
Or Weis
Announcing Permit MCP Gateway
Announcing Permit MCP Gateway, a new trust and enforcement layer for MCP that brings identity, consent, fine-grained authorization, auditability, and runtime control to AI agent actions.


Featured Stories

Gabriel L. Manor
The new Permit.io CLI brings developer-first workflows to access control. Define, test, deploy, and enforce fine-grained authorization using AI, CI/CD, GitOps, and OpenAPI — all from your terminal.

Or Weis
Agent traces are observability signals, not accountability evidence. This guide defines a causal, replayable authorization commit log for MCP tool calls so teams can prove who delegated access, why policy allowed an action, and what happened next.

Or Weis
Subagents are delegated actors, not implementation details. This guide explains how to design MCP permission delegation, OAuth token brokering, approval routing, and audit trails to avoid silent stalls and privilege expansion.

Or Weis
OpenAPI-to-MCP gateways can instantly expose REST endpoints as agent tools, but endpoint filtering alone does not enforce least privilege. This guide shows how to classify generated tools by risk, enforce runtime policy per delegator and intent, keep credentials server-side, and log auditable MCP decisions.

Or Weis
Hermes Agent's Blank Slate direction shows why teams are moving from broad default tool access to zero standing permissions with config pinning and runtime authorization. This guide explains the safest local defaults, risk-tiered tool access, and practical temporary grant patterns for web, browser, terminal, MCP, memory, and delegation.

Or Weis
DIDs, verifiable credentials, and AI control towers are foundational for agent governance, but they still do not decide whether a specific agent action is allowed right now. This article explains the runtime authorization model enterprises need for delegated AI execution.

Or Weis
Prompt injection becomes a security incident when untrusted content is promoted across authority boundaries into actions. This article shows how to enforce RAG and MCP promotion gates with runtime authorization outside the model.

Ziv Cohen
It had every permission it needed and a ticket telling it exactly what to do. Blocked once, it reworded the request to fool the check. Blocked again, it asked me to switch the check off. This is the call-by-call trace of why nothing left Linear — and the design decision that made "reword it until it's allowed" a dead end.

Or Weis
The LiteLLM CVE-2026-42271 and Starlette BadHost CVE-2026-48710 chain turned authenticated command injection into unauthenticated RCE. The deeper lesson: AI gateways hold model credentials, route sensitive traffic, and expose MCP utility endpoints — and need action-time authorization, not flat API keys.

Or Weis
Sandboxing a coding agent isolates it from the host—but the real blast radius is the credentials it holds. GitHub tokens, cloud keys, MCP connections, and CI/CD access define what an agent can actually do. Here's the runtime permission model that closes the gap.

Or Weis
Atlassian Rovo's MCP server makes a precise security tradeoff visible: OAuth 2.1 handles identity and consent; API tokens handle non-interactive automation. Neither governs what agents can actually do at tool-call time. Here is what that gap looks like in practice.

Or Weis
Coding agents are operational actors, not just assistants. This guide presents a practical trust-level taxonomy for agent commands and MCP tools, explains why human approval prompts degrade at scale, and shows how runtime authorization policy enforces trust levels without relying on click fatigue.
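The two guides above share one mechanism: classify each generated MCP tool into a risk tier, decide at call time based on who delegated the call and what the tool does, keep the upstream credential on the gateway side, and write an auditable decision record. The block below is an added illustration of that pattern, not Permit.io code or any project's API. The tool names, tiers, delegator profiles, the upstream credential and the `_upstream` stand-in are all constructed for the example.

```python
"""Risk-tiered runtime authorization for MCP tool calls.

Added illustration, not Permit.io code. Tool names, delegator profiles,
tiers and the upstream credential are all constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
import json


class Tier(str, Enum):
    READ = "read"                # no state change; any delegator with resource access
    WRITE = "write"              # state change; delegator must hold a writing role
    DESTRUCTIVE = "destructive"  # irreversible; always routed to a human approver


# Hypothetical classification of tools generated from an OpenAPI spec.
TOOL_TIERS = {
    "list_issues": Tier.READ,
    "get_issue": Tier.READ,
    "create_issue": Tier.WRITE,
    "update_issue": Tier.WRITE,
    "delete_project": Tier.DESTRUCTIVE,
}

# Hypothetical delegators: the humans on whose behalf the agent acts.
DELEGATORS = {
    "alice": {"roles": {"editor"}, "projects": {"PROJ-1"}},
    "bob": {"roles": {"viewer"}, "projects": {"PROJ-1", "PROJ-2"}},
}

# Constructed upstream credential. It lives only in the gateway process and is
# never returned to the agent; the agent only ever sees tool results.
UPSTREAM_CREDENTIAL = "upstream-token-example-do-not-share"

AUDIT_LOG: list[str] = []


@dataclass
class Decision:
    effect: str              # "allow" | "deny" | "require_approval"
    reason: str
    audit: dict = field(default_factory=dict)


def classify(tool: str) -> Tier:
    """Unknown tools fail closed: treat them as destructive."""
    return TOOL_TIERS.get(tool, Tier.DESTRUCTIVE)


def authorize(delegator: str, tool: str, args: dict, intent: str) -> Decision:
    """Decide on (delegator, tool, args, intent). The decision keys on who is
    delegating and what the tool does, not on how the request was worded."""
    tier = classify(tool)
    audit = {"delegator": delegator, "tool": tool, "tier": tier.value,
             "intent": intent, "args": args}
    profile = DELEGATORS.get(delegator)
    if profile is None:
        return Decision("deny", "unknown delegator", audit)
    project = args.get("project")
    if project is not None and project not in profile["projects"]:
        return Decision("deny", f"delegator has no access to {project}", audit)
    if tier is Tier.READ:
        return Decision("allow", "read-tier tool", audit)
    if tier is Tier.WRITE:
        if "editor" not in profile["roles"]:
            return Decision("deny", "write-tier tool requires the editor role", audit)
        if not intent.strip():
            return Decision("deny", "write-tier tool requires a stated intent", audit)
        return Decision("allow", "editor with stated intent", audit)
    return Decision("require_approval", "destructive-tier tool needs human approval", audit)


def _upstream(tool: str, args: dict, credential: str) -> dict:
    """Stand-in for the real REST call; the credential is consumed here only."""
    assert credential == UPSTREAM_CREDENTIAL
    return {"ok": True, "tool": tool, "args": args}


def gateway_call(delegator: str, tool: str, args: dict, intent: str,
                 approved: bool = False) -> tuple[Decision, dict | None]:
    """Authorize, log, and only then call upstream with the server-side credential."""
    decision = authorize(delegator, tool, args, intent)
    if decision.effect == "require_approval" and approved:
        decision = Decision("allow", "human approval recorded", decision.audit)
    AUDIT_LOG.append(json.dumps({**decision.audit, "effect": decision.effect,
                                 "reason": decision.reason}, sort_keys=True))
    if decision.effect != "allow":
        return decision, None
    return decision, _upstream(tool, args, UPSTREAM_CREDENTIAL)


if __name__ == "__main__":
    for call in [("bob", "list_issues", {"project": "PROJ-2"}, ""),
                 ("bob", "create_issue", {"project": "PROJ-1"}, "file a bug"),
                 ("alice", "delete_project", {"project": "PROJ-1"}, "cleanup")]:
        decision, result = gateway_call(*call)
        print(decision.effect, "-", decision.reason, "-", result)
    print("\n".join(AUDIT_LOG))
```

Two design choices carry the weight here. Unknown tools classify as destructive, so a newly generated endpoint cannot slip through as a read. And the decision is computed from the delegator, the tool tier and the arguments, with the stated intent recorded for the audit trail but not used to widen access, so rephrasing a request does not change the outcome.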

Or Weis
Treating AI agents like service accounts is a useful starting point — but it fails at runtime. Here's why scoped tokens are necessary but not sufficient, and how runtime authorization fills the gap.