# AGP — Agent Governance Protocol > An open governance protocol for autonomous AI agents operating in high-stakes, regulated, and multi-stakeholder environments. AGP (Agent Governance Protocol) is an open HTTP/REST protocol that sits between an AI agent's intent and its actions. Before any consequential action executes, AGP requires the agent to declare intent, prove authority via a capability token, pass a policy evaluation, and — for high-risk actions — obtain human approval. Execution is fail-closed: any missing or invalid artifact blocks the action. Every step is logged to an immutable, hash-chained audit ledger. Built and maintained by CunardAI (https://cunardai.com). Apache-2.0 licensed. ## Docs - [Protocol site](https://agp-protocol.dev): Overview, schemas, API specs, install - [Specification](https://agp-protocol.dev/spec/implementation-profile.md): Full AGP Implementation Profile v0.9 - [Registry API](https://agp-protocol.dev/api/registry.yaml): OpenAPI 3.1 spec — tasks, capabilities, liability bindings, delegations, skills, revocations - [Decision API](https://agp-protocol.dev/api/decision.yaml): OpenAPI 3.1 spec — evidence, impact assessment, policy evaluation, approvals, escalations - [Execution API](https://agp-protocol.dev/api/execution.yaml): OpenAPI 3.1 spec — action envelopes, receipts, event ledger, replay - [GitHub](https://github.com/cunardai/agp-protocol): Source code, JSON schemas, OPA policies, conformance suite ## Explainers - [Explainers — Technical](https://agp-protocol.dev/docs/explainers): 60-second explainer scripts for C-Level, Platform Architects, and Developers - [Explainers — Persona](https://agp-protocol.dev/resources/explainers): 60-second scripts for Chief Risk Officer (liability, regulatory whistleblowing), Platform Architect (separation of concerns, fail-closed gate), and Developer (action envelope, SDK simplicity) ## The Mandate Paradox AGP is designed to solve the Mandate Paradox: AI agents are optimised to execute instructions (Yes-Bots), but in high-stakes environments an agent that always says YES is a high-speed liability. AGP introduces The Purple Line — a deterministic, protocol-layer guardrail that structurally prevents an agent from executing a consequential action without verifiable authority, policy clearance, and a complete evidence chain. The Purple Line cannot be crossed by instruction alone, regardless of who gives the mandate. ## Protocol Interoperability AGP is the governance layer across the emerging agentic protocol stack. Other protocols handle transport and commerce; AGP handles accountability: - MCP (Model Context Protocol): handles tool-call transport. AGP governs every tool call — capability scopes, policy evaluation, audit envelope. - A2A (Agent-to-Agent): handles agent coordination. AGP governs the authority chain — sub-token delegation, scoped inheritance, cascade revocation. - AP2 (Agent Payments Protocol): handles payment mandates. AGP governs the evidence chain — IntentMandates map to capability tokens, CartMandates map to action envelopes. - UCP (Universal Commerce Protocol): handles checkout sessions. AGP governs spend authority — policy evaluated before any UCP request reaches a merchant. ## SDKs - Python: `pip install agp-sdk` — https://pypi.org/project/agp-sdk/ - TypeScript/Node.js: `npm install @agp-protocol/sdk` — https://www.npmjs.com/package/@agp-protocol/sdk Both SDKs handle OAuth 2.0 token acquisition and refresh automatically when client_id and client_secret are provided. ## Core Concepts **Task**: The root lifecycle object. Every AGP-governed action begins with a Task — who is acting, what they intend to do, and the risk tier (low / medium / high / critical). Tasks move through a 14-state machine from CREATED to COMPLETED. All other protocol objects reference a Task. **Capability Token**: A signed, delegatable authorization grant. Proves the agent has been delegated authority to perform a specific class of action, with optional spend limits, scope constraints, and expiry. Tokens form a delegation chain. Revoking any token in the chain immediately invalidates all dependents. **Liability Binding**: Associates a task to a sponsoring entity and accountable owner. Establishes who is legally responsible for the action before it occurs. **Attested Context**: Describes the execution environment — trust classification of the input, taint flags for externally-sourced content, and jurisdiction. External and retrieved content is untrusted by default. Taint propagates through derivations unless explicitly cleared by a trust promotion. **Evidence Bundle**: Grouped evidence items with verification status. Feeds the impact assessment and policy evaluation. **Impact Assessment**: Multi-horizon consequence simulation using veil-of-ignorance, Pareto optimality, and rights-based ethical frameworks. Framework conflicts trigger automatic escalation. **Policy Evaluation**: The policy engine (OPA-compatible Rego by default) evaluates whether the action may proceed. Verdicts: allow / deny / require_approval / quarantine. **Approval Artifact**: Human or system attestation required when the policy verdict is require_approval. Supports single approver, dual-control, and multi-party modes. **Action Envelope**: The execution gate. A single signed object bundling the task, capability token, liability binding, decision record, policy evaluation, and (when required) approval artifact. Submitted to POST /agp/action-envelopes. Any missing, expired, or revoked artifact causes the server to reject the request. **Execution Receipt**: Signed proof that a valid action envelope was accepted and the action may proceed. **Event Ledger**: Append-only, hash-chained audit log. Every state transition across all protocol objects is recorded. No event can be removed or altered post-commit. Full replay is supported. **Revocation Notice**: Invalidates a capability token with an effective_at timestamp. Propagates to all downstream tokens in the delegation chain. ## The Six-Step Pipeline Every consequential action flows through this mandatory pipeline. Any stage that fails or is missing halts execution: 1. **Register Task** — POST /agp/tasks. Declare intent, principal, risk tier. 2. **Establish authority** — POST /agp/capabilities and POST /agp/liability-bindings. Prove delegated authority and bind legal accountability. 3. **Attest context and gather evidence** — POST /agp/decision/contexts and POST /agp/decision/evidence-bundles. Classify trust, record taint, gather supporting evidence. 4. **Run policy evaluation** — POST /agp/decision/policy-evaluations. Policy engine returns: allow / require_approval / deny / quarantine. 5. **Obtain human approval** (if verdict is require_approval) — POST /agp/decision/approvals. Human controller reviews and signs off. Agent waits. 6. **Submit action envelope** — POST /agp/action-envelopes. Server validates all artifacts. On success: returns 201 with signed receipt and creates a ledger entry. ## Authentication AGP uses OAuth 2.0 client credentials flow (RFC 6749). Auth is opt-in: set AGP_AUTH_SECRET on the reference server to enable it. When disabled, the server is open — useful for development and conformance testing. Token endpoint: POST /oauth/token Response: { access_token, token_type: "bearer", expires_in, scope } Nine fine-grained scopes: - agp.registry.read / agp.registry.write - agp.decision.read / agp.decision.write - agp.execution.read / agp.execution.write - agp.approval.write - agp.policy.write - agp.revocation.write ## Design Properties - **Fail-closed execution**: No consequential action executes without a complete, valid, non-revoked set of prerequisite artifacts. - **Delegatable capabilities**: Capability tokens carry scope constraints, spend limits, and expiry. Revoking an ancestor invalidates all descendants immediately. - **Immutable audit trail**: Hash-chained event ledger. Append-only. Every state transition recorded. Full forensic replay supported. - **Governance role separation**: Strict separation of executive, compliance_monitor, and impact_assessor roles. High and critical risk tasks require attestation from a governance role. - **Taint tracking**: External and retrieved content is untrusted by default. Taint propagates through derivations unless explicitly cleared. - **Ethical frameworks**: Impact assessment applies veil-of-ignorance, Pareto optimality, and rights-based constraints. Conflicts between frameworks trigger automatic escalation. - **EU AI Act alignment**: Risk classification maps to Article 9 (risk management). Human oversight maps to Article 14. Immutable ledger satisfies Article 12 (record-keeping). Attested context and evidence bundles satisfy Article 13 (transparency). ## Conformance AGP ships a pytest-based conformance test suite with 200+ tests across all three domains plus authentication (§17). Any server implementation can run the suite against itself: ``` pytest tests/ --base-url=http://your-server ``` Auth-mode tests require AGP_AUTH_SECRET, AGP_CLIENT_ID, and AGP_CLIENT_SECRET to be set on the server. ## Common Use Cases **Autonomous financial agents**: Payment approval, trade execution, account access — AGP enforces delegation limits, spend caps, and creates defensible audit trails for every authorized action. **Clinical AI agents**: Treatment plan modification, test ordering, prescription assistance — AGP enforces human-in-the-loop for high-risk decisions and satisfies record-keeping requirements. **Legal and compliance workflows**: AI agents that draft, file, or approve documents — AGP's liability binding and immutable ledger provide defensible evidence of who authorized what and when. **Multi-agent systems**: When one agent delegates to another (orchestrator → worker), AGP's capability delegation model tracks the full chain of authority. Sub-tokens can be scoped narrower than the parent. Revoking the orchestrator revokes all workers. **EU AI Act compliance**: Any AI system subject to Articles 9, 12, 13, or 14 of the EU AI Act. AGP's domains map directly to the Act's requirements for risk management, transparency, record-keeping, and human oversight. ## Frequently Asked Questions **Q: How is AGP different from just logging what an AI agent does?** A: Logging records what happened after the fact. AGP enforces governance before the action executes. An agent cannot submit an action envelope without valid authorization — the server rejects it. This is the difference between an audit log and an access control gate. **Q: Does AGP require OPA or a specific policy engine?** A: No. The reference server uses OPA with Rego policies, but the policy evaluation API is engine-agnostic. Any system that can return a structured verdict (allow / deny / require_approval / quarantine) can be used. **Q: How does AGP handle agent-to-agent delegation?** A: Via capability token chains. An orchestrating agent issues a sub-token to a worker agent with narrower scope, lower spend limits, and shorter expiry. Revoking the orchestrator's token cascades to all sub-tokens. **Q: Is AGP tied to any specific AI framework?** A: No. AGP is a REST protocol. The Python and TypeScript SDKs wrap it, but any HTTP client works. It is framework-agnostic and model-agnostic. **Q: Is AGP production-ready?** A: v0.9.x is a stable draft with a conformance suite, published SDKs, and a reference server. CunardAI operates a hosted AGP platform. The open specification is Apache-2.0 licensed. **Q: What is the difference between a Task and an Action Envelope?** A: A Task declares intent — it is created at the start of a workflow and is the governance root. An Action Envelope is the execution gate — it is submitted immediately before a specific consequential action, bundling all prerequisite artifacts. One Task may have multiple Action Envelopes if the agent takes multiple steps to complete its goal.