Every meaningful action in an enterprise follows the same path. Someone has to be identified, authorized, delegated, observed, and — eventually — revoked.
Most organizations handle the first step well. Gaps in the rest compound silently.
The six stages
Identity — Who is acting?
Before anything else, the actor must be known. A human, a service, an AI agent. Identity is the foundation. Without it, nothing else holds.
Authority — What are they allowed to do?
Identity alone isn’t enough. A known actor still needs explicit permission to act. This is where most authorization systems focus — and where most of the investment goes.
Delegation — Whose authority are they exercising?
This is the stage most systems skip. When an AI agent acts, it is rarely acting on its own authority. It is exercising authority delegated from a human principal. The chain of delegation should be explicit, documented, and traceable.
Execution — What action occurred?
The action itself. What was done, to what resource, at what time, under what conditions.
Observation — What evidence exists?
Every action should leave a trail. Not just for compliance — for governance. If you cannot observe what an actor did, you cannot verify that the delegation was honored.
Revocation — How is authority removed?
The most neglected stage. Delegation without revocation is a door left permanently open. Every grant of authority should have an explicit answer to: how does this end?
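The six stages can be sketched as one small model. This is an added example, not code from the original page: `Grant`, `Ledger`, the actor names and the `crm:read` scope are hypothetical, and the sample data is constructed. Every grant carries an expiry, every action resolves to a human principal through an explicit chain, and every attempt is recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:  # one delegation link: grantor lets grantee use scopes until expires
    grantor: str
    grantee: str
    scopes: frozenset
    expires: datetime

@dataclass
class Ledger:  # hypothetical in-memory model, not a real product's API
    kinds: dict       # Identity: actor id -> "human" | "service" | "agent"
    authority: dict   # Authority: human id -> scopes that human holds
    grants: list      # Delegation: Grant links between actors
    audit: list = field(default_factory=list)  # Observation: evidence trail

    def principal_for(self, actor, scope, now):
        # Walk delegation links upward to the human whose authority is exercised.
        chain = [actor]
        while self.kinds.get(actor) != "human":
            link = next((g for g in self.grants if g.grantee == actor
                         and scope in g.scopes and now < g.expires), None)
            if link is None or link.grantor in chain:
                return None, chain  # missing, expired, revoked or cyclic link
            actor = link.grantor
            chain.append(actor)
        return (actor if scope in self.authority.get(actor, ()) else None), chain

    def execute(self, actor, scope, resource, now):  # gate, then record every attempt
        principal, chain = None, [actor]
        if actor in self.kinds:
            principal, chain = self.principal_for(actor, scope, now)
        self.audit.append({"time": now.isoformat(), "actor": actor, "scope": scope,
                           "resource": resource, "principal": principal,
                           "chain": chain, "allowed": principal is not None})
        return principal is not None

    def revoke(self, grantor, grantee, now):
        # Revocation: removing one link ends every delegation beneath it.
        self.grants = [g for g in self.grants if (g.grantor, g.grantee) != (grantor, grantee)]
        self.audit.append({"time": now.isoformat(), "revoked": (grantor, grantee)})

def sample_ledger(now):  # constructed sample: alice -> orchestrator -> worker
    exp, scopes = now + timedelta(hours=1), frozenset({"crm:read"})
    return Ledger(kinds={"alice": "human", "orchestrator": "agent", "worker": "agent"},
                  authority={"alice": {"crm:read"}},
                  grants=[Grant("alice", "orchestrator", scopes, exp),
                          Grant("orchestrator", "worker", scopes, exp)])
```

Revoking the single `alice` to `orchestrator` link also stops `worker`, and the denied attempt still lands in `audit` with the chain showing where it broke.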
Why this matters for AI agents
Human actors move slowly. They request access, get approved, use it occasionally, and eventually leave — at which point IT (hopefully) revokes their access.
AI agents move differently. They can be granted broad access in minutes, act across dozens of systems simultaneously, and operate continuously without anyone noticing what they are doing.
The lifecycle applies to both. The stakes are different.
Who can act on whose behalf — and at which stage does your organization lose visibility?