Agents Are Not Users: A Reference Architecture for Governed Agent Actions in Third-Party Products
AI agents increasingly execute actions inside third-party products, yet existing authorization models were designed for human users or machine-to-machine integrations. This paper presents a reference architecture for governed agent actions: declarative manifests, explicit authorization boundaries, scoped delegation, approval workflows for irreversible actions, audit receipts, and verifiable execution semantics. Rather than treating agents as privileged API clients, the architecture separates reasoning from execution and places policy enforcement at a dedicated action gateway.
Paper details
Agents Are Not Users · v1 · July 2, 2026
Declare
Products publish a manifest of callable actions — permissions, side effects, and sensitivity tiers — once, instead of ad hoc tool lists per integration.
Authorize
A gateway enforces policy at invocation time: agent identity tokens never authorize mutation alone; user consent and human confirmation gate side effects.
Prove
Signed decision and intent receipts bind authority, policy version, and parameters — with explicit scope of what the record does and does not assert.
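The Authorize and Prove steps above, sketched as an added example (not code from the paper). The manifest field names, tier values, scope strings and function names are assumptions, reads are also assumed to need a delegated scope, and an HMAC stands in for the gateway's signature.

```python
import hashlib
import hmac
import json

# Constructed manifest: field names and tier values are assumptions, not the paper's schema.
MANIFEST = {
    "invoice.read": {"permission": "invoices:read", "side_effect": False, "tier": "low"},
    "invoice.send": {"permission": "invoices:write", "side_effect": True, "tier": "medium"},
    "account.delete": {"permission": "account:admin", "side_effect": True, "tier": "irreversible"},
}
POLICY_VERSION = "constructed-policy-v1"
GATEWAY_KEY = b"constructed-demo-key"  # HMAC stand-in for the gateway's signing key


def canon(obj):
    """Deterministic JSON bytes so the same content always yields the same MAC."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def decide(action, agent_id, user_scopes=(), human_confirmed=False):
    """Deny-by-default decision for one invocation; returns (allowed, reason)."""
    spec = MANIFEST.get(action)
    if spec is None:
        return False, "action not declared in manifest"
    if not agent_id:
        return False, "missing agent identity"
    # Agent identity alone authorizes nothing: the user must have delegated the scope.
    if spec["permission"] not in user_scopes:
        return False, "no user delegation for " + spec["permission"]
    if spec["tier"] == "irreversible" and not human_confirmed:
        return False, "human confirmation required"
    return True, "allowed"


def invoke(action, params, agent_id, user_scopes=(), human_confirmed=False):
    """Decide, then emit a receipt binding authority, policy version and parameters."""
    allowed, reason = decide(action, agent_id, user_scopes, human_confirmed)
    body = {"action": action, "agent": agent_id, "allowed": allowed, "reason": reason,
            "policy_version": POLICY_VERSION, "authority": sorted(user_scopes),
            "human_confirmed": human_confirmed,
            "params_sha256": hashlib.sha256(canon(params)).hexdigest()}
    mac = hmac.new(GATEWAY_KEY, canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(receipt):
    """Recompute the MAC over the receipt body; any edited field fails the check."""
    expected = hmac.new(GATEWAY_KEY, canon(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])
```

Denied invocations also produce a receipt, so the audit trail records refusals with the policy version that caused them.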
How to cite this paper
@misc{sethia2026agents,
  author = {Sethia, Shorya},
  title = {Agents Are Not Users: A Reference Architecture for Governed Agent Actions in Third-Party Products},
  year = {2026},
  publisher = {Zenodo},
  doi = {10.5281/zenodo.21133996},
  url = {https://doi.org/10.5281/zenodo.21133996}
}