AI agents are making decisions, calling APIs, processing sensitive data, and delegating to other agents. Without cryptographic governance, there is no provable answer to the question: "Who authorized this agent to do that?"
Signed delegation chains. Scoped capability tokens. Time-bounded authority. Instant revocation. All post-quantum.
Autonomous AI agents are making consequential decisions across organizations. The authorization chain from human intent to agent action is invisible, mutable, and unverifiable.
An AI agent processes a patient record, approves a financial transaction, or modifies production infrastructure. Who authorized it? Under what scope? With what time bounds? If the answer is "the config file says so," that is not proof — that is a trust assumption.
Agent A delegates to Agent B, which sub-delegates to Agent C. Traditional RBAC cannot trace this chain after the fact. If Agent C takes an unauthorized action, there is no cryptographic record of the delegation path or the scope constraints at each hop.
An agent's authority needs to be revoked immediately. But cached permissions, stale tokens, and eventually-consistent authorization systems mean the agent keeps acting for seconds, minutes, or hours after revocation. In high-stakes environments, that gap is catastrophic.
One relies on a central authority that can be compromised. The other is independently verifiable by construction.
A delegation chain is a cryptographically signed sequence from a human authority to an autonomous agent. Each link narrows the scope. Any party can verify the entire chain.
H33 agent governance is built on six independent cryptographic primitives. Each one is independently verifiable. Together, they provide complete governance for autonomous AI agents.
Every delegation from human to agent (and agent to sub-agent) is signed with three PQ signature families. The chain is self-proving — any party can trace it back to the human origin and verify every signature without accessing any central system.
Each agent receives a capability token that cryptographically defines what it CAN do. The scope is encoded in the signed delegation. An agent cannot exceed its scope because downstream systems verify the capability token before executing any action.
Every delegation includes cryptographic time bounds. When the bound expires, the delegation is invalid — no revocation needed, no cache to invalidate. The expiration is embedded in the signed token and verified at action time.
Revocation is a signed certificate, not a database update. When published, any verifier checking the agent's authority sees the revocation immediately. No propagation delay, no cache invalidation window, no eventually-consistent gap.
High-stakes actions require M-of-N agents to independently attest before proceeding. Each agent's attestation is independently verifiable. The quorum is enforced cryptographically — not by a coordinator that could be compromised or coerced.
Organization A's agent can delegate a scoped capability to Organization B's agent using the same signed chain mechanism. No shared infrastructure, no trust federation, no API gateway in between. The delegation is signed, scoped, time-bounded, and revocable.
Traditional agent identity is a name in a config file or a row in a database. H33 gives every agent a 74-byte cryptographic identity via H33-74 attestation. The identity is signed by three PQ families and hash-chained into the delegation sequence.
The agent's identity is cryptographically bound to its delegation chain. An attacker cannot impersonate an agent without forging three PQ signatures simultaneously. The identity is independently verifiable by any party.
Every action the agent takes is attested with its H33-74 identity. After the fact, any auditor can trace an action back through the agent's identity, through the delegation chain, to the human who authorized it. The entire path is PQ-signed.
Every agent action, its attestation, and the delegation chain that authorized it are stored on Cachee.ai. Full execution replay is available for compliance, debugging, and forensic analysis with sub-microsecond retrieval.
Policy is not a document. It is a cryptographic constraint embedded in the capability token. The agent cannot exceed its bounds because the bounds are verified at execution time by every downstream system.
Which datasets, tables, or records the agent can read or write. Cryptographically encoded. Verified at query time.
Transaction amount ceilings, daily aggregates, and counterparty restrictions. Enforced per-action, not per-session.
Business hours only. 24-hour max authority. Expiration embedded in the signed token. No renewal without re-signing.
Explicit enumeration of permitted actions. Anything not in the whitelist is rejected. The whitelist is part of the signed capability token.
Delegate authority, scope it, time-bound it, and verify every action in the chain.
# Create a delegation chain from human to agent delegation = h33.delegate( from_authority=human_key, to_agent="deploy-agent-7", scope=["staging:deploy", "staging:rollback"], expires="2026-05-11T00:00:00Z", max_actions=100 ) # Agent sub-delegates with narrower scope sub_delegation = h33.delegate( from_authority=delegation, to_agent="test-runner-12", scope=["staging:test-read"], # narrower than parent expires="2026-05-10T18:00:00Z" # shorter than parent ) # Verify any action in the chain result = h33.verify_chain(sub_delegation) # result.origin — "Eric Beans, CTO" # result.chain — [human -> deploy-agent-7 -> test-runner-12] # result.scope_valid — True (each hop narrowed correctly) # result.time_valid — True (all bounds within parent bounds) # result.signatures — all 3 PQ families verified at each hop # Revoke instantly h33.revoke(delegation) # cascades to all sub-delegations
Access control determines whether an agent is permitted to perform an action at the moment of the request. Agent governance goes further: it provides a cryptographic record of who authorized the agent, under what scope, with what time bounds, and traces the complete delegation chain from human intent to agent action. Access control is a runtime gate. Governance is a permanent, verifiable, audit trail.
No. The capability token is cryptographically signed and verified by every downstream system before executing an action. The scope is not an advisory label — it is a constraint embedded in the signed delegation. An agent presenting a token scoped to "staging:test-read" cannot write to staging or read from production. The token verification fails before the action reaches the target system.
When a high-stakes action is requested, the governance system requires M-of-N independent agents to attest before proceeding. Each agent evaluates the action independently and produces an H33-74 attestation. The action proceeds only when the quorum threshold is met. Each attestation is independently verifiable. There is no central coordinator — the quorum is enforced by the cryptographic threshold, not by a trust assumption about a coordinator.
Organization A's agent signs a scoped, time-bounded delegation to Organization B's agent using the same PQ-signed chain mechanism. No shared infrastructure is required. Organization B's verifiers check the signed delegation chain, verify all three PQ signatures at each hop, and confirm the scope and time bounds. Trust is replaced by verification. The two organizations do not need to share an identity provider, a permissions database, or an API gateway.
Revocation produces a signed revocation certificate. Any verifier checking the agent's delegation chain will see the revocation and reject the action. Because the revocation is a signed certificate (not a database flag), there is no propagation delay, no cache invalidation race, and no eventually-consistent gap. Revocation also cascades to all sub-delegations — if you revoke deploy-agent-7's authority, test-runner-12's sub-delegated authority is automatically invalid because its parent chain is broken.
Deploy an agent with a signed delegation chain. Scope its authority. Watch every action get attested. No commitment required.