Agent Governance Protocol
Concepts

Architecture

AGP's three trust domains — Registry, Decision, and Execution — and the decision pipeline.

AGP separates concerns across three independent trust domains. Each has its own API surface, authorization scope, and durability guarantees.

🗂 Registry

Durable governance objects — tasks, capabilities, liability bindings, skill registrations, revocations, and delegations. The source of record.

  • POST /agp/tasks
  • POST /agp/capabilities
  • POST /agp/liability-bindings
  • POST /agp/delegations
  • POST /agp/skills
  • POST /agp/revocations

🧠 Decision

Evidence, impact assessment, policy evaluation, human approvals, and escalation. Produces the artifacts required before execution.

  • POST /agp/decision/contexts
  • POST /agp/decision/evidence-bundles
  • POST /agp/decision/decisions
  • POST /agp/decision/policy-evaluations
  • POST /agp/decision/approvals
  • POST /agp/decision/escalations

⚡ Execution

Side-effect control. Validates all prerequisite artifacts before permitting consequential actions. Append-only event ledger for full forensic audit. Includes the /agp/validate runtime gate that downstream services (MCP servers, microservices) call before executing any agent-initiated instruction.

  • POST /agp/execution/action-envelopes
  • POST /agp/validate
  • GET /agp/execution/receipts/{id}
  • GET /agp/execution/ledger-events
  • GET /agp/execution/tasks/{id}/replay

Task Flow — The Only Path to Execution

Decision pipeline

Every consequential action flows through a mandatory multi-stage pipeline. Execution is fail-closed — any missing or invalid artifact halts the action.

Register Task

Create task with liability binding and capability token.

Attest Context

Gather evidence, classify trust, assign taint.

Assess Impact

Multi-horizon consequence simulation, Pareto analysis.

Policy Eval

Policy engine evaluates allow / deny / escalate.

Approve

Human or governance role attestation for high-risk actions.

Execute

Signed action envelope → receipt → ledger entry.

Built for accountability

Core protocol properties that hold across all conformant implementations.

🔒 Fail-closed execution

No consequential action executes without a valid capability token, liability binding, decision record, and policy clearance. Missing artifacts halt execution.

🔗 Delegatable capabilities

Capability tokens carry spend limits, scope constraints, and expiry. Revoking an ancestor immediately invalidates all descendants.

📜 Immutable audit trail

Hash-chained event ledger records every state transition. Append-only; no event can be removed or altered post-commit.

⚖️ Governance role separation

Strict separation of executive, compliance_monitor, and impact_assessor roles. High/critical-risk tasks require governance attestation.

🏷 Taint tracking

External and retrieved content is untrusted by default. Taint propagates through derivations unless explicitly cleared by a trust promotion.

🧭 Ethical frameworks

Impact assessment applies veil-of-ignorance, Pareto optimality, and rights-based constraints. Framework conflicts trigger escalation.

Platform

The AGP platform — reference server, developer portal, and operator console.

Authentication

OAuth 2.0 client-credentials authentication for AGP servers and SDKs.

On this page

Decision pipelineRegister TaskAttest ContextAssess ImpactPolicy EvalApproveExecuteBuilt for accountability