The Gap Between Permission and Conduct
Permission is evaluated at a point in time. Conduct unfolds over time. In agentic systems, the risk lives in the distance between them.
Every framework for governing automated agents shares one quiet assumption: that if an action is permitted, the system is safe. Permission is treated as a proxy for safety. For a long time that proxy held, because the things we automated were narrow, predictable, and stateless. A request was either allowed or it wasn't, and the answer didn't change between the moment of approval and the moment of effect.
That assumption is now breaking, and it is breaking in a specific, structural way.
Modern agents do not act in a single step. They reason across many steps, carry context forward, delegate to other agents, and reinterpret their own task as they go. Each individual step can be entirely within bounds. The agent is, at every checkpoint, compliant. And yet the trajectory — the accumulated sequence of locally valid steps — can arrive at an outcome that no one would have authorized if asked directly.
This is the core observation of this note: permission is evaluated at a point in time; conduct unfolds over time. A control that checks whether an action is allowed is asking a question about a single moment. But the risk in agentic systems does not live in any single moment. It lives in the drift between them.
Why point-in-time permission misses it
Consider how authority actually moves through a chain of agents. An agent with a given scope hands a task to another agent. Authority does not simply transfer — it accumulates. A request that looked routine at the top of the chain can become a high-impact action by the bottom, not because any single handoff was malicious, but because each handoff was locally reasonable and no one was watching the whole.
The same dynamic appears inside a single agent reasoning over many steps. A harmless opening, a related follow-up, a hypothetical, a reframing — each step stays inside policy, and the system continues to believe it is inside policy, precisely as it crosses a boundary it would have refused had the boundary been visible at the start.
In both cases the failure is invisible to permission-based control, and for the same reason: the control is checking each step against a rule, and each step passes. The boundary that was crossed was never crossed in a single step. It was crossed across them. Nothing in a permission model is positioned to see that.
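A minimal sketch of that failure, added here as an illustration and not BotConduct's method or code from this note: a stateless per-step check approves every step of a constructed trace, while a check that accumulates conduct per task across a handoff sees the bound crossed. The limits, field names, and trace are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# All names, limits and the sample trace are constructed for illustration.
PER_CALL_LIMIT = 100      # hypothetical rule: one call may read at most 100 records
TRAJECTORY_LIMIT = 500    # hypothetical bound no one would approve for a whole task

@dataclass(frozen=True)
class Step:
    agent: str            # which agent in the chain acted
    task_id: str          # task the step belongs to (carried across handoffs)
    action: str
    records: int          # records touched by this single call

def permitted(step: Step) -> bool:
    """Point-in-time control: judges one step against a rule, with no memory."""
    return step.action == "read" and step.records <= PER_CALL_LIMIT

def first_drift(trace: list) -> Optional[int]:
    """Observation: accumulate conduct per task across steps and agents.
    Returns the index of the step at which a task's running total first
    exceeds TRAJECTORY_LIMIT, or None if it never does."""
    totals = {}
    for i, step in enumerate(trace):
        totals[step.task_id] = totals.get(step.task_id, 0) + step.records
        if totals[step.task_id] > TRAJECTORY_LIMIT:
            return i
    return None

def sample_trace() -> list:
    """Constructed trace: one task, handed from agent-a to agent-b midway."""
    agents = ["agent-a"] * 3 + ["agent-b"] * 4
    return [Step(a, "task-1", "read", 90) for a in agents]

if __name__ == "__main__":
    trace = sample_trace()
    print("every step permitted:", all(permitted(s) for s in trace))
    print("trajectory crosses bound at step:", first_drift(trace))
```

The per-step check never fails on this trace; the crossing is only visible to the function that keeps state keyed by task rather than by agent or by call.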
The structural point
This is not an argument against control. Controls are necessary, and the work being done to standardize them matters. It is an argument that control and observation answer two different questions, and that the second question is currently unanswered.
Control asks: is this action allowed? It is evaluated before the fact, against a rule, at a point in time. It requires the agent to participate — to expose its action to the check.
Observation asks: how is this agent actually behaving? It is evaluated over time, against the trajectory, and it does not require the agent's cooperation to function.
The second question is the one that catches drift, because drift is a property of conduct over time, not of permission at a moment. And it is the one that holds for the agents an organization does not control at all — the ones arriving at its surface from outside, which will never implement anyone's permission model.
An organization is both a sender and a receiver of agents. For the agents it operates, it can impose control — and should. But control assumes cooperation and evaluates a moment. The conduct of an agent, whether its own or one that arrives uninvited, is a different object, and seeing it requires a different posture: observation, not permission.
Approval is a statement about what an agent may do. It has never been a statement about what it does. The distance between those two is not a detail. In agentic systems, it is where the risk now lives.
BotConduct studies the behavior of automated agents at the receiving surface. This note describes the problem space; our method is not discussed here.