This paper defines the authorization boundary for agentic AI systems operating in regulated environments. As AI agents transition from generating text to producing side effects (writing to databases, submitting regulatory filings, executing transactions), the governance question shifts from "did the agent connect correctly?" to "was the agent's output authorized under governing policy, and can we prove it?" The paper introduces a distinction between access authorization (identity and scope verification, addressed by OAuth 2.1 and MCP authentication) and action authorization (evidence that a specific output complies with the specific policy version governing it at the time of the event). It argues that the emerging MCP gateway ecosystem, while solving necessary problems of interoperability, traffic management, and operational control, does not produce the independently verifiable authorization artifacts that regulated industries require. The paper presents minimum requirements for evidence-grade governance: deterministic evaluation under a defined governed state, version-binding with temporal validity, pre-execution evidence generation gated by release-credential issuance, and state freshness with release binding (the governed state must remain valid at release, and the action released must be canonically equivalent to the action authorized). It presents a minimum anti-laundering screen for distinguishing genuine deterministic governance from trust-based imitation, drawn from the Expanded Anti-Laundering Protocol (EALP), and references the Five Tests Standard (5TS), a published, vendor-neutral conformance specification for verifiable AI systems that supersedes the earlier Four Tests Standard (4TS). Its five normative tests are Stop, Ownership, Replay, Escalation, and Provenance. Version 2.0 (July 2026) aligns the paper with 5TS and the authorization-artifact vocabulary of the FERZ corpus, adds state freshness and release binding, clarifies the compatibility conditions for asynchronous artifact generation, and adds a companion-paper reference to Execution-Time Authorization for AI Agents (v2.1), which develops the formal architecture of the boundary. It supersedes Version 1.7 (February 2026). Intended audience: infrastructure architects, compliance officers, and policy makers evaluating governance requirements for enterprise agentic AI deployments. Keywords: AI governance, agentic AI, Model Context Protocol, MCP, authorization, authorization artifacts, proof-carrying decisions, deterministic governance, regulatory compliance, Five Tests Standard, AI safety
Edward Meyman (Sun,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: