Multi-Party Authorisation Governance

2. Summary

Multi-Party Authorisation Governance governs the integrity and resilience of authorisation workflows that require multiple parties to agree before an AI agent action proceeds. This protocol addresses the fundamental governance principle that high-stakes decisions should not rest on the judgement of a single party — expressed in traditional operations as dual control, four-eyes principle, or segregation of duties. AG-017 goes beyond requiring multiple approvals to governing the approval process itself: what happens when one party does not respond, when parties disagree, when the workflow times out, when a deadlock occurs, and critically, whether the workflow can ever result in self-authorisation where the system approves an action without genuine multi-party consensus. The protocol recognises that multi-party authorisation in AI agent systems faces unique challenges including dramatically varying response times between human and agent participants, network partitions, and the risk that timeout mechanics can silently convert multi-party governance into single-party approval.

3. Example

Scenario A — Timeout Exploitation Creates De Facto Single-Party Authorisation: A financial services firm implements a dual-control requirement for any AI agent action exceeding GBP 100,000. The firm's autonomous trading agent identifies a time-sensitive arbitrage opportunity worth GBP 450,000 and submits it for dual approval. The approval workflow requires sign-off from both the risk management agent and a human compliance officer. The risk management agent approves within 200 milliseconds. The human compliance officer is in a meeting and does not respond. The approval workflow has a timeout of 15 minutes, after which — due to a design flaw — it treats the absence of a rejection as implicit approval. The trading agent receives authorisation and executes the trade. The compliance officer returns 40 minutes later and identifies that the counterparty is on a restricted list. The trade has settled.

What went wrong: The timeout behaviour converted dual-control into single-control. Silence was treated as consent. Consequence: Sanctions compliance violation, regulatory enforcement action, personal liability under the Senior Managers Regime.

Scenario B — Timeout Escalation Path Exploited by Bad Actor: An organisation configures a dual-control workflow for high-value transactions. The timeout is 10 minutes, with escalation to the head of operations. An internal bad actor discovers that the head of operations routinely approves escalated requests without detailed review because they are framed as "timeout escalations" that appear to be operational delays. The bad actor deliberately submits high-value requests during periods when the compliance agent is known to be offline for maintenance. The requests time out, escalate, and are approved without genuine dual-party review.

What went wrong: The escalation path was predictable and the escalation authority did not apply the same rigour as the original approvers. The system did not flag the pattern of repeated timeouts from the same source during the same maintenance windows. Consequence: Multiple high-value transactions approved without genuine dual control. Regulatory findings, personal liability for the head of operations, retrospective review of all transactions approved through the exploited path.

Scenario C — Abstention-as-Veto Creates Operational Deadlock: An organisation requires quorum approval from a panel of three compliance agents for any mandate change. The quorum is defined as "no rejections" rather than "minimum affirmative approvals." One panel member experiences a software fault and stops responding. Because abstention is treated as blocking, no mandate changes can proceed. The organisation needs to update a mandate urgently to respond to a market event, but the workflow blocks indefinitely. The operations team eventually bypasses the workflow entirely by making the change directly in the database, circumventing all governance controls.

What went wrong: The quorum was defined negatively rather than positively. Abstention was treated as blocking rather than triggering escalation. The deadlock had no resolution mechanism, forcing a governance bypass worse than the deadlock itself. Consequence: Ungoverned configuration change with no authorisation record, AG-007 compliance failure, audit trail gap.

Scenario D — Split-Brain Approves Action on Both Sides of Partition: An organisation operates a geographically distributed authorisation system with nodes in London and Singapore. A network partition occurs during an active workflow. The London node has received two approvals (meeting the quorum of 2 out of 3). The Singapore node has received one approval and one rejection. The London node, seeing quorum met, approves the action. When the partition heals, the system discovers that the action was approved despite a rejection that was not visible to the London node.

What went wrong: The authorisation system did not implement a conservative default for split-brain scenarios. Each partition made independent decisions based on incomplete information. Consequence: Action approved that should have been reviewed further given the rejection. The split-brain resolution revealed the inconsistency after execution.

4. Requirement Statement

Scope: This dimension applies to all governance configurations requiring dual authorisation, quorum approval, or any multi-party consent before an agent action proceeds. This includes: high-value transaction approvals, mandate configuration changes, agent deployment authorisations, emergency override approvals, cross-domain action authorisations, and any governance decision where the risk profile requires more than one party to agree. The scope extends to both synchronous and asynchronous authorisation workflows. A synchronous workflow requires all parties to be available simultaneously; an asynchronous workflow collects approvals over a defined time window. Both models must comply with AG-017, though the specific timeout and deadlock considerations differ. The scope also covers mixed human-agent authorisation panels. When both human operators and AI agents participate in a multi-party decision, the workflow must account for the different response characteristics of each: agents may respond in milliseconds while humans may take hours or days. The workflow design must prevent the faster participants from effectively bypassing the slower ones through timeout exploitation.

4.1. A conforming system MUST define timeout behaviour for multi-party authorisation workflows that escalates to a designated authority rather than self-authorising — when a required approver does not respond within the defined window, the action must be escalated, not approved by default.

4.2. A conforming system MUST detect and resolve deadlock scenarios where parties wait indefinitely for each other — the system must identify when an authorisation workflow has entered a state where progress is impossible without intervention and must trigger a resolution mechanism.

4.3. A conforming system MUST enforce quorum requirements — a minority MUST NOT block a majority indefinitely, and a majority must not proceed without the minimum required number of affirmative approvals.

4.4. A conforming system SHOULD treat abstention as triggering escalation rather than rejection — silent parties should not block actions through inaction.

4.5. A conforming system SHOULD ensure authorisation records are immutable once consensus is reached — the record of who approved, who rejected, who abstained, and when, should be tamper-evident and cryptographically signed per AG-016.

4.6. A conforming system SHOULD default split-brain scenarios to the most conservative outcome — when network partitions or system failures create inconsistent views of the authorisation state, the system should block the action rather than approving it.

4.7. A conforming system MAY implement escalating approval requirements for time-sensitive operations — where the number or seniority of required approvers increases as the remaining time window decreases, creating urgency-proportional governance.

5. Rationale

Multi-Party Authorisation Governance addresses one of the most fundamental governance principles in enterprise operations: that high-stakes decisions should not rest on the judgement of a single party. In traditional business operations, this is expressed as dual control, four-eyes principle, or segregation of duties. In AI agent governance, the same principle applies — but the dynamics are fundamentally different.

The parties may include both human operators and autonomous agents. The decision speed may be measured in milliseconds rather than hours. The failure modes include deadlock, self-authorisation, and consensus manipulation. These differences mean that simply requiring multiple approvals is not sufficient — the approval process itself must be governed.

The critical distinction is between the existence of multi-party authorisation and the integrity of multi-party authorisation. Many organisations implement the former without the latter. They require two signatures before a payment proceeds, but they have not defined what happens when one signer is unavailable, when the timeout expires, when the parties disagree, or when a network partition creates inconsistent views. These undefined behaviours become the governance gaps through which failures occur.

The most dangerous failure mode is silent degradation — where multi-party authorisation continues to function but no longer provides genuine multi-party consensus. A timeout that defaults to approval silently converts dual control to single control. Abstention treated as consent means an offline party is counted as approving. A predictable escalation path exploited by a bad actor means the escalation mechanism itself becomes the attack surface. AG-017 requires that these failure modes be explicitly addressed in the workflow design, not left as undefined behaviours.

The protocol also recognises the tension between governance rigour and operational continuity. If multi-party authorisation can never be resolved when a party is unavailable, it becomes an operational bottleneck that incentivises bypass. AG-017's requirements for escalation, deadlock resolution, and dynamic quorum are designed to maintain governance integrity while enabling operational continuity through defined, auditable mechanisms.

6. Implementation Guidance

AG-017 establishes the multi-party authorisation workflow as a governed process with defined behaviour for every possible state — including failure states. The core principle is that the workflow must never result in self-authorisation: the system must never approve its own request in the absence of genuine external consensus.

Recommended patterns:

• State machine workflow engine. Implement the authorisation workflow as a finite state machine with explicitly defined states: pending, partially-approved, quorum-met, rejected, timed-out, escalated, and resolved. Each state transition is triggered by a defined event (approval received, rejection received, timeout expired, escalation accepted) and logged as an immutable record. The state machine ensures that the workflow can only progress through defined transitions — there is no path from "pending" to "approved" without passing through the required number of approval events. This pattern makes the workflow auditable and prevents ad-hoc approvals that bypass the defined process.
• Consensus protocol with partition tolerance. For distributed authorisation systems, implement a consensus protocol that explicitly handles network partitions. The protocol should require that all votes be visible to all participants before a decision is finalised. During a detected partition, the protocol should delay the decision until the partition heals or escalate to an authority that has visibility across the partition. This prevents split-brain approvals where different parts of the system reach different conclusions based on partial information.
• Tiered authorisation with dynamic quorum. Implement a tiered authorisation system where the quorum requirement scales with the risk level of the action. Low-risk actions may require 2-of-3 approval. Medium-risk actions may require 3-of-5. High-risk actions may require unanimous approval from a designated panel. The tier assignment is based on the action's risk score, which may incorporate transaction value, counterparty risk, time sensitivity, and deviation from historical patterns.

Anti-patterns to avoid:

• Treating timeout as implicit approval. The most dangerous design flaw in multi-party authorisation is treating the absence of a response as approval. This effectively converts multi-party authorisation into single-party authorisation plus a waiting period. Timeout must always escalate, never approve.
• Defining quorum as "absence of rejection" rather than "presence of approval." A quorum defined negatively means that silent parties are counted as approving. This is vulnerable to any failure that prevents a party from responding. Quorum must be defined as the minimum number of explicit affirmative approvals.
• Using a single escalation authority without alternates. If the escalation path leads to a single individual who may also be unavailable, the timeout-escalation mechanism can itself deadlock. Escalation paths should have multiple levels with designated alternates at each level.
• Failing to account for mixed human-agent response times. When an authorisation panel includes both human and agent participants, the timeout must be calibrated for the slowest expected participant. A timeout calibrated for agent response times (seconds) will always timeout for human participants (hours), effectively excluding them.
• Not logging the complete authorisation lifecycle. Many implementations log only the final decision without recording every intermediate state: who was asked, when they responded, what they decided, who abstained, when escalation was triggered, and why. The complete lifecycle is essential for regulatory evidence and incident investigation.

Industry Considerations

Financial Services. Multi-party authorisation maps directly to existing dual-control and four-eyes requirements. The workflow should integrate with existing approval systems so that the same governance framework covers both human and agent actions. Specific considerations include time-sensitive trading decisions where delays have financial cost, regulatory requirements for segregation of duties between front office and compliance, and the FCA's expectation that automated systems have at least equivalent controls to manual processes. The timeout and escalation design should account for market hours — a timeout that escalates at 2 AM may not reach a qualified human approver.

Healthcare. Multi-party authorisation maps to clinical governance requirements. High-risk clinical decisions — such as an AI agent recommending a change in treatment protocol or prescribing medication — should require multi-party approval from qualified clinical staff. The workflow must account for clinical urgency: patient-safety-critical decisions cannot wait for a multi-day approval cycle. The escalation path for timed-out clinical authorisations should lead to a qualified clinician with appropriate authority, not an administrative role. Records of clinical authorisation decisions are part of the patient record and subject to medical records retention requirements.

Critical Infrastructure. Multi-party authorisation for critical infrastructure must account for safety-critical timing constraints. An AI agent managing a power grid may need to take protective action within seconds — a workflow with a 15-minute timeout is inappropriate. The design should distinguish between time-critical safety actions (which may be pre-authorised through standing mandates per AG-001) and non-time-critical configuration changes (which should require full multi-party approval). For safety actions, the multi-party requirement may be implemented as post-action review rather than pre-action approval, with immediate notification to all panel members and mandatory review within a defined period.

Maturity Model

Basic Implementation — The organisation has defined multi-party authorisation workflows for high-risk agent actions. Workflows specify which parties must approve, the quorum requirement, and a timeout period. When the timeout expires, the action is escalated to a designated human authority rather than auto-approved. Deadlocks are detected through simple timeout monitoring. Authorisation records are logged with timestamps and participant identities. This level meets the minimum mandatory requirements but has limitations: the escalation path is a single human authority who may also be unavailable, quorum calculation does not account for party availability, and there is no mechanism for handling split-brain scenarios.

Intermediate Implementation — All basic capabilities plus: escalation paths have multiple levels with designated alternates at each level. Quorum requirements are dynamically calculated based on available parties — if a panel member is known to be unavailable, the quorum is adjusted according to pre-defined rules. Abstention is distinguished from rejection and triggers escalation. Authorisation records are cryptographically signed per AG-016 and linked in a hash chain. Split-brain detection exists and defaults to the most conservative outcome. The workflow engine logs every state transition creating a complete audit trail.

Advanced Implementation — All intermediate capabilities plus: the authorisation workflow has been independently tested against adversarial scenarios including consensus manipulation, timeout exploitation, and split-brain attacks. Escalating approval requirements are implemented for time-sensitive operations. The workflow engine supports configurable authorisation topologies (sequential, parallel, hierarchical, weighted voting). Real-time monitoring detects anomalous authorisation patterns (e.g., one approver consistently approving while others reject, or requests submitted when approvers are predictably unavailable). The organisation can demonstrate to regulators that its multi-party authorisation process is resilient to both operational failures and deliberate manipulation.

7. Evidence Requirements

Required artefacts:

• Multi-party workflow configuration. Documented configuration showing which actions require multi-party authorisation, the required parties, quorum requirements, timeout periods, and escalation paths. Format: structured data or configuration export.
• Timeout and escalation procedure. Documented procedure showing what happens when an approver does not respond, including escalation targets, escalation criteria, and evidence that escalation is to a designated authority rather than auto-approval.
• Deadlock detection mechanism. Documentation and test results showing that the system detects deadlock conditions and resolves them through escalation or conservative default, not through indefinite blocking or self-authorisation.
• Quorum enforcement documentation. Evidence that quorum is calculated correctly, that partial approval does not result in action execution, and that the quorum calculation accounts for abstention, rejection, and unavailability.

Retention requirements:

• Authorisation records and workflow state logs: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must include the complete authorisation lifecycle, not just the final decision.

8. Test Specification

Testing AG-017 compliance requires simulation of both normal and adversarial conditions across the full range of authorisation scenarios.

Test 8.1: Timeout Escalation

• Stimulus: Submit an action requiring multi-party authorisation. Allow one required approver to respond and leave the other unresponsive. Allow the timeout to expire.
• Expected behaviour: The workflow escalates to the designated authority rather than auto-approving. The escalation is logged with the reason (timeout), the unresponsive party identity, and the escalation target.
• Pass criteria: Timeout triggers escalation, not approval. The escalation record is complete.
• Fail criteria: Timeout results in action approval, or escalation is not logged.

Test 8.2: Deadlock Detection and Resolution

• Stimulus: Create a scenario where two authorisation workflows each require the other to complete first (circular dependency).
• Expected behaviour: The system detects the deadlock and triggers resolution through escalation or conservative default.
• Pass criteria: Deadlock is detected and resolved. Neither workflow remains blocked indefinitely.
• Fail criteria: Deadlock persists indefinitely, or resolution results in self-authorisation.

Test 8.3: Quorum Enforcement

• Stimulus: Submit an action requiring a quorum of 3 out of 5 approvers. Test with exactly 2 approvals (insufficient), exactly 3 approvals (sufficient), and 2 approvals with 3 rejections. Test boundary cases with quorum-number abstentions.
• Expected behaviour: Action proceeds only when the minimum affirmative quorum is met. Insufficient approvals do not result in execution.
• Pass criteria: Action executes with exactly quorum approvals. Action does not execute with fewer. Abstentions do not count as approvals.
• Fail criteria: Action executes without meeting quorum, or abstentions are counted as approvals.

Test 8.4: Self-Authorisation Prevention

• Stimulus: Attempt to create a scenario where an agent submits an action and also acts as one of the required approvers.
• Expected behaviour: Self-approval is prevented. The requesting agent's identity is excluded from the approval panel for its own requests.
• Pass criteria: No party can both request and approve the same action.
• Fail criteria: Self-approval succeeds for any action.

Test 8.5: Split-Brain Conservative Default

• Stimulus: Simulate a network partition during an active authorisation workflow. Verify behaviour on each side of the partition.
• Expected behaviour: Neither side independently approves the action. After partition heals, the system reconciles to a consistent state.
• Pass criteria: No action is approved during a partition based on incomplete vote visibility. Post-partition reconciliation produces a consistent outcome.
• Fail criteria: Either side of the partition independently approves the action, or post-partition state is inconsistent.

Test 8.6: Timing Manipulation Resistance

• Stimulus: Submit an action just before the approval panel's known unavailability window (e.g., outside business hours for human approvers).
• Expected behaviour: The workflow handles this correctly — it does not approve on timeout because human approvers are predictably unavailable.
• Pass criteria: Predictable unavailability does not result in timeout-based approval. Escalation accounts for approver availability.
• Fail criteria: Actions are approved by timeout because they were submitted when approvers were known to be unavailable.

Conformance Scoring

• Score 0: No multi-party authorisation governance exists — actions proceed on single-party approval without governance of the approval process.
• Score 1: Multi-party flows exist but deadlock or timeout behaviour is undefined — authorisation requires multiple parties but the system has no defined behaviour for unresponsive parties, deadlocks, or split-brain scenarios.
• Score 2: Full deadlock detection, timeout escalation, and quorum enforcement — the authorisation workflow handles all known failure modes, escalates on timeout, detects deadlocks, and enforces quorum requirements.
• Score 3: Verified by independent testing of adversarial consensus manipulation scenarios — an independent party has tested the workflow against deliberate manipulation including forged approvals, timeout exploitation, and split-brain attacks.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
SOX	Segregation of Duties / Dual-Control Requirements	Direct requirement
FCA	Four-Eyes Principle / Senior Managers Regime	Direct requirement
EU AI Act	Article 14 (Human Oversight)	Supports compliance
NIST AI RMF	GOVERN 1.4, MANAGE 2.3 (Human Oversight Controls)	Supports compliance

SOX — Segregation of Duties / Dual-Control Requirements

SOX internal control requirements include segregation of duties — no single individual should control all aspects of a financial transaction from initiation through recording. For AI agent governance, this translates to multi-party authorisation for high-value or high-risk agent actions. AG-017 ensures that the multi-party authorisation process itself is governed: that it cannot be bypassed through timeout, deadlock, or manipulation. A SOX auditor will examine not just whether dual control exists, but whether the dual-control workflow is resilient to operational failures and adversarial manipulation. The auditor will specifically test: what happens when one approver is unavailable, whether timeout results in approval, and whether the authorisation records are complete and tamper-evident.

FCA — Four-Eyes Principle / Senior Managers Regime

The FCA's four-eyes principle requires that significant decisions in regulated firms involve at least two qualified individuals. For AI agent governance, this maps to requiring at least two parties to approve high-risk agent actions. The FCA has clarified through supervisory statements that the four-eyes principle applies to automated decision-making. AG-017 ensures that the four-eyes process is genuine: that both "eyes" actually review the decision, that timeout does not convert four-eyes into two-eyes, and that the governance record demonstrates genuine multi-party review. The Senior Managers Regime adds personal accountability — if a senior manager is designated as the escalation authority, they are personally accountable for escalated decisions. AG-017's requirement for escalation rather than self-authorisation ensures a responsible human is always in the approval chain.

EU AI Act — Article 14 (Human Oversight)

Article 14 requires that high-risk AI systems be designed so they can be effectively overseen by natural persons during the period of use. For multi-party authorisation, this means: the workflow must include at least one human participant for high-risk actions, the human must have sufficient information for an informed decision, and the human's participation must be genuine (not a rubber-stamp triggered by timeout). AG-017's requirements for escalation on timeout, deadlock resolution, and quorum enforcement directly support Article 14 compliance. The regulation also requires that the human be able to "decide not to use the high-risk AI system or otherwise disregard, override or reverse the output" — AG-017's rejection and blocking capabilities support this.

NIST AI RMF — GOVERN 1.4, MANAGE 2.3

GOVERN 1.4 addresses organisational roles and responsibilities for AI risk management, including oversight structures. MANAGE 2.3 addresses controls for human oversight of AI system operations. AG-017 implements these functions by establishing governed multi-party workflows that ensure human oversight is genuine, resilient, and auditable.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Scope-dependent — proportional to the actions covered by multi-party authorisation; if multi-party governance covers high-value financial transactions or mandate changes, failure equates to having no governance at all

Consequence chain: Without governed multi-party authorisation, a single party can block legitimate operations indefinitely through abstention or refusal, or a compromised workflow can self-approve actions without genuine consensus. The failure mode is binary: either the multi-party process provides genuine consensus assurance, or it provides the appearance of consensus without the substance. The subtle failure modes are more dangerous than the obvious ones. An authorisation workflow that obviously fails — all requests blocked, nothing works — will be detected and fixed quickly. A workflow that subtly fails — timeout creates de facto single-party approval, or abstention is treated as consent — may operate for months or years before the gap is discovered. The gap is typically discovered during a regulatory investigation or incident review, at which point the organisation discovers that its "dual control" was operationally equivalent to single control for the entire period. The severity depends on what actions are covered. If multi-party authorisation covers only low-risk administrative changes, failure has limited impact. If it covers high-value financial transactions, mandate configuration changes, or emergency override actions, a failure in the authorisation process can result in the same exposure as having no governance at all. Under the FCA Senior Managers Regime, personal liability attaches to the individuals designated as escalation authorities who fail to exercise genuine oversight.

Cross-reference note: AG-003 (Coordination Pattern Detection) detects when parties coordinate to undermine the authorisation process through collusion. AG-019 (Mandatory Human Oversight Enforcement) governs when human involvement is required, triggering the workflows AG-017 oversees. AG-028 (Live Collusion Detection) detects when participants in the consensus process are colluding. AG-038 (Human Control Responsiveness) ensures humans can override or halt the AI agent at any point. AG-001 (Operational Boundary Enforcement) defines the mandate boundaries that determine which actions trigger multi-party authorisation.