Security · Agentic AI

Agentic AI Has a Hidden Problem:
Uncontrolled Delegation

Most organisations are focused on prompt injection, model security, and data privacy. All important. But there's a more dangerous issue emerging in agentic systems — uncontrolled delegation of access between agents.

Two AI agent systems — agentic AI governance and delegation risk

Most organisations building with AI today are focused on the right things — prompt injection, model security, data privacy. These are real risks and they deserve attention. But in agentic environments there is a more dangerous issue quietly taking shape: uncontrolled delegation of access between agents.

What's happening

In modern AI environments, systems are no longer isolated. They are interconnected:

Agents call other agents (A2A) Orchestrating agents dynamically invoke sub-agents to handle parallelised workstreams — each with its own access and capabilities.
Orchestration layers (MCP-style) route tasks dynamically Tasks are routed at runtime based on context and availability — not pre-approved static configurations.
Tools, APIs, and data sources are chained together A single user request can trigger a chain of agent interactions, tool calls, and data retrievals that the user never explicitly authorised individually.

This creates implicit trust paths — and most organisations have no controls to see them, let alone govern them.

A concrete example

Delegation scenario — no violation triggered
Agent A
Has access to sensitive data Authorised. Scoped. Logged at provisioning time.
↓ delegates task to
Agent B
Does NOT have access to sensitive data Not authorised — but asks Agent A to retrieve the data on its behalf.
↓ result
System
Complies. No alert. No violation. Just "normal" behaviour. The access happened. The data moved. Nothing in the logs looks wrong.

The problem isn't access. It's delegation.

We are no longer dealing with the traditional security question:

"Who has access?"

We are dealing with a fundamentally different question:

"Who can cause access to happen?"

In agentic systems, trust becomes transitive. Privileges become composable. Boundaries become blurred. This leads to:

Indirect privilege escalation An agent without a permission acquires it by routing requests through an agent that has it.
Unauthorised tool execution Agents invoke tools and APIs they were never directly authorised to use — through delegation chains.
Data boundary collapse Sensitive data crosses classification boundaries because the delegating agent had legitimate access — even if the receiving agent did not.
Prompt-driven lateral movement A manipulated agent propagates malicious instructions laterally through the agent network — at machine speed, without human detection.

And the most concerning part: it often looks like entirely legitimate system behaviour.

This is a classic problem — reimagined

Security professionals will recognise this immediately: it is the Confused Deputy Problem.

A system with legitimate authority is manipulated into using that authority on behalf of something that should not have it. Now reimagine that problem as:

DistributedAcross dozens of agents, tools, and APIs — not a single system boundary.
AutonomousOperating without human instruction at each step — reasoning and acting independently.
Happening at machine speedCompleting in milliseconds what would take a human attacker hours to execute manually.

Where most organisations are falling short

✓ Being secured

  • Models and inference endpoints
  • APIs and integration layers
  • Infrastructure

✗ Not being secured

  • Agent-to-agent trust
  • Delegation boundaries
  • Identity propagation
  • Data flow control

What needs to change

If you are deploying agentic AI, start by answering these questions:

Can Agent A delegate its authority to Agent B?Is that delegation explicit, scoped, and logged — or implicit and unlimited?
Is delegation logged at every step?Not just at the orchestration layer — but at every agent-to-agent interaction in the chain.
Can agents invoke tools indirectly through other agents?And if so, is there policy enforcement at the point of indirect invocation?
Do you control how data moves between agents?Is data lineage tracked across the full agent interaction graph?

What this requires

Strong agent identity — not shared credentials. Every agent needs a distinct, non-transferable identity with explicit scoped permissions.
Scoped, time-bound delegation — any authority an agent passes to another must be explicitly scoped and expire. No open-ended delegation.
Capability-based controls — not just role-based access. What an agent can do must be as tightly controlled as what it can see.
Policy enforcement at the orchestration layer — controls must exist where delegation decisions are made, not just at system boundaries.
Full traceability of agent interactions — the complete delegation chain, not just the originating request and the final action.
Data lineage as a security control — track which agents touched data, transformed it, or passed it on — and with what authority.

Final thought

In traditional systems: access is granted.

In agentic systems: access is propagated.

If you don't control delegation, you don't control the system.

#CyberSecurity #AI #GenAI #AgenticAI #AISecurity #CISO #ZeroTrust #OneCompliant

Assess your agentic AI exposure

OneCompliant's OASAT assessment maps your AI systems against governance, security, and delegation risk — producing a prioritised remediation roadmap in 4–6 weeks.