The Elicitation Gap — Luminity Digital
The Architecture of Capability  ·  Series 18  ·  Post 3 of 4  ·  June 2026
Agentic AI Governance

The Agent Identity Gap

The actor exercising the assembled capability is a machine principal your identity systems were never designed to govern.

June 2026  ·  Tom M. Gomez  ·  Luminity Digital  ·  7 min read
Series 18 continues here — Post 3 of 4. Dispatch 02, The Elicitation Gap, showed that the capability a benchmark never surfaced is drawn out at runtime by an actor. This dispatch reads that actor — the principal exercising the capability — and the gap between what it is and what the enterprise built to govern it. See also the Series 17 companion, The Certification Boundary.

The Elicitation Gap closed on a turn from the capability to the thing that exercises it. The capability a benchmark never surfaced is drawn out at runtime by an actor — a system calling tools, retrieving data, and invoking other agents under authority the enterprise granted it. This dispatch reads that actor, and the gap between what it is and what the enterprise built to govern it.

The actor is a principal. In the language of identity, a principal is anything that acts — a user, a service, a process holding a credential and doing things with it. Enterprise identity has governed principals for decades, and does it well: it authenticates them, authorizes them, and records what they did. The agent identity gap is the distance between that discipline and the principal the agent actually is — one that acts on its own initiative, under authority that propagates through chains the identity system can authenticate but was never built to bound.


The agent identity gap is Luminity vocabulary for that distance, and it is the most operational reading in this series. It extends the transfer failure to the actor: the capability is assembled by the enterprise, and the actor that exercises it is a machine principal the lab never evaluated and the enterprise’s identity stack was not designed to govern. The reading is grounded in the corpus this series reads, where a cluster of recent work converges on the same gap from identity, authorization, and governed-execution directions at once.

A principal the identity system did not anticipate

Enterprise identity grew up around two kinds of principal: the human user, and the service account a human configures and owns. Both are relatively stable, both trace to a human decision, and both sit still long enough to be reviewed. The controls that govern them — role assignments, access reviews, standing permissions — assume a principal whose authority is set in advance and changes slowly.

The agent is a third kind of principal, and the assumptions do not hold. It acts on its own initiative within a task, decides which tools to call and which data to reach, and hands work to other agents that act in turn. Its authority is not a standing assignment a reviewer set last quarter; it is exercised, composed, and passed on at runtime. The corpus marks the scale of the shift plainly: a machine-identity governance taxonomy records that AI agents, service accounts, and automated workflows “now outnumber human identities in enterprise environments by ratios exceeding 80 to 1, yet no integrated framework exists to govern them.” The principals that exercise the most capability are the ones the governance was built least for.

The gap is not that agents lack identity. They can be authenticated as readily as any service. The gap is that authentication answers who the principal is, and the question an agent raises is what its authority does once it starts acting — and that is a question the identity discipline, built for principals whose authority sits still, was not shaped to answer.

Authority propagates faster than identity governs

The hard problem is not naming the agent. It is that authority moves. An agent inherits permissions from the principal that invoked it, delegates a subset to a sub-agent, acts under authority that is meant to expire, and aggregates access across boundaries that were drawn to keep things apart. Each hop is legitimate on its own; the exposure is in the chain.

The corpus gives the problem its name. Work on authorization propagation reads it as a workflow-level property that the standard access models — role-based, attribute-based, relationship-based — do not capture: transitive delegation, where authority passes down a chain no single check sees end to end; aggregation, where an agent assembles from permitted pieces an access no one granted as a whole; and temporal validity, where authority outlives the moment it was meant for. The same work reports that these failures do not require an adversary — ordinary system behavior already produces them. That is the structural core of the gap. The governable unit is no longer a principal’s standing permissions. It is the propagation of authority through a runtime chain, and the identity system that governs the first does not, by itself, govern the second.

The pieces of a control plane, not yet assembled

Read across the corpus, the field is converging on the same answer — and has not yet composed it. The shape it is converging toward is identity governance treated as infrastructure: authority that derives, attenuates, expires, and is verified at the moment of action rather than asserted once and trusted thereafter.

The primitives are arriving. A cryptographic delegation-provenance scheme binds a terminal action to the human authorization that originated it and to each signed hop in the chain, verifiable without a central registry. A compositional authorization framework treats delegation as a contractual term rather than a static token, with scope attenuation as an executable primitive that bounds what each hop can pass on. A machine-identity governance taxonomy maps the risk surface and the controls that answer it across enterprise and jurisdictional boundaries. Each is real, and each converges on the same idea from a different starting point.

What the corpus has not produced is the assembly. The primitives arrive as separate drafts — internet-drafts, extensions to existing authorization standards, individual frameworks — each governing one facet of a propagating authority that crosses all of them at runtime. This is the same pattern Series 17 read at the field scale: independent work converging on a shared shape without anyone drawing the whole. The convergence names the property an agent control plane must have. It does not yet hand the enterprise the control plane. And until it does, the authority that propagates through the chain is governed in pieces, by drafts that do not yet know about each other.

Governing the actor is governing execution

The property the enterprise needs from agent identity is not documentary. It is not a record that a role was assigned or a policy written. It is behavioral: that the boundary holds when an agent under pressure attempts to exceed its scope, and that authority is checked at the moment an action is attempted rather than assumed from a grant made earlier.

The corpus reads agent governance, at its most developed, as governed execution. A typed-planning system compiles policy guardrails into the execution path, so that a proposed action that would cross a boundary is blocked before it takes effect rather than flagged after. A reading of agentic architecture treats reliability as a structural property — least-privilege tool calls, runtime governance, and simulate-before-actuate checks built into how the system is composed, not added over it. And a governance framework for high-autonomy settings replaces a binary notion of control with a continuous one, treating the quality of control as something measured and maintained across the operating life rather than asserted at the start. These are the same axes Series 17 arrived at — from documentary toward behavioral, from point-in-time toward continuous, from a control requested of a probabilistic actor toward a bound enforced by construction — read here at the layer of the principal.

That is why the agent identity gap closes, when it closes, in the architecture. Authority that propagates at runtime is bounded at runtime, by an identity that cannot be exceeded because the architecture does not grant the reach, verified at the moment of action because that is the only moment the propagation is visible. The actor exercising the assembled capability is governed where it acts — which is the same place the capability was assembled, and the same architecture the prior dispatches have been pointing at.
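To make the three propagation failures named above (transitive delegation, aggregation, temporal validity) and the verify-at-the-moment-of-action property concrete, here is an added illustration; it is not code from this post or from any of the corpus schemes it describes. Each hop is signed and bound to its parent, scope and expiry may only narrow down the chain, and the decision is made only when an action is attempted. The per-issuer HMAC keys, the principal names, the permission strings and the separation rule are all constructed assumptions.

```python
import hashlib, hmac, json
# Constructed per-issuer signing keys (assumption: symmetric HMAC keys, for brevity).
KEYS = {"alice": b"key-alice", "orchestrator": b"key-orch", "worker": b"key-worker"}
# Constructed separation rule: an agent may never hold these permissions together.
FORBIDDEN_TOGETHER = [{"read:payroll", "send:external-email"}]

def _sign(issuer, body, prev_sig):
    msg = json.dumps(body, sort_keys=True).encode() + prev_sig.encode()
    return hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()

def hop(issuer, subject, scope, exp, prev=None):
    """Issuer delegates `scope` to `subject`; the signature binds the hop to its parent."""
    body = {"issuer": issuer, "subject": subject, "scope": sorted(scope), "exp": exp}
    return {**body, "sig": _sign(issuer, body, prev["sig"] if prev else "")}

def verify_chain(chain, now):
    """Walk the chain from its root; return (terminal_scope, None) or (None, reason)."""
    prev = None
    for h in chain:
        body = {k: h[k] for k in ("issuer", "subject", "scope", "exp")}
        if not hmac.compare_digest(_sign(h["issuer"], body, prev["sig"] if prev else ""), h["sig"]):
            return None, "bad signature at " + h["subject"]
        if prev is not None:
            if h["issuer"] != prev["subject"]:
                return None, "broken provenance at " + h["subject"]  # hop not issued by prior holder
            if not set(h["scope"]) <= set(prev["scope"]) or h["exp"] > prev["exp"]:
                return None, "transitive escalation at " + h["subject"]  # hop widened its parent
        if now > h["exp"]:
            return None, "expired at " + h["subject"]  # authority outlived its moment
        prev = h
    return (set(prev["scope"]), None) if prev else (None, "empty chain")

def authorize(agent, chains, action, now):
    """Decide at the moment of action, across every chain the agent currently holds."""
    held = set()
    for c in chains:
        scope, err = verify_chain(c, now)
        if err or c[-1]["subject"] != agent:
            return False, err or "chain not issued to " + agent
        held |= scope
    for combo in FORBIDDEN_TOGETHER:
        if combo <= held:  # each piece was granted; the combination never was
            return False, "aggregation: " + " + ".join(sorted(combo))
    return (action in held, "ok" if action in held else "not in scope: " + action)

# Constructed demo chains: human root -> orchestrator -> worker.
ROOT = hop("alice", "orchestrator", {"read:payroll", "read:hr", "send:external-email"}, 200)
NARROW = hop("orchestrator", "worker", {"read:payroll"}, 150, prev=ROOT)
WIDE = hop("orchestrator", "worker", {"read:payroll", "delete:hr"}, 150, prev=ROOT)
MAIL = hop("orchestrator", "worker", {"send:external-email"}, 150, prev=ROOT)
```

Each rejection names the hop where the chain failed, which is the detail an access review of standing permissions would never have surfaced.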

What identity is for

None of this is a charge against enterprise identity. It is the floor, and a sound one: it authenticates the principals inside the boundary, governs the human users and service accounts it was built for, and gives the enterprise a place to stand while the rest is assembled. Most organizations run agents today on exactly that floor, with the agents wearing service-account credentials built for a different kind of principal. The floor holds the weight it was designed for.

What it does not yet do is govern a principal whose authority is exercised, delegated, and aggregated at runtime — and reading the gap accurately is how an enterprise tells which of its agent controls are load-bearing for the question it actually has. The corpus marks where the missing governance is being assembled, primitive by primitive. The enterprise holds the residual until the assembly arrives.

Identity governs the actor — the principal inside the boundary, acting under authority the enterprise can, in principle, bound. But the capability that actor exercises often rides on weights the enterprise did not create, drawn from a release it cannot inspect, decayed across derivatives between the lab and the deployment. Identity reaches the actor. What governs the model it inherited?

The Hard Claim

The governable unit is no longer a principal’s standing permissions — it is the propagation of authority through a runtime chain.

The Agents Exercising the Most Capability Are the Principals Your Identity System Was Built Least For.

If you are reading the agent as a principal and asking where its authority propagates beyond what your identity systems govern, the calendar is open.

References & Sources
Series 17 — The Assurance Imperative

Evidence base: Series 18 rapid scoping review, corpus v1.1 — 46 papers, window July 2025–June 2026 (see series appendix).
