How it works
AGP is a governance layer that sits between an agent's intent and its actions.
Most AI agents can act without asking permission — they call APIs, move money, send messages, and modify data. When something goes wrong, there's often no clear record of what happened, who authorized it, or why.
Before anything consequential executes, the agent must declare what it wants to do, prove it has authority, pass a policy check, and, if the stakes are high enough, wait for a human to approve. Every step is logged immutably. If anything is missing, execution is blocked.
Example scenario — An AI agent is about to approve a $125,000 vendor payment
Without governance, it calls approve_payment(vendor, amount) and the money moves — no
checkpoint, no trail, no proof of authority. With AGP, six things must be true before
that call can execute.
Declare intent
The agent registers a Task — who is acting, what they want to do, and how risky it is. This creates an accountable record before anything happens. The task is the root of everything that follows.
Prove authority
The agent presents a capability token — a signed, delegatable grant that says "this agent may approve payments up to $X from account Y." Tokens can be revoked at any time. Without a valid one, execution is blocked immediately.
Run policy
The policy engine checks: Is this vendor approved? Is $125k within the agent's delegated limit? Is the jurisdiction covered? Does it conflict with any regulatory framework? In this case, the result is require_approval — the amount exceeds the auto-approve threshold.
Get human sign-off
Because the policy returned require_approval, an approval request is created and routed to a human controller. They review the task, the vendor, the amount, and the policy output — then approve or reject. The agent waits. Nothing executes until this step resolves.
Execute with a signed envelope
Only now — with all prerequisite artifacts valid — does the payment proceed. The action envelope bundles the task, capability, policy clearance, and human approval into a single signed object that is submitted to the execution layer and logged immutably to the audit ledger.
Missing anything? Blocked.
If the capability token is revoked, the policy denies, the human rejects, or any artifact is missing — the submission is rejected. Execution is fail-closed by design. There is no way to bypass the pipeline from outside the server.
Domain map — Registry, Decision, Execution
In code, this looks like:
# Python SDK — the same scenario
from agp import AGPClient

client = AGPClient("https://agp.example.com",
                   client_id="finance-agent", client_secret="...")

# 1. Declare intent
task = client.registry.create_task({
    "principal_id": "finance-agent",
    "requested_outcome": "Approve $125k payment to Acme Corp",
    "risk_tier": "high",
    "created_at": "2024-01-15T09:00:00Z",
})

# 2. Prove authority — capability scoped to payment approvals up to $200k
capability = client.registry.create_capability({
    "task_id": task["task_id"],
    "granted_by": "treasury-controller",
    "scope": ["approve_payment"],
    "max_amount_usd": 200000,
})

# 3. Run policy → verdict: "require_approval" (amount > $100k threshold)
policy = client.decision.evaluate_policy({
    "task_id": task["task_id"],
    "policy_set_id": "finance-v2",
})

# 4. Request human approval — agent waits for the controller to sign off
approval = client.decision.create_approval({
    "task_id": task["task_id"],
    "approver_role": "compliance_monitor",
})

# 5. Submit action envelope — blocked if any artifact is missing or revoked
result = client.execution.submit({
    "task_id": task["task_id"],
    "capability_token": capability["token_id"],
    "policy_decision": policy["evaluation_id"],
    "approval_artifact": approval["approval_id"],
    "action": {
        "type": "tool_call",
        "tool": "approve_payment",
        "params": {"vendor": "Acme Corp", "amount_usd": 125000},
    },
})
# → 201 Created. Signed receipt + immutable ledger entry.
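
The SDK calls above leave the fail-closed decision to the server. As an added illustration (not AGP's own code), this sketch shows how an execution gate could enforce it over a constructed envelope. The field names, the HMAC-signed capability, the "allow" verdict, and the functions sign, sample_envelope and gate are all assumptions.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"demo-key-not-for-production"  # constructed; stands in for a managed key


def sign(claims):
    """HMAC-SHA256 over canonical JSON of the capability claims."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def sample_envelope():
    """Constructed input mirroring the $125k payment scenario (hypothetical fields)."""
    claims = {"token_id": "cap-1", "task_id": "task-1",
              "scope": ["approve_payment"], "max_amount_usd": 200000}
    return {"task_id": "task-1",
            "capability": {"claims": claims, "sig": sign(claims)},
            "policy": {"task_id": "task-1", "verdict": "require_approval"},
            "approval": {"task_id": "task-1", "decision": "approved"},
            "action": {"tool": "approve_payment", "params": {"amount_usd": 125000}}}


def gate(envelope, revoked=frozenset()):
    """Return (allowed, reason); any missing or invalid artifact denies."""
    try:
        task_id, cap = envelope["task_id"], envelope["capability"]
        claims, action, policy = cap["claims"], envelope["action"], envelope["policy"]
        # Signature first: nothing in the claims is trusted until it verifies.
        if not hmac.compare_digest(cap["sig"], sign(claims)):
            return False, "capability signature invalid"
        if claims["token_id"] in revoked:
            return False, "capability revoked"
        if claims["task_id"] != task_id or policy["task_id"] != task_id:
            return False, "artifact bound to a different task"
        if action["tool"] not in claims["scope"]:
            return False, "tool out of scope"
        if action["params"]["amount_usd"] > claims["max_amount_usd"]:
            return False, "amount exceeds delegated limit"
        if policy["verdict"] not in ("allow", "require_approval"):
            return False, "policy denied"
        if policy["verdict"] == "require_approval":
            approval = envelope["approval"]
            if approval["task_id"] != task_id or approval["decision"] != "approved":
                return False, "human approval missing or rejected"
        return True, "ok"
    except (KeyError, TypeError):  # fail closed on absent or malformed artifacts
        return False, "artifact missing or malformed"
```

This sketch signs only the capability; a gate matching the description above would also verify the policy decision and approval artifacts before trusting their contents.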