Authorization Breaks When Agents Execute in Parallel with Autonomy

Running agents in parallel exposes something uncomfortable about how we model authorization.

Authorization doesn't break when agents get smarter. It breaks when they start executing in parallel with autonomy.

Last week I shared how I've been running 8 AI agents in parallel using an explicit execution model — workstreams, service boundaries, batches, merge points, even ASCII dashboards.

What surprised me wasn't the parallelism.

It was what that structure made obvious.

Once you start modeling agents this way, something clicks:

Agents don't really operate in sessions. They operate in execution graphs.

They spawn tasks. They fan out across boundaries. They converge at merge points. They block waves. They wait on stragglers.

At some point it stops feeling like prompt engineering and starts feeling like distributed systems.

That's where my thinking shifted.

Traditional IAM asks: What permissions should this identity have?

But when I looked at my own runs, batches moving, sub-agents spawning, tool calls happening mid-chain — identity started to feel like the wrong unit.

Because what's needed in Batch 1 isn't what's needed in Batch 4.
A sub-agent at a merge point shouldn't inherit everything upstream.
A tool call late in the flow shouldn't rely on a token minted hours ago.

Authority shouldn't be static. It should shrink as work converges and collapse when a task completes.

I saw authority leak across execution boundaries in my own workflow.

So I drew the difference.

On the left, authority stays flat for the entire identity lifetime.
On the right, authority shrinks batch by batch — from 37 tools to 1.

Identity-Bound Authorization — Identity-bound auth: scope is static for the identity's lifetime

Execution-Bound Authorization — Execution-bound auth: authority shrinks as work converges — 37 tools down to 1

The contrast became clear:

Traditional auth binds authority to identity. Execution-based auth binds authority to work.

Okay… but what about SPIFFE? What about OPA?

This doesn't replace workload identity systems or policy engines. It changes what they should bind to.

Instead of attaching long-lived authority to a session or workload identity, we attach short-lived authority to execution context.

Identity proves who is acting. Execution determines what is allowed — right now.

Authorization has to follow the execution graph.

Not the login session.
Not the service account.
Not the static scope configured months ago.

Execution is the new boundary.

If agents are becoming distributed systems, authorization has to become execution-bound.

Identity proves who.
Execution decides what.
That's the architectural shift.

I'm still unpacking edge cases: timeouts, context pollution, delegation chains, revocation across waves.

How are you handling this when agents spawn agents or fan out across APIs and MCP tools, CLI, and browsers?

Are you binding permissions to identity or to execution?