MyAuberge K.K. AI agents operating in automated workflows require a structured authorization credential that binds agent authority not merely to an action type, but to a specific governed resource instance, a specific human principal, a specific Cedar action scope, and a specific mission context. Existing workload credentials provide identity but not governance binding. Existing OAuth tokens provide scope but not resource-instance specificity, human principal linkage, or mandate issuance chain traceability. This document defines the Mandate JWT (MJWT): a WIMSE workload credential profile that grants an AI agent authority to perform a specified set of Cedar actions on a specific Sovereign Object instance under the oversight of a named human principal. The MJWT carries governance claims not present in general-purpose workload credentials: a Cedar action scope, a Sovereign Object instance binding, a human principal identifier, a mission reference, and a mandate ceiling. The Narrowing Property -- by which a child mandate is always a strict subset of its parent in all authorization dimensions -- is normatively defined. The MJWT is the authorization primitive referenced by [I-D.sato-soos-idp], [I-D.sato-soos-hem], [I-D.sato-soos-gar], [I-D.sato-soos-cap], and [I-D.sato-soos-sov].