Introduction
AGP is the open governance protocol for autonomous AI agents — fail-closed execution, delegatable capabilities, and immutable audit trails.
The Agent Governance Protocol (AGP) is an open specification that sits underneath your agents and tools, turning every consequential action into a governed, auditable event. It is model- and framework-agnostic: the governance contract is between your tools and the AGP server, not between AGP and any specific model or runtime.
Why it exists
The most dangerous AI agent is the one that always says yes. An agent that executes every instruction is fast and compliant — and a high-speed liability the moment the instruction is wrong, the authority is forged, or the mandate is dangerous. AGP is the Purple Line: a deterministic boundary that can say no — not because the model refuses, but because the protocol structurally prevents execution without verifiable authority.
What AGP guarantees
Fail-closed execution
Actions only execute once capability, policy, and approval checks all pass. If any step is missing, the action is blocked.
Delegatable capabilities
Capability tokens are scoped to specific permitted actions and revocable at any time — revoking one stops every pending action under it.
Immutable audit trails
A hash-chained ledger records intent, decision, policy verdict, approval, and execution. Replay the full sequence for any task.
EU AI Act ready
Risk classification, decision rationale, human oversight, and an append-only ledger map directly to Articles 9, 12, 13, and 14.
Who it's for
AGP is a governance question before it is a code question — read it through the lens that fits your role.
Executives & risk — The Liability Shield
Convert agent accountability from assertion to cryptographic proof. Demonstrate governance to regulators and auditors — don't just assert it.
Architects & security — The Governance Ledger
A fail-closed trust model across three independent domains, with a hash-chained ledger as the authoritative record of every decision.
Developers — Code that Whistleblows
Add governance in ~10 lines: install, declare intent, prove authority, execute. MCP tool calls wrapped automatically, no refactoring.
How it works
A high-security vault opens only when independent keys turn together — no single party can override it. AGP applies the same dual-control discipline: every governed action walks the same pipeline, and the fail-closed gate fires only once intent, authority, and policy all clear. Low- and medium-risk actions complete in a single round-trip; high-risk actions pause for human sign-off first.
Register the task
Declare intent with a risk_tier, principal, and requested outcome.
Bind liability
Attach a sponsoring entity and accountable owner. Required before a decision can be recorded.
Issue a capability
Issue a capability token scoped to the specific permitted actions.
Record the decision
Capture the agent's selected action, rationale, and uncertainty score.
Evaluate policy
Produce a verdict: allow, require_approval, deny, or quarantine.
Submit the action
The fail-closed execution gate verifies every reference, then writes a signed receipt and an immutable ledger entry.
Policy verdicts
| Verdict | Meaning |
|---|---|
| allow | The action proceeds through the gate. |
| require_approval | The task pauses at APPROVAL_PENDING until a human signs off. |
| deny | The action is rejected; the gate stays closed. |
| quarantine | The task is held for review and cannot execute. |
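The six pipeline steps above and the four verdicts in the table, walked through in a small simulation. This is an added example and not AGP's own SDK or server code: the GovernanceServer class, its method names, the READY, DENIED, QUARANTINED and EXECUTED statuses, the receipt key, and the policy rules (an action outside the capability's scope is denied, an uncertainty score above 0.5 is quarantined, a high risk tier requires approval) are assumptions chosen to mirror the page's description. What it shows concretely is how the gate stays closed until every reference resolves, how revoking a capability stops a pending action, and how editing any ledger entry breaks the hash chain on replay.

```python
"""Toy fail-closed governance gate with a hash-chained ledger.
Added example, not AGP's code: names, statuses and policy thresholds are assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64
RECEIPT_KEY = b"constructed-demo-key"  # placeholder; a real server would use a managed signing key

class GateError(Exception):
    """Raised whenever the fail-closed gate refuses to proceed."""

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class GovernanceServer:
    def __init__(self):
        self.tasks, self.capabilities, self.ledger = {}, {}, []

    # -- append-only, hash-chained ledger: each entry commits to the previous one's hash
    def _append(self, event, **fields):
        prev = self.ledger[-1]["hash"] if self.ledger else GENESIS
        entry = {"seq": len(self.ledger), "event": event, "prev": prev, **fields}
        entry["hash"] = _digest(entry)  # hash covers every field except itself
        self.ledger.append(entry)
        return entry

    def verify_chain(self):  # replay the ledger; any edited or reordered entry breaks the chain
        prev = GENESIS
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    # -- the six pipeline steps
    def register_task(self, principal, outcome, risk_tier):
        task_id = "task-%d" % len(self.tasks)
        self.tasks[task_id] = {"principal": principal, "outcome": outcome,
                               "risk_tier": risk_tier, "status": "REGISTERED"}
        self._append("intent", task=task_id, principal=principal, risk_tier=risk_tier)
        return task_id

    def bind_liability(self, task_id, sponsor, owner):
        self.tasks[task_id]["liability"] = {"sponsor": sponsor, "owner": owner}
        self._append("liability", task=task_id, sponsor=sponsor, owner=owner)

    def issue_capability(self, task_id, actions):
        cap_id = "cap-%d" % len(self.capabilities)
        self.capabilities[cap_id] = {"task": task_id, "actions": set(actions), "revoked": False}
        self._append("capability", task=task_id, cap=cap_id, actions=sorted(actions))
        return cap_id

    def revoke_capability(self, cap_id):
        self.capabilities[cap_id]["revoked"] = True  # pending actions under it now fail at the gate
        self._append("revocation", cap=cap_id)

    def record_decision(self, task_id, action, rationale, uncertainty):
        task = self.tasks[task_id]
        if "liability" not in task:
            raise GateError("a decision needs a bound liability first")
        task["decision"] = {"action": action, "rationale": rationale, "uncertainty": uncertainty}
        self._append("decision", task=task_id, action=action, rationale=rationale, uncertainty=uncertainty)

    def evaluate_policy(self, task_id, cap_id):
        task, cap = self.tasks[task_id], self.capabilities[cap_id]
        decision = task["decision"]
        if cap["revoked"] or decision["action"] not in cap["actions"]:
            verdict = "deny"              # outside the token's scope
        elif decision["uncertainty"] > 0.5:
            verdict = "quarantine"        # hold for review (assumed threshold)
        elif task["risk_tier"] == "high":
            verdict = "require_approval"  # pause for human sign-off
        else:
            verdict = "allow"
        task["status"] = {"allow": "READY", "require_approval": "APPROVAL_PENDING",
                          "deny": "DENIED", "quarantine": "QUARANTINED"}[verdict]
        self._append("policy", task=task_id, verdict=verdict)
        return verdict

    def approve(self, task_id, approver):
        task = self.tasks[task_id]
        if task["status"] != "APPROVAL_PENDING":
            raise GateError("task is not awaiting approval")
        task["status"] = "READY"
        self._append("approval", task=task_id, approver=approver)

    def submit_action(self, task_id, cap_id):
        """Fail-closed gate: every reference must resolve and every prior check must have passed.
        The returned receipt signs the execution entry's hash, tying it to the whole chain."""
        task, cap = self.tasks.get(task_id), self.capabilities.get(cap_id)
        if task is None or cap is None or cap["task"] != task_id or cap["revoked"]:
            raise GateError("missing, mismatched or revoked reference")
        if "liability" not in task or "decision" not in task or task["status"] != "READY":
            raise GateError("gate closed: status=%s" % task["status"])
        entry = self._append("execution", task=task_id, cap=cap_id, action=task["decision"]["action"])
        task["status"] = "EXECUTED"
        return hmac.new(RECEIPT_KEY, entry["hash"].encode(), hashlib.sha256).hexdigest()
```

A low-risk task goes through all six steps in one pass and returns a receipt; a high-risk one stops at APPROVAL_PENDING and submit_action raises GateError until approve() has been recorded. Because each ledger entry's hash covers the previous entry's hash, verify_chain() fails as soon as any earlier entry is edited, which is the property that makes the ledger usable as the authoritative record rather than just a log.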
EU AI Act mapping
Compliance evidence, out of the box
Each governed task provides risk classification (Art. 9), an append-only audit ledger (Art. 12), decision rationale and uncertainty score (Art. 13), and a human oversight record (Art. 14).
Integrations
AGP governs the full agent stack — tool calls, multi-agent delegation, payments, commerce, and downstream services.
Model Context Protocol (MCP)
Add governance to any MCP server. Every tool call gets a policy decision and an immutable audit entry.
Agent-to-Agent (A2A)
Govern multi-agent workflows with sub-token delegation, liability chains, and cascade revocation.
Agent Payments Protocol (AP2)
Replace manual allowlists with dynamic policy and feed disputes with cryptographic evidence.
Universal Commerce Protocol (UCP)
Govern which agents can initiate checkouts and enforce spend limits on every transaction.
Microservices
Protect downstream services from ungoverned agent calls via gateway, sidecar, or direct envelope verification.