When an agent crosses organizational boundaries, who governs it?

An agent that acts across two companies or two departments answers to two sets of rules and two owners. Without a federated model, the gaps between them are where the failures and the breaches live.

B

Balagei G Nagarajan

4 MIN READ


An agent acting across two organizational domains, with a federated governance agreement spanning the boundary between them

Key facts.

  • AgentDojo measured a frontier agent at about a 48% targeted attack success rate under prompt injection, the kind of compromise that propagates across an unsecured cross-org path. source
  • The Cloud Security Alliance publishes agentic identity and access guidance, including verifiable credentials and zero-trust patterns built for agents acting across trust boundaries. source
  • Greshake's indirect prompt injection shows an agent obeys instructions hidden in data it reads, so crossing into a partner's data is exactly where an unowned seam turns into a breach. source

Why does a single-owner governance model break at the boundary?

Because each owner governs only their side and the agent's action spans both. Company A grants the agent permissions in A's systems and logs what it does there; company B does the same in B's systems. Neither owns the full path the agent takes across the two, so when the agent does something wrong in the handoff between them, there is no single party who saw the whole sequence, who is accountable for it or who can reconstruct it end to end. The gap between two governance models is not governed by either and a cross-boundary agent lives precisely in that gap. The same is true across departments inside one company when each has its own controls and no one owns the seam between them.

A stronger model does not close the seam. AgentDojo is why: under injected instructions, a frontier agent is compromised about half the time, so an agent crossing into a partner's data carries a real chance of acting on something hostile it read there and without a shared identity, a shared audit trail and an agreed accountability model, the compromise spreads across a path that neither side fully governs. The fix is federated governance: the parties agree in advance on how the agent authenticates across the boundary, what it is permitted to do on each side, where the audit trail lives so both can read it and who is accountable when it fails. The CSA's agentic identity work exists because this cross-boundary problem is real, and Greshake's indirect-injection result is exactly why crossing into a partner's data without a shared audit trail is so dangerous: the agent can be turned by something it read on the other side of the seam.

A Venn diagram of two organizations' governance with the agent operating in the overlap, and a federated agreement covering the intersection

What does a federated governance model specify?

Four things, agreed by every party. Identity: how the agent authenticates across the boundary, so each side knows it is the agent and what it is allowed to be. Permissions: what the agent may do on each side, enforced by each side, with deny-by-default across the seam. Audit: a trail both parties can read, so the full cross-boundary path is reconstructible by either. Accountability: a named owner for the agent's behavior across the boundary, so a failure in the seam is owned, not orphaned. Without all four, the boundary is a gap and the gap is where the incident happens.

DimensionSingle-owner gapFederated model
IdentityEach side trusts its ownAgreed cross-boundary authentication
PermissionsOnly governed per sideDeny-by-default across the seam
Audit and accountabilityNo one owns the full pathShared trail, named cross-boundary owner

A cross-boundary agent needs federated identity and audit agreed in advance, the minimal case; a stronger model does not help (AgentDojo: roughly 48% hijack). (arXiv:2406.13352)

The Pattern Intelligence Layer is where a federated model is enforced, so an agent crossing organizational boundaries authenticates, stays within permission and is audited end to end at the pattern level rather than falling into the gap between two owners. Identity, permissions and audit are tracked across the seam, which is exactly where single-owner governance leaves a hole. Reliability at the pattern level is what lets an agent cross a boundary without leaving the boundary ungoverned.

Frequently asked questions

Can't each organization just govern its own side?
That governs the two halves but not the seam between them, where the cross-boundary action lives. A wrong handoff is owned by neither side without a federated model.

Why is identity the hard part?
Because each side has to trust the agent is what it claims across the boundary. Agentic identity work, like CSA's verifiable-credential patterns, exists to solve exactly this.

What goes wrong without federation?
An injection or error in the handoff propagates across a path neither party fully sees, so the incident is hard to trace, hard to contain and owned by no one.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.