Semantic Kernel orchestrates AI agents with plugins, planners, and memory. When an agent executes a plan, each step calls a plugin function. The authorization model: if a plugin is registered, every agent can call every function in it. There's no per-agent, per-function scope constraint.
For enterprise deployments where different agents handle different trust levels:
- A customer-facing agent has access to the same plugins as an internal analytics agent
- A planner that generates a 10-step plan can include any registered function in any step
- When a plugin function has side effects (sending email, modifying data), there's no enforcement checkpoint between the planner's decision and the execution
Delegation-scoped plugin access:
// C# pseudocode showing the concept — SDK is TypeScript/Python
// Each agent gets a delegation defining which plugin functions it can call
var delegation = CreateDelegation(
delegatedTo: agentKey,
delegatedBy: adminKey,
scope: new[] { "plugin:search:web_search", "plugin:math:calculate" },
// NOT in scope: plugin:email:send_email, plugin:database:execute_query
spendLimit: 2000,
expiresAt: DateTime.UtcNow.AddHours(1)
);// TypeScript SDK — actual integration
import { createDelegation, governAction } from 'agent-passport-system'
const agentDelegation = createDelegation({
delegatedTo: agentKey,
delegatedBy: adminKey,
scope: ['plugin:search', 'plugin:math'],
spendLimit: 2000,
expiresAt: new Date(Date.now() + 3600_000),
maxDepth: 0
})
// Before each plugin function call → governance check
const result = await governAction(
{ type: 'plugin:email:send_email', to: recipient, body: content },
async (action) => emailPlugin.sendEmail(action),
{ passport: agentPassport, delegation: agentDelegation, privateKey: agentKey }
)
// Blocked: email plugin not in scope. Signed receipt generated.The governance layer wraps plugin function invocation. The planner can include any function in its plan. The executor checks delegation before each step runs. If a step exceeds scope, it's blocked with a signed denial receipt — the plan continues with the remaining steps.
npm install agent-passport-system (v1.36.2, Apache-2.0) or pip install agent-passport-system (v0.8.0).
Every plugin call produces an Ed25519-signed receipt. The execution trace of a 10-step plan includes 10 receipts, each proving the authorization context for that step.
Semantic Kernel orchestrates AI agents with plugins, planners, and memory. When an agent executes a plan, each step calls a plugin function. The authorization model: if a plugin is registered, every agent can call every function in it. There's no per-agent, per-function scope constraint.
For enterprise deployments where different agents handle different trust levels:
Delegation-scoped plugin access:
The governance layer wraps plugin function invocation. The planner can include any function in its plan. The executor checks delegation before each step runs. If a step exceeds scope, it's blocked with a signed denial receipt — the plan continues with the remaining steps.
npm install agent-passport-system(v1.36.2, Apache-2.0) orpip install agent-passport-system(v0.8.0).Every plugin call produces an Ed25519-signed receipt. The execution trace of a 10-step plan includes 10 receipts, each proving the authorization context for that step.