Multi-Agent AI Systems Expose Authorization Gaps as Delegation Chains Outpace Legacy Security Controls

A fundamental mismatch between legacy identity and access management protocols and the fluid nature of multi-agent AI workflows is leaving enterprises with untraceable authorization chains, according to analysis published by O'Reilly Radar on 26 May. As organizations increasingly deploy interconnected AI agents that delegate tasks across calendars, document systems, and communication platforms, security teams are struggling to verify who approved each step in an autonomous sequence.

The delegation problem emerges when a single user request triggers a cascade of agent-to-agent handoffs. An AI assistant tasked with preparing a briefing might call upon a calendar agent to find availability, a document analysis agent to extract key figures, and an email agent to distribute results. Each sub-agent accesses internal systems, makes judgment calls about content inclusion, and acts on the user's behalf — yet traditional access controls were designed for static, human-initiated requests, not dynamic machine-to-machine routing.

For Hong Kong IT and security teams, the implications extend beyond operational visibility. Under the Personal Data (Privacy) Ordinance (PDPO), organizations remain accountable for how personal data is accessed and processed, regardless of whether a human or an agent initiated the action. Financial institutions regulated by the HKMA's Technology Risk Management guidelines are similarly expected to maintain clear audit trails for all system access — a requirement that becomes difficult to satisfy when delegation chains span multiple autonomous components.

Industry experts argue that effective governance must shift from perimeter-based defenses to protocol-level traceability. This means embedding cryptographic delegation tokens directly into agent communication layers, implementing policy-as-code frameworks that validate permissions in real time, and maintaining unified audit ledgers capable of mapping end-to-end interactions across heterogeneous agent ecosystems.

The push for open, vendor-neutral standards is gaining urgency as commercial AI deployments outpace the development of corresponding security frameworks. Proprietary compliance solutions risk creating siloed governance models that cannot interoperate across platforms — a particular concern for enterprises operating multi-vendor agent stacks.

Practical steps for regional security teams include establishing cross-functional oversight groups that bring together security engineers, AI developers, and compliance officers to define contextual permission boundaries and least-privilege defaults. Organizations should also identify data sensitivity classifications that trigger mandatory human-in-the-loop review, ensuring that high-risk workflows retain explicit intervention thresholds rather than running fully autonomously.
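As an added illustration of the controls described above (delegation tokens that bind each agent-to-agent hop to the one before it and can only narrow scope, a policy-as-code check evaluated at the moment of action, a unified audit ledger, and a data-sensitivity class that forces human-in-the-loop review), the following Python model runs the briefing workflow from the opening paragraphs. It is example code written for this page, not code from the O'Reilly analysis or from any vendor product; the agent names, scope strings, the shared-HMAC token format and the policy tables are all assumptions.

```python
"""Delegation-chain tokens, a policy-as-code check and an audit ledger for a
multi-agent workflow. Added example for this page; agent names, scope
strings, the HMAC token format and the policy tables are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key shared by issuers and verifier (assumption; a real
# deployment would use per-principal signing keys, not one shared secret).
SECRET = b"example-shared-key-not-for-production"

# Policy-as-code (assumed): the most each agent may ever hold, and the data
# classes whose handling must pause for a human reviewer.
AGENT_MAX_SCOPES = {
    "assistant": {"calendar:read", "docs:read", "email:send"},
    "calendar-agent": {"calendar:read"},
    "doc-agent": {"docs:read"},
    "email-agent": {"email:send"},
}
HUMAN_REVIEW_CLASSES = {"confidential", "personal-data"}
LEDGER = []  # unified audit ledger: one record per authorization decision


@dataclass(frozen=True)
class Hop:
    issuer: str        # principal handing the task on
    subject: str       # agent receiving it
    scopes: frozenset  # what the subject may do on the root user's behalf
    parent_mac: str    # MAC of the previous hop; "" for the human root
    mac: str           # MAC over this hop, binding it to its parent


def _mac(issuer, subject, scopes, parent_mac):
    payload = json.dumps([issuer, subject, sorted(scopes), parent_mac]).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def delegate(issuer, subject, scopes, parent=None):
    """Mint one hop: scopes may only narrow relative to the parent hop and
    must stay inside the policy ceiling for the receiving agent."""
    scopes = frozenset(scopes)
    if parent is not None:
        if parent.subject != issuer:
            raise ValueError(f"{issuer} does not hold the parent delegation")
        if not scopes <= parent.scopes:
            raise ValueError(f"{issuer} tried to widen scope: {sorted(scopes - parent.scopes)}")
    ceiling = AGENT_MAX_SCOPES.get(subject, frozenset())
    if not scopes <= ceiling:
        raise ValueError(f"policy denies {subject} scope {sorted(scopes - ceiling)}")
    parent_mac = parent.mac if parent is not None else ""
    return Hop(issuer, subject, scopes, parent_mac, _mac(issuer, subject, scopes, parent_mac))


def verify_chain(chain):
    """Walk the chain from the human root, checking every MAC, every parent
    link and the scope-narrowing rule. Returns the root principal."""
    if not chain or chain[0].parent_mac != "":
        raise ValueError("chain does not start at a human root")
    prev_mac, prev_scopes = "", None
    for hop in chain:
        expected = _mac(hop.issuer, hop.subject, hop.scopes, hop.parent_mac)
        if hop.parent_mac != prev_mac or not hmac.compare_digest(expected, hop.mac):
            raise ValueError(f"broken link at {hop.issuer} -> {hop.subject}")
        if prev_scopes is not None and not hop.scopes <= prev_scopes:
            raise ValueError(f"scope widened at {hop.issuer} -> {hop.subject}")
        prev_mac, prev_scopes = hop.mac, hop.scopes
    return chain[0].issuer


def authorize(chain, action, data_class="public"):
    """Real-time policy decision for one action by the last agent in the
    chain; every decision, allowed or not, is written to the ledger."""
    try:
        root = verify_chain(chain)
    except ValueError as exc:
        root, decision = "unverified", f"deny: {exc}"
    else:
        if action not in chain[-1].scopes:
            decision = "deny: out of scope"
        elif data_class in HUMAN_REVIEW_CLASSES:
            decision = "needs-human-review"
        else:
            decision = "allow"
    LEDGER.append({"root": root, "path": [h.subject for h in chain],
                   "action": action, "data_class": data_class, "decision": decision})
    return decision


def run_briefing_workflow():
    """Briefing scenario: the assistant fans out to three sub-agents."""
    root = delegate("user:alice", "assistant", AGENT_MAX_SCOPES["assistant"])
    cal = delegate("assistant", "calendar-agent", {"calendar:read"}, root)
    doc = delegate("assistant", "doc-agent", {"docs:read"}, root)
    mail = delegate("assistant", "email-agent", {"email:send"}, root)
    return [
        authorize([root, cal], "calendar:read"),              # allow
        authorize([root, doc], "docs:read", "confidential"),  # pauses for a human
        authorize([root, mail], "email:send"),                # allow
        authorize([root, mail], "docs:read"),                 # sub-agent overreach
    ]


def tampered_hop_is_rejected():
    """A hop whose scopes were edited after issuance fails MAC verification."""
    root = delegate("user:alice", "assistant", {"email:send"})
    mail = delegate("assistant", "email-agent", {"email:send"}, root)
    forged = Hop(mail.issuer, mail.subject, frozenset({"email:send", "docs:read"}),
                 mail.parent_mac, mail.mac)
    return authorize([root, forged], "docs:read").startswith("deny: broken link")
```

Each ledger record names the human root, the full agent path, the action, the data class and the decision, which is the end-to-end mapping the article asks for; the single shared key is the simplification that a real design would replace with per-principal signatures so that a sub-agent cannot mint hops in another principal's name.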

Open questions remain around how least-privilege permissions can be dynamically calculated across diverse agent environments without introducing performance-degrading latency, and how standards bodies will move toward formal certification of delegation tracking protocols. What is clear is that the window for proactive governance design is narrowing as multi-agent adoption accelerates.


Multi-Agent AI Systems Expose Authorization Gaps as Delegation Chains Outpace Traditional Security Controls

According to an analysis published by O'Reilly Radar on 26 May, there is a fundamental mismatch between traditional identity and access management protocols and the fluid nature of multi-agent AI workflows, leaving enterprises with untraceable authorization chains. As organizations increasingly deploy interconnected AI agents that delegate tasks across calendars, document systems and communication platforms, security teams find it hard to verify who approved each step in an autonomous sequence.

The delegation problem arises when a single user request triggers a cascade of handoffs between agents. An AI assistant assigned to prepare a briefing may call a calendar agent to find available time, a document analysis agent to extract key figures, and an email agent to distribute the results. Each sub-agent accesses internal systems, makes judgment calls about what content to include, and acts on the user's behalf, yet traditional access controls were designed for static, human-initiated requests rather than dynamic machine-to-machine routing.

For Hong Kong IT and security teams, the impact goes beyond operational visibility. Under the Personal Data (Privacy) Ordinance (PDPO), organizations remain responsible for how personal data is accessed and processed, whether the action was initiated by a human or an agent. Financial institutions regulated under the HKMA's Technology Risk Management guidelines likewise need to maintain clear audit trails for all system access, a requirement that becomes hard to meet when delegation chains span multiple autonomous components.

Industry experts argue that effective governance must shift from perimeter-based defenses to protocol-level traceability. This means embedding cryptographic delegation tokens directly into the agent communication layer, implementing policy-as-code frameworks that validate permissions in real time, and maintaining a unified audit ledger capable of mapping end-to-end interactions across heterogeneous agent ecosystems.

As commercial AI deployment outpaces the development of corresponding security frameworks, the push for open, vendor-neutral standards is becoming more urgent. Proprietary compliance solutions may lead to siloed governance models that cannot interoperate across platforms, a particular concern for enterprises running multi-vendor agent stacks.

Practical measures for regional security teams include setting up cross-functional oversight groups that bring together security engineers, AI developers and compliance officers to define contextual permission boundaries and least-privilege defaults. Organizations should also identify the data sensitivity classifications that trigger mandatory human-in-the-loop review, ensuring that high-risk workflows keep explicit intervention thresholds rather than running fully autonomously.

Open questions remain: how to dynamically calculate least-privilege permissions across diverse agent environments without introducing performance-degrading latency, and how standards bodies will move toward formal certification of delegation tracking protocols. What is clear is that, as multi-agent adoption accelerates, the window for proactive governance design is narrowing.
