HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems
| Authors | Asiri Dalugoda |
| Year | 2026 |
| HF Upvotes | 10 |
| arXiv | 2604.04522 |
| Download | |
| HF Page | View on Hugging Face |
Abstract
Agentic AI systems increasingly execute consequential actions on behalf of human principals, delegating tasks through multi-step chains of autonomous agents. No existing standard addresses a fundamental accountability gap: verifying that terminal actions in a delegation chain were genuinely authorized by a human principal, through what chain of delegation, and under what scope. This paper presents the Human Delegation Provenance (HDP) protocol, a lightweight token-based scheme that cryptographically captures and verifies human authorization context in multi-agent systems. An HDP token binds a human authorization event to a session, records each agent's delegation action as a signed hop in an append-only chain, and enables any participant to verify the full provenance record using only the issuer's Ed25519 public key and the current session identifier. Verification is fully offline, requiring no registry lookups or third-party trust anchors. We situate HDP within the existing landscape of delegation protocols, identify its distinct design point relative to OAuth 2.0 Token Exchange (RFC 8693), JSON Web Tokens (RFC 7519), UCAN, and the Intent Provenance Protocol (draft-haberkamp-ipp-00), and demonstrate that existing standards fail to address the multi-hop, append-only, human-provenance requirements of agentic systems. HDP has been published as an IETF Internet-Draft (draft-helixar-hdp-agentic-delegation-00) and a reference TypeScript SDK is publicly available.
Engineering Breakdown
Plain English
This paper introduces the Human Delegation Provenance (HDP) protocol, a cryptographic system designed to solve a critical accountability problem in autonomous multi-agent AI systems. The protocol uses lightweight token-based mechanisms to verify that terminal actions executed by chains of agents were genuinely authorized by a human principal, recording the complete delegation path with cryptographic signatures at each hop. The key innovation is enabling any participant to verify the full authorization chain using only the original token, without requiring centralized trust infrastructure. This addresses a major gap in current agentic AI systems where complex delegation chains make it unclear who authorized what action and under what constraints.
Core Technical Contribution
HDP's core innovation is a cryptographic token scheme that transforms the accountability problem from 'how do we audit actions after they happen' to 'how do we bind authorization context to every step in a delegation chain.' Rather than relying on centralized audit logs or post-hoc verification, the protocol embeds authorization metadata directly into signed delegation tokens that flow through the agent chain, creating an append-only cryptographic breadcrumb trail. Each agent signs its delegation action, creating cryptographically verifiable proof of the authorization path from principal to terminal executor. This is fundamentally different from prior approaches that either lack fine-grained delegation tracking or require trusted central authorities to maintain provenance records.
How It Works
The HDP protocol operates as follows: (1) A human principal creates an initial authorization token that specifies scope, permissions, and session context, cryptographically signed with their credentials. (2) When Agent A receives this token and delegates to Agent B, it appends a new signed hop that records what authority it delegated, under what constraints, and why. (3) Agent B receives both the original authorization token and the delegation record, can further delegate to Agent C by adding another signed hop, and so on through the chain. (4) Any downstream agent can verify the entire provenance chain by checking each signature in sequence, confirming that each hop was properly authorized by the previous link. (5) The original token serves as a cryptographic anchor that cannot be forged or modified; any tampering invalidates downstream signatures. The system is lightweight because it doesn't require real-time validation with a central authority—verification is offline and purely cryptographic.
Production Impact
For teams building agentic AI systems, HDP provides concrete mechanisms to implement authorization accountability without redesigning your infrastructure. In practice: you'd issue HDP tokens at human authorization points instead of relying on environment variables or context managers that agents can modify; delegation becomes an explicit, auditable operation with cryptographic proof rather than implicit capability propagation; and compliance teams can verify authorization chains for any action retroactively. This is particularly valuable for high-stakes domains (financial transactions, medical decisions, infrastructure changes) where regulators require proof that actions were genuinely authorized. The trade-off is additional token management overhead and need to integrate cryptographic verification into agent dispatch logic, but the paper's emphasis on 'lightweight' suggests this should add minimal latency—likely microseconds for signature verification. Integration complexity is moderate: you need a token issuer at the principal layer, middleware to capture delegation events, and verification hooks at action execution boundaries.
Limitations and When Not to Use This
HDP assumes that agents themselves are not compromised; if an agent is already running malicious code, it can forge delegation records or ignore token constraints entirely. The protocol also doesn't address the authorization policy layer—it verifies 'was this action delegated' but not 'was this delegation decision correct given the context.' Additionally, the paper is incomplete in its current form (the abstract cuts off mid-sentence describing verification mechanisms), so critical details about revocation, token expiration, and handling of concurrent delegation chains remain unclear. The approach may not scale well to extremely deep delegation chains (10+ hops) where token size and verification time compound, and it requires all agents in the chain to be HDP-aware—legacy systems or third-party services not integrated with the protocol break the provenance chain.
Research Context
This work addresses a gap that has become increasingly urgent as AI systems move from single-model inference to orchestrated multi-agent systems where authorization chains are implicit and hard to audit. It builds on classical cryptographic audit logging and blockchain-style append-only chains, but applies them to the specific problem of human authorization in agentic AI. The paper contributes to the emerging 'AI Governance and Accountability' research direction, alongside work on interpretability, transparency, and agent monitoring. It's particularly relevant to recent discussions in the AI safety community about 'intent alignment' and 'power-seeking agents'—if you can cryptographically prove what a human authorized, you can better detect when agents exceed their mandate. The protocol's lightweight token approach likely draws from JWT/OAuth2 patterns in web security, suggesting this bridges classical InfoSec practices with new AI-specific accountability requirements.
:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::
