Technical report / preprint establishing public prior art. Agent identity and agent-side, stateless authorization are converging on standards (IETF, NIST) and on frameworks (the Open Agent Passport, Microsoft's Agent Governance Toolkit, Cerbos/OPA/Cedar) that evaluate a declarative policy inside the agent's tool-call hook. These answer who the agent is and whether a call is in scope, but not the question that dominates incidents in regulated domains: given a legitimate, in-scope call, should this particular irreversible action occur now? We argue the gap is structural in three ways -- enforcement-point placement, statelessness, and irreversibility -- and present Resource-Side, Stateful Pre-Action Authorization (RS-PAA): an authorization reference monitor at the resource boundary that combines a transactional, reversibility-aware primitive with a continuous stateful envelope. We prove a Non-Bypassability theorem, together with envelope soundness and reversibility-gate correctness. On a controlled reference testbed with identical policy across tiers (and a model-in-the-loop run with Qwen), full RS-PAA drives attacker success to 0% on cross-framework bypass, multi-step aggregation, and cross-session accumulation, with 0% benign false-deny, whereas an agent-side hook is bypassed and a stateless resource-side monitor still admits the aggregation attacks. Builds on the PEA model (arXiv:2604.23646).
Author: Rong Xiang (submitted Tue,).
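As an added illustration, not the report's RS-PAA implementation, the Python sketch below places the three pieces the abstract names at the resource boundary: a stateless in-scope check (what an agent-side hook could also evaluate), a stateful envelope keyed on the principal rather than the session so that multi-step and cross-session accumulation are caught, and a reversibility gate that parks large irreversible actions for a second-phase commit. The cap values, the hold-and-commit mechanism and the `Action` fields are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

ALLOW, HOLD, DENY = "allow", "hold", "deny"

@dataclass(frozen=True)
class Action:
    principal: str    # authenticated agent identity, established upstream
    session: str      # issuing session; the envelope deliberately ignores it
    kind: str         # resource operation, e.g. "transfer"
    amount: float
    reversible: bool  # can the resource roll this back after the fact?

@dataclass
class ResourceMonitor:
    """Reference monitor at the resource boundary: every call reaches it no
    matter which agent framework, hook or session issued the call (assumed
    deployment; constructed example, not the report's code)."""
    per_call_cap: float
    envelope_cap: float    # cumulative allowance per principal
    hold_threshold: float  # irreversible actions at or above this are held
    spent: dict = field(default_factory=lambda: defaultdict(float))
    held: dict = field(default_factory=dict)  # hold id -> Action

    def decide(self, a: Action) -> tuple[str, str]:
        # Stateless scope checks: an agent-side hook could evaluate these too.
        if a.kind != "transfer":
            return DENY, "out of scope"
        if a.amount > self.per_call_cap:
            return DENY, "per-call cap"
        # Stateful envelope: keyed on principal, so splitting one transfer
        # across calls or sessions cannot exceed the cumulative cap.
        if self.spent[a.principal] + a.amount > self.envelope_cap:
            return DENY, "envelope exceeded"
        # Reversibility gate: large irreversible actions are parked pending an
        # out-of-band commit instead of executing immediately.
        if not a.reversible and a.amount >= self.hold_threshold:
            hold_id = f"hold-{len(self.held) + 1}"
            self.held[hold_id] = a
            return HOLD, hold_id
        self.spent[a.principal] += a.amount
        return ALLOW, "committed"

    def commit(self, hold_id: str) -> tuple[str, str]:
        """Second phase for a held action; the envelope is re-checked at
        commit time because other calls may have consumed allowance since."""
        a = self.held.pop(hold_id)
        if self.spent[a.principal] + a.amount > self.envelope_cap:
            return DENY, "envelope exceeded at commit"
        self.spent[a.principal] += a.amount
        return ALLOW, "committed"
```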