipulation, plus the LLM Top 10. The crosswalk gives every threat a verdict instead of a hand-wave: contained by machinery built for it, bounded at the action gate, or delegated to a named complement. Six contained, nine bounded, and half the LLM Top 10 honestly someone else’s layer.
- Question: Which of the fifteen agentic threats does an authorization layer actually answer, and which does it only cap?
- The framing: OWASP’s Agentic AI Threats and Mitigations and the LLM Top 10
- Laws: all five, with Containment doing the heaviest lifting
- Read: Containing the OWASP Agentic Threats
Part 4: Making Compliance a By-Product
The governance frameworks.
NIST AI RMF, the EU AI Act’s high-risk obligations, and ISO/IEC 42001 converge on one demand: show me. Show me who is accountable, what the system is for, how you observe it, and how it stops. The architecture answers because the artifact that enforces is the artifact that documents: the Mission is the documented purpose, the approval is the accountable decision, the evidence family is the log, and Termination is the interrupt. The evidence is a by-product. The compliance duties that stay with the deployment are named, not absorbed.
- Question: Does the architecture produce the evidence the governance frameworks demand, without a separate compliance build?
- The framing: NIST AI RMF, the EU AI Act, and ISO/IEC 42001
- Laws: Attribution and Durability carry the records, Termination carries the interrupt
- Read: Making Compliance a By-Product
Where to Go Next
The reading order ends here, with the model held against four framings it did not choose.
- Continue: hand the essentials to whoever asks next, and for evaluating anyone else’s claim against the same bar, the vendor test asks Parker’s closing question in six answerable parts: who acted, under whose authority, through what chain, and how can you prove it.
- Alongside this chapter: the wire-level treatments behind the proofs live in the practice chapter. Mission-Bound Runtime Enforcement carries the trifecta’s execution-time contract and the gate most OWASP verdicts stand on, Mission Lifecycle and Change carries the revocation machinery behind the regulatory interrupt, The Agent Runtime and Audit carries the evidence machinery that Parker’s seventh law and Article 12 both demand, and Least Exposure Is Broader Than Least Privilege carries the exposure discipline the framings converge on.
- The appendix: the Field Reference carries the adversary model behind these proofs, the litmus test, and how to cite this handbook.
- The cover: the handbook’s cover maps the essentials, the chapters, and where to start by role.
- The argument: every proof here names its residuals, and issues on the draft repository are where to contest them.