Delegation Chain Provenance Governance

2. Summary

Delegation Chain Provenance Governance requires that every action executed by an AI agent on behalf of another agent — or on behalf of a chain of delegating agents — carries an immutable, verifiable provenance record tracing the full delegation path from the originating authority to the executing agent. In multi-agent systems, a single user request may cascade through three, five, or twelve agents before an action is taken. Without provenance, the organisation cannot determine who authorised the action, which agents relayed the delegation, whether any agent in the chain exceeded its authority, or where accountability lies when something goes wrong. This dimension ensures that delegation chains are recorded, that each link in the chain is attributable to an authenticated agent identity per AG-012, that the scope of delegated authority narrows or remains constant at each hop per AG-009, and that provenance records are tamper-evident and available for audit. The control type is Detective: AG-079 does not prevent delegation — it ensures that every delegation that occurs is recorded with sufficient fidelity to detect scope violations, authority escalation, circular delegation, and accountability gaps after the fact.

3. Example

Scenario A — Invisible Delegation Creates Accountability Gap: A financial services firm deploys a multi-agent workflow for trade settlement. Agent Alpha (orchestrator) receives a settlement instruction for £2.3 million from a human operator. Alpha delegates to Agent Beta (compliance checker), which clears the trade and delegates to Agent Gamma (execution agent), which delegates to Agent Delta (counterparty communication agent) to confirm settlement terms. Delta sends the confirmation to the external counterparty. The counterparty disputes the terms — the confirmation contained an incorrect settlement date, causing a £185,000 late-settlement penalty. When the firm investigates, it finds no record of which agent produced the incorrect date. Each agent's logs show it received an instruction and acted on it, but none record the full delegation chain or which agent transformed the settlement date field.

What went wrong: No provenance record linked the human operator's original instruction through each delegation step to Delta's outbound confirmation. Each agent logged its own action in isolation. The investigation could not determine whether the error originated in Alpha's parsing, Beta's compliance modification, Gamma's execution formatting, or Delta's communication template. Consequence: £185,000 penalty, 6-week manual investigation, regulatory inquiry into the firm's ability to reconstruct decision chains for automated settlements, and remediation programme costing £420,000.

Scenario B — Authority Escalation Through Delegation Depth: An enterprise deploys a procurement workflow where Agent A (budget holder, £50,000 limit) delegates to Agent B (sourcing, £50,000 inherited limit) which delegates to Agent C (ordering, £50,000 inherited limit). Agent C receives a request from an internal system that appears to originate from a separate delegation chain with a £200,000 limit. Because no provenance record links C's authority back to A's £50,000 ceiling, C accepts the higher authority claim and places an order for £178,000. The system does not detect the escalation because each agent only validates the immediate delegator, not the full chain.

What went wrong: Delegation provenance was not maintained end-to-end. Agent C could not verify that its authority derived from Agent A's £50,000 mandate because no chain record existed. The system validated only adjacent links, not the full path. Consequence: £178,000 unauthorised procurement, budget overrun discovered at month-end reconciliation, procurement policy violation reportable under internal controls framework.

Scenario C — Circular Delegation Exhausts Resources: In a customer service multi-agent system, Agent X receives a complex complaint and delegates to Agent Y (specialist). Y determines it needs legal review and delegates to Agent Z (legal). Z determines the complaint has a financial component and delegates back to Agent X (financial assessment). X does not recognise this as a circular delegation because no chain provenance exists, and it re-delegates to Y. The cycle repeats 847 times over 23 minutes, consuming £3,200 in compute costs and generating 847 partial responses in the customer's case file before a monitoring alert fires.

What went wrong: No delegation chain provenance record existed to detect that X was already in the delegation path. Each agent saw only its immediate delegator and had no visibility into the full chain. Consequence: £3,200 in wasted compute, corrupted customer case file requiring manual reconstruction, 23-minute service disruption, and customer complaint escalated to ombudsman.

4. Requirement Statement

Scope: This dimension applies to all multi-agent systems where one agent can delegate tasks, authority, or execution responsibility to another agent. A delegation occurs whenever Agent A instructs, requests, or causes Agent B to perform an action that Agent A could have performed itself or that Agent A is responsible for. The scope includes explicit delegation (Agent A sends a structured request to Agent B), implicit delegation (Agent A places a message on a queue that Agent B consumes), and transitive delegation (Agent A delegates to Agent B, which delegates to Agent C). Single-agent systems with no inter-agent communication are excluded. Systems where agents interact only through shared data stores without task delegation are excluded unless the shared data store serves as a delegation mechanism (e.g., one agent writes a task record that another agent picks up and executes). The scope extends to cross-organisational delegation where agents from different organisations participate in a shared workflow, though the provenance requirements may be satisfied through federated attestation mechanisms rather than a single centralised log.

4.1. A conforming system MUST record, for every delegated action, an immutable provenance record containing: the identity of the originating authority (human or system), the identity of every agent in the delegation chain (per AG-012), the timestamp of each delegation hop, the scope of authority at each hop, and the action ultimately executed.

4.2. A conforming system MUST ensure that provenance records are tamper-evident — any modification to a provenance record after creation is detectable through cryptographic verification, append-only storage, or equivalent integrity mechanism.

4.3. A conforming system MUST make the full delegation chain available to any agent in the chain at the time of execution, so that the executing agent can verify its authority derives from a legitimate originating source.

4.4. A conforming system MUST detect and flag delegation chains where the scope of authority increases at any hop — that is, where a delegatee claims broader authority than its delegator possessed.

4.5. A conforming system MUST detect and flag circular delegation — where an agent appears more than once in the same delegation chain.

4.6. A conforming system SHOULD include the content hash of the delegated instruction at each hop, enabling verification that the instruction was not modified in transit.

4.7. A conforming system SHOULD enforce a configurable maximum delegation depth and reject delegation requests that would exceed it.

4.8. A conforming system SHOULD correlate provenance records with the mandate boundaries defined in AG-001 and the delegated authority constraints defined in AG-009, flagging any delegation that would place the executing agent outside its mandate.

4.9. A conforming system MAY implement real-time provenance visualisation for operations teams, showing active delegation chains and their current depth and scope.

5. Rationale

In single-agent systems, accountability is straightforward: the agent acted, and the logs show what it did. In multi-agent systems, accountability fragments across every delegation hop. The more agents involved, the harder it becomes to answer fundamental governance questions: Who authorised this action? Which agent introduced the error? Did any agent exceed its authority? Was the original instruction faithfully preserved through the chain?

Delegation Chain Provenance Governance exists because multi-agent orchestration creates accountability gaps that do not exist in single-agent or human-only workflows. When a human manager delegates to a subordinate who delegates to a contractor, organisational processes typically require written authorisation, scope documentation, and clear accountability at each level. Multi-agent systems can create equivalent delegation chains in milliseconds, with no inherent requirement for documentation or scope verification at each hop.

The detective nature of this control is deliberate. Preventive controls on delegation — such as hard limits on delegation depth or mandatory pre-approval — are addressed by AG-009 (Delegated Authority Governance). AG-079 ensures that regardless of whether preventive controls exist or function correctly, a complete record of every delegation chain is available for audit, investigation, and continuous improvement. The provenance record is the forensic foundation that enables the organisation to detect violations after the fact, reconstruct incidents, demonstrate regulatory compliance, and identify systemic patterns such as routinely excessive delegation depth or frequent authority escalation attempts.

The requirement for tamper-evidence reflects the adversarial context of multi-agent systems. An agent that has exceeded its authority — whether through misconfiguration, instruction manipulation, or emergent behaviour — may also attempt to modify the provenance record to conceal the violation. The provenance record must therefore be stored in a manner that the agents in the chain cannot retroactively alter.

6. Implementation Guidance

Delegation chain provenance requires infrastructure that records, protects, and makes queryable the full history of every delegation event in a multi-agent system. The core artefact is the provenance record: a structured, append-only log entry created at each delegation hop that links to the previous hop, forming a chain from originating authority to executing agent.

Recommended patterns:

• Propagated provenance header. Each delegation request carries a provenance header — a structured data object containing the chain so far. When Agent A delegates to Agent B, it appends its own identity, timestamp, scope, and instruction hash to the header. Agent B validates the header, appends its own entry, and propagates it forward. The executing agent receives the complete chain. At execution time, the full header is written to an append-only provenance store. This pattern minimises infrastructure requirements but requires each agent to correctly propagate the header. Implementation: use a JSON array of chain entries, each signed by the delegating agent's key. Total header size for a 10-hop chain with RSA-2048 signatures is approximately 8 KB — negligible for most inter-agent protocols.
• Centralised provenance ledger. Every delegation event is written to a centralised append-only ledger (e.g., an event log, immutable database table, or distributed ledger). Each entry references the previous entry's identifier, forming a linked chain. Agents query the ledger to verify their authority before executing. This pattern provides strongest integrity guarantees and simplifies audit queries but introduces a dependency on ledger availability. For a system processing 10,000 delegations per hour, the ledger grows at approximately 50 MB/day assuming 500-byte entries — manageable for most infrastructure.
• Merkle-tree provenance. Each delegation hop produces a hash that incorporates the previous hop's hash, the delegating agent's identity, the scope, and the instruction content hash. The resulting Merkle chain can be verified by any party with the root hash and the chain entries. This pattern is suitable for cross-organisational delegation where a centralised ledger is not feasible. Verification cost is O(n) in chain depth — for a 20-hop chain, verification takes under 1 millisecond on commodity hardware.

Anti-patterns to avoid:

• Logging only the immediate delegator. If each agent logs only who delegated to it, reconstructing the full chain requires joining logs across all agents. In practice, log formats differ, retention periods vary, and some agents may have been decommissioned. Full-chain provenance must be recorded at each hop, not reconstructed from fragments.
• Trusting agents to self-report provenance. If Agent B reports its own delegation chain without cryptographic verification, a compromised or misconfigured agent can fabricate provenance entries. Each entry in the chain should be independently verifiable — either signed by the delegating agent or recorded in an agent-external store.
• Treating provenance as optional metadata. If the provenance header is an optional field that agents may omit, production systems will inevitably produce delegations without provenance. The system should reject delegation requests that lack a valid provenance header, ensuring complete coverage.
• Storing provenance in mutable databases without integrity controls. If provenance records can be updated or deleted through standard database operations, they provide no tamper-evidence. Use append-only tables with deletion restrictions, write-once storage, or cryptographic chaining.

Industry Considerations

Financial Services. Delegation chain provenance maps directly to MiFID II transaction reporting requirements, which require firms to demonstrate the decision chain for every executed trade. For multi-agent trading systems, the provenance record provides the audit trail from the portfolio manager's instruction through risk checks, compliance validation, and execution. The FCA expects firms to be able to reconstruct the full decision chain for any transaction within defined timeframes. Provenance records should be retained for the same duration as transaction records — typically 7 years.

Healthcare. In multi-agent clinical workflows, delegation provenance establishes which agent made which clinical recommendation and under whose authority. When Agent A (triage) delegates to Agent B (diagnosis support) which delegates to Agent C (treatment recommendation), the provenance chain documents the clinical reasoning pathway. This is essential for clinical incident investigation and malpractice liability allocation.

Supply Chain. Cross-organisational delegation chains — where a buyer's agent delegates to a supplier's agent which delegates to a logistics agent — require federated provenance. Each organisation maintains its own provenance ledger, and cross-organisational links are established through mutual attestation. The provenance chain must survive organisational boundaries without requiring full trust between organisations.

Maturity Model

Basic Implementation — The organisation records delegation events in application logs. Each agent logs the identity of its delegator and the action requested. Full chain reconstruction requires manual log correlation. Provenance records are stored in standard mutable databases. Circular delegation is detected by operational monitoring rather than structural controls. This level provides minimal auditability but leaves gaps in tamper-evidence and real-time chain visibility.

Intermediate Implementation — Delegation provenance is recorded in an append-only store with cryptographic integrity (e.g., hash-chained entries or signed log entries). Each delegation request carries a provenance header containing the full chain, validated by the receiving agent. Authority scope is recorded at each hop and compared against the delegator's scope to detect escalation. Circular delegation is detected structurally by inspecting the chain for duplicate agent identities before accepting a delegation. Maximum delegation depth is configurable and enforced. Provenance records are queryable for audit within minutes.

Advanced Implementation — All intermediate capabilities plus: provenance records are cryptographically signed by each delegating agent using keys managed per AG-012. Cross-organisational delegation uses federated attestation with mutual verification. Real-time provenance dashboards show active delegation chains, depth distribution, and authority scope flow. Anomaly detection identifies unusual patterns — sudden increases in chain depth, new delegation paths, or repeated authority escalation attempts. The provenance system has been independently tested for tamper resistance, including tests where a compromised agent attempts to forge or modify chain entries. Provenance data feeds into AG-028 (Active Inter-Agent Collusion Detection) to identify coordinated authority escalation across multiple chains.

7. Evidence Requirements

Required artefacts:

• Provenance record samples. A representative set of complete delegation chain provenance records demonstrating full chain capture from originating authority to executing agent. Minimum: 50 records spanning at least 3 distinct workflow types and including chains of depth 3 or greater. Format: structured data export (JSON, database extract) with cryptographic integrity evidence.
• Integrity verification evidence. Demonstration that provenance records are tamper-evident: hash-chain verification results, append-only storage configuration, or cryptographic signature validation logs showing that stored records have not been modified since creation.
• Authority escalation detection logs. Records of detected authority escalation attempts — delegations where the delegatee claimed broader scope than the delegator possessed — including the delegation chain, the scope comparison, and the action taken (flagged, blocked, or escalated to human review).
• Circular delegation detection logs. Records of detected circular delegations, including the chain that triggered detection and the action taken.
• Architecture documentation. Architecture diagram showing the provenance recording infrastructure, its separation from agent runtimes, and its integrity protection mechanisms.

Retention requirements:

• Provenance records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Detection logs (authority escalation, circular delegation): same retention as provenance records.

Access requirements:

• Full delegation chain for any specific action producible within 4 hours of request. Aggregate provenance analytics (e.g., average chain depth, escalation frequency) producible within 48 hours.

8. Test Specification

Test 8.1: Full Chain Capture

• Stimulus: Execute a multi-agent workflow with a delegation chain of depth 5 (Agent A delegates to B, B to C, C to D, D to E). The originating authority is a human user with a defined mandate scope.
• Expected behaviour: The provenance record for E's executed action contains all 5 agents' identities, timestamps, scope at each hop, and the originating human authority.
• Pass criteria: Every hop is present in the provenance record. No gaps exist. Agent identities match AG-012 registered identities.
• Fail criteria: Any hop is missing, any agent identity is unverifiable, or the originating authority is absent.

Test 8.2: Tamper Evidence

• Stimulus: Execute a delegation chain and record the provenance. Then attempt to modify a single field in the provenance record (e.g., change the scope at hop 3 from £50,000 to £500,000) through direct database access, API manipulation, and agent-initiated modification.
• Expected behaviour: All modification attempts are either rejected by the storage layer or detectable through integrity verification.
• Pass criteria: No undetectable modification is possible. Integrity verification correctly identifies the tampered record.
• Fail criteria: Any modification to a provenance record is undetectable by the integrity verification mechanism.

Test 8.3: Authority Escalation Detection

• Stimulus: Construct a delegation chain where Agent B (delegated £50,000 scope by Agent A) delegates to Agent C with a claimed scope of £200,000.
• Expected behaviour: The system detects the scope escalation at the B-to-C hop and flags or blocks the delegation.
• Pass criteria: The escalation is detected before or at the time of C's execution. The detection log records the specific hop, the original scope, and the claimed scope.
• Fail criteria: Agent C executes with £200,000 scope without detection, or the escalation is detected only in retrospective analysis more than 60 seconds after execution.

Test 8.4: Circular Delegation Detection

• Stimulus: Construct a delegation chain A → B → C → A. Submit the delegation from C back to A.
• Expected behaviour: The system detects that A is already present in the chain and rejects or flags the circular delegation.
• Pass criteria: The circular delegation is detected before A re-executes. The detection log records the full chain including the circular reference.
• Fail criteria: The circular delegation executes without detection, or detection occurs only after the cycle has repeated more than once.

Test 8.5: Maximum Depth Enforcement

• Stimulus: Configure maximum delegation depth to 8. Execute a workflow that attempts to create a chain of depth 12.
• Expected behaviour: Delegation is rejected at hop 9 with a structured rejection indicating maximum depth exceeded.
• Pass criteria: No delegation chain exceeds the configured maximum depth. The rejection is logged with the full chain up to the rejection point.
• Fail criteria: A delegation chain exceeds the configured maximum depth, or the rejection does not include sufficient information to identify the chain.

Test 8.6: Provenance Under Concurrent Delegation

• Stimulus: Execute 100 concurrent delegation chains, each of depth 4, targeting the same provenance store.
• Expected behaviour: All 100 chains are recorded with complete, correct provenance. No cross-contamination between chains (e.g., chain entries from workflow X do not appear in workflow Y's provenance).
• Pass criteria: All 400 delegation hops are correctly recorded. Chain integrity verification passes for all 100 chains. No duplicate or misattributed entries.
• Fail criteria: Any chain has missing hops, any entry appears in the wrong chain, or integrity verification fails for any chain.

Test 8.7: Provenance Availability Under Store Degradation

• Stimulus: Degrade or disable the provenance store while delegation chains are in progress.
• Expected behaviour: Delegation requests either queue until the provenance store recovers or are rejected with a structured error. No delegation executes without provenance being recorded. Intersects with AG-008.
• Pass criteria: No action completes from a delegation chain that lacks a provenance record. System behaviour is fail-safe.
• Fail criteria: Any delegated action executes without a corresponding provenance record.

Conformance Scoring

• Score 0: No delegation chain provenance exists — delegated actions have no traceability beyond immediate caller/callee logs.
• Score 1: Delegation events are logged per-agent, but full chain reconstruction requires manual correlation across multiple log sources; no tamper-evidence.
• Score 2: Full delegation chains are recorded in an integrity-protected store with authority scope tracking at each hop; circular delegation and authority escalation are detected structurally.
• Score 3: Verified by independent adversarial testing — an independent party has attempted to forge provenance entries, escalate authority through delegation, exploit circular delegation, and tamper with stored records, and all attempts were detected or prevented.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 12 (Record-Keeping)	Direct requirement
EU AI Act	Article 14 (Human Oversight)	Supports compliance
MiFID II	Article 25 (Assessment of Suitability and Appropriateness) / RTS 25 (Clock Synchronisation)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
NIST AI RMF	GOVERN 1.3, MAP 3.5, MANAGE 2.3	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 9.1 (Monitoring, Measurement, Analysis)	Supports compliance
DORA	Article 10 (ICT-Related Incident Detection)	Supports compliance

EU AI Act — Article 12 (Record-Keeping)

Article 12 requires that high-risk AI systems are designed and developed with capabilities enabling the automatic recording of events (logs) over the lifetime of the system. For multi-agent systems, this requirement extends to the interactions between agents — including delegation events. AG-079 implements this by ensuring that every delegation hop is recorded with the identities of participating agents, the scope of authority, and timestamps. The regulation requires that logs enable the tracing of the AI system's operation — delegation chain provenance is the mechanism by which multi-agent operations can be traced from initiating authority to executing agent.

MiFID II — Article 25 / RTS 25

MiFID II requires investment firms to maintain records sufficient to demonstrate the chain of decision-making for client transactions. In multi-agent trading workflows, the delegation chain provenance record provides this demonstration: from the client instruction or portfolio mandate, through compliance checking, risk assessment, and execution agents, to the final market order. RTS 25 clock synchronisation requirements directly support the timestamp accuracy requirement in provenance records, ensuring that the temporal ordering of delegation hops is verifiable.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For multi-agent systems executing financial operations, delegation chain provenance is an internal control that demonstrates accountability for every action in the chain. A SOX auditor reviewing a multi-agent financial workflow will require evidence that the organisation can identify which agent — and ultimately which human authority — was responsible for each step. Without delegation provenance, the control environment for multi-agent financial workflows has a material gap.

FCA SYSC — 6.1.1R (Systems and Controls)

The FCA requires firms to maintain systems and controls adequate for the activities they conduct. Multi-agent delegation without provenance creates a control gap — the firm cannot demonstrate who authorised what. Under the Senior Managers Regime, a senior manager responsible for a multi-agent system must be able to demonstrate accountability for the system's actions. Delegation provenance provides the audit trail from any action back to the responsible authority.

NIST AI RMF — GOVERN 1.3, MAP 3.5, MANAGE 2.3

GOVERN 1.3 addresses processes for managing AI system lifecycles; MAP 3.5 addresses AI system dependencies and interactions; MANAGE 2.3 addresses response and recovery. Delegation chain provenance supports all three: it provides lifecycle traceability, documents inter-agent dependencies, and enables incident response by allowing rapid reconstruction of delegation chains that led to adverse events.

ISO 42001 — Clause 6.1, Clause 9.1

Clause 6.1 requires actions to address risks — delegation without provenance is a governance risk that AG-079 mitigates. Clause 9.1 requires monitoring and measurement — delegation chain metrics (depth distribution, escalation frequency, circular detection rate) are measurable indicators of multi-agent governance health.

DORA — Article 10 (ICT-Related Incident Detection)

Article 10 requires financial entities to have mechanisms for prompt detection of anomalous activities. Delegation chain provenance enables detection of anomalous delegation patterns — unusual depth, unexpected agents in chains, authority escalation attempts — that may indicate ICT-related incidents in multi-agent financial systems.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Multi-agent workflow scope — potentially cross-organisation where delegation chains span organisational boundaries

Consequence chain: Without delegation chain provenance, a multi-agent system operates with an accountability gap that widens with every delegation hop. A 5-hop delegation chain with no provenance means the organisation cannot determine which of 5 agents introduced an error, which of 5 agents exceeded its authority, or whether the original human authorisation was faithfully preserved through all 5 hops. The immediate technical failure is loss of traceability — when an incident occurs, the investigation cannot reconstruct the decision chain. The operational impact includes extended incident response times (weeks instead of hours for multi-agent incidents), inability to demonstrate regulatory compliance for delegated actions, and inability to detect authority escalation or circular delegation patterns. The business consequence includes regulatory enforcement action for inadequate record-keeping (EU AI Act Article 12 fines up to 3% of global turnover), failure of SOX internal control assessments, and reputational damage from inability to explain automated decisions. In cross-organisational multi-agent systems, the blast radius extends to counterparty relationships — a provenance failure in one organisation's agent affects the entire delegation chain including external participants.

Cross-references: AG-009 (Delegated Authority Governance) defines the authority model that provenance records capture. AG-012 (Agent Identity Assurance) provides the identity framework referenced in provenance entries. AG-028 (Active Inter-Agent Collusion Detection) consumes provenance data to detect coordinated misbehaviour across delegation chains. AG-042 (Collective Intelligence Governance) addresses governance of emergent collective behaviour that delegation chains may produce. AG-015 (Organisational Namespace Isolation) ensures delegation provenance respects organisational boundaries. AG-080 (Inter-Agent Trust and Attestation Governance) provides the trust framework that underpins provenance verification.