Duct

Research

Architecture and threat models for governed agent actions

Public preprints and reference specifications from the Duct team — how to separate agent identity from user authority, enforce consent at invocation time, and leave verifiable evidence of what ran.

Preprint · July 2, 2026 · v1 · CC BY 4.0

Agents Are Not Users: A Reference Architecture for Governed Agent Actions in Third-Party Products

AI agents increasingly execute actions inside third-party products, yet existing authorization models were designed for human users or machine-to-machine integrations. This paper presents a reference architecture for governed agent actions: declarative manifests, explicit authorization boundaries, scoped delegation, approval workflows for irreversible actions, audit receipts, and verifiable execution semantics. Rather than treating agents as privileged API clients, the architecture separates reasoning from execution and places policy enforcement at a dedicated action gateway.

Paper details

Agents Are Not Users · v1 · July 2, 2026

Declare

Products publish a manifest of callable actions — permissions, side effects, and sensitivity tiers — once, instead of ad hoc tool lists per integration.

Authorize

A gateway enforces policy at invocation time: agent identity tokens never authorize mutation alone; user consent and human confirmation gate side effects.

Prove

Signed decision and intent receipts bind authority, policy version, and parameters — with explicit scope of what the record does and does not assert.
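The three steps above can be sketched end to end as a small gateway. This is an added example, not code from the paper or from Duct: the manifest fields, tier names, action names, policy version string and the use of HMAC-SHA256 in place of a real signature scheme are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed manifest: field names and tier labels are assumptions, not Duct's schema.
MANIFEST = {
    "invoice.read":   {"permission": "invoices:read",  "side_effect": False, "tier": "low"},
    "invoice.send":   {"permission": "invoices:write", "side_effect": True,  "tier": "medium"},
    "invoice.delete": {"permission": "invoices:write", "side_effect": True,  "tier": "irreversible"},
}
POLICY_VERSION = "example-policy-1"      # constructed value
RECEIPT_KEY = b"constructed-demo-key"    # demo key; HMAC stands in for a real signature

def _canon(obj):
    """Deterministic JSON bytes so identical content always signs identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def decide(action, agent_id, user_grants, human_confirmed):
    """Policy check at invocation time; fails closed on anything undeclared."""
    spec = MANIFEST.get(action)
    if spec is None:
        return "deny", "action not declared in manifest"
    if not agent_id:
        return "deny", "missing agent identity"
    # Agent identity alone is never sufficient: the user must have delegated the scope.
    if spec["permission"] not in user_grants:
        return "deny", "no user consent for " + spec["permission"]
    if spec["tier"] == "irreversible" and not human_confirmed:
        return "needs_confirmation", "irreversible action awaits human approval"
    return "allow", "policy satisfied"

def invoke(action, params, agent_id, user_id, user_grants, human_confirmed=False):
    """Decide, then emit a receipt binding authority, policy version and parameters."""
    decision, reason = decide(action, agent_id, user_grants, human_confirmed)
    body = {"action": action, "agent": agent_id, "user": user_id,
            "grants": sorted(user_grants), "policy_version": POLICY_VERSION,
            "params_sha256": hashlib.sha256(_canon(params)).hexdigest(),
            "decision": decision, "reason": reason}
    sig = hmac.new(RECEIPT_KEY, _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_receipt(receipt):
    """True only if the receipt body is byte-for-byte what the gateway signed."""
    expected = hmac.new(RECEIPT_KEY, _canon(receipt["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["sig"])
```

The receipt records the decision and a hash of the parameters, not the outcome of execution, so a verifier learns what was authorized under which policy version and nothing about whether the downstream call succeeded.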

How to cite this paper

@misc{sethia2026agents,
  author       = {Sethia, Shorya},
  title        = {Agents Are Not Users: A Reference Architecture for Governed Agent Actions in Third-Party Products},
  year         = {2026},
  publisher    = {Zenodo},
  doi          = {10.5281/zenodo.21133996},
  url          = {https://doi.org/10.5281/zenodo.21133996}
}

“Research is better when it's reproducible. If you're working on agent systems, we'd love to collaborate.”