OAuth 2.0 tells you who the agent is and what resources it can access. IPP proves every action in the chain stayed within what the human authorized — mathematically, without a central server, across organizational boundaries. You need both.
OAuth 2.0 does its job well — authenticating agents and governing resource access. But it answers a different question than the one autonomous agents require. IPP is the layer that answers the second question: did every action in the chain stay within what the human authorized?
OAuth scopes tell you what resources an agent may touch. They carry no information about why access was authorized, what quantitative bounds apply, or what actions are explicitly prohibited. When an agent spawns sub-agents, there is no mechanism to ensure the chain stays within the human's original intent.
When a CFO says "optimize cash positions, max $10M per transaction, no equity purchases" — that intent contains a goal, a quantitative bound, and an explicit prohibition. OAuth scopes cannot express it. When agents delegate to sub-agents, scope can silently expand at every step with no cryptographic check.
OAuth-based delegation validation requires all parties to share an authorization server. When agents operate across organizational boundaries — vendors, partners, cloud providers — requiring shared infrastructure is often contractually impossible and always a single point of failure.
OAuth logs tell you what an agent was permitted to do. They cannot tell you whether the action honored the human's original intent, what the constraints were, or who bears legal accountability at each step. Regulators are starting to ask for exactly this. OAuth cannot answer it. IPP can.
IPP introduces four foundational properties enforced through Ed25519 digital signatures, Decentralized Identifiers, and the Narrowing Invariant — a novel enforcement mechanism that makes scope expansion cryptographically detectable.
Every action taken by every agent is traceable through an unbroken chain of cryptographic signatures to a human Principal — a person with a name, a legal jurisdiction, and accountability. Not a service account. A person.
Every Intent Token carries explicit, machine-readable constraints on authorized scope. Those constraints travel through every delegation level and cannot be expanded by any intermediate agent. The Narrowing Invariant enforces this cryptographically.
Every token is cryptographically signed. The record is verifiable by any third party — auditors, regulators, counterparties — without requiring communication with the original issuer. Legally defensible by design.
Compliant implementations work regardless of AI framework, cloud environment, or programming language. Any conformant implementation can verify any conformant token. Framework-agnostic. Cloud-agnostic. Open standard.
The IPP Python SDK adds cryptographic governance to any existing LangChain, AutoGen, or CrewAI agent without modifying its logic. Drop it in. Every action is now governed, audited, and provably authorized.
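To make the Narrowing Invariant concrete, here is an added illustration in Python (not code from the IPP SDK or the protocol specification): a human Principal signs a root Intent Token with Ed25519, each delegation is a new token signed by the party the previous one empowered, and a verifier walking the chain with public keys alone rejects any link that raises a bound, widens the allowed set, or drops a prohibition. It assumes the `cryptography` package is installed; the token field names, the hex public key standing in for a DID, and the CFO scenario are constructed for this example.

```python
# Added illustration (not the IPP SDK); assumes the `cryptography` package and made-up field names.
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

def raw_pub(key: Ed25519PrivateKey) -> str:  # hex of the raw public key; stands in for a DID
    return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw).hex()

def canonical(tok: dict) -> bytes:  # bytes covered by the signature: all fields except "sig"
    return json.dumps({k: v for k, v in tok.items() if k != "sig"}, sort_keys=True).encode()

def issue(signer, delegate: str, goal: str, max_amount: int, allowed: set, prohibited: set) -> dict:
    # Mint a token empowering `delegate`: a goal, a quantitative bound, an allow set, a prohibition set.
    tok = {"issuer": raw_pub(signer), "delegate": delegate, "goal": goal, "max_amount": max_amount,
           "allowed": sorted(allowed), "prohibited": sorted(prohibited)}
    tok["sig"] = signer.sign(canonical(tok)).hex()
    return tok

def narrows(child: dict, parent: dict) -> bool:
    # Narrowing Invariant: bound only shrinks, allow set only shrinks, prohibition set only grows.
    return (child["max_amount"] <= parent["max_amount"]
            and set(child["allowed"]) <= set(parent["allowed"])
            and set(child["prohibited"]) >= set(parent["prohibited"]))

def verify_chain(chain: list, principal: str) -> bool:
    # Walk root->leaf with public keys only, so any third party can verify without contacting the issuer.
    expected_signer, parent = principal, None
    for tok in chain:
        if tok["issuer"] != expected_signer:
            return False  # signed by a party the parent token never empowered
        try:
            Ed25519PublicKey.from_public_bytes(bytes.fromhex(tok["issuer"])).verify(
                bytes.fromhex(tok["sig"]), canonical(tok))
        except InvalidSignature:
            return False  # token altered after signing
        if parent is not None and not narrows(tok, parent):
            return False  # scope expanded somewhere in the chain
        expected_signer, parent = tok["delegate"], tok
    return True

def demo() -> tuple:
    # Constructed scenario: CFO -> treasury agent -> sub-agent, then a sub-agent token that widens scope.
    cfo, agent, sub = (Ed25519PrivateKey.generate() for _ in range(3))
    root = issue(cfo, raw_pub(agent), "optimize cash positions", 10_000_000,
                 {"cash:transfer", "cash:sweep"}, {"equity:buy"})
    good = issue(agent, raw_pub(sub), "sweep idle balances", 2_000_000, {"cash:sweep"}, {"equity:buy", "fx:trade"})
    bad = issue(agent, raw_pub(sub), "sweep idle balances", 50_000_000, {"cash:sweep"}, set())
    return verify_chain([root, good], raw_pub(cfo)), verify_chain([root, bad], raw_pub(cfo))
```

`demo()` returns `(True, False)`: the properly narrowed chain verifies, while the chain whose second link raises the bound to $50M and drops the equity prohibition is rejected even though every signature in it is valid.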
| Requirement | OAuth / SAML | Intent Provenance Protocol |
|---|---|---|
| Human authentication | ✓ Strong | — Complementary layer |
| Bounded intent — machine-enforceable | ✕ Not supported | ✓ Core primitive |
| Delegation chain — cryptographic | ✕ Not supported | ✓ Narrowing Invariant |
| Scope narrows — cannot expand | ✕ Not enforced | ✓ Protocol-enforced |
| Action provenance — append-only audit | ✕ Not supported | ✓ Provenance chain |
| Legal attribution — defensible | ✕ Not supported | ✓ Non-repudiation by design |
| Cross-org trust — no central authority | ✕ Requires federation | ✓ Decentralized verification |
| Revocation — mid-chain propagation | ✕ Token-level only | ✓ Full ancestry revocation |
| Authorship — permanent cryptographic record | ✕ Not supported | ✓ Genesis Seal |
IPP is not an identity platform. It is the intent provenance standard that identity platforms implement.
Identity and access platforms govern who an agent is and what it can access. IPP governs why it acted, under whose bounded human intent, and provides the cryptographic proof that the action stayed within those bounds. These are complementary layers — IPP sits beneath identity platforms and above the cryptographic infrastructure they depend on.
17 years in cybersecurity, and I have spent my career watching enterprises struggle to answer basic accountability questions about their systems.
When AI agents arrived, the same gap appeared — but at a scale and speed that existing protocols cannot address. So I built the infrastructure layer to fix it.
How IPP prevents scope creep in agent delegation chains — cryptographically, without a central authority.
August 2026 enforcement means organizations must prove AI actions were authorized at time of execution.
Every enterprise deploying AI agents today is accumulating compliance exposure they cannot yet address. The window to build the infrastructure is closing.