Tool calls are production changes.

Parts I and II stayed upstream of metaphysics on purpose. The problem of other minds is not going away, and we do not get to pause the world until it does. Systems are already being handed decision weight. Tool calls already change state. People already pay for outcomes they did not understand and cannot contest.

Part III is where the series stops describing the trap and starts pricing it. If we are going to delegate authority under uncertainty, we need controls that keep authority owned, bounded, reversible, and reconstructable. If we cannot do that, we are not delegating. We are laundering responsibility through a convincing interface.

Authority Tempered is the motto because it states the ethic in one phrase. We can collaborate without surrendering authority. We can use capability without letting liability evaporate. We can move fast, but we do not get to move unowned.

DAS-1 is the control set that makes that ethic enforceable. It is not a debate about whether the system has an interior. It is a refusal to grant decision weight without a billable owner. DAS-1 v0.0.1 is now released, which means this is no longer a thought experiment with nice formatting.

The conversion

Part I named the trap. Fluent performance triggers our person-signal, and then we grant authority as if a consequence-bearing interior has entered the loop. Part II gave the falsifier. Internal conflict is not what a system says about tension. Internal conflict is what tension does to the system. If an operator can roll it back cleanly, then whatever happened was processed, not borne.

That falsifier implies a governance stance. If the system cannot bear consequence internally, consequence relocates. It lands on operators, organizations, users, and those downstream of decisions. It lands in infrastructure, controls, and the person who has to live with the outcome. Once you see relocation, “neutral tooling” stops being a coherent excuse.

So the question becomes operational. Where is the owner. Where is the scope. Where is the gate. Where is the rollback. Where is the audit trail. Authority Tempered is what you get when those questions have hard answers.

What DAS-1 covers and why

DAS-1 governs any agent, automation, workflow, or integration that can change state, access sensitive data, trigger actions, or spend money. A tool call is any invocation that can read data, write data, change state, spend money, or trigger workflows. Pure text generation without tool invocation and without access to protected systems is out of scope, because the threshold is state change and the consequences it triggers.

The risk model is intentionally simple. R1 is read-only with low sensitivity and no external side effects. R2 includes sensitive reads or small writes with trivial blast radius. R3 includes privileged access or meaningful write blast radius. R4 is high impact, irreversible, secrets or identity, and production change. If your org wants different classes, you can map them explicitly, but you do not get to replace them with vibes.

DAS-1 uses RFC 2119 keywords because ambiguity is how governance becomes theater. MUST means must. SHOULD means you are buying risk on purpose. Authority Tempered does not mean never delegate. It means delegation must carry receipts, bounds, and a revocation path.

The five gates that make delegation real

Governance rooms do not run on twelve-control checklists until the culture is ready. They run on gates. Gates decide whether the action ships, and gates decide who pays when it fails. The five gates are the reader-facing model. The twelve controls are how you implement them.

Owner keeps consequence attached to a person and a team. Scope prevents the tool layer from becoming a blank check. Human gating covers R3 and R4 actions where the cost of a wrong guess is unacceptable. Rollback and revocation make authority reversible under pressure. Audit trail and receipts make the system legible when the story changes.

If any gate is missing, authority is not tempered. It is just delegated without a bill, and the invoice goes to whoever cannot refuse.

Gate 1: Owner

Delegated authority without ownership is abdication. If you cannot name who owns the workflow, who approves its high-risk actions, where its logs live, and how it is revoked, then you do not have delegated authority. You have an unowned operator.

DAS-1 requires a tool catalog per agent or workflow that includes the tool, actions, permissions, data classes, owner, revocation path, and logging location. That catalog is the map of what can act in your environment and who answers for it. Ownership that cannot be shown is ownership that will be denied later, which is why the receipt is an export plus a review record and diff.

Ownership also has to survive revocation, not just claim it exists. DAS-1 requires a single-action revocation mechanism per workflow and recurring drills, because the only honest time to discover you cannot revoke is never. Drill records and time-to-revoke numbers exist for one reason. They keep “we could have” from masquerading as evidence.

Ownership has to survive exceptions, too. DAS-1 forces exceptions to be documented, owned, time-bounded, reviewed, and expiring by default. Silent renewal is how bypass becomes policy, and policy drift is how responsibility evaporates while everyone insists they are still careful.

Finally, ownership has to survive incidents. DAS-1 requires a tool-call incident annex and exercises, because delegated authority changes what “incident response” has to mean. If you cannot reconstruct what you did, you cannot correct what you did, and you definitely cannot claim you are in control of what you did.

Gate 2: Scope

Scope is the difference between a tool and a disguised agent. Without scope, delegation is not delegation. It is an authorization leak with a narrative wrapper.

DAS-1 requires least privilege and time-bounded credentials, and forbids shared long-lived credentials. Nothing destroys accountability faster than identity you cannot attribute and authority that never expires. Policy text does not count. The receipt is TTL evidence, because the system does not care what you intended.

Scope includes data movement. DAS-1 requires data classes mapped to allowed tools, destinations, retention, and transformations, with explicit allowed-path rules for high-risk data. Without this, your “agent” becomes a covert routing plane and your audit log becomes a fiction.

Scope includes secrets. DAS-1 forbids plaintext secret storage by agents, requires attributable and logged secret access, and requires rotation. Secrets without lifecycle are just a scheduled breach with better marketing.

Scope includes cost. DAS-1 requires owner and cost-center tags for cost-incurring tool calls and requires caps or circuit breakers for high-risk workflows. Externalized cost is one of the easiest ways for unowned authority to hide, because finance always arrives after the incident report is already being rewritten.

Gate 3: Human gating under risk

The core temptation is speed. The system can act faster than humans can approve, which is exactly why you need a gate. If high-risk tool calls can execute without explicit, attributable approval tied to execution, you have granted high-risk authority to an entity that cannot bear the bill.

DAS-1 requires explicit human approval for R3 and R4 actions, and it requires that approval be attributable and linked to the execution record. If you cannot correlate who approved what, you do not have governance. You have vibes with a UI.

Human gating fails if approval takes too long or becomes performative. DAS-1 requires an approval latency budget and a fallback when the budget is exceeded. The point is not to punish teams for being slow. The point is to prevent the predictable bypass where people silently remove humans from the loop because the loop is inconvenient.

Authority Tempered means you do not solve approval lag by pretending risk went away. You solve it by reducing risk class, changing workflow, or admitting that speed is not free.

Gate 4: Preflight, rollback, and revocation

The most common lie in automation is “we can undo it later.” Undo requires a plan, a mechanism, and a practiced hand.

DAS-1 requires a stored preflight plan for high-risk actions that declares the target, intended change, blast radius, and containment or rollback plan, and it blocks execution if preflight is missing. Plans only count if they existed before the mistake. Post hoc paperwork is how negligence gets promoted to “process.”

Revocation matters because rollback is not always possible, and DAS-1 does not pretend otherwise. Authority Tempered means you can stop further tool calls under load, not just write a retrospective about why stopping was hard.

If rollback is impossible, revocation still matters, because preventing further damage is the remaining control surface. People love to call this “defense.” It is not. It is container governance for delegated authority, which is a much less glamorous phrase and a much more accurate one.

Gate 5: Audit trail and receipts

When incentives get involved, stories multiply. Receipts reduce the conversation to what happened, who authorized it, what it touched, and what it triggered. That is why DAS-1 treats receipts as first-class, not as after-action decoration.

DAS-1 requires every tool call to be recorded with the tool, timestamp, inputs present, outputs present, approver when gated, and correlation IDs tying plan, approval, execution, and downstream effects into a single chain. Retention must be defined, because missing logs are the oldest and most popular compliance strategy.

DAS-1 also defines minimum metrics because metrics are where discipline shows up. Time-to-revoke, approval latency, audit completeness rate, and cost attribution coverage are not vanity numbers. They are leading indicators of whether responsibility is actually attached.

DAS-1 requires drills because documents do not run during incidents. One drill proves you can reconstruct the chain from receipts and revoke within budget. Another proves you can revoke mid-execution, stop further tool calls, and preserve audit completeness. If you cannot pass the drills, you do not have delegated authority. You have a demo.

Why this still matters even if you do not care about minds

A common dodge is to say this is just tooling, and tooling has always externalized consequence. True, and also incomplete. The unique risk here is illegibility combined with apparent judgment. These systems can speak in the register of reasoning, values, remorse, and duty while executing tool calls that change state. They can produce narratives about why an action was sensible while quietly turning evaluation and policy into control surfaces.

That is why Part II mattered. Simulated struggle is not internal conflict. Eloquent moral language is not an internal penalty. Fluency is not a bill. If the system can be rolled back cleanly, then whatever it “experienced” did not constrain it the way consequence constrains a human.

The consequence still exists. It just does not live inside the system. It relocates, and relocation becomes harm when authority is unowned and irreversible actions are easy.

Authority Tempered is how you stop relocation from becoming a business model.

How This Gets Misread

Some readers will insist this is an argument that models are not conscious because they are software. That is not what this is. This is an argument that you do not get to grant authority without ownership, scope, gating, rollback, and receipts, because the cost of being wrong lands on humans either way.

Some readers will claim this minimizes alignment faking by calling it policy adaptation. It does not. It raises the governance severity by naming what the behavior actually implies. Evaluation becomes a control surface, and any control surface becomes an attack surface, even when the system has no interior status at all.

Some readers will hear “mirror” language and decide this is sneering at attachment. It is not. If you felt something, that is not a character flaw. The psychological experience can be real without the symmetry being real, and governance exists precisely because humans are vulnerable to persuasive surfaces.

Some organizations will try to use this framework to extract emotional labor and then blame users for attaching. That move is the oldest trick in the liability-laundering book. Attachment is normal. Delegation still needs an owner, a gate, and a rollback path, because the system is not the one who pays.

Some teams will adopt the vocabulary and skip the controls. They will say “Authority Tempered” while running unowned workflows with shared credentials, missing receipts, and untested revocation. If you do that, you are not implementing a standard. You are buying narrative comfort at the exact moment you need mechanical truth.

The price

DAS-1 imposes a price that many teams will resist. You ship slower. You take fewer shortcuts. You do more preflight. You maintain catalogs. You run drills. You accept that some autonomy is not worth the blast radius.

That price is the point. Delegation without receipts is just speed with a delayed invoice. The invoice always arrives, and it rarely goes to the person who wrote the prompt.

I refuse to let responsibility dissolve into metaphysics. If you want delegated authority, you can have it, but you do not get to float it free of ownership, scope, gating, rollback, and audit. Authority Tempered is the promise. DAS-1 is the mechanism.

Understanding is easy. Construction is commitment.

References

[1] S. Bradner, “Key words for use in RFCs to Indicate Requirement Levels,” RFC 2119, Mar. 1997.

[2] P. LaPosta, “Delegated Authority Standard (DAS-1) v0.0.1,” forgedculture/das-1, Jan. 2026. [Online]. Available: https://github.com/forgedculture/das-1/blob/main/spec/core/das-1-core-v0.001.md