Abstract
Every protocol currently proposed for AI agent authorization including TAP, SentinelAgent, AIP, Agentic JWT, ASTRA, and others uses the word mandate or scope to mean, informally, a list of permitted strings attached to a signed token. None of these protocols defines what a mandate means, in the sense in which Scott and Strachey gave the lambda calculus a meaning independent of any interpreter, or in which Dennis and Van Horn gave access control a meaning independent of any operating system's implementation. This absence is not a gap in rigour that any one protocol could fix by writing better documentation; it is the absence of an entire semantic level. This paper supplies that level. We define a mandate denotationally, as an element of a security-labeled domain, a complete lattice of permitted world-states ordered by an authority relation independent of how any particular protocol encodes, signs, or transmits it. We define delegation as a class of structure-preserving maps between mandate domains and prove, as a theorem rather than a design convention, that every legitimate delegation map is monotone-decreasing with respect to the authority order. Scope can only narrow under delegation, never expand, and this is forced by the semantics rather than asserted by protocol designers. We show that this denotational model subsumes the syntactic constructs of TAP, SentinelAgent, and the capability-based access-control literature as concrete representations of the same underlying object, in the precise technical sense that there exist meaning-preserving translations from each protocol's syntax into our domain. We give the model a fixed-point treatment of recursive (self-referential) delegation, analogous to Scott's solution of the domain equation for the untyped lambda calculus, addressing the case increasingly common in production multi-agent systems where an agent's mandate is partly determined by mandates it has itself issued to sub-agents. We conclude by showing what existing protocols get right as instances of sound delegation maps and where they are denotationally unsound, permitting scope expansion through composition orderings their own syntax does not forbid, and we argue that a protocol verified against this semantics, rather than against its own internal consistency, is the correct standard for an IETF-track authorization protocol for autonomous AI agents.