Large and decentralized security-sensitive systems require mechanisms to enforce access control polices that may involve hundreds to thousands of agents (users) and access rights. For example, consider the security needs of an Internet-scale service composed from dynamically instantiated mobile agents deployed onto a set of hosts that span a diverse group of loosely allied administrative domains. Agents and hosts must determine the level of each other's authorization and agents must determine the amount of authorization to attribute to other agents. In addition, the level of authorization should degrade as it is transitively delegated. Current access control systems provide no representation of this degradation beyond explicit enumeration, and do not address the systems challenges of collecting authorizing credentials and monitoring prolonged relationships between agents. This talk describes my recent work addressing these challenges including two new access control frameworks. dRBAC is a Decentralized Role-Based Access Control system that provides mechanisms to collect credentials and authorize prolonged relationships. In addition, dRBAC embeds the degradation of authorization within transitive delegation credentials and thus permits access-control decisions to specify a limit to this degradation. I will also describe my more recent investigation of a new framework for expressing partial authorization that provides a rational representation for the increased authorization that should result when multiple agents co-endorse an authorization decision.