Implicit Delegation

The pattern where AI agents call sub-agents, sub-tools, or external services with the same authority they hold themselves, without recording the delegation chain. Makes post-incident reconstruction impossible and unbounded authority propagation invisible.

Implicit Delegation is the pattern where an AI agent calls sub-agents, sub-tools, or external services with the same authority it holds itself, without recording the delegation chain or bounding the delegated authority. Every downstream action then appears (in logs, in tool invocation records, in audit trails) to come from the original identity, regardless of which agent in the chain actually decided to take the action.

The pattern is one of the principal failure modes inside OWASP ASI03 (Identity and Privilege Abuse). It produces two practical problems. First, post-incident reconstruction becomes impossible: when something goes wrong, the audit trail shows "the user did X" rather than "the user delegated to agent A which delegated to sub-agent B which called tool C which did X." The actual chain that produced the action is invisible. Second, authority propagation is unbounded: each sub-agent inherits the parent's full authority by default, so a successful goal hijack at any depth in the chain has the original identity's full authority.

Why Implicit Delegation Is the Default

Most agent runtimes implement delegation as a function call. The agent decides to invoke a sub-agent or tool; the sub-agent or tool runs; the result is returned. There is no identity transition because there is no concept of identity in the function-call model — the same process, the same UID, the same credentials are in play throughout. This is a clean abstraction for software engineering and a security catastrophe for high-authority agents.

The classical analog is process forking with full credential inheritance, but agentic systems compound the problem because the agent's reasoning step decides whether to delegate based on prompt context that may include adversarial input. An attacker who can influence the agent's planning can influence delegation decisions — including delegating to sub-agents the operator never explicitly authorised, with the operator's full identity intact across the chain.

Defensive Patterns

Three controls combine to bound implicit delegation. Explicit identity transition at every delegation boundary: each sub-agent gets its own identity rather than inheriting the parent's. Authority scoping: the delegating agent specifies which subset of its authority transfers to the sub-agent, with the rest unavailable. Delegation audit logs: every transition records who delegated to whom, what authority transferred, and what context produced the decision.

For Web3 contexts specifically, the rule is that any delegation that touches signing authority, wallet credentials, or transaction-creation primitives must require explicit per-delegation authorisation rather than inheriting the parent agent's authority. The risk that an unbounded delegation chain reaches a signing primitive is too great to gate with logging alone.
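The three controls and the signing rule above, expressed as an added Python example; it is not code from this page or from any agent runtime. The names `Principal`, `delegate`, `invoke`, `AUDIT_LOG` and the scope strings are assumptions chosen for illustration, and the audit log is an in-memory list standing in for an append-only store.

```python
import uuid
from dataclasses import dataclass, field

# Scopes that must never transfer by inheritance (scope names are assumptions).
SIGNING_SCOPES = {"wallet:sign", "tx:create"}
AUDIT_LOG = []  # in-memory stand-in for an append-only audit store

class DelegationError(Exception):
    pass

@dataclass(frozen=True)
class Principal:
    """One identity in the chain (user or agent) with its own id and scopes."""
    name: str
    scopes: frozenset
    parent: "Principal | None" = None
    id: str = field(default_factory=lambda: uuid.uuid4().hex[:8])

    def chain(self):
        """Delegation path, root first, e.g. ['user', 'agent-A', 'sub-agent-B']."""
        return (self.parent.chain() if self.parent else []) + [self.name]

def delegate(parent, child_name, scopes, context, approved_by_operator=()):
    """Explicit identity transition: the child gets a new identity and only the
    named subset of the parent's scopes; the transition itself is logged."""
    requested = frozenset(scopes)
    excess = requested - parent.scopes
    if excess:
        raise DelegationError(f"{parent.name} cannot grant {sorted(excess)}")
    # Signing-related scopes need explicit approval for this one delegation.
    unapproved = (requested & SIGNING_SCOPES) - set(approved_by_operator)
    if unapproved:
        raise DelegationError(f"per-delegation authorisation required: {sorted(unapproved)}")
    child = Principal(child_name, requested, parent)
    AUDIT_LOG.append({"event": "delegate", "from": parent.name, "to": child.name,
                      "child_id": child.id, "scopes": sorted(requested),
                      "context": context, "chain": child.chain()})
    return child

def invoke(principal, tool, required_scope):
    """Tool call attributed to the acting principal and its chain, not the root."""
    allowed = required_scope in principal.scopes
    AUDIT_LOG.append({"event": "invoke", "actor": principal.name, "tool": tool,
                      "chain": principal.chain(), "allowed": allowed})
    return allowed
```

Because a child can only receive scopes its parent actually holds, authority can narrow but never widen as the chain deepens, and every log entry names the full path that produced the action.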

For deeper guidance, see the OWASP ASI03 explainer and the MCP Security Audit service description.
