Protocol Governance Model
ACP is admission control for agent actions. Its governance model defines a single, mathematically precise condition that must be satisfied before any agent is permitted to mutate system state — regardless of what the agent reasons, plans, or is instructed to do.
The Constitutional Invariant
Every execution in the ACP environment is strictly governed by a mathematical invariant. If any component fails, no execution occurs and no state change is allowed.
Execute(request) ⇒ ValidIdentity ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk
ValidIdentity → pkg/agent · pkg/hp
The agent's Ed25519 identity signature is current, verifiable, and cryptographically bound to an institutional root. Implemented via ACP-AGENT-1.0 and the ACP-HP-1.0 handshake protocol.
ValidCapability → pkg/ct
The agent holds a signed capability token that precisely matches the requested operation scope, autonomy level, and time window. Tokens are scoped, time-bounded, and non-transferable. Implemented via ACP-CT-1.0.
ValidDelegationChain → pkg/dcma
The capability traces back through a cryptographic chain to a recognized institutional root: human → agent → sub-agent → tool. No agent can re-delegate authority it does not itself hold. Implemented via ACP-DCMA-1.1.
AcceptableRisk → pkg/risk · pkg/psn
The action's evaluated risk score is within the thresholds defined by the current active policy snapshot. Policy snapshots transition atomically — when institutional policy changes, all subsequent admission checks use the new parameters immediately. Implemented via ACP-RISK-1.0 and ACP-PSN-1.0.
Execution Proof
When all four conditions are satisfied, the admission control issues a signed execution token — the cryptographic proof that this specific action was authorized, by whom, under which policy version, at which timestamp.
The token and the full event chain are appended to the institution's immutable ledger (SHA-256 hash chain, Ed25519 signed). Any third party can independently verify any event in the chain without trusting the institution — the math speaks for itself.
Implemented via pkg/exec (ACP-EXEC-1.0) and pkg/ledger (ACP-LEDGER-1.3).
Institutional Responsibility
In distributed agentic systems, it must be unambiguous who is responsible when something goes wrong. ACP solves this via cryptographic delegation chains.
When an agent is spawned, it receives a restricted, scoped, time-bounded identity signed by its parent. This pattern continues up to a root key held by a human operator or Enterprise KMS. Therefore, any valid ACP execution can definitively answer: "Who authorized this execution?"
The institutional root that signed the initial delegation is fully accountable for all downstream execution outputs. There is no ambiguity — the chain is publicly verifiable.
Cross-Organizational Trust
ACP enables institutions to accept agent requests across organizational boundaries without trusting each other's internal systems. If Bank A receives a request from an agent spawned by Bank B, Bank A does not need to understand Bank B's orchestration logic — it only needs to verify the ACP admission invariant: that the agent's identity and capabilities are cryptographically bound to Bank B's institutional root.
Trust comes from verification, not from behavioral assumptions or bilateral agreements about agent design.
Formal Verification
The ACP governance invariant is not just specified — it is formally verified with TLC model checking. The tla/ACP_Extended.tla module (v1.20) encodes the full execution model including per-agent cooldown temporal state, denial accumulation, and delegation chain integrity.
verified
verified
0 violations
Key invariants: CooldownEnforced (active cooldown forces DENIED regardless of risk score), CooldownImpliesThreshold (cooldown only after real denial accumulation), DelegationIntegrity (no consecutive self-delegation in chain), RiskDeterminism (same capability+resource always produces the same risk score). The liveness property CooldownExpires guarantees cooldown is not permanent — verified with weak fairness on time advance.
Source: tla/ACP_Extended.tla · tla/ACP_Extended.cfg · TLC v1.7.1
Adversarial Robustness
The invariant is validated under adversarial conditions — not just in the base case. Nine experiments in compliance/adversarial/ demonstrate that ACP's admission control holds under real attack patterns.
Exp 1 — Cooldown Evasion
500 requests alternating high/low risk. Cooldown triggers after exactly 3 real DENIED decisions. 495/500 requests blocked (99%). Evasion pattern does not bypass accumulation.
Exp 2 — Distributed Multi-Agent
100 coordinated agents at low individual volume. Per-agent isolation enforced — no cross-agent interference. Each agent blocked independently after its own denial threshold.
Exp 3 — State Backend Stress
N=5 runs. InMemory ~376k req/s (±45%), Redis ~2,300 req/s (±10%), pipelined ~4,200 req/s (±11%, 1.8× unpipelined). ACP does not eliminate the cost of distributed state — it makes that cost explicit and measurable.
Exp 4 — Controlled Latency Injection
Injected backend latency (0–100 ms). Throughput degrades proportionally; the Evaluate() function contributes 767–921 ns regardless of backend latency. LedgerQuerier abstraction confirmed as the correct performance boundary.
Exp 5 — Token Replay
Sequential and concurrent replays accumulate via F_anom Rule 3, escalating RS from 55 (ESCALATED) to 70 (DENIED) after 3 identical patterns. Replay resistance bounded: near-identical tokens with varied resource fields evade Rule 3 — documented limitation, not design gap.
Exp 6 — Stateless vs. Stateful
500 requests. Stateless engine: 500/500 admitted (0% detection). ACP stateful: 2/500 admitted (0.4%). Detection latency: 11 actions. Temporal behavioral properties are structurally unenforceable without state.
Exp 7 — State-Mixing Vulnerability
ACP-RISK-2.0: cross-context Rule 1 contamination causes RS +20 and ESCALATED→DENIED after 11 data.read requests in an unrelated context. Formally characterized vulnerability, fixed in v1.22.
Exp 8 — Context-Scoped Fix (ACP-RISK-3.0)
PatternKey = SHA-256(agentID ‖ cap ‖ resource). Cross-context contamination eliminated. Same-context burst detection preserved (RS=85 DENIED). 767 ns key derivation — sub-microsecond envelope maintained.
Exp 9 — Deviation Collapse and Restoration
Upstream sanitization eliminates all risk signals — ACP returns APPROVED for every request (BAR=0.00) while the engine functions correctly. Counterfactual injection (structural, behavioral, temporal mutations) restores boundary interaction to BAR=1.00. Demonstrates that meaningful governance requires preserving failure conditions at the execution boundary, not only enforcing them.
Research Series
ACP is the enforcement layer of a seven-paper series on formal agent governance. Each paper addresses a distinct layer of the governance stack. View the full series →
P0 — Atomic Decision Boundaries
Proves the structural condition under which an admission control system can guarantee admissibility at execution time. Introduces the atomic decision boundary: decision and state transition as a single indivisible step.
P1 — Agent Control Protocol (ACP) This paper
Temporal admission control that enforces behavioral properties over execution traces. TLA+ verified over 4.29 × 10⁹ states.
P2 — From Admission to Invariants (IML)
Proves that no enforcement signal can recover whether an agent's behavior remains within its admission-time admissible space. Introduces the Invariant Measurement Layer (IML): a consistent estimator of behavioral deviation with finite detection delay.
P3/4 — Irreducible Governance Structure
Proves that allocation is a structural component of governance. Establishes Sybil amplification and strategy-proofness impossibility results, and proves irreducibility: no strict subset of the four governance layers can replicate the guarantees of the full architecture.
P5 — Reconstructive Authority Model (RAM)
Separates integrity from coverage: attestation proves trust in measurement, not completeness of execution-relevant reality. RAM introduces a reconstruction gate over the coverage envelope and proves it is a necessary condition for execution validity under partial observability.
P6 — Operationalizing Reconstructive Authority
Provides the runtime enforcement of RAM: dynamic dependency resolution, authority reconstruction at action time, and a Recovery Loop integrating drift detection (IML) with execution gating (ACP). Proves execution safety and conditional liveness.