The Agent Authorization Design Space

Every agent authorization system answers the same five questions. The interesting part is which questions each system refuses to answer — and what that refusal reveals about what we actually trust. An AI agent needs to book a flight. It has access to your calendar, your airline account, your credit card. It knows your preferences. It can find the optimal itinerary, compare prices, and execute the purchase — all without you lifting a finger. Here is the question that matters: what does authorized mean in that sentence? Not "is the agent capable?" It clearly is. Not "does the user want the flight booked?" Assume they do. The question is narrower and harder: what proof exists, after the fact, that a specific human gave this specific agent permission to execute this specific action at this specific moment? If your answer is "the user configured the agent to book flights," you've answered a different question. Configuration is blanket authority. The flight-booking question is about this fli