Agent Control Protocol (ACP)

Admission control for agent actions.

ACP is the governance layer between agent intent and system state mutation — the open standard that answers who authorized the agent, what policy allowed the action, and how to verify it independently.

Get Started Read Specification

What is ACP

Agent Control Protocol (ACP) provides verifiable governance for autonomous agents. It defines who authorized an agent, what it executed, and who is accountable for the outcome across systems and institutions.

ACP enables:

Authority verification: Cryptographically prove who authorized an agent's actions.
Execution traceability: Maintain a verifiable log of every operation.
Institutional accountability: Unambiguously map outcomes back to the responsible institution or individual.

Why ACP Exists

Autonomous agents are increasingly interacting with real systems such as APIs, enterprise infrastructure, financial systems, and other agents. When agents operate across organizations, several critical governance questions arise:

Authorization

Who authorized the agent to act on their behalf?

Capabilities

What capabilities does the agent actually possess?

Policy

What policy definitively allowed the specific action?

Verification

Can the execution be independently verified later by third parties?

Most current systems cannot answer these questions reliably. ACP introduces the infrastructure to answer them definitively.

How ACP Works

ACP treats agent interactions as governable operations. Each interaction must successfully pass through a strict sequence to ensure it is traceable, auditable, and attributable.

The Constitutional Invariant

Execute(request) ⇒ ValidIdentity ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk

No action Executes unless all conditions are satisfied.

To learn more about how ACP structures these interactions, explore the ACP Architecture or read about our Governance Model.

Example ACP Request

Every governable action begins with an encoded request carrying all necessary cryptographic proofs.

{
  "agent_id": "did:acp:agent-123",
  "capability": "payments.transfer",
  "delegation_chain": [
    "org-root",
    "finance-department"
  ],
  "risk_score": 0.18,
  "timestamp": "2026-03-12T14:32:10Z",
  "signature": "0xabc123..."
}

In this execution request, the agent presents a globally unique agent_id and requests to execute the payments.transfer capability. It brings a delegation_chain tracing back to an authorized institutional root, an evaluated risk_score, and a cryptographic signature binding the request to its root.

Reference Implementation

ACP ships a production-grade Go reference implementation — not pseudocode. 23 packages, 5 conformance levels, 138 compliance test vectors, and the ACR-1.0 sequence runner: validate any implementation against the full ACP-RISK-3.0 execution contract, with real cryptography and real hash chains.

Go packages
L1 → L4

138

Single-shot
test vectors

Sequence scenarios
ACR-1.0 runner

Specification
documents

Quickstart Browse Implementation

Performance

ACP is compute-cheap but state-sensitive: decision evaluation incurs minimal overhead, while throughput is bounded by the state backend — not by the protocol logic itself.

~820 ns

per admission decision
Intel i7-8665U · Go 1.22

~88 ns

cooldown path
9.5× faster via Step 2 early exit

~920k

req/s at baseline concurrency
bounded by state backend

<1 μs

all decision paths
sub-microsecond by design

The LedgerQuerier abstraction formalizes this boundary — replace the state backend (in-memory → Redis → Postgres) without touching protocol semantics.

Verification Flow

ACP enforces the governance invariant through verifiable runtime execution. The code below demonstrates the invariant checks before any tool access is granted.

def handle_acp_request(request):
    # Enforce the Constitutional Invariant
    if not compute_signature(request) == request.signature:
        raise AuthenticationError("InvalidIdentity")
        
    if not capability_registry.has_permission(request.agent_id, request.capability):
        raise AuthorizationError("InvalidCapability")
        
    if not verify_chain(request.delegation_chain, "org-root"):
        raise DelegationError("InvalidDelegationChain")
        
    if request.risk_score > policy.max_acceptable_risk("payments.transfer"):
        raise PolicyViolationError("UnacceptableRisk")
        
    # All governance checks passed. Deterministic execution proceeds.
    return execute_capability(request)