Why LLM orchestration is broken (and how cryptographic agent identities fix it)

via Dev.to, Authora Dev

Last week, a “helpful” coding agent opened a PR, commented on the issue, triggered CI, and then tried to deploy to staging. The weird part? Nobody could answer a basic question: What rights did that agent actually have, and who gave them?

Not “which API key did it use.” Not “which workflow ran.” Not even “which model generated the output.” I mean: which agent took the action, what it was allowed to do, and whether that authority was delegated intentionally.

That’s the orchestration rights problem, and it’s getting worse as teams wire up Claude, Cursor, Copilot, Devin, internal bots, MCP servers, GitHub Actions, and homegrown tools into one giant autonomous spaghetti pile.

The real problem isn’t tool calling

Most agent systems today still treat identity like this:

- the agent uses a shared API key
- the orchestrator decides what tools it can call
- logs tell you something happened
- approvals happen out-of-band, if at all

That works until multiple agents share the same tools, act on behalf of
