The Tower and the Warrant
Published: 2026-06-16
Abstract
On enforcement, provenance, revocation, and observability — and why control in a network of agents belongs at the edges, not the center.
In April 2007, as a final-year computer science student, I started a blog to document my undergraduate thesis. The thesis was a "fully decentralized peer-to-peer collaboration interface that enables devices over a network to communicate and work together" — a heterogeneous, dynamic network of machines sharing resources with no central authority. I was still settling on a name, but I wrote down the one I favored: Bayanihan Network. I chose it, I said at the time, because it "both embodies what we are trying to achieve and relates to our native heritage."
I am now, nineteen years later, building something I call the Bayanihan Machine. It is the same idea. I did not rediscover it; I never put it down.
There is a particular intuition I keep returning to, and the blog from those years — aptly, if accidentally, titled To the Edge — is full of it in different costumes. In a 2007 post I wrote, almost in passing, that "service consumer and service provider need not be two entirely different entities, after all, who knows best what the customer wants if not the customer?" By August 2010, writing about perception, of all things, I ended on this:
"data will no longer need to reside in one particular location, nor be uniquely addressable. Data integrity and security will be the property of the data and not the transport."
I was not writing about AI in either post. I was barely writing about the same subject twice. But the same shape is pressed into both — that authority and integrity should be carried by the thing itself, not granted by the channel it travels through or brokered by an intermediary in the middle; that trust in a network lives at the edges and accumulates through relationship rather than descending from a center; that the question "who can you trust?" has no answer until you also ask "trust to do what, and according to whom?"
I did not have the words warrant or capability or delegation chain in 2007, and only some of them by 2010. I do now. But the conviction has not changed, and the recent work in agentic AI has, if anything, only sharpened it. So this essay is two things at once: an argument about how control should work in a system of autonomous agents, and a marker for a line of thinking I have been pulling on, under the same name, for nineteen years.
The Control Tower
When AI agents began acting on behalf of organizations — making calls, moving money, touching systems — the industry reached, predictably, for the metaphor of central control. ServiceNow's AI Control Tower is the cleanest expression of it: a single pane of glass that watches every agent, enforces every policy, and can shut anything down. The promise is governance. The architecture is centralization.
I want to be careful here, because the Control Tower is not wrong about what needs to happen. It is wrong about where it should happen. Bundled inside that single tower are four genuinely distinct functions, and they have four genuinely distinct natural topologies:
- Enforcement — deciding whether a given action is allowed, in the moment, at the point of action.
- Provenance — knowing where an instruction came from, and through whose hands it passed.
- Revocation — withdrawing a permission that was previously granted.
- Observability — seeing, after the fact, what happened across the system.
The Control Tower's mistake is to assume all four want to live in the same place. They do not. Observability is genuinely centralizing — you want one place to look. But enforcement and provenance are the opposite: they want to be local, verified at every hop, carried by the request itself rather than checked against a distant authority that may be slow, unreachable, or compromised. Put enforcement in the tower and every action in the system becomes a round-trip to a single point of failure. Put it at the edge — carried in the request, verifiable on the spot — and the system keeps working even when the center is dark.
The Warrant
A warrant is the artifact that makes edge enforcement possible. It is not a session token and not an API key. It is a signed, self-describing grant of authority that travels with the request and answers, at every hop, a complete question:
- Principal — who is acting, and on whose authority.
- Delegation chain — the unbroken line from the original grantor to the current actor, each link signed.
- Intent — what this action is for, not just what it touches.
- Allowed and forbidden actions — the positive and negative space of what is permitted.
- Scope and expiry — the boundary in space and the boundary in time.
The prototype I have been building — warrant.py — captures exactly this, with an append-only audit log so that provenance is a byproduct of normal operation rather than a separate bookkeeping burden. When a warrant is verified locally at every hop, enforcement and provenance stop being services you call and become properties the request carries. That is the inversion. The tower asks "may I?" of the center. The warrant arrives already able to prove "I may."
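An added sketch of hop-local warrant verification, not the author's warrant.py: it uses a Macaroons-style HMAC chain as a stand-in for per-link signatures, so the verifier here holds the root key where a real deployment would hold only public verification keys. Field names and the sample principals are assumptions of this example, and scope is left out to keep it short.

```python
import hashlib
import hmac
import json

def _mac(key: bytes, obj: dict) -> bytes:
    # HMAC-SHA256 over canonical JSON; stands in for a real signature scheme.
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).digest()

def issue(root_key: bytes, principal, intent, allowed, forbidden, expires):
    head = {"principal": principal, "intent": intent, "allowed": sorted(allowed),
            "forbidden": sorted(forbidden), "expires": expires}
    return {"head": head, "links": [], "sig": _mac(root_key, head).hex()}

def delegate(warrant: dict, to, allowed, expires):
    # The current holder extends the chain using only the signature it holds;
    # it never sees the root key and cannot recover an earlier signature.
    link = {"to": to, "allowed": sorted(allowed), "expires": expires}
    sig = _mac(bytes.fromhex(warrant["sig"]), link).hex()
    return {"head": warrant["head"], "links": warrant["links"] + [link], "sig": sig}

def verify(root_key: bytes, warrant: dict, actor, action, now) -> str:
    head = warrant["head"]
    sig = _mac(root_key, head)
    holder, allowed, expires = head["principal"], set(head["allowed"]), head["expires"]
    for link in warrant["links"]:
        sig = _mac(sig, link)                     # recompute the chain link by link
        allowed &= set(link["allowed"])           # a link can narrow, never widen
        expires = min(expires, link["expires"])   # and can only shorten the lifetime
        holder = link["to"]
    if not hmac.compare_digest(sig.hex(), warrant["sig"]):
        return "deny: broken delegation chain"
    if actor != holder:
        return "deny: actor is not the current delegate"
    if now >= expires:
        return "deny: expired"
    if action in head["forbidden"] or action not in allowed:
        return "deny: action not permitted"
    return "allow"

# Constructed sample: a finance lead delegates to an agent, which delegates to a sub-agent.
ROOT = b"constructed-root-key"
w0 = issue(ROOT, "alice", "pay approved invoices", {"invoice.read", "invoice.pay"},
           {"vendor.create"}, expires=1000)
w1 = delegate(w0, "agent-a", {"invoice.read", "invoice.pay"}, expires=900)
w2 = delegate(w1, "agent-b", {"invoice.read", "vendor.create"}, expires=950)
```

The second link asks for `vendor.create` and a later expiry than its parent; verification ignores both because authority is the intersection along the chain, and any edit to a link after the fact breaks the recomputed signature.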
The revocation crux
This is where the argument gets hard, and where most edge-capability schemes quietly fail. If a warrant is long-lived and verified locally, how do you take it back? Local verification is precisely what makes revocation difficult: the whole point was that you did not have to phone home, but revocation seems to require phoning home.
The resolution comes from Macaroons — the capability-token design out of Google's research — and it is a split, not a compromise. You separate two things that the Control Tower had fused:
- The warrant itself is long-lived and verified locally at every hop. This carries the authority and never needs the center.
- A short-lived freshness discharge is checked alongside it — a small, frequently-renewed proof that the warrant has not been revoked since it was issued.
The discharge is issued by a revocation oracle that is deliberately powerless. It cannot grant authority. It cannot widen scope. It can only answer one question — "is this still live?" — and it answers in a token that expires in minutes. So revocation works by withholding: stop issuing freshness for a warrant and it goes dark on its own within the freshness window, everywhere, without any individual enforcement point needing to be told. The center keeps the one power that genuinely must be central — the power to stop — and is stripped of every power that should not be. It is the smallest possible center.
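The split described above, as an added simulation that is not code from the author's prototype: an oracle that can only attest liveness, a local freshness check, and a timeline showing when a revoked warrant goes dark. The 300-second window, the key, the warrant id and all names are assumptions, and a shared HMAC key stands in for the oracle's signature (with real signatures the enforcement point would hold only a verification key).

```python
import hashlib
import hmac

FRESHNESS_WINDOW = 300  # seconds; assumed value for "expires in minutes"
ORACLE_KEY = b"constructed-oracle-key"  # distinct from any warrant-signing key

def _tag(key: bytes, warrant_id: str, not_after: int) -> str:
    return hmac.new(key, f"{warrant_id}|{not_after}".encode(), hashlib.sha256).hexdigest()

class RevocationOracle:
    """Attests only that a warrant was live when asked; it cannot mint or widen one."""
    def __init__(self, key: bytes):
        self._key, self._revoked = key, set()

    def revoke(self, warrant_id: str) -> None:
        self._revoked.add(warrant_id)  # nothing is pushed to enforcement points

    def discharge(self, warrant_id: str, now: int):
        if warrant_id in self._revoked:
            return None  # revocation by withholding
        not_after = now + FRESHNESS_WINDOW
        return {"warrant_id": warrant_id, "not_after": not_after,
                "mac": _tag(self._key, warrant_id, not_after)}

def fresh(key: bytes, warrant_id: str, discharge, now: int) -> bool:
    """Local check an enforcement point runs beside warrant verification."""
    if discharge is None or discharge["warrant_id"] != warrant_id:
        return False
    expected = _tag(key, warrant_id, discharge["not_after"])
    return hmac.compare_digest(expected, discharge["mac"]) and now < discharge["not_after"]

def dark_at(revoke_at: int, renew_every: int, horizon: int, warrant_id: str = "w-123"):
    """Simulate a holder renewing on a schedule; return the first second access fails."""
    oracle, held = RevocationOracle(ORACLE_KEY), None
    for now in range(horizon):
        if now == revoke_at:
            oracle.revoke(warrant_id)
        if now % renew_every == 0:
            held = oracle.discharge(warrant_id, now) or held  # a refusal leaves the old token
        if not fresh(ORACLE_KEY, warrant_id, held, now):
            return now
    return None  # never went dark within the horizon
```

With a revocation at second 1000 and renewals every 60 seconds, the last discharge was issued at 960, so access fails at 1260: the exposure after revocation is bounded by the freshness window, not by the warrant's own lifetime.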
Independent validation: AP2
I want to flag something that happened while this line of thinking was already underway, because it matters for credibility and I would be the first to be suspicious of a private theory that conveniently predicts itself. Google's Agent Payments Protocol — AP2 — arrived as independent validation of the warrant pattern. Faced with the problem of letting agents spend money on a user's behalf, a problem where getting authority wrong is immediately and financially catastrophic, the design that emerged is recognizably the same: signed mandates that carry intent and constraint, verifiable along a delegation chain, rather than a central broker approving each transaction in real time. When a team with Google's resources and incentives, solving the highest-stakes version of the problem independently, lands on the same shape — carried authority, not central permission — that is the kind of convergence that suggests the shape is in the problem, not in me.
The Bayanihan Machine
The name from the beginning was the right one. Bayanihan is a Filipino word for communal effort — the image is a whole neighborhood lifting a house and carrying it to a new place. At twenty-one I chose it for a thesis network because it embodied what we were building and because it came from home. I would choose it again now, for a better-understood reason: the thing I am describing is not the absence of coordination. It is coordination without a master. Trust distributed across a community of agents, each carrying what it needs to act, each able to verify the others, none of them depending on a tower that can fail or be captured. A neighborhood lifting a house: no one of them strong enough alone, all of them able to because none of them is waiting to be told.
So the Bayanihan Machine is not a frame I reached for recently. It is a thesis from 2007 that finally has the surrounding technology it always needed. Data integrity as a property of the data and not the transport; the principal who holds the intent being the one who holds the authority; webs of trust rather than hierarchies of permission — I was circling all of it for years without a system to attach it to. The agentic moment gave it one. The friendliest path into real systems is through emerging agent standards — A2A as an integration surface, the IETF/W3C standardization tracks as a long destination for the warrant schema itself — but the path is downstream of the conviction, and the conviction is nineteen years old.
The tower wants to watch everything from one high window. The warrant lets every agent carry its own light. I have been building toward it, under the same name, since before I had the words for any of it.
This is part of an ongoing line of research on decentralized AI trust — warrant schemas, capability-based delegation, and communal rather than centralized models of authority. The line runs further back than the recent work suggests: to a 2007 undergraduate thesis blog that named a decentralized peer-to-peer network the "Bayanihan Network," and to a 2010 post on perception that ends on the line which became the whole argument — integrity as a property of the data, not the transport.