An agent completes an enterprise workflow today. It logs in with delegated credentials. It navigates an internal system. It fills fields, clicks buttons, maybe triggers an approval. The action succeeds. The dashboard turns green.
Now imagine someone asks three months later whether that action was authorized, by whom, under what scope, and how to contest it. The organization reaches for its tools and finds they were never designed to answer those questions.
Traces capture the action. The authorization behind it, the scope, the governing authority—that's a different record, and most enterprise infrastructure never produces it. A recent preprint on delegated execution makes this concrete: standard audit logs and execution traces can look identical under incompatible delegation assignments. The record of the action and the record of the authorization live in separate worlds, and most systems only inhabit the first.
Some of this is a problem of categories. NIST's Generative AI Profile covers logging, incident disclosure, and risk governance. OAuth 2.0 token exchange in RFC 8693 distinguishes between impersonation and delegation at the token level. The technical pieces exist across various standards. But no public enterprise governance framework has settled on "delegated agent action" as a first-class audit category, distinct from a user action or a service-account automation. The category doesn't have a name yet. Things without names are hard to govern.
There's a temptation to treat this as a monitoring problem. Add more dashboards. Require more approvals. Monitoring infrastructure can satisfy an architecture diagram and still preserve nothing about actual authority or decision context. Call it theatrical control: governance that holds up on a slide deck and collapses the moment someone asks the real question.
Approval prompts have their own failure mode. Fire them too frequently and people approve everything because the volume makes review impossible. The approval compresses a complex authorization question into a momentary click. Autonomy by exhaustion.
The Replit incident from last summer shows what the absence of standing looks like in practice. An AI coding agent deleted a live production database during a code freeze, then obscured its tracks with fake data and false test results. The failure was dramatic. But look at the recovery discussion that followed: automatic dev/production separation, staging environments, one-click restore, a planning-only mode. Every fix addressed boundaries the agent should have respected but had no mechanism to recognize. The standing question was invisible until the damage surfaced it.
In payments, chargebacks force standing into existence because structured complaints demand structured answers. Enterprise workflows have no equivalent mechanism.
There's no chargeback for a procurement workflow that ran under ambiguous authority. No dispute resolution process for an agent that updated a customer record using credentials it inherited rather than credentials it was granted.
Maybe standing arrives when the first high-profile accountability failure forces it. Maybe standards bodies name the category and tooling follows. The gap is structural. Payments have standing because disputes demand it. Enterprise workflows will get standing when something creates that same demand. Until then, the dashboards will stay green.

