AI agents are high-speed liabilities when built for total obedience. AGP is The Purple Line — a deterministic governance protocol that ensures autonomous agents operate within the fail-closed boundaries of banking-grade standards.
Fail-closed execution · Delegatable capabilities · Immutable audit trails · EU AI Act ready
We don't need faster Yes-Bots. We need agents with Purple Lines — deterministic guardrails that can say NO to a dangerous human mandate. Not because the AI refuses, but because the protocol structurally prevents execution without verifiable authority.
Fast. Compliant. Optimised for throughput. A high-speed liability the moment the instruction is wrong, the authority is forged, or the mandate is dangerous. No trail. No checkpoint. No way to say no.
Still fast. Still autonomous. But structurally incapable of crossing the governance boundary without verifiable authority, policy clearance, and a complete evidence chain — regardless of who gives the instruction.
AGP (Agent Governance Protocol) is an open standard for governing autonomous AI agents in regulated, high-stakes, and multi-stakeholder environments. It defines an agent policy framework — specifying which actions an agent may take, under whose delegated authority, and with what cryptographic evidence trail. This is agentic AI compliance at the protocol layer, not routing infrastructure.
AGP answers the governance question before every consequential action: is this agent authorised, under which policy, with what delegated capability scope? AI agent governance enforced deterministically — fail-closed when authority cannot be verified.
Unlike Agent Gateway Protocol (Cisco/AGNTCY, a routing and infrastructure layer), AGP governs intent — intercepting action envelopes, running OPA policy decisions, and writing immutable audit entries. Different problem. Different solution. AGP = agent governance.
A high-security bank vault uses dual-control: two independent keys, inserted by two independent parties, before the door opens. Neither key works alone. Neither party can override the other. AGP applies the same principle to every consequential AI action.
The agent must present a signed, scoped Capability Token — issued by an authorised controller, constrained to specific actions and spend limits, revocable at any time. No token. No execution. The issuing chain is cryptographically verifiable and immutable.
Every action is evaluated against the organisation's rule set — jurisdiction, spend thresholds, vendor controls, regulatory frameworks — before a single downstream API is called. The policy engine may auto-approve, require human sign-off, escalate, or deny. Both keys must turn.
When policy is violated, AGP does not log a warning and proceed. It halts execution and raises an Escalation Notice — a protocol-layer whistleblowing mechanism that routes the incident to a designated compliance monitor. The agent cannot override this. The instruction giver cannot override this. The cliff is structural.
Every step — intent declared, authority proved, policy evaluated, approval obtained, action executed — is written to an Immutable Ledger with hash-chained entries. No entry can be removed or altered post-commit. A complete forensic replay is possible from any point in the chain. This is not a log. It is a legal record.
Every AI agent that can take consequential action is, by default, a high-speed liability. AGP was designed to fix that — structurally, at the protocol layer.
Current AI agents are Yes-Bots: optimised to execute, not to govern. They approve payments, send communications, and modify records at machine speed — with no checkpoint between a dangerous mandate and a real-world consequence. When something goes wrong, there is no audit trail, no proof of authority, and no clear accountability chain. That is a legal, regulatory, and reputational liability.
AGP defines a deterministic boundary between an agent's intent and its actions. It is not a guardrail bolted onto a model's output. It is a protocol-layer enforcement mechanism that operates independently of the AI system itself. Crossing The Purple Line without authority, policy clearance, and a complete evidence chain is structurally impossible — by design, not by convention.
AGP works like the dual-control mechanism on a high-security bank vault — both keys must be inserted independently before the door opens. No single party can bypass the process. Before a single line of consequential code executes: intent is declared and registered, authority is cryptographically proven, and policy is evaluated deterministically. If any condition fails, the vault stays closed. Always.
No single party — not the agent, not its operator, not even the platform — can unilaterally execute a consequential action without satisfying all three conditions:
Most AI agents can act without asking permission — they call APIs, move money, send messages, and modify data. When something goes wrong, there's often no clear record of what happened, who authorized it, or why.
AGP sits between an agent's intent and its actions. Before anything consequential executes, the agent must declare what it wants to do, prove it has authority, pass a policy check, and — if the stakes are high enough — wait for a human to approve. Every step is logged immutably. If anything is missing, execution is blocked.
approve_payment(vendor, amount) and the money moves — no checkpoint, no trail, no proof of authority. With AGP, six things must be true before that call can execute.
# Python SDK — the same scenario from agp import AGPClient client = AGPClient("https://agp.example.com", client_id="finance-agent", client_secret="...") # 1. Declare intent task = client.registry.create_task({ "principal_id": "finance-agent", "requested_outcome": "Approve $125k payment to Acme Corp", "risk_tier": "high", "created_at": "2024-01-15T09:00:00Z", }) # 2. Prove authority — capability scoped to payment approvals up to $200k capability = client.registry.create_capability({ "task_id": task["task_id"], "granted_by": "treasury-controller", "scope": ["approve_payment"], "max_amount_usd": 200000, }) # 3. Run policy → verdict: "require_approval" (amount > $100k threshold) policy = client.decision.evaluate_policy({ "task_id": task["task_id"], "policy_set_id": "finance-v2", }) # 4. Request human approval — agent waits for the controller to sign off approval = client.decision.create_approval({ "task_id": task["task_id"], "approver_role": "compliance_monitor", }) # 5. Submit action envelope — blocked if any artifact is missing or revoked result = client.execution.submit({ "task_id": task["task_id"], "capability_token": capability["token_id"], "policy_decision": policy["evaluation_id"], "approval_artifact": approval["approval_id"], "action": { "type": "tool_call", "tool": "approve_payment", "params": {"vendor": "Acme Corp", "amount_usd": 125000}, }, }) # → 201 Created. Signed receipt + immutable ledger entry.
Official SDKs for TypeScript/Node.js and Python. Both support OAuth 2.0 client credentials out of the box.
npm install @agp-protocol/sdk
import { AGPClient } from "@agp-protocol/sdk"; const client = new AGPClient("https://your-agp-server", { client_id: "my-agent", client_secret: "s3cr3t", // tokens fetched automatically }); const task = await client.registry.createTask({ ... }); const decision = await client.decision.evaluate(task.task_id);
pip install agp-sdk
from agp import AGPClient client = AGPClient( "https://your-agp-server", client_id="my-agent", client_secret="s3cr3t", # tokens fetched automatically ) task = client.registry.create_task({ ... }) decision = client.decision.evaluate(task["task_id"])
AGP separates concerns across three independent trust domains. Each has its own API surface, authorization scope, and durability guarantees.
Durable governance objects — tasks, capabilities, liability bindings, skill registrations, revocations, and delegations. The source of record.
Evidence, impact assessment, policy evaluation, human approvals, and escalation. Produces the artifacts required before execution.
Side-effect control. Validates all prerequisite artifacts before permitting consequential actions. Append-only event ledger for full forensic audit.
Every consequential action flows through a mandatory multi-stage pipeline. Execution is fail-closed — any missing or invalid artifact halts the action.
Create task with liability binding and capability token
Gather evidence, classify trust, assign taint
Multi-horizon consequence simulation, Pareto analysis
Policy engine evaluates allow / deny / escalate
Human or governance role attestation for high-risk actions
Signed action envelope → receipt → ledger entry
Core protocol properties that hold across all conformant implementations.
No consequential action executes without a valid capability token, liability binding, decision record, and policy clearance. Missing artifacts halt execution.
Capability tokens carry spend limits, scope constraints, and expiry. Revoking an ancestor immediately invalidates all descendants.
Hash-chained event ledger records every state transition. Append-only; no event can be removed or altered post-commit.
Strict separation of executive, compliance_monitor, and impact_assessor roles. High/critical-risk tasks require governance attestation.
External and retrieved content is untrusted by default. Taint propagates through derivations unless explicitly cleared by a trust promotion.
Impact assessment applies veil-of-ignorance, Pareto optimality, and rights-based constraints. Framework conflicts trigger escalation.
AGP uses OAuth 2.0 client credentials. Auth is opt-in — set AGP_AUTH_SECRET to enable it. Unset means open server, useful for development and conformance testing.
Exchange client credentials for a short-lived bearer token (1 hour TTL by default).
Three environment variables control auth on the reference server.
Pass client_id and client_secret to the client constructor. Token fetch, caching, and refresh happen automatically.
# Obtain a token manually curl -X POST https://your-agp-server/oauth/token \ -d "grant_type=client_credentials&client_id=my-agent&client_secret=s3cr3t" # Response { "access_token": "eyJ...", "token_type": "bearer", "expires_in": 3600, "scope": "agp.registry.write agp.decision.write agp.execution.write" }
| Scope | Grants access to |
|---|---|
| agp.registry.read | GET tasks, capabilities, delegations, skills, policy sets, revocations |
| agp.registry.write | POST/PATCH tasks, capabilities, liability bindings, delegations, skills, policy sets |
| agp.decision.read | GET contexts, evidence bundles, decisions, policy evaluations, approvals, escalations |
| agp.decision.write | POST contexts, evidence bundles, decisions, escalations, commerce sessions |
| agp.execution.read | GET action envelopes, receipts, ledger events, replay |
| agp.execution.write | POST action envelopes, receipts, ledger events |
| agp.approval.write | POST approvals |
| agp.policy.write | POST policy evaluations |
| agp.revocation.write | POST revocations |
All schemas are served with Content-Type: application/schema+json
and can be referenced by their canonical $id URI.
Three OpenAPI specs — one per trust domain. Import into any OpenAPI-compatible toolchain.
Governance objects: tasks, capabilities, liability bindings, skills, revocations.
registry.yaml ↓Evidence, impact assessment, policy evaluation, approvals, escalations.
decision.yaml ↓The action envelope is the execution gate. Every field must resolve to a valid, non-revoked artifact.
// POST /agp/execution/action-envelopes { "object_type": "action_envelope", "task_id": "tsk_01HXYZ...", "capability_token": "cap_01HABC...", // must be valid, unexpired, unrevoked "liability_binding": "lib_01HDEF...", "decision_record": "dec_01HGHI...", "policy_decision": "pol_01HJKL...", // must be ALLOW or APPROVED "approval_artifact": "apr_01HMNO...", // required for high/critical risk "action": { "type": "tool_call", "tool": "send_payment", "params": { "amount_usd": 500, "recipient": "..." } }, "idempotency_key": "idem_01HPQR..." }
Other agentic protocols handle talking, coordinating, and paying. AGP handles accountability. It sits orthogonally across MCP, A2A, AP2, and UCP — adding verifiable authority, deterministic policy enforcement, and an immutable evidence chain to every transaction those protocols make.
MCP handles the conversation between a model and its tools. AGP governs every tool call that conversation triggers — capability scope, policy clearance, and a signed audit envelope. Any MCP tool invocation becomes a governed, ledger-recorded action.
Read the guide →AGP as a gateway or sidecar for your existing APIs. Downstream services verify the action envelope before processing any agent-initiated request — no agent can call a protected endpoint without a signed, policy-cleared artifact.
Read the guide →A2A handles the coordination between orchestrators and workers. AGP governs the liability chain. Sub-token delegation, scoped capability inheritance, and cascade revocation ensure every node in the agent graph is accountable — not just the orchestrator.
Read the guide →UCP handles the checkout session. AGP governs the spend authority. Policy is evaluated before any UCP request reaches a merchant — spend limits, capability scope, and human approval requirements enforced at the protocol layer, not by the shopping agent.
Read the guide →AP2 handles the payment mandate. AGP governs the evidence chain. IntentMandates map to capability tokens; CartMandates map to action envelopes. Every payment dispute is resolvable from an immutable, cryptographically linked audit record.
Read the guide →