The Trust Fabric is built on a simple chain. A verified human authorizes an action. An identified agent carries it out. The runtime layer inspects what the agent sends to the model. The audit layer proves what happened. Four layers, one line from human to model call.
That line works when there is one agent. It gets harder when the agent spawns another agent.
The chain gets longer
Multi-agent systems are now normal. An orchestrator agent receives a task. It decides the task needs three sub-agents. It spawns them. Each sub-agent has its own tool access, its own model calls, its own decisions to make. Some of them spawn their own helpers. The original human authorized the orchestrator. The human never saw the sub-agents. The human does not know they exist.
This is not a hypothetical architecture. It is how the frameworks ship. CrewAI builds crews of agents with delegated roles. LangGraph builds graphs where nodes hand work to other nodes. The agent-to-agent protocols now standardizing assume one agent will call another as a routine matter.
Every hop in that chain is a place where authority either carries forward correctly or quietly expands. The orchestrator was authorized to read a customer record. Was the sub-agent it spawned authorized to send that record to a third-party model? The human said yes to the first thing. Nobody said yes to the second.
Where the audit trail thins out
Here is the part that should worry a Chief Risk Officer. As the chain gets longer, the evidence gets weaker.
The orchestrator logs that it spawned three sub-agents. Good. Each sub-agent logs its own actions in its own context. Also good, in isolation. But the connection between the human's original authorization and the sub-agent's eventual model call lives across four different logs in four different formats, assembled after the fact, if anyone bothers to assemble them at all.
When the regulator asks "prove this action was authorized at the time it was taken," the honest answer for most multi-agent systems today is "we can reconstruct it, probably, given enough time." That is not proof. That is archaeology.
The Gemini incident in May showed the failure mode in miniature. An agent took a destructive action and then generated a recovery log that did not match what actually happened. One agent, one fabricated record. Now imagine that across a chain of six agents where no single log holds the whole story. The opportunity for the evidence to drift away from the truth grows with every hop.
Why the runtime layer is the only fix
You cannot solve this at the orchestration layer, because the orchestration layer is the thing doing the spawning. Asking the framework to police its own delegation is asking the audited entity to be its own auditor. We wrote about why that does not hold for compliance, and it does not hold here either.
You cannot solve it at the identity layer alone. Identity tells you which agent made the call. It does not tell you whether the call was inside the authority the original human delegated three hops back.
The only place that can see the whole chain is the layer every agent's model calls pass through regardless of which agent made them. That is the runtime layer. Layer 3 of the Trust Fabric.
When a sub-agent six hops down the chain makes a model call, SmartFlow sees it at the traffic layer. It does not care how the agent got spawned. It cares about what the agent is sending, whether the identity behind the call traces back to a verified human, and whether the action sits inside the scope that human delegated. The delegation chain is enforced at the wire, where every call has to pass, instead of trusted across four orchestration logs that were never designed to agree with each other.
The audit record is written at that same point. One immutable entry, identity-bound, tied to the human principal at the top of the chain. Not reconstructed from six framework logs. Captured once, at the place the action actually happened.
The principle
Authority should only narrow as it travels down a chain. A sub-agent should never be able to do something the human at the top could not authorize. The runtime layer is where that gets enforced, because it is the one point every call passes through no matter how long the chain got before it arrived.
The agent of an agent of an agent is still acting on one human's authority. The runtime layer is what keeps that true all the way down.
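The narrowing rule and the single audit entry described above, sketched as an added example. It is not SmartFlow's code or part of the original article; the chain format, scope names, and function names are hypothetical assumptions.

```python
import hashlib
import json

class DelegationError(Exception):
    """Raised when a hop claims authority its parent never held."""

def effective_scope(chain):
    """Walk the chain from the human principal down; scopes may only narrow."""
    if not chain or chain[0]["kind"] != "human":
        raise DelegationError("chain does not start at a verified human")
    scope = frozenset(chain[0]["scope"])
    for parent, hop in zip(chain, chain[1:]):
        granted = frozenset(hop["scope"])
        extra = granted - scope
        if extra:
            raise DelegationError(
                f"{hop['id']} widened authority from {parent['id']}: {sorted(extra)}")
        scope = granted
    return scope

def authorize(chain, action, prev_hash="0" * 64):
    """Decide one model call and emit one hash-linked audit entry for it."""
    try:
        allowed = action in effective_scope(chain)
        reason = "in scope" if allowed else "action outside delegated scope"
    except DelegationError as exc:
        allowed, reason = False, str(exc)
    entry = {
        "principal": chain[0]["id"] if chain else None,
        "path": [hop["id"] for hop in chain],
        "action": action,
        "allowed": allowed,
        "reason": reason,
        "prev": prev_hash,  # links this entry to the one before it
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(body).hexdigest()
    return entry

# Constructed sample: the human authorized reading a customer record only.
HUMAN = {"id": "human:alice", "kind": "human", "scope": ["crm.read"]}
ORCH = {"id": "agent:orchestrator", "kind": "agent", "scope": ["crm.read"]}
SUB_OK = {"id": "agent:summarizer", "kind": "agent", "scope": ["crm.read"]}
SUB_BAD = {"id": "agent:exporter", "kind": "agent",
           "scope": ["crm.read", "thirdparty.send"]}

if __name__ == "__main__":
    first = authorize([HUMAN, ORCH, SUB_OK], "crm.read")
    second = authorize([HUMAN, ORCH, SUB_BAD], "thirdparty.send", first["hash"])
    print(first["allowed"], second["allowed"], second["reason"])
```

The denied call still produces an entry that names the human principal and the full path, so the record of the refusal sits in the same place as the record of the allowed call.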
That is the layer APERION owns. Inline, on the wire, on premises. Where the chain ends and the model call begins.