What is AGP?
AGP is a guardrail, not a gateway — policy enforcement, accountability, and human oversight for autonomous AI agents.
AGP (Agent Governance Protocol) is an open standard for governing autonomous AI agents in regulated, high-stakes, and multi-stakeholder environments. It defines an agent policy framework — specifying which actions an agent may take, under whose delegated authority, and with what cryptographic evidence trail. This is agentic AI compliance at the protocol layer, not routing infrastructure.
Policy · Accountability · Oversight
AGP answers the governance question before every consequential action: is this agent authorised, under which policy, with what delegated capability scope? AI agent governance is enforced deterministically and fails closed when authority cannot be verified.
Governance, not routing
Unlike Agent Gateway Protocol (Cisco/AGNTCY, a routing and infrastructure layer), AGP governs intent — intercepting action envelopes, running OPA policy decisions, and writing immutable audit entries. Different problem. Different solution. AGP = agent governance.
Two keys. Both required. No bypass path.
A high-security bank vault uses dual-control: two independent keys, inserted by two independent parties, before the door opens. Neither key works alone. Neither party can override the other. AGP applies the same principle to every consequential AI action.
Key 1 — Verifiable Authority
The agent must present a signed, scoped Capability Token — issued by an authorised controller, constrained to specific actions and spend limits, revocable at any time. No token. No execution. The issuing chain is cryptographically verifiable and immutable.
Key 2 — Policy Clearance
Every action is evaluated against the organisation's rule set — jurisdiction, spend thresholds, vendor controls, regulatory frameworks — before a single downstream API is called. The policy engine may auto-approve, require human sign-off, escalate, or deny. Both keys must turn.
The Regulatory Cliff — Protocol Whistleblows
When policy is violated, AGP does not log a warning and proceed. It halts execution and raises an Escalation Notice — a protocol-layer whistleblowing mechanism that routes the incident to a designated compliance monitor. The agent cannot override this. The instruction giver cannot override this. The cliff is structural.
Banking-Grade Evidence Chain
Every step — intent declared, authority proved, policy evaluated, approval obtained, action executed — is written to an Immutable Ledger with hash-chained entries. No entry can be removed or altered post-commit. A complete forensic replay is possible from any point in the chain. This is not a log. It is a legal record.
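How hash-chained entries make alteration detectable, as an added example that is not AGP's own code or ledger format. The entry layout, the GENESIS value and the sample records are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first entry

def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(ledger, record):
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev_hash, "record": record,
                   "hash": digest(prev_hash, record)})
    return ledger[-1]["hash"]  # new head; store it outside the ledger

def verify(ledger, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        if (entry["prev"] != prev_hash
                or entry["hash"] != digest(prev_hash, entry["record"])):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(ledger)  # truncated or fully rewritten chain
    return -1

def build_sample():
    # Constructed records following the five steps named in the text.
    ledger, head = [], GENESIS
    for step in ("intent_declared", "authority_proved", "policy_evaluated",
                 "approval_obtained", "action_executed"):
        head = append(ledger, {"task": "T-001", "step": step})
    return ledger, head
```

An in-place edit breaks the chain at the edited entry, but a truncated or fully recomputed chain is still internally consistent; only comparison against a head hash held outside the ledger catches those cases.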
AI agents are Yes-Bots. That's a liability.
Every AI agent that can take consequential action is, by default, a high-speed liability. AGP was designed to fix that — structurally, at the protocol layer.
WHY — AI agents have no structural way to say 'no'
Current AI agents are Yes-Bots: optimised to execute, not to govern. They approve payments, send communications, and modify records at machine speed — with no checkpoint between a dangerous mandate and a real-world consequence. When something goes wrong, there is no audit trail, no proof of authority, and no clear accountability chain. That is a legal, regulatory, and reputational liability.
WHAT — AGP is the digital safety cage — The Purple Line
AGP defines a deterministic boundary between an agent's intent and its actions. It is not a guardrail bolted onto a model's output. It is a protocol-layer enforcement mechanism that operates independently of the AI system itself. Crossing The Purple Line without authority, policy clearance, and a complete evidence chain is structurally impossible — by design, not by convention.
HOW — A dual-control bank vault for every agent action
AGP works like the dual-control mechanism on a high-security bank vault — both keys must be inserted independently before the door opens. No single party can bypass the process. Before a single line of consequential code executes: intent is declared and registered, authority is cryptographically proven, and policy is evaluated deterministically. If any condition fails, the vault stays closed. Always.
The Bank Vault — Three Independent Locks
No single party — not the agent, not its operator, not even the platform — can unilaterally execute a consequential action without satisfying all three conditions:
Intent is declared.
The agent registers a Task — a verifiable record of who is acting, what they intend to do, and the assessed risk tier. This creates accountability before a single API call is made.
Authority is proven.
The agent presents a signed, scoped Capability Token — a delegatable grant issued by an authorised controller. Tokens can be revoked at any time. No valid token means no execution, regardless of the instruction source.
Policy is evaluated.
The action is checked against the organisation's rule set before execution. The engine may auto-approve, require human sign-off, escalate, or deny. Every outcome is logged immutably — approval and denial alike.
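A fail-closed gate combining the authority check and the policy check described above, as an added example that is not AGP's own code or token format. The HMAC signature, the claim names, the vendor list and the spend thresholds are all assumptions standing in for whatever the protocol actually specifies.

```python
import hashlib
import hmac
import json

CONTROLLER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signature
APPROVED_VENDORS = {"acme-supplies"}      # hypothetical rule-set data
REVOKED = set()                           # token ids revoked by the controller

def sign(claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(CONTROLLER_KEY, body, hashlib.sha256).hexdigest()

def issue_token(token_id, agent, actions, spend_limit):
    claims = {"id": token_id, "agent": agent,
              "actions": sorted(actions), "spend_limit": spend_limit}
    return {"claims": claims, "sig": sign(claims)}

def authority_ok(token, task):
    """Key 1: signature, revocation, and scope must all check out."""
    try:
        claims = token["claims"]
        return (hmac.compare_digest(sign(claims), token["sig"])
                and claims["id"] not in REVOKED
                and claims["agent"] == task["agent"]
                and task["action"] in claims["actions"]
                and task["amount"] <= claims["spend_limit"])
    except Exception:
        return False  # fail closed: unverifiable authority is no authority

def policy_decision(task):
    """Key 2: hypothetical thresholds; returns one of the four outcomes."""
    if task["vendor"] not in APPROVED_VENDORS:
        return "deny"
    if task["amount"] > 10_000:
        return "escalate"
    if task["amount"] > 1_000:
        return "require_human"
    return "auto_approve"

def gate(task, token, audit):
    """Execute only when both keys turn; log every outcome."""
    outcome = "deny"
    if authority_ok(token, task):
        try:
            outcome = policy_decision(task)
        except Exception:
            outcome = "deny"  # policy engine error also fails closed
    audit.append((task.get("action"), outcome))
    return outcome == "auto_approve", outcome
```

A missing token, a tampered claim, a revoked id or an exception in either check all land on "deny", and the denial is appended to the audit list just like an approval.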