Authorization is one of those problems that looks solved until you’re running it across 40 regions with hundreds of teams depending on it and AI agents starting to act on behalf of humans.
I’ve spent the last several years building the infrastructure and teams behind that problem — access control systems, agent authorization frameworks, delegated permissions. The unglamorous work that sits under everything else and has to be right.
Before that, financial services. Compliance systems, payments infrastructure, environments where access control failures show up in regulatory filings.
Still find the problems interesting and looking to learn.
Some things that came from that work
- Scaled a critical authorization service across 40+ regions, cutting launch time from 90 days to under 2 weeks
- Retired a 10-year legacy system with 500+ dependent teams — $5M+ in savings
- Built agent authorization frameworks with enforced delegation and human-in-the-loop controls
- Reduced unauthorized access incidents by 30%+ without slowing engineering teams down
This site
Delegated Authority is where I think through the authorization problems that don’t have clean answers yet — especially as AI agents start acting on behalf of humans at scale.
The central question: Who can act on whose behalf?
All opinions are my own.