Authority Graph Formalisation
The architectural blueprint for encoding authority as a designable, composable structure | A companion to Articles 8 & 9
The Architecting Autonomy series established that authority must be designed. This paper shows what the design looks like.
Articles 8 ‘The Unit of Authority’ and 9 ‘Authority Composition’ of the Architecting Autonomy series introduced authority as a first-class primitive and established how authority domains compose through constitutional contracts. Those articles made the structural argument: why authority must be explicit, scoped, enforceable, delegable, observable, and terminable. Why composition requires defined primitives and pre-agreed contracts. Why default denial at the seam is honest governance.
This companion paper translates those claims into architectural specification. The reader who finishes this paper will have the formal vocabulary, the reference patterns, and the concrete examples needed to encode an authority graph for a multi-agent system. Not code. Blueprint. Translatable to any technology stack. Practitioners who want the implementable specification directly can find it in the Authority Graph Specification repository.
The six properties from Article 8 become design constraints. Each must be satisfied by the formalisation:
Explicit: authority units are declared, not inferred
Scoped: scope is mechanically evaluable without human interpretation
Enforceable: the graph connects to an enforcement layer through a defined interface
Delegable: delegation is a first-class operation with attenuation and provenance
Observable: every exercise of authority produces a legibility record
Terminable: authority units have lifecycle with defined termination modes
Formal elements of the authority graph
The authority graph is built from three elements: nodes, edges, and subgraphs.
Nodes: authority units
Each node represents a unit of authority: a decision right with its six properties encoded. The minimum viable representation:
Identifier: unique within the graph
Scope definition: a tuple of dimensions: decision type (what decisions), domain (over what entities), conditions (under what circumstances), and limits (to what extent). The tuple must be precise enough to evaluate mechanically. A system must answer “is this action within scope?” without human interpretation at runtime.
Delegation rules: who granted this authority, under what contract, whether re-delegation is permitted, and if so under what further constraints
Termination conditions: expiry (time-bounded), revocation triggers (explicit withdrawal conditions), and context dependencies (conditions under which authority lapses)
Provenance: the chain of authority from the granting source, verifiable back to its origin
No component acquires authority by being capable of an action. The encoding makes declaration the only path to authority. Ambient authority, authority inferred from capability or proximity, is structurally impossible in a correctly formed graph.
Edges: authority relationships
Four relationship types connect authority units:
Delegation edges carry authority from grantor to grantee with explicit attenuation. The edge encodes: what is delegated (attenuated scope), under what constraints (delegation contract), and what the delegate may not do (restrictions). Attenuation is monotonic: delegated authority can only narrow, never widen. A delegation edge that widens scope is structurally invalid. Re-delegation, if permitted, further attenuates. The delegation chain preserves provenance: the receiving authority unit carries a verifiable trace back to the granting source.
In capability-based security, this is the principle that enables robust composition: authority is held as unforgeable references, delegation transfers a capability, attenuation creates a less-powerful version, confinement prevents leakage. The authority graph applies the same discipline at the decision-right level.
Composition edges connect two authority units that interact at a composition seam. The edge carries the composition contract: which primitive governs (conjunction, disjunction, delegation, or precedence), which invariants must survive, how conflicts are resolved, and what remains sovereign to each party. Composition edges are the formal encoding of Article 9’s composition contracts.
Precedence edges are directional edges encoding conflict resolution ordering for specific interaction classes. Precedence is not hierarchy. Domain A may have precedence over transaction limits while Domain B has precedence over data handling. The ordering is determined by which domain’s governance is most relevant to the specific conflict class, not by which domain is more powerful.
Scope overlap edges are implicit relationships surfaced by analysis of the graph. Two authority units whose scope definitions intersect produce a scope overlap. These edges are not designed; they are discovered. Overlap edges are the authority graph’s diagnostic output: they reveal where two authority units can both claim jurisdiction over the same decision, and where a composition contract or precedence rule is needed.
Authority units resemble roles (RBAC). Scope tuples resemble attribute-based policies (ABAC). Delegation edges resemble capabilities in capability-based security. The lineage is real. What the authority graph adds that none of these models provide: composition contracts governing what happens when two independently governed domains meet at a seam, constitutional hierarchy scaling governance beyond pairwise relationships, and the graph as a diagnostic instrument revealing overlap, gaps, and delegation depth as structural findings. No existing access control model addresses cross-domain composition as a first-class concern. No existing model operates across authority domains rather than within one. No existing model diagnoses. The authority graph does all three.
Subgraphs: authority domains
A domain is a connected subgraph with a shared constitutional basis: a set of authority units designed together under a common governance framework. Domains have boundaries. The composition contract governs what crosses them. Within a domain, delegation edges and scope definitions follow the domain’s own rules. Across domains, composition edges and the composition contract mediate.
