Authorization Is Not Enforcement: Execution Integrity in Agentic Systems

Recent work around MCP security (MCPS, ArkForge) is converging on strong guarantees around: Transmission integrity — messages are not modified in transit Identity verification — requesters are authenticated Auditability — actions are logged and attested These are necessary. But they don't close a critical gap in agentic systems: Ensuring that the request authorized is the request executed. A system can be correct in identity and transport, and still violate authorization. Most current agent security systems do NOT enforce this invariant. This post breaks down that gap as execution integrity — and why it becomes the primary enforcement failure mode in multi-agent and distributed systems. TL;DR Most systems ensure: Who sent the request (identity) ✅ That it wasn't modified in transit (transport) ✅ But they do NOT ensure: → the request executed is the one that was authorized That missing guarantee is execution integrity. Without it, authorization is advisory — not enforceable. Example An a