What Google DeepMind Gets Right About Agent Delegation — And What SatGate Already Built
Source: Dev.to
Overview
In February 2026, a team at Google DeepMind published Intelligent AI Delegation—a framework for how autonomous agents should safely decompose tasks, transfer authority, and maintain accountability across delegation chains. The paper concludes that agents need attenuated capability tokens—specifically macaroons—to delegate safely.
SatGate was built for the same reason: macaroons are the only credential primitive that works for machine‑to‑machine delegation. They attenuate, carry caveats, and are cryptographically verifiable without contacting a central server. When DeepMind independently arrives at the same architecture, it’s worth comparing the two.
Delegation Capability Tokens (DCTs)
DeepMind proposes Delegation Capability Tokens (DCTs) based on macaroons:
“A delegator would mint a DCT that wraps the target resource credentials with cryptographic caveats. The attenuation could be defined as ‘This token can access the designated Google Drive MCP server, BUT ONLY for folder Project_X AND ONLY for READ operations.’”
SatGate uses macaroons with two first‑party caveats—exactly the same pattern.
Mapping Paper Requirements to SatGate
| Paper Requirement | SatGate Implementation |
|---|---|
| Attenuated tokens with cryptographic caveats for scoped authority | Every token is a macaroon. Caveats enforce route restrictions, budget limits, time windows, and MCP tool scopes. Tokens are minted with satgate token mint and verified cryptographically—no database lookup required. |
| Sub‑agents receive strictly fewer permissions than their delegator | Delegation trees: a parent token can mint child tokens with additional caveats but can never grant more authority than it holds. Budget allocation flows downward (e.g., a $100 parent can create ten $10 children, each scoped to specific routes or tools). |
| Explicit boundaries on what resources a delegated agent can consume | Per‑agent budget ceilings enforced at the request layer. When a token hits its spend limit, the gateway returns HTTP 402, preventing the request from reaching upstream services. |
| Clear chain of responsibility with oversight mechanisms | Every request is logged with full token lineage—parent token, caveats, and spend. Revoking a parent instantly invalidates all children. |
| Human‑in‑the‑loop intervention when risk exceeds tolerance | Enforcement modes (Observe → Control → Charge) let operators graduate trust incrementally. Budget alerts trigger before limits are reached, and a single API call revokes an agent’s access across the entire delegation tree. |
Why Macaroons?
The paper cites Birgisson et al. (2014)—the original Google Research macaroons paper—because macaroons provide:
- Attenuation without coordination – a token holder can add restrictions without contacting the issuer.
- Offline verification – macaroons are HMAC chains; verification is purely cryptographic, with no database lookups or latency penalties.
- Composable constraints – caveats can be stacked (route, budget, time, MCP tool scope), each narrowing authority.
- First‑class delegation – minting a child token is simply appending a caveat; the delegation hierarchy is encoded in the token itself.
By contrast, JWTs, API keys, and static OAuth scopes cannot be reduced downstream by the holder.
Lessons Learned from Building SatGate
- Economics as an enforcement layer – The DeepMind framework focuses on authority and accountability but omits economic controls. In practice, uncontrolled spend is a more common failure mode than unauthorized access.
- Tool‑level cost attribution – While the paper mentions MCP, it doesn’t address per‑tool cost tracking. Agents may invoke multiple MCP tools in a session, requiring granular cost monitoring.
- Trust gradient vs. binary switch – SatGate’s three‑mode progression (Observe → Control → Charge) lets enterprises build confidence incrementally without a full redesign.
SatGate Implementation
SatGate is open source (Apache 2.0). The gateway runs as a sidecar or standalone proxy with sub‑millisecond overhead.
- GitHub:
If the DeepMind delegation framework matches the architecture you need, SatGate provides a ready‑to‑use implementation.
References
- Tomasev, N. et al. (2026). Intelligent AI Delegation. arXiv:2602.11865. Google DeepMind.
- Birgisson, A. et al. (2014). Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud. NDSS 2014.