Authority That Cannot Be Revoked Was Never Delegated

Delegation is one of those words that gets used loosely until it has to do real work, and the looseness produces failures the architecture is not prepared for. The failure worth naming is the case where a delegation can be issued but cannot be withdrawn, where the artefact exists but the delegator has, in practice, no way to take the authority back when the world changes. Many architectures I have looked at treat this as an edge case. It is not an edge case. It is the structural condition that distinguishes a delegation from a standing permission.

What I want to make explicit is what is being claimed when a system carries a delegation artefact and presents it at the moment of action. The claim is not “someone authorised this action a week ago.” The claim is “this action is authorised, under this principal, within this scope, right now.” If the system cannot disprove the present-tense claim, if there is no live revocation surface the delegator can call, then the present tense in the claim is fictional. The delegation reduces to a historical record of past approval, honoured indefinitely because there is nothing to honour it against.

That distinction matters most in the ordinary cases, not the exotic ones. A task finishes early. A contractor leaves. A workflow is paused during an incident. A dataset is reclassified. A principal decides that a system should no longer act on their behalf until a review is complete. In each case the original grant may have been reasonable. What matters is whether the authority can stop being reasonable before its nominal expiry.

A Live Claim, Not A Historical Fact

A delegation is more than a historical record that someone said yes at some earlier moment. It is a live claim about the present (this action is authorised, under this principal, within this scope, right now), and it depends on three properties to remain a delegation in the operational sense. Scope tells the system what the delegate may do; time bounds stop authority from lingering forever; revocation lets the delegator respond, before the time bound runs out, when something changes. Things change in ways the delegator needs to be able to respond to: the task ends earlier than expected, the agent is reassigned, a compromise is suspected, a policy moves, an incident begins.

Without revocation, a delegation stops tracking current intent. It becomes a delayed-expiry credential or, more accurately, permanent authority with better paperwork. The artefact may still be called a delegation, but from a governance perspective it no longer behaves like one. The delegator can issue it but cannot take it back. Authority moves outward and never returns.

Revocation Has To Be Checked At The Boundary

Revocation only works if the system actually checks for it at the moment the action is about to execute. A revocation table is not a control unless the enforcement path consults it at the moment of execution. A revocation record sitting somewhere in a control plane is not enough; a cached not-revoked result from ten minutes ago is not enough either. The only question that matters is the present-tense one: is this action still authorised now?

If the system cannot answer that with information fresh enough to trust, then it does not know whether the authority still exists, and under governance that uncertainty resolves to DENY. Otherwise revocation becomes advisory, and the path around it is obvious: race the check, bypass the check, or break the check. Revocation that fails open is not really revocation. It is a notification system attached to an allow path.

The harder case is latency. Revocation checks touch live state, and live state can be slow, partitioned or temporarily unavailable. That does not mean the authority decision should become a live-state oracle. It means the resolution phase has to produce a bounded revocation assertion before evaluation: this delegation was checked against this revocation source, at this time, within this freshness bound. Authority then evaluates the action using that resolved fact. If the assertion is missing or stale, the action is denied. The purity of the decision is preserved because the mutable check happened before evaluation, and the evidence records exactly what was checked.

Irrevocable Delegation Becomes Standing Permission

There is a reasonable objection to the title of this post, which is that an irrevocable grant is still, technically, a delegation in the sense that one party transferred authority to another. Granted. The position I am taking is narrower than that. Governance cares specifically about whether the delegator retains ongoing control over the authority they granted, and if the answer is no, what the system has is standing permission, issued at some earlier moment and honoured until an expiry that may or may not exist.

Over time, standing permissions accumulate. An agent’s effective authority becomes the residue of past approvals rather than what is intended right now. Task changes, incidents and loss of trust take effect too slowly, because the system continues to honour authority that belongs to the past. Authority that cannot be revoked was never delegated in the operational sense that matters to governance. It was handed over and left behind.