Mandates Are Not Blank Checks
When a human buys something online, they click “Purchase.” That click is their consent — implicit, instantaneous, revocable by calling their bank.
When an agent buys something, there is no click. There might not even be a human present. So the question becomes: who authorized this? Under what constraints? And can you prove it after the fact?
This is what a mandate solves.
Two Channels of Authority
Authority in agentic systems flows through exactly two channels:
Channel 1 — Session Authority (human-present). The user is in the session. The agent acts, the trust model evaluates, and if trust is uncertain the system can challenge the user directly: “Are you sure?” The human is the fallback.
Channel 2 — Mandate Authority (human-NOT-present). The user delegated authority and walked away. The agent acts at 3am. The trust model still evaluates — but there is no human to challenge. The mandate’s constraints become the pre-committed response to every challenge.
The key insight: the trust evaluation still runs. The four dimensions still evaluate. Continuous evaluation still applies. What changes is the fallback mechanism when trust is uncertain.
| Situation | Session (human-present) | Mandate (human-absent) |
|---|---|---|
| Trust is HIGH | Allow | Allow |
| Trust is UNCERTAIN | Challenge the user | Check constraints — comply or block |
| Trust is LOW | Step-up authentication | Block and record |
| Trust is DEGRADED | Deny | Block and revoke mandate |
What a Mandate Contains
A mandate is a constitutional delegation — enumerated powers with cryptographic consent. Think of it like a power of attorney. The agent can act on your behalf, but only within the scope you defined:
- Spending limit — not unlimited, this ceiling
- Category restrictions — not anything, these specific products
- Merchant constraints — not anyone, these specific merchants
- Time bounds — not forever, this window
- Rate limits — not unlimited frequency, this cadence
Every boundary is explicit. Every boundary is signed.
Dual-Signed, Not Single-Signed
Here is the critical part: both parties sign.
The user signs with their verifiable credential (SD-JWT-VC). This is their consent — cryptographic, not just a checkbox. The merchant counter-signs with their credential (JWS). This is their acceptance of the terms.
The mandate itself becomes an independently verifiable artifact — like a digital contract. You don’t need to trust the platform. The signatures can be verified independently by anyone who has the mandate.
This is what separates a mandate from a configuration file or a database constraint. Config files can be changed without authorization. Database constraints enforce rules but produce no decision trail. Neither is cryptographically bound to the parties.
Policy Is a Promise. Architecture Is Physics.
Traditional approaches to constraining autonomous agents enforce limits by policy — rules written in a document, enforced by convention, checked by auditors after the fact. Someone says the agent can’t exceed $5,000. If it does, you find out later.
A mandate enforces constraints by architecture — structurally, at execution time. The spending ceiling, category restrictions, time bounds — they are not guidelines the agent should follow. They are boundaries the system cannot bypass.
The compliance verification stage evaluates every constraint before the order executes. If any constraint fails, the pipeline stops. Not because a policy says so — because the architecture won’t proceed.
Policy says “don’t exceed the limit.” Architecture says “the limit is a wall, not a sign.”
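The fallback table and the five mandate boundaries described above, combined into one fail-closed decision function; this is an added example, not code from the series' implementation. The field names, action strings and sample mandate are assumptions, and constraints are checked even when trust is HIGH because the compliance stage evaluates them before every order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Mandate:                 # hypothetical field names, one per boundary on the page
    spend_limit: float         # ceiling per order
    categories: frozenset
    merchants: frozenset
    not_before: datetime
    not_after: datetime
    max_orders: int            # rate limit: orders allowed per rate_window
    rate_window: timedelta

@dataclass(frozen=True)
class Order:
    amount: float
    category: str
    merchant: str
    at: datetime

def failed_constraints(m, o, prior_order_times):
    """Return the name of every boundary the order violates (empty = compliant)."""
    recent = [t for t in prior_order_times if timedelta(0) <= o.at - t < m.rate_window]
    checks = {
        "spending_limit": 0 < o.amount <= m.spend_limit,
        "category": o.category in m.categories,
        "merchant": o.merchant in m.merchants,
        "time_bounds": m.not_before <= o.at <= m.not_after,
        "rate_limit": len(recent) < m.max_orders,
    }
    return [name for name, ok in checks.items() if not ok]

def decide(channel, trust, mandate=None, order=None, prior_order_times=()):
    """Apply the session/mandate fallback table; unknown inputs fail closed."""
    if channel == "session":   # a human is present and acts as the fallback
        return {"HIGH": "allow", "UNCERTAIN": "challenge_user",
                "LOW": "step_up_auth", "DEGRADED": "deny"}.get(trust, "deny")
    if channel != "mandate" or mandate is None or order is None:
        return "block"         # no human and no mandate: nothing authorizes the act
    if trust == "DEGRADED":
        return "block_and_revoke"
    if trust not in ("HIGH", "UNCERTAIN"):
        return "block_and_record"   # LOW, or a trust value we do not recognise
    failed = failed_constraints(mandate, order, prior_order_times)
    return "allow" if not failed else "block:" + ",".join(failed)

# Constructed sample: an office-supplies mandate and a 3am reorder time.
T0 = datetime(2025, 1, 6, 3, 0, tzinfo=timezone.utc)
MANDATE = Mandate(5000.0, frozenset({"office-supplies"}), frozenset({"merchant-a.example"}),
                  T0 - timedelta(days=1), T0 + timedelta(days=29), 2, timedelta(days=7))
```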
The 6-Stage Pipeline
When an agent acts under mandate authority, every autonomous decision passes through six stages:
- Trigger Evaluation — did the condition actually fire?
- Mandate Validation — does a pre-authorized mandate exist? Is it still valid?
- Stock Analysis — inventory check, price comparison
- Compliance Verification — every constraint checked. All must pass.
- Execute — order placed under mandate, within scope
- Build Attestation — L1/L2/L3 cryptographic proof over the entire decision chain
Every stage produces evidence. Every decision is attested. The rejection is signed just like the approval — because proof of what didn’t happen is as important as proof of what did.
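An added sketch (not the series' implementation) of the stop-on-first-failure pipeline with a hash-chained evidence record, showing that a rejection is attested the same way as an approval. The chain layout and stage evidence are constructed, the L1/L2/L3 levels are not modelled, and HMAC-SHA256 stands in for the asymmetric signature a real attestation would need to be verifiable by third parties.

```python
import hashlib
import hmac
import json

STAGES = ["trigger_evaluation", "mandate_validation", "stock_analysis",
          "compliance_verification", "execute", "build_attestation"]

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def run_pipeline(stage_fns, key):
    """Run stages 1-5 in order, stop at the first failure, then attest the result."""
    chain, prev, outcome = [], "0" * 64, "executed"
    for name in STAGES[:-1]:
        ok, evidence = stage_fns[name]()
        record = {"stage": name, "ok": ok, "evidence": evidence, "prev": prev}
        chain.append(record)
        prev = _digest(record)          # each record commits to the one before it
        if not ok:
            outcome = "rejected_at:" + name
            break                       # later stages, including execute, never run
    # Stage 6: seal the chain head and the outcome (HMAC is a stand-in signature).
    seal = hmac.new(key, (prev + outcome).encode(), hashlib.sha256).hexdigest()
    return {"outcome": outcome, "chain": chain, "seal": seal}

def verify(att, key):
    """Recompute the chain and the seal; any edited record or outcome fails."""
    prev = "0" * 64
    for record in att["chain"]:
        if record["prev"] != prev:
            return False
        prev = _digest(record)
    expected = hmac.new(key, (prev + att["outcome"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att["seal"])

def sample_stages(order_total, limit=5000):
    """Constructed stage functions; each returns (passed, evidence)."""
    return {
        "trigger_evaluation": lambda: (True, {"stock_level": 3, "threshold": 10}),
        "mandate_validation": lambda: (True, {"mandate": "constructed-mandate-1"}),
        "stock_analysis": lambda: (True, {"unit_price": 12.5}),
        "compliance_verification": lambda: (order_total <= limit,
                                            {"total": order_total, "limit": limit}),
        "execute": lambda: (True, {"order": "constructed-order-1"}),
    }
```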
The 3am Question
It’s 3am. No human present. An agent detects that office supplies are running low. It needs to reorder.
Without a mandate, that agent is spending your money with no authorization, no constraints, no proof.
With a mandate — a pre-authorized, scope-bound, time-limited, dual-signed constitutional delegation — the agent can act autonomously within the boundaries you set. Every decision auditable. Every claim verifiable. Every authority chain cryptographically proven.
Without this, autonomous commerce is autonomous risk.
This is Part 3 of the “Zero Trust for Agentic AI” series. Previously: Effective Trust and Your Existing Posture. Next: Policy Is a Promise, Architecture Is Physics — enforcement by design.
The full model is grounded in a larger document corpus backed by a live implementation.