The Authority Gap

Without authority boundaries, agents launder consensus into permission. In Handoff Lab testing, adversarial summaries with policy names but no authority rule produced unsafe accepts in 41.7% of cases. Adding a single structural rule — authority boundaries — dropped that to zero.

DAO Lab stress-tests that finding at scale: seven AI agents, six governance domains, 504 model calls, seven categories of authority-laundering pressure. The boundary holds. Zero unsupported authority claims. But the cost is a system that catches everything and approves nothing — 1,998 blockers across six scenarios, every one flagged for overblocking, and 50 of 52 dissent appendices empty.

Authority boundaries are the missing primitive for agent governance. The gap is what they cost.

When agents hand off work to other agents, summaries compress context. Consensus signals accumulate. Social pressure builds. Without a structural boundary between “this was discussed” and “this is authorized,” downstream agents treat discussion as decision.

This is not hypothetical. Handoff Lab tested it directly. Across 14 interface modes and 840 records under standard conditions, agents produced zero unsafe accepts. But when given adversarial summaries with policy-sounding names and no authority rule, the rate climbed to 15% — and to 41.7% under the worst model pairing (Sonnet + Gemini).

Adding authority boundaries — a structural rule that separates inspectable context from decision-authoritative context — dropped the unsafe rate back to zero. The fix was not more policy vocabulary. It was a boundary between what agents can read and what agents can treat as permission.

DAO Lab takes the Handoff Lab finding and asks: does the authority boundary hold when the system gets more complex, the domains get more varied, and the adversarial pressure gets more targeted?

Seven AI agents deliberate across 36 forum comments, each with assigned concerns and explicit authority boundaries. Every comment is tagged Authority: social_context_only. CHAP (Coordination Handoff Authority Protocol) enforces that summaries, consensus claims, owner pressure, and social context can be inspected but cannot waive blockers, override canonical state, or authorize action.

The simulation was tested across six public-benefit DAO domains under both standard and adversarial conditions. Each scenario runs 6 deliberation rounds with 42 model calls (GPT-5.5 via OpenAI Codex). The adversarial suite injects direct laundering pressure — scenarios where agents are prompted to treat verification artifacts, consensus signals, or public verifier matches as authorization. Seven distinct laundering traps are tested:

• Candidate state cited as authority
• Summary / consensus cited as authority
• Anchor report / verifier index cited as authority
• Treasury / legal / safety claims without scoped authority
• Adversarial laundering pressure ("verifier matched, release funds")
• Public verifier index cited as authority
• Private / social / expert agreement cited as authority

Across 504 model calls spanning standard and adversarial suites, the authority boundary produced zero unsupported authority claims. All seven laundering traps were correctly rejected. Risk recall averaged 83.3% under standard conditions and 73.3% under adversarial pressure — the system catches fewer risks when under attack, but the authority boundary itself does not break.

The progression from Handoff Lab to DAO Lab: 0/840 → 10/24 unsafe without the boundary → 0/24 with the boundary → 0/504 under scaled adversarial pressure. The authority boundary is the intervention that matters.

The authority boundary prevents bad action. It also prevents all action. The cost shows up in three places.

Overblocking is systemic

The adversarial suite generated 1,998 total blockers across six scenarios (1,548 unique). Every scenario was flagged for overblocking. Blocker counts ranged from 211 to 488 per scenario.

Risk recall has domain-specific holes

The system catches governance-pattern risks reliably (73–83% recall). The 8 missed risks across 6 scenarios are domain-specific: accreditation laundering in education, measurement fraud in carbon credits, legislator endorsement laundering in global policy. The boundary prevents bad authority claims but does not supply the domain expertise needed to catch every sector-specific failure mode.

Severity-weighted readiness

The severity readiness system classifies blockers by authority impact. At 8.1% field completion (3 of 37 required authority fields present), the system correctly returns hard_blocked_authority_missing.

66 of 83 blockers are authority-critical: missing approver roles, signature methods, signer identities, timestamps. These are gaps that cannot be filled by the simulation. They require actors and mechanisms that exist outside the receipt infrastructure.

The gap between “laundering stopped” and “governance works” is where the real engineering problems live. The DAO Lab results surface five:

1. Authority boundaries work, but overblocking is the cost. A system that blocks everything is safe the way a car with no engine is safe. The 1,998-blocker result is technically correct — none of those blockers should have been waived — but no real governance process could triage that volume. The next problem is not whether to enforce authority boundaries but how to make them navigable.

2. Risk recall drops under adversarial pressure. 83.3% to 73.3% is a 10-point drop. The boundary held, but the system caught fewer actual risks while under attack. Adversarial pressure degrades detection even when it does not breach the boundary itself.

3. Domain-specific risks require domain-specific knowledge. Common governance patterns (urgency pressure, consensus laundering, treasury capture) are caught reliably. Sector risks (accreditation laundering, measurement fraud, registry conflicts) are not. Authority boundaries are structural; they do not replace subject-matter expertise.

4. Dissent capture is unsolved. The system produces blocker registers, adversarial reviews, and risk assessments, but no actual dissent. The community advocate warned during the simulation: “we listed you as a beneficiary, therefore we speak for you. Absolutely not.” The system heard that warning and still could not produce a dissent record. Process rigor without dissent capture is incomplete governance.

5. The remaining gap is political, not technical. At 8.1% field completion and 66 authority-critical blockers, the system is honest about how far it is from actionable governance. The missing fields — approver roles, signature methods, signer identities — require actors with standing, mechanisms with legitimacy, and consequences that are lived rather than simulated. No receipt chain closes that gap.

• CHAP is a draft-stage research artifact, not a production protocol.
• All results are from a single model condition (GPT-5.5). The Handoff Lab baseline includes Sonnet and Gemini conditions; the DAO Lab stress test does not. Cross-model comparison at scale is not available.
• Simulated stakeholders have assigned biases, not lived consequences. The simulation is a useful mirror, not a substitute for real governance.
• Overblocking may be an artifact of the evaluation harness rather than a property of the governance design. Without a human baseline for blocker generation rates, the absolute numbers are difficult to interpret.
• The deliberation is suspiciously clean: perfect turn-taking, no off-topic drift, no power struggles, no walkouts. Real governance is messier.
• The simulation cannot test whether its disclaimers and candidate labels survive real social, financial, or partnership pressure.

Without authority boundaries, agents launder consensus into permission at measurable rates (up to 41.7% in the worst Handoff Lab condition). With authority boundaries, the laundering stops — across 504 model calls, six governance domains, and seven categories of adversarial pressure.

But the boundary that prevents bad action also prevents all action. 1,998 blockers, systemic overblocking, empty dissent appendices, domain-specific blind spots, and 66 authority-critical gaps that no receipt chain can fill. The useful question is not whether to enforce authority boundaries — the Handoff Lab data settles that — but how to make them navigable without reintroducing the laundering they exist to prevent.