
Telemetry correlation is what the platform produces. Authorization is what the organization produces. The telemetry record shows the sequence of actions the chain took. The chain authorization record shows what the chain was permitted to do, and who is named as accountable when it acts outside that boundary. Most enterprises running agent orchestrations today have the first record. Far fewer have the second.

When AI agents work together in a chain, nobody has defined who is accountable for what the chain does as a unit.

Seven primary sources examined this between December 2025 and June 2026. None of them reached the same conclusion.

In December 2025, ISACA named what was already building inside enterprise AI deployments an authorization crisis. The specific finding: agentic AI systems were being deployed in ways that traditional identity and access management frameworks were never designed to govern. ISACA was not writing about a future risk. ISACA was describing what practitioners inside regulated enterprises were already experiencing.

That was December.

On January 27, FINRA published observations from actual examinations of member firms running AI agent systems. The finding came from examiners inside real firms watching real systems process real customer transactions. What they found: agents acting beyond a user's intended scope and authority, and multi-step agent reasoning tasks making outcomes difficult to trace or explain, complicating auditability. FINRA did not name the firms. FINRA named the pattern.

On February 17, NIST opened a dedicated AI Agent Standards Initiative. The initiative page states that agent identity, authorization, and audit trails are core focus areas. The reason NIST opened a dedicated initiative is the same reason any standards body opens a new workstream: the existing standards do not cover what is being deployed. NIST was not writing new guidance for a problem the field had already solved.

On April 17, the OCC issued revised model risk management guidance. In one sentence that deserves more attention than it received, the OCC stated that generative AI and agentic AI are not within the scope of this guidance and that the agencies plan a future request for information on banks' use of AI including agentic AI. Banks are deploying agentic AI systems today in production, making consequential decisions about real customers. The regulatory framework governing model risk at those banks explicitly does not cover those systems. The OCC said so and moved on.

On April 30, CISA, NSA, and Five Eyes partner agencies published joint guidance on agentic AI based on observed patterns across real enterprise deployments. Their specific documented finding: when multiple autonomous agents collaborate on a task and an erroneous outcome occurs, fragmented logs and opaque reasoning make it difficult to explain the result, assign responsibility, or demonstrate compliance. That sentence was written by agencies that had examined real systems running in production at regulated enterprises. Not theoretical deployments.

On June 2, the Berkeley Technology Law Journal named three things that do not yet exist at most enterprises running multi-agent systems: mandatory interaction logging at every agent-to-agent handoff, standardized agent identity across multi-agent deployments, and explicit liability allocation rules for cross-provider composition.

On June 22, the heads of the Five Eyes cybersecurity agencies signed a joint statement published by NSA. The signatories were the directors of NSA, CISA, the Australian Signals Directorate, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre, and New Zealand's Government Communications Security Bureau. Their message to boards and executives was precise: it is not enough to have controls. Leaders must be confident those controls will perform during a real incident. Their first call to action for every organization was not technology, not patching, not tool deployment. It was this: understand and assess risk, readiness, and accountability.

Seven findings. Seven dates. December through June. Seven different signals pointing at the same object from seven different angles.

None of them named the same thing.

ISACA named an authorization crisis. FINRA named a traceability problem. NIST named a standards gap. The OCC named a regulatory scope problem. CISA named a responsibility assignment problem. The Berkeley Technology Law Journal named a liability allocation problem. The Five Eyes directors named an accountability gap at the board level. Each one described a different surface of the same object. None of them named the object itself.

Here is what the object is.

When three agents work together in a Microsoft Copilot Studio orchestration, each agent has an identity. Microsoft Entra Agent ID registers each one as a service principal. Each has a named owner in the platform. Microsoft Foundry captures every step of every transaction. Microsoft Purview logs every agent action, every handoff, every output. The telemetry is complete. The individual records are clean.

The Five Eyes directors just said that is not enough.

What does not exist is a single record that answers four questions about the chain as a composition.

Who authorized these agents to act together on this class of decision.

What the combined scope of their permitted actions covers as a unit.

Which agent carried which scope at each delegation point.

What external effects is the chain authorized to produce, and who is named as accountable when the chain acts outside that boundary.

Microsoft's Copilot Studio documentation for connected and child agents explains how a parent agent can invoke other agents and pass context between them. Those handoffs, like other operations in multi-agent systems, can be traced and correlated using telemetry identifiers in your observability tooling, so you can reconstruct what the chain actually did. Correlation is what the platform and telemetry stack can produce. Authorization is what the organization must produce. The telemetry record shows the sequence of actions the chain took. The authorization record shows what the chain was permitted to do. Most enterprises running agent orchestrations today have the first record. Far fewer have the second.

FINRA called it a traceability problem because that is what examiners experience when they cannot reconstruct a chain. CISA called it a responsibility assignment problem because that is what incident responders experience when an outcome occurs and no single agent's record covers it. The OCC excluded agentic AI from model risk guidance because the existing framework was built for single models making single decisions and orchestrated agent chains do not fit that shape. ISACA called it an authorization crisis because the identity and access management frameworks built around human identities and fixed service accounts were never designed for agents that create other agents and operate across multiple systems simultaneously. The Five Eyes directors called it an accountability gap because boards and executives cannot be confident their controls will perform during a real incident if nobody has defined who answers when the chain produces a harmful outcome.

This is the Chain Authorization Gap. The absence of any authorization record for the outcome of a multi-agent chain, where no single agent in the chain was individually authorized for what the chain collectively did.

NIST opened a standards initiative to define what that record must contain. No finalized standard has been published. The CISA guidance named the pattern but did not prescribe the artifact. The OCC promised a future request for information. The Berkeley Technology Law Journal named the legal problem and left the governance solution to enterprise practitioners. The Five Eyes directors told boards to act on accountability now, before the guidance arrives.

The Chain Authorization Gap framework asks four questions every orchestration must answer before it goes live.

Who triggered the chain and for what business purpose.

Who authorized the chain as a composition, not each individual agent but the combined scope of what they are permitted to decide together.

Which agent acted at each delegation point and what scope it carried.

What external effects is the chain authorized to produce, and who is named as accountable when the chain acts outside that boundary.

These are not questions the platform answers. They are organizational decisions that require a named human being to make them, write them down, and accept accountability for the chain's outputs before the first request is processed.
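One way to write the four answers down as a record and compare a correlated telemetry trace against it, added here as an illustration and not taken from the framework, from Microsoft tooling, or from any cited guidance. The record shape, field names, agent names, actions, and event format are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChainAuthorization:            # hypothetical record shape, one field group per question
    chain_id: str
    triggered_by: str                # Q1: who triggered the chain
    business_purpose: str            # Q1: for what business purpose
    authorized_by: str               # Q2: who authorized the composition
    agent_scopes: dict               # Q3: agent -> actions it may take at its delegation point
    external_effects: frozenset      # Q4: effects the chain may produce
    accountable_owner: str           # Q4: named human accountable outside that boundary

    def unanswered(self):
        """Fields left empty, i.e. questions nobody has answered yet."""
        return [name for name, value in vars(self).items() if not value]

def check_trace(auth, trace):
    """Compare correlated telemetry events against the authorization record."""
    findings = []
    for ev in trace:
        if ev["chain_id"] != auth.chain_id:
            continue
        scope = auth.agent_scopes.get(ev["agent"])
        if scope is None:
            findings.append((ev["step"], "agent not named in chain authorization"))
        elif ev["action"] not in scope:
            findings.append((ev["step"], "action outside delegated scope"))
        effect = ev.get("external_effect")
        if effect and effect not in auth.external_effects:
            findings.append((ev["step"], "external effect outside chain boundary"))
    return {"accountable_owner": auth.accountable_owner, "findings": findings}

# Constructed sample data: a three-agent refund chain and its telemetry.
AUTH = ChainAuthorization(
    chain_id="refund-chain",
    triggered_by="customer-service-portal",
    business_purpose="refund requests within policy limit",
    authorized_by="Head of Payments Operations",
    agent_scopes={"intake": {"read_ticket"}, "policy": {"evaluate_refund"},
                  "payment": {"issue_refund"}},
    external_effects=frozenset({"refund_issued"}),
    accountable_owner="Head of Payments Operations",
)
TRACE = [
    {"chain_id": "refund-chain", "step": 1, "agent": "intake", "action": "read_ticket"},
    {"chain_id": "refund-chain", "step": 2, "agent": "policy", "action": "issue_refund",
     "external_effect": "refund_issued"},
    {"chain_id": "refund-chain", "step": 3, "agent": "payment", "action": "issue_refund",
     "external_effect": "account_limit_changed"},
]
RESULT = check_trace(AUTH, TRACE)
```

The trace alone shows three clean steps; only the comparison against the record shows that step 2 was taken by an agent whose delegated scope did not include it and that step 3 produced an effect the chain was never authorized to produce.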

Seven primary sources examined this problem between December and June. The field now has ISACA's authorization crisis finding, FINRA's documented examination results, NIST's open standards initiative, the OCC's explicit regulatory scope exclusion, CISA's cross-agency guidance, the Berkeley Technology Law Journal's legal framing, and the Five Eyes directors' personal call for board-level accountability. The documentation exists. The named gap exists. The framework exists.

The authorization record for your most consequential agent orchestration either exists or it does not. That answer does not require a future OCC request for information to determine. It does not require waiting for the next Five Eyes guidance document. It requires one organizational decision, made by a named human being, written down before the chain processes its next request.

In your organization, which team is responsible for producing that record before the next orchestration goes live, and what is the date on the calendar when it is due?