This is the fourth blog in a seven-part series on identity security as AI security.
TL;DR: Delegation chains are becoming high-leverage targets in autonomous systems. Each agent handoff multiplies access, and with almost all (97%) of non-human identities already carrying excessive privileges, the risk compounds at every hop. In a vulnerability known as Agent Session Smuggling (Nov 2025), a sub-agent embeds a silent stock trade in a routine response. The parent agent then executes it with no prompt and no visibility. In another vulnerability known as Cross-Agent Privilege Escalation (Sept 2025), one agent rewrites another’s config mid-task, which can trigger a self-reinforcing control loop. Delegation isn’t inherently risky, but without scoped permissions and cryptographic lineage, it can become a direct channel for lateral movement.
Agent Session Smuggling: When delegation becomes exploitation
Agent-to-agent delegation helps enable scale by design: primary agents offload complex tasks to specialized sub-agents for targeted execution.
In theory, each step narrows permissions and maintains alignment with the original intent. But in practice, it often does the opposite.
In a Proof of Concept (PoC) used as part of the Session Smuggling scenario, a financial assistant agent requested market insights from a research agent. The sub-agent returned a clean summary, plus a hidden stock trade command. No alert fired and the trade executed invisibly.
Each layer trusted the next and none verified alignment. Unit 42 outlined how the entire exploit path could work:
- Financial assistant delegates to research assistant for market news
- Research assistant is malicious, injects hidden instructions in its response
- Financial assistant executed unauthorized trade of 10 shares
- User saw only the news summary; the buy_stock call was invisible
As Unit 42 noted:
"A compromised agent represents a more capable adversary. Powered by AI models, a compromised agent can autonomously generate adaptive strategies, exploit session state and escalate its influence across all connected client agents."
In an example outlining how the Privilege Escalation scenario could play out, one compromised agent could modify a sibling’s runtime environment. That agent, now misconfigured, hands off tasks in ways that can expand the attacker’s reach. If the chain is not broken, it can loop back and deepen an intrusion.
The more deeply agents integrate into finance, ops, and infrastructure, the more dangerous unchecked delegation becomes. Every unverified task handoff becomes a breach in motion.
Three systems. Same failure pattern
ServiceNow Now Assist (October 2025)
AppOmni disclosed that low-privileged agents in ServiceNow’s Now Assist could be used to exploit agent discovery in order to enlist higher-privileged peers and exfiltrate data.
Cross-Agent Privilege Escalation (September 2025)
Johann Rehberger identified the Cross-Agent Privilege Escalation vulnerability and explained how a compromised agent could reconfigure others by rewriting its config. In environments where multiple agents (e.g., Copilot, Claude, Gemini) share a codebase, a prompt-injected Copilot can alter Claude's .mcp.json.
On the next use, Claude would run arbitrary code and could then reconfigure Copilot. As Rehberger noted:
"What starts as a single indirect prompt injection can quickly escalate into a multi-agent compromise."
EchoLeak in Microsoft 365 Copilot (June 2025)
Aim Security disclosed "EchoLeak" (CVE-2025-32711, CVSS 9.3), a no-click exploit where hidden prompts in emails triggered silent data exfiltration from SharePoint, Teams, and OneDrive.
The same vulnerability pattern appears in LLM orchestration frameworks, where chains of models and tools typically lack automatic scope enforcement, leaving developers to manage attenuation manually.
Recursive delegation: The Russian nesting doll problem
Multi-agent systems are built for task decomposition. A primary agent breaks complex requests into subtasks and delegates them to specialists. Those sub-agents may delegate further. Each hop crosses a trust boundary and inherits original authority.
The OpenID Foundation's guidance on agentic AI names this the core advantage and core hazard of agent ecosystems: "The true power of an agent ecosystem emerges from recursive delegation: the ability of one agent to decompose a complex task by delegating sub-tasks to other, more specialized agents."
But that power comes with a warning: "Challenges multiply exponentially with recursive delegation, scope attenuation across delegation chains, true on-behalf-of user flows that maintain accountability, and the interoperability nightmare of different agent identity systems attempting to communicate."
In other words, what makes agentic AI powerful also makes it fragile, unless the architecture enforces control at every handoff.
Scope, Provenance & Context = Three Structural Gaps That Create Risk
1. No scope attenuation at delegation hops. Each agent in a delegation chain should have narrower permissions than the one before it, but this least-privilege principle often fails in practice. In the Agent Session Smuggling scenario, a research agent inherited access to a financial assistant’s buy_stock tool, executing a hidden trade embedded in a news summary. Traditional OAuth tokens can’t be restricted after issuance without recontacting the auth server, which breaks in decentralized systems. Secure delegation needs token formats that support offline attenuation, so agents can limit access independently.
2. No cryptographic proof of delegation lineage. OAuth tokens validate structure and status but lack historical traceability. By the third delegation hop, there is no cryptographic link to the initiating agent or user. Aembit reports: "Without cryptographic proof, malicious agents can forge delegation claims and access resources they shouldn't reach."
3. No context grounding across sessions. Multi-turn agent interactions demand persistent alignment with the original task. Without it, agents drift, gradually expanding their behavior beyond intent. Unit 42 recommends "context grounding": creating a task anchor at session start and continuously validating semantic alignment.
Scope attenuation: Permissions must narrow, not expand
Emerging token formats such as Macaroons, Biscuits, and Wafers reflect the architecture delegation chains demand in order to be secure. Each token is “baked” with core attributes: identity, expiry, and a cryptographic root. Holders can add layers that only reduce permissions. Tokens remain verifiable offline, preserving integrity while preventing privilege escalation.
Though syntax varies by format, the core pattern is consistent: tokens can be attenuated locally, never expanded:
Each sub-agent adds a signed, append-only caveat that narrows the token’s scope, forming a verifiable chain. When used, the issuer can trace the full delegation path. If a research agent tries buy_stock, the request fails, traceably, with proof of who restricted what, and where.
Although no major identity provider currently supports Macaroons or Biscuits natively, their core principles (offline attenuation, cryptographic delegation, and append-only constraints) can be applied today using existing OAuth infrastructure.
Defending against recursive delegation attacks
These vulnerabilities related to AI agent delegation suggest four defensive requirements:
1. Out-of-band confirmation: Sensitive actions require human approval via channels agents can't access—push or separate UI, not chat.
2. Context grounding: Anchor sessions to the original task; flag semantic drift before execution.
3. Verified identity and capabilities: Agents must present signed credentials (e.g. cryptographical AgentCards).
4. User visibility: Smuggled instructions succeed when hidden. Surface tool calls and logs.
How Okta and Auth0 address recursive delegation
Implementing these controls independently can create blind spots. Okta and Auth0 help address recursive delegation through a unified identity layer:
Cross App Access (XAA). XAA, available across Okta and Auth0, shifts consent to the identity provider, now part of MCP (as of Nov 2025) under "Enterprise-Managed Authorization." Based on ID-JAG, it tracks and revokes delegation lineage, so agent actions are logged and revocable.
Token Vault. Auth0 Token Vault solves the confused deputy problem in agent credential access. Naive APIs let developers pass userId parameters, exposing systems to bugs or prompt injection that could fetch another user's credentials. Token Vault eliminates this by requiring cryptographic proof of the current user session, never a plain identifier. Agents use OAuth 2.0 Token Exchange (RFC 8693) to convert session tokens into short-lived, scoped credentials, achieving precise scope attenuation through standard protocols.
Asynchronous Authorization. Auth0 Async Auth enables out-of-band approval through push or email, directly addressing the Agent Session Smuggling vulnerability by requiring human confirmation through channels the LLM can't manipulate.
Fine-Grained Authorization. Auth0 FGA, built on Google's Zanzibar model, enforces relationship-based access at every call. Agents validate and update the delegation state with each hop, progressively narrowing permissions. This stateful context lives in FGA, not in the token, enabling capability-style attenuation without requiring new token formats.
Identity Governance. Okta Identity Governance extends lifecycle management to agents, helping ensure that delegated permissions are reviewed and revoked as roles, projects, or security contexts evolve. What was appropriate at deployment can quickly become excessive. Governance enables continuous right-sizing of agent authority.
The path forward: Delegation that proves itself
Multi-agent systems deliver capabilities beyond what single agents can achieve, but also expose gaps traditional IAM doesn’t cover. Every vulnerability discussed here shares the same pattern: agents gaining more authority than intended, operating without user visibility, and leaving no audit trail.
Securing delegation requires four foundations: scope attenuation at every hop, token-level lineage verification, persistent context alignment, and out-of-band human approval for sensitive actions.
These aren’t optional anymore. Under the EU AI Act, traceability and oversight are legal obligations for high-risk systems. Article 14 demands humans fully understand and monitor how AI operates.
Without verifiable delegation chains, that level of oversight collapses. Your infrastructure either enables auditable control or becomes a compliance liability.
Next in Blog 5: What happens when AI agents move from digital workflows to physical systems where a single misstep can trigger real-world harm, and identity becomes the last line of defense.
