This paper analyzes execution-time authorization for autonomous agent systems that perform effectful tool operations under dynamically generated intent. We formalize a governor architecture that introduces Canonical Action Representation (CAR), a mandatory Action Authorization Boundary (AAB), and replay-oriented Decision Provenance Records (DPRs). The work defines trust boundaries, minimal trusted components, and security invariants that ensure non-bypassability, deterministic decision semantics, and tamper-evident authorization logs. We evaluate common attack classes including authorization bypass, policy downgrade, audit tampering, permit replay and forgery, approval spoofing, state confusion, and time-of-check/time-of-use (TOCTOU) conditions. A deterministic replay methodology is provided for incident reconstruction and counterfactual policy evaluation. The paper clarifies what execution-time authorization guarantees, what evidence it produces, and which threat classes remain out of scope.
Fatmi Amjad
New Jersey City University
Fatmi Amjad (Sat,) studied this question.
www.synapsesocial.com/papers/6980ff19c1c9540dea811cf4 — DOI: https://doi.org/10.5281/zenodo.18438825