If you've implemented OAuth scopes, you've already touched the edge of a 600-year-old governance system. In January 2025, South, Marro, Hardjono, Mahari, and Pentland published arXiv:2501.09674 β a three-token architecture for AI agent authorization extending OAuth 2.0 and OpenID Connect: User ID-token β standard OIDC identity. Who owns the agent. Agent-ID token β the agent's capabilities, limitations, and unique identifier. Delegation token β cryptographically signed, scoped, revocable. The authorization itself. They didn't reference privateering. But the architecture they built is the same one Western maritime law spent 300 years refining.β¦
