Summary: Agents don’t just perform actions; they execute plans where the safety of each step depends on what has already happened. That makes sequencing an authorization problem. This post explores how policy, delegation data, and multi-signature approval can govern the order in which agents receive authority, not just the scope of it.’

This post is part of a series on using dynamic authorization to control and coordinate AI agents. See the series recap to find other posts in this series.

Suppose you ask an agent to summarize a set of documents and then email the summary to a group. You might be comfortable granting the agent access to your email for that purpose, but only after the summary has been completed and reviewed. If the agent can access your email too early, sensitive information from your inbox could leak into the task. In agent systems, authorization is not only about what actions are permitted. It is also about when they are permitted.

That makes sequencing an authorization problem, not just a workflow problem. Agents do not simply perform isolated actions. They execute plans, accumulate context, revise their strategies, and sometimes coordinate with other agents or people. A permission that is safe at one point in a task may be unsafe at another. The challenge is to ensure that authority unfolds in the right order and only under the right conditions.

Why sequencing matters

Traditional authorization systems are good at answering questions like “Can this principal read this file?” or “Can this service call this API?” Agent systems introduce a different question: “Can this principal take this action now, given what has already happened?” In other words, authorization must constrain the path, not just the destination.

Consider a few examples:

• An agent migrating records between systems needs to verify the backup completed successfully before it begins deleting records from the source. If it starts deleting before the backup is confirmed, data loss is irreversible.

• A research agent gathering information from multiple sources needs to finish collecting and cross-referencing before it synthesizes a summary. Starting the summary too early means drawing conclusions from incomplete data and then anchoring on them.

• A deployment agent rolling out a new service version needs to confirm the canary deployment is healthy before it proceeds to full rollout. Granting it permission for the full rollout from the start means a bad canary could cascade.

• A triage agent classifies incoming support tickets and routes them to specialized agents. The specialized agent should not begin work until triage is complete and the right context is attached. Acting on incomplete classification means acting on wrong information.

• A code review agent runs a test suite against a proposed change. It needs to finish the tests before posting a review summary. A partial summary while tests are still running could greenlight a broken build.

• An agent gathers invoices and calculates reimbursement totals. It should not initiate payment until a manager approves the request.

• An incident response agent collects logs and diagnoses the problem, but restarting production systems requires an engineer to sign off on the plan.

In each case, the question is not whether the action is allowed in the abstract. It is whether the action is allowed at this point in the workflow and under these conditions.

Sequencing through policy

One way to handle sequencing is through policy. In this model, the authorization request includes contextual attributes that represent the task’s current state, allowing policy to determine whether the next action is permitted. Consider the data migration example: an agent should not delete source records until the backup is confirmed. Here’s a pseudocode policy that enforces that:

permit delete_source_records
when backup_status == “verified”;

This approach works well for recurring workflows and institutional rules. Because the sequencing logic lives in policy rather than in agent behavior, operators can inspect and update it independently. In effect, the system says: these actions are forbidden until the required conditions are met.

Sequencing through delegation data

Another approach is to model sequencing as evolving delegated authority. Instead of encoding every possible sequence in durable policy, the system issues task-specific authority at each stage. The agent starts with a limited capability set, and additional permissions become available only when the prior stage has completed successfully. In this model, authority changes as the task progresses.

Consider a deployment agent rolling out a new service version. The agent initially receives a capability token scoped to the canary environment. Only after the canary passes health checks does the monitoring system issue a new token authorizing full rollout. A policy evaluates delegation data like this:

permit full_rollout
when delegation.type == “canary_passed”
  && delegation.service == request.service
  && delegation.version == request.version;

This is especially useful for one-off or highly contextual tasks. Every deployment targets a different service and version; writing a durable policy for each one would be impractical. The delegation data carries the specifics while the policy enforces the pattern.

In this sense, sequencing can be handled either as policy as code or as policy as data. Durable institutional workflows are often best expressed in policy. Temporary, task-specific sequencing can often be handled through delegation data evaluated by policy at runtime.

Adding multi-signature approval

Sequencing alone is not enough. Some workflows also require multi-signature approval: a human or another trusted actor explicitly authorizes the next step before the agent can proceed.

Consider a financial reimbursement agent. The agent might gather receipts and produce a reimbursement summary, but it should not initiate payment until a manager approves the request. Or consider an incident response agent that identifies a remediation plan but cannot execute it until an SRE signs off. In these cases, the authorized trajectory includes both ordered steps and approval conditions. This can also be expressed through policy:

permit reimbursement_pay
when summary_status == “complete”
  && approvals.contains(”manager_approved”);

Or it can be modeled through delegation data, where the approving party issues a credential or capability indicating that the next stage is authorized. Authority is not granted all at once; it unfolds over time and across actors.

Hybrid models

In practice, most real systems will combine these approaches. High-level sequencing rules may be defined in policy, while task-specific permissions are carried in delegation records or approval credentials. A workflow might require that every payment be approved by policy, but use task-specific delegation data to determine which specific invoice, amount, and recipient are in scope.

This is another example of why the distinction between policy as code and policy as data matters. They are not competing ideas. They are complementary tools for shaping how authority is granted, constrained, and evolved in dynamic systems.

Authorized trajectories

Agents do not just need authorization boundaries. They need authorized trajectories. We need to govern not only the actions an agent may take, but the order in which it may take them and the approvals required along the way.

As agents become more capable, safety will depend less on static permission sets and more on our ability to shape how authority unfolds over time. This is not a narrow technical point. The people whose data, money, and reputations are at stake deserve systems where authority is earned step by step, not handed over in bulk. Governing the path an agent takes is how we keep humans in control of the systems that act on their behalf.

Photo Credit: Sequencing agents from ChatGPT (public domain)