Agent Control Protocol: Admission Control for Agent Actions

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Agent Control Protocol (ACP) is a formal technical specification for admission control governance of autonomous agents in B2B institutional environments. Before any agent action reaches execution, it passes a cryptographic admission check validating identity, capability scope, delegation chain, and policy compliance – an admission control layer between agent intent and system state mutation. ACP defines cryptographic identity (Ed25519, JCS), capability-based authorization, deterministic risk evaluation (integer arithmetic, no ML inference), chained delegation, transitive revocation, and cryptographically-chained auditing. It operates on top of RBAC and Zero Trust, addressing what neither model solves: governing agent actions with deterministic enforcement, temporal limits, and full traceability across organizational boundaries. The protocol is compute-cheap but state-sensitive: decision evaluation costs ~820 ns while throughput reaches 920k req/s – a separation enabling state backend replacement without modifying protocol semantics. Adversarial evaluation confirms ACP-RISK-2.0 enforcement holds under active evasion: 99% (495/500) single-agent evasion attempts are blocked after only five requests, per-agent isolation is preserved across 100 coordinated agents, and throughput degradation under stress is attributable to state-backend latency. The v1.19 specification comprises 38 technical documents, a Go reference implementation (23 packages), 73 signed conformance test vectors, 65 RISK-2.0 vectors, an OpenAPI 3.1.0 specification (18 endpoints), a TLC-checked TLA+ formal model (3 invariants, 0 violations), an ACR-1.0 sequence compliance runner, and adversarial evaluation scripts in compliance/adversarial/.


💡 Research Summary

The paper introduces the Agent Control Protocol (ACP), a deterministic admission‑control framework designed to govern autonomous agents operating across institutional boundaries in B2B environments. Unlike traditional RBAC or Zero‑Trust models that focus on human identities and static role permissions, ACP inserts a verification layer between an agent’s intent and any state‑mutating operation. The protocol consists of several sequential checks: (1) cryptographic identity verification using Ed25519 keys (ACP‑AGENT‑1.0, ACP‑HP‑1.0), (2) capability token validation (ACP‑CT‑1.0) and chained delegation verification (ACP‑DCMA‑1.1), (3) deterministic risk evaluation (ACP‑RISK‑2.0) that aggregates autonomy level, historical usage, resource limits, and anomaly signals into an integer risk score, and (4) issuance of a single‑use execution token (ACP‑EXEC‑1.0) for approved actions. Every decision—admit, deny, or escalate—is recorded in an append‑only, institution‑signed audit ledger (ACP‑LEDGER‑1.3), enabling full post‑hoc accountability and cross‑organization verification using only public keys.
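The audit-ledger property described above, as a Go example added here (not code from the paper or its reference implementation): each entry commits to the digest of its predecessor and carries an Ed25519 signature, so a verifier holding only the institution's public key can locate the first altered or missing record. The `Entry` fields, the length-prefixed encoding (standing in for JCS) and the sample agent name are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical audit record, not the ACP-LEDGER-1.3 wire format.
type Entry struct {
	Agent, Decision string // Decision: admit, deny or escalate
	Prev, Sig       []byte // digest of the previous entry; institution signature
}

// digest hashes the length-prefixed fields (a stand-in for JCS canonicalisation).
func (e Entry) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s,%d:%s,%x", len(e.Agent), e.Agent, len(e.Decision), e.Decision, e.Prev)
	return h.Sum(nil)
}

// Append signs a new entry that commits to the digest of the current tail.
func Append(log []Entry, key ed25519.PrivateKey, agent, decision string) []Entry {
	e := Entry{Agent: agent, Decision: decision}
	if n := len(log); n > 0 {
		e.Prev = log[n-1].digest()
	}
	e.Sig = ed25519.Sign(key, e.digest())
	return append(log, e)
}

// Verify needs only the public key; it returns the first bad index, or -1.
func Verify(log []Entry, pub ed25519.PublicKey) int {
	var prev []byte
	for i, e := range log {
		if !bytes.Equal(e.Prev, prev) || !ed25519.Verify(pub, e.digest(), e.Sig) {
			return i
		}
		prev = e.digest()
	}
	return -1
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil)
	log := Append(Append(nil, key, "agent-7", "admit"), key, "agent-7", "deny") // constructed
	log[1].Decision = "admit" // rewrite the denial after the fact
	fmt.Println(Verify(log, pub)) // 1: entry 1 no longer matches its signature
}
```

A chain like this does not reveal truncation of the newest entries; detecting that requires the latest digest to be anchored somewhere outside the log.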

A key design insight is the separation of computation from state. The decision logic is stateless and runs in roughly 820 ns per request, while overall throughput (up to 920 k requests per second) is limited primarily by the latency and contention of the state backend (LedgerQuerier). This allows operators to swap or scale the backend (in‑memory store, distributed KV, or blockchain) without altering protocol semantics.

The authors provide a comprehensive artifact set: a formal TLA+ model checked with TLC (three invariants, zero violations), 73 signed conformance test vectors, 65 risk‑engine scenario vectors, an OpenAPI 3.1 specification with 18 endpoints, and a Go reference implementation comprising 23 packages. Formal verification guarantees that identity, delegation, and audit invariants hold; the test vectors ensure implementation‑spec alignment; and the risk engine has been exercised against adversarial scenarios.

Experimental evaluation demonstrates sub‑microsecond decision latency, a “cool‑down” fast path (≈ 88 ns) that bypasses full risk calculation after repeated suspicious requests, and robust security properties. In adversarial tests, 99 % of 500 single‑agent evasion attempts were blocked within five requests, and per‑agent isolation persisted across 100 coordinated agents. Throughput degradation under stress was traced to state‑backend contention rather than protocol logic.
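The separation of stateless decision logic from the state backend, and the cool-down fast path, can be shown together in a small Go example added here (not code from the paper or its reference implementation). The weights, thresholds, strike limit, field names and the in-memory map used as the backend are all assumptions; none are ACP-RISK-2.0 values.

```go
package main

import "fmt"

// Hypothetical weights and thresholds; none are taken from ACP-RISK-2.0.
const denyAt, escalateAt, strikeLimit, coolDown = 70, 40, 3, 60

type Request struct {
	Agent                      string
	Autonomy, Units, Anomalies int
	Now                        int64 // caller-supplied clock keeps Decide deterministic
}

// State is the per-agent record that lives in the state backend.
type State struct {
	Seen, Strikes int   // requests scored so far; denials since the last cool-down
	CoolUntil     int64 // requests before this time are denied without scoring
}

// Decide is pure integer arithmetic over (request, state) and does no I/O.
func Decide(r Request, s State) (string, State) {
	if r.Now < s.CoolUntil {
		return "deny", s // cool-down fast path: the score is never computed
	}
	score := 10*r.Autonomy + 2*s.Seen + r.Units/100 + 15*r.Anomalies
	s.Seen++
	if score >= denyAt {
		if s.Strikes++; s.Strikes >= strikeLimit {
			s.Strikes, s.CoolUntil = 0, r.Now+coolDown
		}
		return "deny", s
	} else if score >= escalateAt {
		return "escalate", s
	}
	return "admit", s
}

// Admit alone touches the backend; the map stands in for any per-agent store.
func Admit(store map[string]State, r Request) string {
	decision, next := Decide(r, store[r.Agent])
	store[r.Agent] = next
	return decision
}

func main() {
	store := map[string]State{}
	for t := int64(0); t < 4; t++ { // constructed burst from one agent
		fmt.Println(Admit(store, Request{Agent: "a", Autonomy: 4, Anomalies: 2, Now: t}))
	}
}
```

Because state is keyed by agent, one agent's strikes never affect another's score, and replacing the map with a remote store changes latency but not the decisions.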

The paper also discusses integration with existing security stacks: ACP sits atop RBAC and Zero‑Trust, adding identity‑bound cryptographic proofs, dynamic delegation, and deterministic risk scoring. It supports multi‑institutional trust anchors (IT‑A) for key rotation and revocation, and defines a reputation snapshot mechanism for cross‑org reputation sharing.

Use‑case sections illustrate applicability to inter‑bank payment agents, governmental document processing, multi‑company AI orchestration, and critical‑infrastructure monitoring. Limitations include reliance on integer‑based risk scoring (restricting expressive policies) and the need for high‑availability state backends. Future work envisions richer policy languages, blockchain‑backed ledgers, and broader industry standardization.

In summary, ACP offers a rigorously specified, formally verified, and performance‑optimized admission‑control layer that enables safe, auditable, and interoperable deployment of autonomous agents across organizational boundaries, filling a critical gap left by existing access‑control frameworks.

