Speaker:: Niki Aimable Niyikiza
Title:: Capability-Based Authorization for AI Agents
Duration:: 29 min
Video:: https://www.youtube.com/watch?v=bw928cFShK4
## Key Thesis
Multi-agent AI systems are fundamentally broken from an authorization standpoint because they inherit ambient authority from workload identity primitives designed for deterministic services — not runtime-reasoning agents that spawn sub-agents unpredictably. The solution is capability-based authorization via cryptographically-signed, ephemeral, delegation-aware "warrants" that freeze the blast radius of any agentic workflow at the moment of task creation, regardless of prompt injection or model misbehavior.
## Synopsis
Niyikiza opens by drawing a sharp distinction between traditional workloads (deterministic, known behavior at deploy time) and agentic workflows (reasoning at runtime, spawning sub-agents dynamically). The root problem: enterprises deploy agents with ambient authority — the full credential of the workload — when the correct model is derived authority, scoped only to the task at hand. This is the "confused deputy" problem, and it's why prompt injection against agents is so catastrophic today.
The valet key analogy is central to the talk: you don't give a valet your full car key (opens trunk, glove box, no geo-fence). You give them a valet key with speed caps, geo-fencing, and no access to storage. The Tenur warrant primitive operates on exactly this principle: when a top-level orchestrator mints a warrant for a sub-agent, that warrant is cryptographically scoped to only what's needed for the task, with a short TTL, and the mathematical guarantee of monotonic attenuation — sub-agents can never receive more authority than their parent.
The six properties of a Tenur warrant: (1) signed by the issuer, (2) sculpted to the task — if it's not in the warrant, the agent cannot do it, (3) ephemeral with short TTLs, (4) holder-bound via proof-of-possession (stolen warrants without the private key are useless), (5) verifiable offline without a central server, (6) delegation-aware — the full delegation chain is encoded cryptographically, producing audit logs as a byproduct.
The live demo showed a SOC triage scenario using LangGraph. A SOC lead mints a broad warrant and passes it to a triage agent, which strips the "isolate host" capability before delegating to an investigation agent. When a prompt injection in the logs attempts to redirect the investigation agent to read vault credentials, Tenur denies it at execution time — deterministically, not probabilistically — because the file path is not in the warrant. Similarly, an attempt to exfiltrate data to `evil-attacker.com` fails because the investigation agent had its `send_HTTP` capability stripped during delegation. The system produces cryptographic receipts for every action.
Tenur is built in Rust with Python bindings, is open source, and currently supports nine frameworks including LangGraph, CrewAI, and A2A. Deployment models covered: in-process hook, sidecar (Envoy extension), API gateway, and MCP proxy. The team benchmarked 53 cryptographic tests with 5,000+ fuzzing scenarios and reports moving the attack surface from 90% to 0% for clearly-scoped workflows. A key lesson: path traversal and URL encoding edge cases require three layers — logical constraints, normalized "attenuated map" constraints, and sandbox-level enforcement that speaks the same language as the warrant.
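To make the warrant properties and the demo's delegation chain concrete, here is an added, self-contained sketch written for these notes; it is not Tenur's code or API. Agent names, keys, capabilities and paths are constructed, and an HMAC over canonical JSON stands in for the per-agent private keys and public-key signatures a real warrant system would use.

```python
import hashlib, hmac, json, posixpath, time
# Constructed per-agent secrets: a stdlib HMAC stand-in for real per-agent private keys.
KEYS = {"soc-lead": b"k-soc", "triage": b"k-triage", "investigate": b"k-inv"}

def mac(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def under(path, roots):
    norm = posixpath.normpath(path)  # collapse `..` so traversal cannot escape a root
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)

def narrower(child, parent):
    """Monotonic attenuation: caps, path roots and TTL all fit inside the parent."""
    return (set(child["caps"]) <= set(parent["caps"]) and child["exp"] <= parent["exp"]
            and all(under(r, parent["roots"]) for r in child["roots"]))

def mint(issuer, holder, caps, roots, ttl, parent=None):
    """Issue a warrant to `holder`; when delegating, `issuer` is the parent's holder."""
    w = {"issuer": issuer, "holder": holder, "caps": sorted(caps), "roots": sorted(roots),
         "exp": time.time() + ttl, "parent": parent}
    if parent is not None:
        w["exp"] = min(w["exp"], parent["exp"])
        if not narrower(w, parent):
            raise PermissionError("delegation may only attenuate, never widen")
    return {**w, "sig": mac(issuer, w)}

def verify(w):
    """Offline chain walk: each link signed by the previous holder, narrower, unexpired; root from "soc-lead"."""
    while True:
        unsigned = {k: v for k, v in w.items() if k != "sig"}
        if (w["issuer"] not in KEYS or time.time() > w["exp"]
                or not hmac.compare_digest(w["sig"], mac(w["issuer"], unsigned))):
            return False
        if w["parent"] is None:
            return w["issuer"] == "soc-lead"  # constructed trust anchor
        if w["parent"]["holder"] != w["issuer"] or not narrower(w, w["parent"]):
            return False
        w = w["parent"]

def authorize(actor, w, cap, path=None):
    """Deny by default: `actor` proves possession, cap is in the warrant, path under a root."""
    req = {"holder": w["holder"], "cap": cap, "path": path}
    if w["holder"] not in KEYS or not hmac.compare_digest(mac(actor, req), mac(w["holder"], req)):
        return False  # a stolen warrant is useless without the holder's key
    return verify(w) and cap in w["caps"] and (path is None or under(path, w["roots"]))

# The talk's SOC chain (constructed values): the lead mints broadly, triage strips
# isolate_host and send_http before delegating to the investigation agent.
lead = mint("soc-lead", "triage", {"read_logs", "isolate_host", "send_http"}, {"/var/log"}, 300)
inv = mint("triage", "investigate", {"read_logs"}, {"/var/log"}, 120, parent=lead)
```

Every denial here is a deterministic check on the warrant, not a judgement about the prompt: a `..` traversal toward vault credentials normalizes outside `/var/log`, `send_http` is simply absent, and a warrant copied by another agent fails proof of possession.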
## Key Takeaways
- Traditional workload identity is insufficient for agentic systems because it provides ambient authority, not task-scoped derived authority
- Capability-based authorization (a 60-plus-year-old concept, re-applied here) is the right model — the DeepMind "CaMeL" paper and a February 2026 follow-up both converge on this conclusion
- Monotonic attenuation is the core guarantee: child agents can never exceed parent scope, no matter how many delegation hops
- The warrant is not a secret — it's cryptographically holder-bound, so theft without the private key is useless
- Prompt injection is NOT prevented — the threat model is containment: even a fully prompt-injected agent cannot exceed its warrant
- Schematization at the constraint layer is insufficient alone; path normalization and sandbox alignment are needed to prevent path traversal bypasses
- The approach produces cryptographic audit logs as a structural byproduct, not an add-on
- Performance cost is minimal — authorization and cryptographic verification happen in the Rust core
## Notable Quotes / Data Points
- "We moved the attack surface from 90% to 0% when you have Tenur and a clearly-defined scope"
- 53 cryptographic tests, 5,000+ fuzzing scenarios using adversarial LLM-generated inputs
- Nine framework integrations as of talk date: LangGraph, CrewAI, A2A, Temporal, and others
- DeepMind released "Defeating Prompt Injections by Design" (March 2025) and "Intelligent AI Design" (February 12, 2026) — both conclude capability-based authorization is the correct framework
- Analogy: a corporate debit card for an intern on a business trip — limited vendors, expires at end of trip, bound to the person, no approval call needed at point of sale
#unprompted #claude