Protocol Governance Model

The core proposition of the Agent Control Protocol (ACP) is governance. The protocol moves beyond simply orchestrating agent tools and focuses entirely on the accountability graph necessary for serious infrastructure and financial integrations.

The Constitutional Invariant

Every execution in the ACP environment is strictly governed by a mathematical invariant that must be satisfied. If any part of this invariant fails, no execution occurs, and zero state change is allowed.

Execute(request) ⇒ ValidIdentity ∧ ValidCapability ∧ ValidDelegationChain ∧ AcceptableRisk

Invariant Components Breakdown:

ValidIdentity

The agent's identity is current, verifiable, and cryptographically signed.

ValidCapability

The agent natively holds an authorized capability token precisely matching the requested operation scope.

ValidDelegationChain

The capability can be directly traced back through a cryptographic delegation chain to a recognized institutional root identity.

AcceptableRisk

The action's evaluated risk score remains within the policy thresholds set by the institutional root.

Institutional Responsibility

In distributed agentic systems, it must be completely unambiguous who is responsible when something goes wrong. ACP solves this via cryptographic delegation chains.

When an agent is spawned, it is given a highly restricted, temporary, capability-scoped identity. This identity is cryptographically signed by its "parent." This pattern continues up to a root private key held by a human operator, an Enterprise KMS, or an authorized DAO.

Therefore, any valid ACP execution can definitively answer: "Who authorized this execution?"

There is no ambiguity. The institutional root that ultimately signed the initial delegation is fully responsible for the downstream execution outputs.

Cross-Organizational Trust

By enforcing this governance structure natively, ACP enables institutions to accept agent requests across organizational boundaries. If Bank A receives a request from an agent spawned by Bank B over ACP, Bank A doesn't need to trust the agent's LLM; Bank A verifies the ACP invariant and simply trusts Bank B's delegation signature and bounded capabilities.
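The sketch below is an added example, not ACP's own code or token format: it evaluates the four invariant terms for a request arriving with a two-link delegation chain rooted at Bank B, and fails closed on any malformed input. The field names, the key table, the subset rule for scopes, and the risk inputs are assumptions, and HMAC stands in for an asymmetric signature scheme so the example runs on the standard library alone.

```python
import hashlib, hmac, json

# Constructed demo keys. HMAC stands in for an asymmetric signature scheme;
# a real verifier would hold only public keys.
KEYS = {"root:bank-b": b"k-root", "agent:parent": b"k-parent", "agent:child": b"k-child"}

def sign(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def verified(signer, body, sig):
    return signer in KEYS and hmac.compare_digest(sign(signer, body), sig)

def unsigned(obj):
    return {k: v for k, v in obj.items() if k != "sig"}

def delegate(issuer, subject, scope, expires):
    link = {"issuer": issuer, "subject": subject, "scope": sorted(scope), "expires": expires}
    return {**link, "sig": sign(issuer, link)}

def check_invariant(request, chain, trusted_roots, risk_score, max_risk, now):
    """Evaluate the four invariant terms; 'execute' is their conjunction."""
    try:
        leaf = chain[-1]
        identity = (leaf["subject"] == request["agent"] and now < leaf["expires"]
                    and verified(request["agent"], unsigned(request), request["sig"]))
        capability = request["operation"] in leaf["scope"]
        chain_ok = chain[0]["issuer"] in trusted_roots
        for i, link in enumerate(chain):
            chain_ok &= verified(link["issuer"], unsigned(link), link["sig"]) and now < link["expires"]
            if i:  # issued by the previous subject, and scope may only narrow
                chain_ok &= (link["issuer"] == chain[i - 1]["subject"]
                             and set(link["scope"]) <= set(chain[i - 1]["scope"]))
        risk = risk_score <= max_risk
    except (KeyError, IndexError, TypeError, AttributeError):
        identity = capability = chain_ok = risk = False  # malformed input fails closed
    terms = {"ValidIdentity": identity, "ValidCapability": capability,
             "ValidDelegationChain": chain_ok, "AcceptableRisk": risk}
    return {**terms, "execute": all(terms.values())}

def make_request(agent, operation):
    req = {"agent": agent, "operation": operation}
    return {**req, "sig": sign(agent, req)}

def demo(operation="payments:read", child_scope=("payments:read",), now=1_000):
    chain = [delegate("root:bank-b", "agent:parent", {"payments:read"}, 2_000),
             delegate("agent:parent", "agent:child", child_scope, 1_500)]
    return check_invariant(make_request("agent:child", operation), chain,
                           {"root:bank-b"}, risk_score=0.2, max_risk=0.5, now=now)
```

Returning each term separately lets the receiving institution log which part of the invariant rejected a request, while the decision itself stays a single conjunction.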