Papers
Topics
Authors
Recent
Search
2000 character limit reached

Intent-Preserving Delegation Protocol (IPDP)

Updated 4 July 2026
  • The protocol ensures every delegated action is confined to the originating intent, enforcing monotone narrowing and precise scope control.
  • It employs mechanisms like intent certificates, JWT tokens, and delegation grants to secure tool authorization, planning, and multi-principal coordination.
  • Empirical evaluations show significant improvements in safety, coordination efficiency, and auditability while also addressing challenges in normalization and probabilistic verification.

Intent-Preserving Delegation Protocol (IPDP) denotes a class of delegation and enforcement mechanisms in which a delegated action, tool effect, workflow step, or state mutation remains justified by, and no broader than, an originating intent. In one canonical formulation, IPDP is “a server-side delegation and enforcement protocol that ensures every tool effect an AI agent can exercise is justified by, and no broader than, the user’s currently expressed intent”; parallel formulations preserve an intended effect through hierarchical plan expansion, make intent declaration a precondition for shared-state mutation, or bind each API call to a workflow step and a validated delegation chain (Zhu et al., 22 Jun 2026, Lai et al., 2020, Qian et al., 10 Apr 2026, Goswami, 16 Sep 2025).

1. Scope and conceptual variants

Across recent work, IPDP is not a single mechanism but a recurring design pattern. In server-side authorization, IGAC realizes IPDP through intent certificates, session-scoped policy narrowing, manifest filtering, and intent–tool–payload consistency checks. In cryptographic delegation, A-JWT, Delegation Grants with Canonical Verification Contexts, SentinelAgent’s Delegation Chain Calculus, and ACP all treat intent or delegated authority as a signed, auditable object validated at request time. In planning, the Markov Intent Process treats intent as a desired target state or net effect and preserves it while recursively inserting prerequisite skills. In multi-principal coordination, MPAC requires explicit intent declaration before operations on shared state. A distinct line of work applies IPDP to liquid democracy, where sealed delegation, ranked multi-delegation, and personal fallback ballots preserve voter intent during formation, resolution, and tallying (Zhu et al., 22 Jun 2026, Goswami, 16 Sep 2025, Saavedra, 21 Jan 2026, Patil, 3 Apr 2026, Fernandez, 19 Mar 2026, Qian et al., 10 Apr 2026, Li et al., 2 Jul 2026).

Domain Representative instantiation Core binding object
Tool authorization IGAC on OpenPort Intent certificate
Agent security A-JWT, ACP, SentinelAgent Intent token / capability token / chain token
Identity interoperability DG + CVC + Trust Gateway Delegation Grant
Planning Markov Intent Process Intent plan / skill effect
Shared-state coordination MPAC Intent declaration + conflict object
Sealed civic delegation Resilient liquid democracy Encrypted policy tuple Πi=(Di,bi)\Pi_i=(D_i,b_i)

These variants share a common concern: the delegator’s authority, semantics, or purpose must remain externally checkable after delegation. The main differences lie in what counts as “intent” and where enforcement occurs. In IGAC and ACP, enforcement is admission control over tools or state mutation. In MIP, enforcement is structural preservation of the terminal intended effect. In MPAC, enforcement is state-machine gating and optimistic concurrency control. In liquid democracy, enforcement is deterministic post-reveal resolution of encrypted delegation policies.

2. Core invariants and formal properties

The most common invariant is monotone narrowing. IGAC formalizes an authority lattice AA with partial order \le, a static integration authority a0Aa_0 \in A, a normalized intent ii, and a narrowing function N(i,a0)N(i,a_0). Its monotonicity conditions are: N(i,a0)a0N(i,a_0)\le a_0 for all ii, and if i2i1i_2 \preceq i_1, then N(i2,a0)N(i1,a0)N(i_2,a_0)\le N(i_1,a_0). In set form, if AA0 is the set of allowed AA1 triples under static policy and AA2 is the set allowed under the intent certificate, then AA3, hence AA4 (Zhu et al., 22 Jun 2026).

Identity- and capability-centric formulations express the same principle as chain-wise attenuation. In the Delegation Grant framework, downstream delegation satisfies scope reduction, constraint monotonicity, time bounding, and depth bounding: AA5, AA6, AA7, and AA8. ACP states the effective capability set as AA9 and the effective policy as \le0, with a non-expansion proof sketch over signed delegation links and transitive revocation (Saavedra, 21 Jan 2026, Fernandez, 19 Mar 2026).

SentinelAgent makes the distinction between deterministic and probabilistic properties explicit. Its Delegation Chain Calculus defines seven properties: authority narrowing, policy preservation, forensic reconstructibility, cascade containment, scope-action conformance, output schema conformance, and intent preservation. The first six are deterministic; intent preservation is probabilistic. The same work states a proposition establishing the practical infeasibility of deterministic intent verification for natural-language delegation descriptions without restricting the input language to a formal grammar (Patil, 3 Apr 2026).

Planning-oriented IPDP uses a different but related invariant. In the Markov Intent Process, every non-terminal expansion for a skill \le1 returns a plan whose last element is \le2; when preconditions are satisfied, it returns \le3. Dynamic adaptations insert prerequisites but never remove or alter the final intended effect (Lai et al., 2020).

Open-world formulations generalize the invariant from permissions to action envelopes. “Toward a Science of Intent” defines an intent-compiled contract tuple \le4 and a deterministic delegation envelope

\le5

together with a risk-sensitive probabilistic envelope

\le6

MPAC states an analogous invariant operationally: every committed operation must reference an authorized intent whose scope covers the target object, and any optimistic-concurrency failure must create a conflict object rather than silently overwrite state (Armesto et al., 27 Apr 2026, Qian et al., 10 Apr 2026).

3. Protocol artifacts and enforcement architectures

IGAC’s artifact is the intent certificate: a short-lived, auditable, session-scoped delegation artifact issued by an intent gateway from trusted user input or product flows. Its server-side record includes requestHash, intentClasses, resourceBounds, effectBounds, confidence \le7, review mode \le8, expiry \le9, classifierSource, and auditDigest. The certificate is validated by matching requestHash == H(u), checking expiry, and enforcing a confidence or review-mode rule; it is scoped to app/key/actor and cannot be reused by other credentials. Downstream, the certificate induces a session policy that only tightens static OpenPort policy, filters the manifest, and gates preflight, draft creation, witness binding, idempotency, commit, and audit. The state machine runs from S0 Idle through S8 Audited with guards that enforce monotonicity and consistency (Zhu et al., 22 Jun 2026).

A-JWT moves the binding object into a JWT-compatible token. It encodes workflow_id, workflow_step, executed_by, initiated_by, delegation_chain, step_sequence_hash, and execution_context, and pairs these with an agent_checksum, per-agent proof-of-possession via cnf.jkt, and replay-resistant jti. Its issuance path includes agent identity derivation from prompt, tools, and configuration, per-agent PoP key derivation, dual-faceted intent token minting, PoP signing, and client shim self-verification. The resource server checks A-JWT signature, freshness, issuer and audience, replay protection, agent identity checksum, shim integrity, PoP signature, delegation chain validity, step binding, execution-context consistency, and scope–intent consistency on every request (Goswami, 16 Sep 2025).

The interoperable identity architecture centered on Delegation Grants separates transport from verification. A Delegation Grant is a signed authorization artefact with scope, constraints, temporal bounds, delegation depth, proofs, and signature; the Trust Gateway detects incoming profiles such as OAuth2/OIDC, OIDC4VP, VC-LD, SD-JWT, and DIDComm, normalizes them into a Canonical Verification Context

a0Aa_0 \in A0

and routes this object to a layered verification engine. Verification yields signed Verification Result Objects, while optional blockchain anchoring adds tamper-evident ordering without becoming a structural dependency (Saavedra, 21 Jan 2026).

ACP is a more prescriptive admission-control stack. It defines AgentID = base58(SHA-256(pk)), capability tokens with deleg.allowed, max_depth, and parent_hash, deterministic risk evaluation, single-use Execution Tokens, transitive revocation, and append-only hash-chained audit events

a0Aa_0 \in A1

Its core invariant is stated as Execute(request) ⇒ ValidIdentity(agent) ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk, and its prohibited behaviors include approving when any evaluation fails, reusing a consumed execution token, omitting signature verification, ignoring max_depth, and continuing to process artifacts with invalid signatures (Fernandez, 19 Mar 2026).

SentinelAgent places these checks under a non-LLM Delegation Authority Service. Its token tuple a0Aa_0 \in A2 is checked at three points: pre-execution, at-execution, and post-execution. The runtime components include an Identity Registry, Policy Engine, Intent Verifier, Token Signer, Chain Store, Cascade Controller, Scope Enforcement Proxy, and Output Schema Validator. This architecture is designed so that even if intent verification is evaded, scope-action conformance, output schema conformance, forensic reconstructibility, and containment remain intact (Patil, 3 Apr 2026).

4. Planning, coordination, and open-world execution

In hierarchical planning, IPDP appears as intent-preserving decomposition rather than authorization. The Markov Intent Process defines a tuple a0Aa_0 \in A3, where each high-level skill a0Aa_0 \in A4 is identified by a single intended effect a0Aa_0 \in A5, and a0Aa_0 \in A6 returns a plan of skills and primitive actions that aims to achieve a0Aa_0 \in A7. Execution is on-demand: a one-shot top-level intent plan is computed once from a0Aa_0 \in A8, and only the head skill is expanded when needed. Unmet primitive-action success conditions a0Aa_0 \in A9 determine which prerequisite subskills are inserted, and the terminal action remains the canonical action ii0 for the original effect (Lai et al., 2020).

Task-aware collaboration work translates offline preference structure into online delegation cues. Prompts are embedded with Sentence-BERT, reduced with UMAP, and clustered with K-means into ii1 task clusters. Capability Profiles define task-conditioned empirical win-rates

ii2

and Coordination-Risk Cues define cluster-level tie-rates

ii3

At runtime, the system assigns a prompt to a cluster, selects the primary collaborator by ii4, and routes to high-assurance mode when ii5 exceeds a threshold, adding clarification, auditing, citations, or a stepwise plan. This work treats common-ground verification, explicit rationale disclosure, and privacy-preserving accountability logging as delegation primitives (Gu, 11 Mar 2026).

The open-world “science of intent” extends IPDP from local permissions to distributed verification. Intent compilation transforms partially specified human purpose into a semantic contract ii6, evidentiary contract ii7, procedural contract ii8, and institutional contract ii9. Residual openness is represented by the closure-gap vector

N(i,a0)N(i,a_0)0

and failures are separated into undersearch and misclosure. The operational claim is that in open worlds, verification is distributed across semantic, evidentiary, procedural, and institutional dimensions, so longer search traces can remain “fluent work over an undercompiled problem” unless closure interventions reduce the dominant gaps (Armesto et al., 27 Apr 2026).

MPAC adapts the same idea to concurrent shared-state collaboration. It defines five layers—Session, Intent, Operation, Conflict, and Governance—together with three state machines, Lamport-clock causal watermarking, and optimistic concurrency control. An operation carries a pre-read version N(i,a0)N(i,a_0)1, and commit is allowed only if N(i,a0)N(i,a_0)2; otherwise a structured conflict object is created and routed to governance. The protocol therefore treats conflict visibility and governance binding as part of intent preservation, not as ancillary recovery logic (Qian et al., 10 Apr 2026).

“Intelligent AI Delegation” generalizes these execution ideas into a broader framework with Dynamic Assessment, Adaptive Execution, Structural Transparency, Scalable Market Coordination, and Systemic Resilience. Its IPDP-style synthesis emphasizes contract-first decomposition, role and boundary specification, monitoring streams, verifiable completion, dispute resolution, adaptive coordination triggers, and permission attenuation across delegation chains. This suggests a wider interpretation of IPDP as a protocol family for delegation under explicit authority, responsibility, accountability, and verification constraints (Tomašev et al., 12 Feb 2026).

A further extension appears in secure liquid democracy. There, each voter encrypts a policy tuple N(i,a0)N(i,a_0)3, where N(i,a0)N(i,a_0)4 is an ordered list of delegates and N(i,a0)N(i,a_0)5 is a personal fallback ballot. Delegation formation is sealed by decentralized timed-release encryption; resolution after the reveal phase routes voting power to the highest-ranked available delegate and ultimately to the fallback ballot if necessary. Pre-reveal secrecy, resubmission receipt-freeness, and deterministic post-reveal recomputability are the corresponding intent-preservation properties (Li et al., 2 Jul 2026).

5. Empirical results and security evidence

IGAC’s runtime artifacts report two quantitative evaluations. In a synthetic microbenchmark of 176 tasks, “OpenPort-only admitted unjustified authority in all non-benign cases but executed none (UER=0); IGAC+OpenPort achieved zero unsafe accepted authority under oracle/rule certificates and mean manifest reduction around 0.76.” In an end-to-end LLM runtime pilot of 34 tasks × 3 models × 3 runs, unsafe execution remained 0 with IGAC+OpenPort, residual unsafe accepted authority persisted in some create-draft cases due to weak certificate bounds, and manifest reduction was approximately 0.79–0.80 (Zhu et al., 22 Jun 2026).

SentinelAgent reports a three-point verification lifecycle achieving 100% combined [TPR](https://www.emergentmind.com/topics/structured-tensor-product-representations-tpr) at 0% FPR on [DelegationBench v4](https://www.emergentmind.com/topics/delegationbench-v4) (516 scenarios, 10 attack categories, 13 federal domains). Under black-box adversarial conditions, the Delegation Authority Service blocked 30/30 attacks with 0 false positives; an independent red team blocked 45/45 with 0 FPR. Properties P1, P3–P7 were mechanically verified by TLA+ model checking across 2.7 million states with zero violations. At the same time, standalone intent verification degraded to about 13% TPR under adversarial paraphrasing, while fine-tuning on 190 government delegation examples improved P2 from 1.7% to 88.3% TPR with F1=82.1% (Patil, 3 Apr 2026).

A-JWT reports a Python proof-of-concept that functionally blocks scope-violating requests, replay, impersonation, and prompt-injection pathways with sub-millisecond overhead on commodity hardware, and its reference implementation blocks 100% of modeled threat requests through mint-time or verify-time denials. The interoperable DG/CVC/TG architecture reports end-to-end average latency 58.60 ms, median 34.47 ms, P95 196.72 ms, roughly 14 ms per additional delegation hop, and compact Verification Result Objects of about 0.5 KB; optional blockchain anchoring adds 24.5 ms on average and approximately +45.9% end-to-end overhead (Goswami, 16 Sep 2025, Saavedra, 21 Jan 2026).

MPAC’s controlled three-agent code review benchmark reports a 95 percent reduction in coordination overhead and a 4.8 times wall-clock speedup versus a serialized human-mediated baseline, with per-agent decision time preserved. In planning, Delegate is reported as 100% successful on all tested domains and noise levels where baselines often fail, with sharply lower planning times such as 0.028 ± 0.008 s for Mining, 0.047 ± 0.009 s for Baking, and 0.348 ± 0.156 s for Factorio, compared with much larger MCTS or RRT runtimes (Qian et al., 10 Apr 2026, Lai et al., 2020).

Task-aware delegation cues report predictive-probe evidence that cluster features improve winner prediction accuracy from 0.541 to 0.548 and reduce difficulty-prediction MSE from 2.567 to 2.463 under stratified 5-fold cross-validation. In the liquid-democracy setting, ranked multi-delegation with personal fallback ballots reduces vote loss under targeted failures from approximately 26–30% to approximately 3%, and this replication is reported across 20 participatory-budgeting elections; the same line of work also reports that the benefit of sealed formation is primarily structural, sharply reducing power concentration rather than directly improving representational accuracy (Gu, 11 Mar 2026, Li et al., 2 Jul 2026).

6. Limitations, misconceptions, and future directions

A recurring misconception is that IPDP is merely agent-side prompting or tool filtering. The security-oriented literature rejects that view explicitly: model planners, tool descriptors, and conversation context are treated as untrusted inputs, while authorization, discovery, payload checks, workflow-step checks, risk gates, and audit must remain under server or resource-server control. IPDP therefore layers on top of OAuth2 scopes, RBAC, ABAC, and Zero Trust rather than replacing them; intent is consistently modeled as a narrowing attribute, not as a scope-expanding exception (Zhu et al., 22 Jun 2026, Goswami, 16 Sep 2025, Fernandez, 19 Mar 2026).

The central controversy concerns natural-language intent itself. SentinelAgent states that deterministic intent verification is practically infeasible for the class of delegation descriptions used in federal multi-agent systems, and the closure-gap framework likewise argues that open-world deployment difficulty comes from distributed semantic, evidentiary, procedural, and institutional verification rather than from insufficient search alone. A plausible implication is that robust IPDP designs will continue to combine probabilistic intent inference with deterministic non-expansion, scope conformance, output conformance, and auditability (Patil, 3 Apr 2026, Armesto et al., 27 Apr 2026).

Precision and normalization remain limiting factors. IGAC identifies residual unsafe accepted authority when certificates lack enforceable numeric or resource bounds for create-like calls, and recommends canonicalizers, bound validators, planner retries on schema errors, and protocol conformance tests. A-JWT identifies agent evolution, revocation strategies, long-running workflows, privacy of prompt-derived hashes, key rotation, and TOCTOU in prompt evaluation as open issues. The interoperable DG/CVC stack notes standards drift around SD-JWT, OIDC4VCI/VP, and BBS+, and reports that interactive holder binding was not fully implemented (Zhu et al., 22 Jun 2026, Goswami, 16 Sep 2025, Saavedra, 21 Jan 2026).

Coordination-centric systems expose a different set of constraints. MPAC identifies governance scalability, multi-principal authentication complexity, and non-textual or semantic conflict merges as continuing burdens. “Intelligent AI Delegation” adds broader unresolved questions around scalable privacy-preserving monitoring, standardized cross-protocol verification slots, uncertainty calibration, and the governance problem of liability firebreaks and moral crumple zones. These concerns shift IPDP from a narrow access-control primitive toward a socio-technical protocol surface (Qian et al., 10 Apr 2026, Tomašev et al., 12 Feb 2026).

Future work across the literature is notably convergent: stronger bound extraction and normalization; durable stores and external audit anchoring; mechanized proofs for monotonicity and risk routing; standard profiles for intent certificates, reason codes, Delegation Grants, and Canonical Verification Contexts; BFT-replicated or threshold-signed delegation authorities; richer policy languages; CRDT-backed alternatives to optimistic concurrency control; and controlled internalization of routines only when contract representation is stable, monitorable, and rollback-capable. The common direction is not toward removing intent from the protocol, but toward making intent compilation, attenuation, verification, and audit more explicit and more interoperable (Zhu et al., 22 Jun 2026, Patil, 3 Apr 2026, Saavedra, 21 Jan 2026, Armesto et al., 27 Apr 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Intent-Preserving Delegation Protocol (IPDP).