A new Agent Control Protocol codifies cryptographic admission control for enterprise autonomous agents, pairing 36 specification documents with a 22-package Go reference implementation and 51 signed conformance vectors; it aims to let institutions authorize, audit and revoke agent actions without replacing existing RBAC or Zero Trust systems.

Main Finding

ACP (Agent Control Protocol) is a formal, cryptographically grounded admission-control protocol designed to govern autonomous agents in B2B institutional environments. It inserts a verifiable, cross‑institutional checkpoint between agent intent and system state mutation so that no agent action can execute unless identity, capability scope, delegation chain, and policy/risk constraints are simultaneously validated and immutably recorded.

Key Points

• Purpose: closes the "structural gap" where agent decision and execution are currently the same event; introduces an intermediate, auditable admission check.
• Protocol nature: precise technical specification (v1.13) + reference implementation; not a loose framework or best-practice doc.
• Core invariant: Execute(request) ⇒ ValidIdentity ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk. If any predicate fails, action is denied.
• Cryptography & canonicalization:
  • Ed25519 signatures (32-byte keys, 64-byte signatures), SHA‑256 hashing, JCS (RFC 8785) canonical JSON, base64url encoding.
  • AgentID = base58(SHA‑256(public_key)).
• Central artifacts:
  • Capability Token (ACP-CT-1.0): signed JSON specifying capabilities, resource, expiry (mandatory), 128‑bit nonce, delegation policy and parent_hash for chaining.
  • Handshake / Proof‑of‑Possession (ACP-HP-1.0): stateless challenge-response per request to bind token to private key.
  • Execution Token (ACP-EXEC-1.0): single‑use, short‑lived cryptographic permit for exactly one action; prevents replay and enforces separation of authorization and execution.
  • Audit Ledger (ACP-LEDGER-1.3): append‑only, chained events (hn = SHA‑256(en ∥ hn−1)), signed by institutional Root Institutional Key (RIK).
• Delegation and revocation:
  • Verifiable chained delegation (ACP-DCMA-1.1): delegation depth bounded, no privilege escalation (delegated subset), parent_hash crypto‑links, transitive revocation.
• Deterministic risk evaluation (ACP-RISK-1.0):
  • Risk Score RS ∈ [0,100] = min(100, baseline_by_capability + context + agent_history + resource_classification).
  • Example thresholds for autonomy_level=2: RS ≤39 APPROVED; 40–69 ESCALATED; ≥70 DENIED. Autonomy levels 0–4 control permissible thresholds.
  • No stochastic/ML elements in the critical path (deterministic only).
• Inter‑institutional trust:
  • Institutional Trust Anchor (ACP-ITA-1.0) maps institution_id → Ed25519 public key; initial distribution of ITA public key is out‑of‑band.
  • Mutual recognition (MRA) is bilateral and non‑transitive.
• Cross‑organization execution:
  • Interaction_id (UUIDv7) for deduplication; event_id (UUIDv4) per emission.
  • Retry/backoff rules and explicit CROSS_ORG_ACK ledger events; derived state only from ledger events (no mutable status).
• Fail‑closed design and conformance:
  • Five non-negotiable design principles (fail closed, cryptographic identity, non‑escalating delegation, complete auditability, external verifiability).
  • v1.13 specification: 36 documents, Go reference implementation of 22 packages, 51 signed conformance test vectors, OpenAPI endpoints, conformance levels L1–L5.
  • Lists of verifiable requirements and prohibited behaviors (e.g., reuse of ETs prohibited).

Data & Methods

• Document type: technical specification + reference implementation and conformance tests (not empirical/behavioral study).
• Implementation artifacts:
  • Spec release v1.13 (36 documents).
  • Reference implementation in Go (22 packages).
  • 51 signed conformance test vectors (Ed25519 + SHA‑256).
  • OpenAPI 3.1.0 for endpoints.
• Formal mechanisms and algorithms:
  • JSON canonicalization (JCS), SHA‑256 hashing, Ed25519 signatures for all ACP artifacts.
  • Capability Token structure (example fields: ver, iss, sub, cap, res, exp, nonce, deleg, parent_hash, sig).
  • Proof‑of‑possession handshake: 128‑bit CSPRNG challenge, sign(challenge ∥ method ∥ path ∥ body_hash), 30s validity, single‑use.
  • Deterministic risk scoring function with additive factors: baseline by capability, request context, agent history, resource classification. Example numeric values given for components and thresholds.
  • Ledger chaining formula and full ledger query API for FULL conformance.
  • Cross‑org protocol with explicit retry schedule (three retries with exponential backoff: +30s, +60s, +120s), pending_review SLA (24h), and invariants preventing race conditions.
• Security model: STRIDE threat enumeration, guaranteed security properties, and declared residual risks (e.g., out‑of‑band ITA bootstrap trust, emergency revocation semantics).

Implications for AI Economics

• Transaction costs and trust:
  • ACP creates cryptographic, verifiable evidence that can reduce monitoring, verification, and dispute costs in agent‑mediated transactions. That lowers friction for delegating economically valuable tasks to autonomous agents across institutions.
  • Immutable audit trails and single‑use execution tokens make attribution and ex post liability clearer, enabling cheaper contract enforcement, fraud detection, and insurance underwriting.
• New markets and intermediaries:
  • Demand for ITA services, audit/attestation providers, secure HSM key management, conformance certification, and hosted ACP stacks. These create opportunity for specialized vendors and potential fee-based trust anchors.
  • Businesses may monetize ACP conformance as a signal of safety/creditworthiness; premium interoperability markets could emerge (L1–L5 segmentation).
• Network effects and standard adoption:
  • Strong positive network effects: the value of ACP grows with the number of participating institutions because cross‑institution agent activity becomes feasible and low‑friction.
  • Early adopters with widely trusted ITA keys or large partner networks could obtain strategic advantage; standards may favor larger incumbents that can absorb implementation/compliance costs—raising concentration risks.
• Compliance, regulation, and liability:
  • Regulators may favor protocols that provide deterministic, auditable controls and external verification. ACP could become a compliance baseline for regulated sectors (finance, critical infrastructure), shifting compliance costs from process to technical implementation.
  • Clear cryptographic provenance may shift liability allocation toward institutions that issue tokens or operate agents, while also enabling faster regulatory audits and automated reporting.
• Cost structure and firm incentives:
  • Implementation costs (HSMs, ledger exposure, engineering to integrate ACP checkpath, policy/risk tuning) raise fixed costs; smaller firms might face barriers to entry unless third‑party ACP-as-a-service providers emerge.
  • Deterministic risk evaluation and strict fail‑closed behavior reduce tail risk but may constrain agent autonomy and throughput; firms must trade off safety vs. speed/productivity of agents.
• Interoperability friction and bilateralism:
  • Mutual recognition is explicitly bilateral and non‑transitive; establishing a dense web of MRAs entails coordination costs. Expect phased, clustered adoption (consortia, industry alliances) rather than immediate universal interoperability.
• Incentives for behavioral changes and governance:
  • With verifiable delegation chains and transitive revocation, firms have technical means to limit moral hazard in delegated agent tasks, possibly enabling broader delegation and automation of previously manual tasks.
  • The prohibition of ML in the critical deterministic path may delay or reshape how adaptive ML models are integrated into authorization—ML can be used in advisory or non‑critical layers but not to decide admission in the spec’s critical path. This affects design choices and could create demand for certifiable, deterministic approximations or hybrid architectures.
• Potential negative externalities / risks:
  • Over‑reliance on a single ITA or dominant trust marketplace increases systemic risk (bootstrap trust is out‑of‑band).
  • Attackers who compromise a RIK or achieve emergency‑type key compromise could cause broad invalidation and operational disruption; economic value of keys and attestation may attract targeted attacks.
  • Deterministic risk scoring could be gamed if factors are observable or manipulable; adversaries may adapt their behavior to sit below thresholds, implying ongoing governance and periodic parameter updates (with attendant governance costs).
• Distributional effects:
  • Larger institutions and platform providers that can become widely trusted anchors may capture disproportionate value from cross‑institution agent orchestration, while smaller firms benefit from greater automation but may become dependent on those anchors.
  • Labor implications: easier, auditable agent deployment could substitute for some supervisory/operational roles, while creating jobs in compliance, audit, and cryptographic operations.
• Path to adoption:
  • Expect gradual, sectoral adoption where regulatory or economic incentives align (finance, government, critical infra), and marketplace solutions to frontload the fixed costs (managed ACP services, shared ITAs, consortia MRAs).
  • The specification’s conformance levels and signed test vectors lower interoperability uncertainty, helping markets form around certified suppliers.

Overall, ACP materially reduces informational and enforcement frictions for cross‑institutional agent actions by creating verifiable, cryptographic admission controls and audit trails. That lowers some transaction costs and enables new forms of inter‑firm automation, but also creates distributional effects, coordination costs for trust formation, and new security/market concentrations that economic actors and regulators will need to manage.