Over the past year I have reviewed enterprise agent architectures at nearly two dozen organizations, including banks, retailers, healthcare systems, and a number of regulatory agencies. The architecture diagrams have been reliably impressive. There are boxes for the MCP gateway, tool registry, vector store, orchestrator, policy engine, and observability stack. There are arrows showing how agents discover each other, share context, and invoke tools across the network. By the standards of 2026, these are the pictures put on the table for any serious agent deployment. But what none of them explain anywhere is who the agents are, who holds the authority, or who answers when they are wrong.
Main drift is the constant disconnect, in any sufficiently large agentic system, between the human authority from which the recorded action is supposed to be derived and the agent that actually performed it. What seems like a defensible identity position the day you ship your first agent quietly deteriorates as agents proliferate, compose, and persist beyond their original initiatives. Main drift is not three independent failure modes; it is one chain. Identity collapses first. Then authority erodes, because there is no longer a stable principal to which policy can be attached. Third, accountability dissolves, because the cost of the agent's error falls on the team with the weakest negotiating position when the incident review begins. Stopping the cascade means intervening at the first link, but almost no enterprise agent platform currently does this.
To see the cascade, take the organization’s most boring agent, the Refund Agent, and watch it.
A customer service representative, in a conversation, asks the agent to process a $48 refund for a damaged item. The agent checks eligibility, issues the refund, and posts an update. An audit log records the action as taken by something like Refund-agent-prod-03, which operates under a service principal owned by the customer service platform team. That entry is correct, but it is also useless. The agent was not acting as Refund-agent-prod-03. It was acting as the representative, on behalf of the customer, under a chain of authority that no one had recorded. In a well-constructed system, the customer, representative, agent and service principal identities are recorded together, so that they are queryable as a chain and persist after the session. In most production systems today they are not. This is the first link in the chain, where identity collapses to a generic service principal, and there is no longer a "who" to attach anything else to.
Authority then erodes. The refund agent has an issue_refund tool that can technically refund any order. Its authority is supposed to be narrower (refunds up to $200, orders less than 90 days old, customers in good standing, automatic escalation above $50), but that authority lives in a prompt, a YAML file, or a Notion page that the team last updated when the policy was different. The runtime enforces the capability, but no one really enforces the authority. When a poisoned input or a confused chain of reasoning leads the agent to refund $1,800 to the wrong customer, there is no clear answer to the post-incident question "Who approved this policy?", because the policy has never been an artifact. The same pattern is worse at higher stakes: imagine a coding agent with merge access to a protected branch, directed by a prompt embedded in a code comment to "log configuration values for debugging," silently leaking secrets to an external monitoring service.
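One way to turn the refund authority described above into an enforced artifact is a gate in front of the tool. This is an added example, not code from the article or from any product it names; the policy field names, function names and sample values are assumptions, and only the limits are taken from the text.

```python
import hashlib
import json
from datetime import date

# Constructed policy artifact; field names are assumptions, limits are the ones quoted above.
REFUND_POLICY = {
    "policy_ref": "refund-policy/v3.1",
    "max_amount": 200.00,          # refunds up to $200
    "order_age_limit_days": 90,    # orders less than 90 days old
    "require_good_standing": True,
    "escalate_above": 50.00,       # automatic escalation above $50
}

def policy_digest(policy):
    """Digest of the canonical policy text, so each decision cites the exact version applied."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def authorize_refund(policy, amount, order_date, good_standing, today):
    """Return (decision, reasons); decision is 'allow', 'escalate' or 'deny'."""
    reasons = []
    if amount <= 0:
        reasons.append("amount must be positive")
    if amount > policy["max_amount"]:
        reasons.append("amount exceeds max_amount")
    if (today - order_date).days >= policy["order_age_limit_days"]:
        reasons.append("order too old")
    if policy["require_good_standing"] and not good_standing:
        reasons.append("customer not in good standing")
    if reasons:
        return "deny", reasons
    if amount > policy["escalate_above"]:
        return "escalate", ["amount above escalate_above"]
    return "allow", []

def guarded_issue_refund(policy, amount, order_facts, today):
    """Gate in front of the tool. Only `amount` comes from the model; order_facts
    must be read from the system of record by the gate, not supplied by the agent."""
    decision, reasons = authorize_refund(
        policy, amount, order_facts["order_date"], order_facts["good_standing"], today)
    return {"decision": decision, "reasons": reasons,
            "policy_ref": policy["policy_ref"],
            "policy_sha256": policy_digest(policy)}

if __name__ == "__main__":
    facts = {"order_date": date(2026, 5, 7), "good_standing": True}  # constructed
    print(guarded_issue_refund(REFUND_POLICY, 1800.00, facts, date(2026, 5, 17)))
```

Because every decision carries the policy reference and digest, the question of which policy version permitted or blocked a refund can be answered from the decision record itself.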
Then accountability dissolves. The team that built the agent says it followed policy. The team that wrote the policy says it did not anticipate the input. The team running the platform says the agent was acting as a service principal that did not own its behavior. An audit log may show the action, but it does not show the reasoning that led to the action, the retrieved context that shaped the reasoning, or the prompt history that framed the retrieval. The post-incident review becomes archaeology, and the cost is ultimately absorbed by whoever has the weakest negotiating position when the meeting ends.
Is any of this new? We have IAM, identity governance, policy as code, audit trails, SIEMs, and 30 years of compliance practice. Why not just implement IAM properly? Because IAM is built around assumptions that agents violate. IAM and IGA assume a set of principals that changes on human timescales: people are hired, people leave, and service accounts rotate quarterly. Agents are assembled per session and composed into chains in which one agent calls another, which calls a third, and they impersonate users through delegated tokens that traditional IGA cannot represent as a chain at all. Policy engines operate at the moment of action: at the API, the database, and the network. Agents make their most important decisions before they arrive at those enforcement points, in the reasoning step that determines which tool to call and with what arguments. Mature audit logs assume that replaying the inputs reproduces the outputs. But for agents, replaying the prompt and the retrieval can produce a different action, because the model itself contributes state that the log does not capture. The machinery fires, the dashboards turn green, and the agent that quietly leaked the secrets is still doing so. The audit log records the action as Agent-service-01, which is again incorrect and unhelpful.
This is also the part that vendors selling the unified stack want you to skip. Microsoft's Entra Agent ID, currently in public preview, is the most polished solution yet, extending the conditional access, identity management, and identity protection used for humans and workloads to cover AI agents as a new identity type, but Google and Salesforce are also building out this layer. The marketing line is that agents get the same identity-based protections as the rest of the workforce. This is a real step forward in addressing the first link in the chain, but it is not governance. It is a control plane with governance-plane marketing. Conditional access can tell you whether an agent's attempt to reach a resource was allowed. It cannot tell you whether the decision the agent made before the access attempt was within its authority, why the agent reached that decision, or which business unit owned the policy the decision was supposed to adhere to.
{
  "event_id": "refund-2026-05-17-08431",
  "triggered_by": {
    "human_principal": "rep:olivia.chen@firm.com",
    "delegated_via": "support-console-session-9c2a",
    "customer_principal": "cust:7741289"
  },
  "agent": {
    "identity": "refund-agent",
    "version": "v4.7.2",
    "policy_ref": "refund-policy/v3.1 (signed: r.patel, 2026-04-22)"
  },
  "task": "Process refund for order 88812204",
  "retrieved_context": [
    {"doc": "order:88812204", "fetched": "2026-05-17T08:43:11Z"},
    {"doc": "policy:refund-eligibility", "chunk": 4, "fetched": "2026-05-17T08:43:12Z"}
  ],
  "reasoning_trace": "...",
  "tool_calls": [
    {"tool": "check_eligibility", "input": "...", "output": "eligible"},
    {"tool": "issue_refund", "input": {"amount": 48.00}, "output": "ok"}
  ],
  "action": "refund:48.00",
  "principal_chain_hash": "0x9e7b3f..."
}
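A check that audit records of this shape still carry the full chain of principals, and that the chain has not been altered after the fact, could look like the following. This is an added example, not code from the article; the hash construction is an assumption (the record shows a principal_chain_hash value but not how it is derived), and the function names and sample events are constructed.

```python
import hashlib
import json

CHAIN_FIELDS = ("customer_principal", "human_principal", "delegated_via")

def principal_chain(event):
    """Ordered chain: customer, human, delegation session, then agent identity, version, policy."""
    trig, agent = event.get("triggered_by", {}), event.get("agent", {})
    return [trig.get(f) for f in CHAIN_FIELDS] + [
        agent.get("identity"), agent.get("version"), agent.get("policy_ref")]

def chain_hash(event):
    # Assumption: SHA-256 over compact JSON of the ordered chain. The page shows a
    # principal_chain_hash value but does not say how it is derived.
    data = json.dumps(principal_chain(event), separators=(",", ":")).encode()
    return "0x" + hashlib.sha256(data).hexdigest()

def audit_findings(event):
    """Reasons this record cannot answer: who acted, for whom, under which policy?"""
    findings = []
    trig = event.get("triggered_by", {})
    findings += [f"missing triggered_by.{f}" for f in CHAIN_FIELDS if not trig.get(f)]
    if not event.get("agent", {}).get("policy_ref"):
        findings.append("missing agent.policy_ref")
    if event.get("principal_chain_hash") != chain_hash(event):
        findings.append("principal_chain_hash mismatch")
    return findings

def sample_event():
    """Constructed record using the field names from the record above."""
    event = {
        "event_id": "refund-2026-05-17-08431",
        "triggered_by": {"human_principal": "rep:olivia.chen@firm.com",
                         "delegated_via": "support-console-session-9c2a",
                         "customer_principal": "cust:7741289"},
        "agent": {"identity": "refund-agent", "version": "v4.7.2",
                  "policy_ref": "refund-policy/v3.1 (signed: r.patel, 2026-04-22)"},
        "action": "refund:48.00",
    }
    event["principal_chain_hash"] = chain_hash(event)
    return event

def collapsed_event():
    """Constructed record of the kind described earlier: only the service principal is logged."""
    return {"event_id": "constructed-0001", "agent": {"identity": "refund-agent"},
            "action": "refund:48.00"}
```

Run over an existing audit feed, the findings list gives a direct measure of how many events have already collapsed to a bare service identity.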
Not every agent needs this. The scheduling agent that suggests meeting times does not. An agent that moves money, deploys code, or makes decisions that the regulator will eventually question needs it, and this is the right standard to set because of the cost associated with it. Reasoning-level auditing is closer to a flight data recorder than a system log feed. Storing and querying the data is expensive, with real privacy implications, because these records contain everything the agent saw, including data the agent was authorized to read but that the audit system was never supposed to retain. You can afford it through proportional retention: full reasoning capture for high-stakes agents (regulator-facing, customer-money-moving, contractually material, production-modifying) and lighter capture for internal-only assistants.
Which raises the question that an architecture diagram doesn't: Who is building and managing this? Security can enforce policy but cannot authorize it. The people who know what the refund agent should be allowed to do are those who own the refund business, not the firewall. IT can provision identities but cannot define "good standing" or write the escalation rule. The MCP and A2A communities are doing real work on identity and authorization at the wire level. MCP gives you provenance for tool calls; it is the standard on which Entra Agent ID and most vendor frameworks rely. A2A converges on the fundamentals of agent delegation. Both are important, but neither formulates policy. Standards govern the connections, not the institution.
What organizations need is a new function that sits between the business units that own policies and the platform teams that manage the runtime. We call it Agent operations: a small group, often four to eight people in a Global 2000 organization, embedded rather than centralized, reporting to a CIO or CISO depending on house policies, with a clear charter to keep a record of each production agent, its named human owner, its issued authority specifications, its retention policy for reasoning-level auditing, and its lifecycle status. Each agent is paired with a signed policy, reviewed on a real cadence, and actually retired when its initiative expires, rather than the current default of quietly outliving its sponsors. Designing against failure modes, such as review cadences that calcify into ceremony, policy artifacts that lag behind the speed of agent deployment, or a function that becomes the place where agents go to die in committee, is itself part of the work. The function must ship at the platform team's pace; otherwise it will be routed around within a quarter.
The work is hard. It is also overdue, and the regulatory clock is running. High-risk provisions in EU law on artificial intelligence came into force this year, and regulators will require explainability, traceability, lifecycle records, and specific human accountability. These are exactly the artifacts that an agent operations function produces. Tyler Akidau gave this a name in his April Radar article; Artur Hauk's recent "From capabilities to responsibilities" converges on similar ground on the runtime side. The naming is less important than the work. This piece is about governance within a single organization. The harder issue is governance across organizations, where agents operate under different trust systems. This is just as bad, and deserves its own piece.
Within your four walls, a diagnosis can be made in an afternoon. Choose one production agent. Try to answer with evidence: Under whose authority, as a named person, is it acting? Where is its authority specified, and who signed the current version? When it does something wrong tomorrow, who pays, how is that determined, and what reasoning-level record supports the decision? Most architects who do this honestly come out with three blanks and a knot in their stomach. This is the main drift, named and visible.
The network you have built is real and necessary, but it is not sufficient. The rest of the structure is the institution above it: the registry, the signed policies, the reasoning-level audit, and the named human at the end of each chain. In most companies, it doesn't exist yet, and it won't arrive by purchasing another platform. You will have to formulate it yourself.







