The gap you name, a key proves a request is authorized but not which agent acted, under whose authority, or whether the action was approved, is exactly what makes agent audit trails so thin today. What I'd add is time-bounding, a passport that encodes an expiry and an approved scope stops a long-running agent from quietly accumulating permissions across sessions. Does the model tie each action back to a specific human owner at sign-off, or to the agent identity alone?