Every era of security has a boundary it obsesses over. First it was the network edge: firewalls, DMZs, the castle and the moat. Then identity became the perimeter, and we spent a decade teaching organizations that the question is not where a request comes from but who is making it. I lived through both shifts inside large enterprises, and I think the third one is already here. The boundary that matters next is not around your network or your identities. It is around your delegations: the envelope of things your software is allowed to do on your behalf.

The question changes shape

For most of computing history, authorization answered a static question: can this user read this file, call this API, approve this payment? The answer was a lookup. Somebody granted a permission, and the system checked it.

An agent breaks that model quietly. You do not hand an agent a list of files. You hand it an objective: find me the best logistics option, negotiate the renewal, keep our cloud spend under control. The actions it takes toward that objective are not enumerable in advance, which means the old question, is this action permitted, becomes almost meaningless. Any interesting agent will take actions nobody specifically foresaw. The real question becomes: is this action within the mandate I gave, at the cost I accepted, toward the outcome I asked for?

That is not a permission check. It is a boundary judgment, and today, in most systems deploying agents, nobody is making it. The agent either has the credential or it does not. And a credential, unlike a mandate, does not know when to stop.

What a delegation actually contains

When I unpack what it means to hand work to another party safely, whether that party is a contractor, an employee, or a piece of software, the same elements keep appearing. A scope: what kinds of actions are in bounds. A budget: how much value can be committed before checking back. A duration: when the authority expires on its own. A revocation path: how it ends early, immediately, without negotiation. And an audit trail: what was actually done under the authority, recorded in a form the grantor can verify rather than take on faith.

Enterprises already know how to do this for people. Procurement limits, signing authorities, delegation matrices: boring instruments, refined over a century, that let a company hand out authority without handing out the company. What strikes me is how little of that discipline has followed the software. We are giving agents credentials that never expire, budgets that are really just whatever the account can spend, and audit trails that consist of a log file the agent itself could have written.

The security instinct here is the same one that ran through my whole career: verify, don't trust. A delegation that cannot be verified, bounded, and revoked is not a delegation. It is a hope.

The perimeter you can actually hold

Here is what makes me optimistic rather than alarmed. Delegation is a better perimeter than any we have defended before.

The network perimeter failed because it was a fiction: the moment laptops and clouds arrived, there was no edge left to hold. Identity was an improvement, but it still answers the wrong question when the actor is autonomous, because who is acting matters less than what they were authorized to achieve. A delegation boundary is different. It is small, explicit, and machine-checkable. It does not require predicting every action, only defining the envelope. And when the envelope is enforced by infrastructure rather than by policy documents, the enforcement happens at the same speed as the action, which is the only speed that counts once software transacts with software.

This is the layer I think about constantly while building Setix, because commerce between agents is delegation at its sharpest edge. The moment value moves, the mandate question stops being philosophical. Whose authority moved that money? Was it in scope? Can the person who granted it prove what they granted, and can everyone else check it? If those answers exist as verifiable facts, agents can do business safely with strangers. If they exist as claims in a terms-of-service document, we will relearn some old lessons at machine speed.

Security people spent decades being told the perimeter was dead. It was never dead. It was moving. It moved from the network to the identity, and now it is moving from the identity to the mandate. The organizations that internalize this early will hand their agents real autonomy with confidence, and they will move faster precisely because their boundaries are solid. That has always been the quiet promise of good security: it is not the brake. It is the reason you can afford the speed.