Enterprise IAM governs who an agent is and what it may do at each boundary. No widely adopted control governs whether its mission should still be running. This series builds the case for the authority-governance layer that closes that gap.
The agent has valid credentials, authorized access, and a mandate that expired five minutes ago. Every control shows green. This series makes that failure mode visible. Then it builds the case for a mission-authority governance layer that sits above identity and access and treats the Execution Mandate as a first-class, independently revocable artifact.
Enterprise IAM was designed for human-paced execution. Agents remove the presence, pacing, and natural scope-limiting that made those controls work. The result is a structural gap that stronger credentials, tighter scopes, and faster JIT provisioning cannot close.
Tokens, credentials, and scopes tell a system what an agent may do. They say nothing about why execution was authorized or when it should end. The Execution Mandate is the primitive that closes that gap: a signed, inspectable authority record that runtime systems can evaluate and revoke throughout the execution lifecycle.
An Execution Mandate defines what delegated authority looks like. This post builds the control plane that makes it operational: how mandates are issued and held as authoritative artifacts, how authority is evaluated continuously rather than at gates, how governance crosses organizational boundaries, and where enforcement lands in practice.