Delegation Chains
In multi-agent systems, one agent often delegates tasks to another. Agent A asks Agent B to query a database, which asks Agent C to format the results. This creates a delegation chain — a sequence of agent-to-agent handoffs that MITRITY tracks, validates, and governs.
Without governance, delegation chains introduce serious security risks: privilege escalation (Agent A accesses resources through Agent B that it could not access directly), circular delegation (infinite loops), and fan-out attacks (one agent triggering hundreds of sub-agents). MITRITY's delegation chain system addresses all of these.
Overview
When an agent delegates a task to another agent, the gateway records the delegation as a hop in a chain. Each hop captures:
- The delegating agent (from)
- The receiving agent (to)
- The action being delegated
- The governance decision at this hop
- The effective permissions at this point in the chain
The control plane assembles hops into a complete chain and evaluates the chain against delegation rules.
Chain Structure
A delegation chain consists of an initiator (the first agent) and one or more hops:
{
"id": "chain_8k2m4n",
"initiator": {
"agent_id": "agt_orchestrator",
"agent_name": "orchestrator",
"action_type": "generate_report",
"timestamp": "2026-03-01T10:00:00Z"
},
"hops": [
{
"hop_number": 1,
"from_agent_id": "agt_orchestrator",
"from_agent_name": "orchestrator",
"to_agent_id": "agt_data-fetcher",
"to_agent_name": "data-fetcher",
"action_type": "db.postgres.query",
"decision": "allow",
"effective_permissions": ["read:public.analytics_*"],
"timestamp": "2026-03-01T10:00:01Z"
},
{
"hop_number": 2,
"from_agent_id": "agt_data-fetcher",
"from_agent_name": "data-fetcher",
"to_agent_id": "agt_formatter",
"to_agent_name": "formatter",
"action_type": "format.generate_pdf",
"decision": "allow",
"effective_permissions": ["execute:format.*"],
"timestamp": "2026-03-01T10:00:02Z"
}
],
"total_hops": 2,
"max_depth": 2,
"status": "completed",
"duration_ms": 2340,
"created_at": "2026-03-01T10:00:00Z",
"completed_at": "2026-03-01T10:00:02Z"
}
Chain Visualization
The dashboard shows delegation chains as a directed graph:
orchestrator ──generate_report──► data-fetcher ──db.query──► formatter
│
▼
generate_pdf
Navigate to Security > Delegation Chains to view active and historical chains.
Chain Depth Limits
Chain depth limits prevent excessively deep delegation hierarchies. Deep chains are harder to audit, more likely to contain privilege escalation, and increase governance latency.
Configuring Depth Limits
Set the maximum chain depth in Settings > Security > Delegation:
{
"delegation": {
"max_chain_depth": 5,
"depth_exceeded_action": "deny"
}
}
| Field | Type | Default | Description |
|---|---|---|---|
max_chain_depth | integer | 5 | Maximum number of hops in a delegation chain. Range: 1-20. |
depth_exceeded_action | enum | deny | Action when depth is exceeded: deny (block), alert (allow + alert), hold (queue for approval). |
Per-Agent Depth Override
Override the global depth limit for specific agents:
curl -X PATCH https://api.mitrity.com/api/v1/agents/agt_orchestrator \
-H "Authorization: Bearer mk_live_your-api-key" \
-H "Content-Type: application/json" \
-d '{
"delegation_settings": {
"max_chain_depth": 8,
"allowed_delegates": ["agt_data-fetcher", "agt_formatter", "agt_sender"]
}
}'
Blocked Reasons
When a delegation is blocked, the event includes a blocked_reason that explains why:
| Reason | Description | Severity |
|---|---|---|
circular_delegation | The delegation would create a cycle (Agent A delegates to Agent B, which delegates back to Agent A) | Critical |
depth_exceeded | The chain would exceed the maximum depth limit | High |
privilege_escalation | The receiving agent would gain access to resources the delegating agent cannot access directly | Critical |
fan_out_exceeded | The delegating agent has already exceeded the maximum number of concurrent delegations | High |
unauthorized_delegate | The delegating agent is not authorized to delegate to the receiving agent | High |
rate_limited | The delegation rate limit has been exceeded | Medium |
Circular Delegation Detection
MITRITY detects circular delegations by tracking the full chain path. If a delegation would add an agent that already exists in the current chain, it is blocked:
orchestrator → data-fetcher → formatter → orchestrator (BLOCKED: circular)
{
"hop_number": 3,
"from_agent_id": "agt_formatter",
"to_agent_id": "agt_orchestrator",
"decision": "deny",
"blocked_reason": "circular_delegation",
"chain_path": ["agt_orchestrator", "agt_data-fetcher", "agt_formatter"],
"timestamp": "2026-03-01T10:00:03Z"
}
Privilege Escalation Detection
MITRITY compares the effective permissions at each hop in the chain. If a receiving agent would gain access to resources that the initiating agent (or any agent earlier in the chain) does not have, the delegation is flagged as privilege escalation.
Example: Agent A has read-only access to public.analytics_*. Agent B has read-write access to public.*. If Agent A delegates to Agent B with a write operation, this is privilege escalation — Agent A is using Agent B to perform an operation it cannot do directly.
{
"hop_number": 1,
"from_agent_id": "agt_read-only-bot",
"to_agent_id": "agt_full-access-bot",
"action_type": "db.postgres.insert",
"decision": "deny",
"blocked_reason": "privilege_escalation",
"escalation_details": {
"requested_operation": "write",
"delegator_permissions": ["read:public.analytics_*"],
"delegate_permissions": ["read:public.*", "write:public.*"],
"escalated_resources": ["public.*"]
}
}
Fan-Out Detection
Fan-out limits prevent a single agent from spawning an excessive number of parallel delegations. This protects against denial-of-service attacks and resource exhaustion.
Configure fan-out limits in Settings > Security > Delegation:
{
"delegation": {
"max_fan_out": 10,
"fan_out_window": "1m"
}
}
| Field | Type | Default | Description |
|---|---|---|---|
max_fan_out | integer | 10 | Maximum concurrent delegations from a single agent |
fan_out_window | string | 1m | Time window for counting fan-out delegations |
Effective Permissions
At each hop in a delegation chain, MITRITY calculates the effective permissions — the intersection of the delegating agent's permissions and the receiving agent's permissions. The receiving agent can never gain more access than the delegating agent has.
Delegator Permissions ∩ Delegate Permissions = Effective Permissions
Example:
- Agent A (orchestrator):
read:public.*,write:public.reports_* - Agent B (data-fetcher):
read:public.*,write:public.*,delete:public.* - Effective permissions for Agent B in this chain:
read:public.*,write:public.reports_*
Agent B's effective permissions are restricted to the intersection. It can read all tables (both agents have this), write to reports tables (both agents have this), but cannot delete (Agent A does not have delete permission).
API Reference
List Delegation Chains
curl "https://api.mitrity.com/api/v1/delegation-chains?status=completed&limit=25" \
-H "Authorization: Bearer mk_live_your-api-key"
Query parameters:
| Parameter | Type | Description |
|---|---|---|
agent_id | string | Filter chains involving a specific agent (as initiator or participant) |
status | enum | Filter by status: active, completed, blocked |
min_depth | integer | Minimum chain depth |
blocked_reason | enum | Filter by blocked reason |
start_date | datetime | Chains created after this timestamp |
end_date | datetime | Chains created before this timestamp |
limit | integer | Results per page (default: 25, max: 100) |
cursor | string | Pagination cursor |
Response:
{
"data": [
{
"id": "chain_8k2m4n",
"initiator_agent_id": "agt_orchestrator",
"initiator_agent_name": "orchestrator",
"total_hops": 2,
"max_depth": 2,
"status": "completed",
"duration_ms": 2340,
"created_at": "2026-03-01T10:00:00Z",
"completed_at": "2026-03-01T10:00:02Z"
}
],
"meta": {
"request_id": "req_chain001",
"timestamp": "2026-03-01T11:00:00Z",
"next_cursor": null,
"total": 1
}
}
Get a Single Chain
curl https://api.mitrity.com/api/v1/delegation-chains/chain_8k2m4n \
-H "Authorization: Bearer mk_live_your-api-key"
Returns the full chain with all hops, effective permissions, and governance decisions.
Get Delegation Summary
curl "https://api.mitrity.com/api/v1/delegation-chains/summary?days=30" \
-H "Authorization: Bearer mk_live_your-api-key"
Response:
{
"data": {
"total_chains": 4521,
"total_hops": 12847,
"average_depth": 2.8,
"max_depth_observed": 7,
"blocked_chains": 34,
"by_blocked_reason": {
"circular_delegation": 3,
"depth_exceeded": 8,
"privilege_escalation": 15,
"fan_out_exceeded": 5,
"unauthorized_delegate": 3
},
"top_initiators": [
{ "agent_id": "agt_orchestrator", "agent_name": "orchestrator", "chain_count": 2340 },
{ "agent_id": "agt_workflow-bot", "agent_name": "workflow-bot", "chain_count": 890 }
],
"top_delegates": [
{ "agent_id": "agt_data-fetcher", "agent_name": "data-fetcher", "delegation_count": 3450 },
{ "agent_id": "agt_formatter", "agent_name": "formatter", "delegation_count": 2100 }
]
},
"meta": {
"request_id": "req_chain002",
"timestamp": "2026-03-01T12:00:00Z"
}
}
Dashboard Features
Chain Explorer
The delegation chain explorer at Security > Delegation Chains provides:
- Chain timeline: Visual timeline of all hops in a chain with timestamps
- Permission flow: Effective permissions at each hop, highlighting any privilege reduction
- Decision log: Governance decisions at each hop (allow, deny, hold)
- Agent graph: Interactive graph showing delegation relationships between agents
Delegation Topology
The delegation topology view shows the aggregate delegation patterns across all agents:
- Which agents delegate to which other agents
- Most common delegation paths
- Blocked delegation attempts (highlighted in red)
- Privilege escalation hotspots
Real-Time Monitoring
Active delegation chains are shown in real-time in the dashboard. Chains that exceed depth warnings or trigger privilege escalation alerts are highlighted.
Delegation Policies
Write policies specifically for delegation governance:
Restrict Delegation Targets
{
"name": "restrict-orchestrator-delegates",
"policy_type": "deny",
"action_pattern": "delegate.*",
"priority": 500,
"constraints": {
"agent_id": ["agt_orchestrator"],
"delegation": {
"disallowed_delegates": ["agt_admin-bot", "agt_billing-bot"]
}
}
}
Hold Cross-Environment Delegation
{
"name": "hold-cross-env-delegation",
"policy_type": "hold",
"action_pattern": "delegate.*",
"priority": 450,
"hold_timeout_minutes": 15,
"timeout_action": "deny",
"constraints": {
"delegation": {
"cross_environment": true
}
}
}
Best Practices
Set Conservative Depth Limits
Start with a max depth of 3-5. Most legitimate multi-agent workflows complete within 3 hops. Deeper chains often indicate design issues or potential attacks.
Whitelist Delegation Pairs
For critical agents, explicitly whitelist which agents they can delegate to using the allowed_delegates setting. This prevents unexpected delegation paths.
Monitor Privilege Escalation
Privilege escalation through delegation is a critical security risk. Set the privilege escalation action to deny (not alert) in production environments.
Review Blocked Chains
Blocked delegation chains often reveal security issues or architectural problems. Review blocked chains weekly and investigate recurring patterns.
Use Effective Permission Logging
Enable verbose logging of effective permissions at each hop. This creates a detailed audit trail for compliance reviews and incident investigations.
Related Documentation
- Injection Detection — Detect prompt injection in delegated instructions
- Credential Broker — Manage credential access across delegation chains
- Threat Intelligence — Detect known delegation attack patterns
- RBAC — Role-based access control for team members
- ML Insights — ML-driven analysis of delegation patterns