NEWSLETTER
Who Signed the Chain?
July 7, 2026
NEWSLETTER
July 7, 2026
Individual AI agent reviews can each pass while the multi-agent chain they form together never gets re-approved as a unit. Microsoft Entra Agent ID solved sponsor lifecycle at the individual agent level in its May 2026 release, but chain-level approval still runs on a single signature from the day the system launched. The Chain Authorization Gap names the distance between agent-level compliance and chain-level accountability, and the Observed-Outcome Trigger in the Disposition Protocol is the mechanism designed to close it.

Three AI agents work at a car loan company. The kind Microsoft's enterprise customers have already built more than 120,000 of through Copilot Studio, per Microsoft's Q1 FY2026 earnings commentary, running quietly inside software the reader's own company probably already licenses. Agent A reads incoming requests from customers who want to change their loan payments. Agent B decides whether the change makes sense. Agent C executes the paperwork. Together they form a relay team. One hands off to the next, all day, thousands of times, with humans out of the middle entirely.
Eight months ago, a room full of people approved this relay team. Signed off, launched, done.
Now watch what happens next, because this is where it gets strange.
(This scenario is constructed to illustrate a real gap. It comes from publicly documented product behavior, not from any client engagement.)
Every ninety days, the company runs a check. Not on the relay team. On each agent, one at a time. Does Agent A still have a human sponsor, a real person accountable for it? Yes. Agent B? Yes. Agent C? Its sponsor, an underwriting manager, quit six weeks ago.
And here Microsoft's system does exactly what it promises. Every agent identity in Microsoft Entra Agent ID carries a named human sponsor, and since Microsoft's May 2026 Agent ID release, sponsor lifecycle workflows catch the moment a sponsor leaves and reassign or wind down the agent's access per policy. Agent C's sponsor is replaced by a new underwriting manager within the day. A green checkmark for the process. The system worked.
All three agents keep running. Sponsors current, individual reviews spotless, three green checkmarks in a row, and the relay keeps relaying without a pause. And in that room where the quarterly review just wrapped, with coffee cups draining and laptops closing, a question hangs in the air that fails to get asked.
Agent A handled its step. Agent B handled its step. Agent C handled its step. The three of them together decided the loan. That decision belongs to a system, and the system has one signature on it, from eight months ago. Are the reasons behind that signature still true? Did someone write down a date to check? Is there a calendar entry, somewhere in the company, that says re-approve the relay team?
There is not. There almost never is.

Every governance system your company owns, every audit, every review, every checklist, was built on one quiet belief: a human made each decision, so accountability means finding that human. That belief has a name in my framework library. It is called The Accountability Assumption, and agents broke it.
Companies patched the break at the individual level, and to be fair, Microsoft built that patch well. Each agent gets an identity, a sponsor, an expiration path. The individual layer is genuinely good now.
But decisions at these companies are made by chains of agents, and the chain has zero sponsors. The chain carries a single approval from the day it was born. After that, governance reviews the parts and assumes the whole still holds.
A sharp examiner in a regulated industry gets to this faster than the organization does. The examiner has stopped asking whether your agents are auditable, because the tooling answers that automatically. The uglier question arrives instead: who approved these three agents to act together on this category of decision, when, and what has changed since? From a supervisory perspective, this is how policy drift becomes customer impact while every individual control keeps passing. Misapplied credit decisions, inconsistent customer treatment, a model risk file that describes a system which quietly stopped existing months ago.
The individual reviews all passed. That is exactly how the failure stays invisible.
The distance between what each agent is individually cleared to do and whether the sequence they form still holds a valid, current approval is the Chain Authorization Gap. The framework page covers what must be answered before a chain goes live. This edition adds the question that arrives after launch: what wakes that approval up for review?
One control does the heavy lifting. The Observed-Outcome Trigger, part of the Disposition Protocol, re-opens the chain-level approval the moment the chain produces an outcome its original approvers would have rejected if they had seen it coming, even while every individual agent inside it stays current and clean. Calendars review on schedule. Outcomes review on evidence. A chain needs both clocks, and most organizations own only the first. The supporting structure around that trigger, lifecycle tracking, the written authorization record, lives in The Authorization Layer library.

Run this exercise on a Tuesday morning. The blank column is your finding. Want to know where your organization stands today? Run The Chain Authorization Test. One piece of paper, two columns. Left column: every multi-agent sequence you run, with the date each agent inside it last cleared sponsor review. Right column: the date the sequence itself was last approved as a unit, by name, by a person, in writing.
Most organizations hand back a full left column and an empty right one.
The relay team at the car lender is still running today, three agents strong, doing exactly what it was designed to do eight months ago.
It will do exactly what you meant. That is the part that should terrify you.
Somewhere in your company right now, a chain of agents is approving credit, releasing funds, or triaging cases under an approval that has been read by exactly one meeting, ever. When the examiner asks whose name is on it, whose desk does the question land on?