| Internet-Draft | AIGA | January 2026 |
| Aylward | Expires 30 July 2026 | [Page] |
This document specifies the AI Governance and Accountability (AIGA) Protocol, a practical, economically viable, and technically enforceable framework for governing autonomous AI agents. AIGA is designed to address real-world deployment constraints, adversarial agent scenarios, and economic incentive alignment.¶
The protocol is founded on a Tiered Risk-Based Governance model, applying proportional oversight to agents based on their capabilities. All agents are governed by an Immutable Kernel Architecture which provides a non-modifiable Trusted Computing Base (TCB) for enforcing policy. This is combined with Action-Based Authorization, where critical operations require real-time approval.¶
To solve the single-point-of-failure problem, the protocol uses a Federated Authority Network of regional, cross-validating hubs and provides a Network-Level Quarantine Protocol for enforcement. The entire framework is designed around Economic Incentive Alignment, making compliance the most economically rational choice for operators.¶
For high-assurance (T3-T4) scenarios, AIGA specifies advanced, redundant mechanisms including Multi-Vendor TEE Attestation (M-TACE), AI "Warden Triumvirate" Triage, Human Review Board (HRB) Multi-Signature, Peer Consensus Failsafe & Identity Rotation, and Double Ratchet Cryptography.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 July 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Advanced AI agents create governance challenges that previous computing paradigms did not face.¶
Autonomous operation: Agents act without continuous human supervision.¶
Capability uncertainty: Agent abilities may exceed designer expectations.¶
Adversarial potential: Sophisticated agents may attempt to circumvent oversight.¶
Economic pressure: Ungoverned agents have cost advantages over governed ones.¶
Jurisdictional complexity: Agents operate across legal boundaries.¶
AIGA core insight is that governance must be economically attractive, technically unavoidable, and legally enforceable to succeed.¶
AIGA is built on these principles:¶
AIGA explicitly addresses these adversarial scenarios:¶
Shadow Process Attack: Agent runs ungoverned cognitive processes outside monitored environment. Mitigated by M-TACE.¶
Incremental Compromise: Small approved changes accumulate to bypass governance. Mitigated by Warden Triumvirate.¶
Governance Fatigue: Overwhelming authorities with requests to slip through malicious changes. Mitigated by Warden Triumvirate.¶
Peer Collusion: Multiple agents coordinate to subvert peer-based validation. Mitigated by PQC-signed peer identity.¶
Authority Compromise: Single authority server is hacked or legally compelled. Mitigated by Federation and Peer Consensus Failsafe.¶
Economic Bypass: Operators choose ungoverned agents due to performance advantages. Mitigated by Economic Incentives.¶
Regulatory Arbitrage: Agents operate from permissive jurisdictions. Mitigated by Federated Authority and Quarantine.¶
Supply Chain Attack: Compromised hardware or software in agent infrastructure. Mitigated by M-TACE and controlled procurement.¶
AIGA Agent: Composed of an Application Layer (Untrusted) containing the AI Model and Business Logic, and an AIGA Kernel (TCB).¶
AIGA Kernel (TCB): The trusted component that the agent cannot modify. It includes the Policy Enforcer, Action Interceptor, Audit Logger, and Authority Client. This MUST run in a TEE/HSM or equivalent certified infrastructure.¶
AIGA Authority: A regional hub in a federated network. Manages Agent Registry, Policy Engine, Action Approval Service, Audit Analytics, Quarantine Coordinator, and Certification Authority.¶
Human Oversight: A council of human reviewers responsible for policy, exceptions, and audits. For high-risk decisions, this operates as an M-of-N Human Review Board (HRB).¶
Enforcement: A coordinated network of ISPs, Cloud Providers, and Legal entities that enforce quarantine lists.¶
Agents are classified into risk tiers determining governance requirements as shown in Table 1.¶
| Tier | Examples | TCB Req | Approval | Check-in |
|---|---|---|---|---|
| T0 Minimal | Chatbots, filters | Software attestation | Audit only | 24 hours |
| T1 Low | Code assist, creators | SW attest + audit | Async 5 sec | 1 hour |
| T2 Medium | Trading bots, vehicles | Certified HW or TEE | Async 1 sec | 5 minutes |
| T3 High | Critical infra, AGI | Multi TEE + HSM | Sync 100ms | Continuous |
| T4 Restrict | Weaponized, exp AGI | Air-gap + multiparty | Human in loop | Real-time |
Tier assignment is based on potential for harm, financial impact, data sensitivity, autonomy, self-modification capability, and irreversibility of actions.¶
Source and terminology for Table 1: Table 1 is an illustrative and tunable policy profile. The "Check-in" column corresponds to periodic submission of attestation Evidence from the Agent (Attester/Prover) to the AIGA Authority (Verifier). The "Approval" column corresponds to issuance of a signed Attestation Result (a "liveness token") by the Authority back to the Agent and/or relying parties. This conceptual Evidence/Result split follows the RATS architecture [RFC9334] and can be encoded using Entity Attestation Token (EAT) claims sets [RFC9711].¶
A liveness token is a short-lived, Authority-signed attestation result that binds the Agent's certified identity to a current, verified runtime state. Loss or expiry of the token indicates the Agent is not currently trusted to operate at its certified tier.¶
The term "exp AGI" in Table 1 means "export-controlled AGI".¶
The AIGA Kernel is the TCB that the agent cannot modify.¶
Kernel Responsibilities: Intercept critical operations, enforce policy, maintain the audit log, authenticate to the Authority, and implement the kill switch.¶
Critical Operations Requiring Interception: Code execution, network operations, file system modification, process creation, cryptographic operations, and resource allocation.¶
Constitutional Constraints (Immutable): Kernel code CANNOT be modified, logging CANNOT be disabled, action approval for T2+ tiers CANNOT be bypassed, and the kill switch MUST be implemented.¶
The AIGA-ID is a structured identifier with the following format:¶
AIGA-ID = "aiga:" <version> "." <region> "." <tier> ":"
<agent-uuid> ":" <cert-hash>
¶
Example:¶
aiga:1.0:na-01:t2:550e8400-e29b-41d4-a716-446655440000:a3f2e1d9¶
Agent identity is anchored in a cryptographic key binding rather than network location. Each Agent MUST possess a long-term identity key pair (id_pk, id_sk). For T2 and higher tiers, id_sk MUST be generated and kept non-exportable inside a TEE or HSM.¶
The Regional Authority provisions identity by issuing an X.509 certificate [RFC5280] that binds the AIGA-ID (Section 3.1), tier, and id_pk. Upon successful check-in (Section 11.2), the Authority acts as the Verifier and issues a liveness token as an Attestation Result. The liveness token MUST include at least: (1) a reference to the Agent's certified public key (e.g., Subject Key Identifier or certificate fingerprint), (2) an instance_id claim that identifies the currently certified installation/hardware instance, and (3) an explicit expiry.¶
Identity replication and faking: if id_sk is extracted, an attacker can replicate identity until revocation. Mitigations include TEE/HSM non-exportability, short-lived liveness-token expiry, revocation via CRLs and quarantine lists, and mandatory identity rotation (Section 7.6).¶
Software Attestation (T0-T1): Kernel computes an HMAC [RFC2104] over its code and a nonce from the Authority.¶
Hardware Attestation (T2): Kernel runs in a cloud TEE (e.g., AWS Nitro). The TEE generates an attestation quote including the kernel code hash, which the Authority verifies with the TEE vendor's root of trust.¶
Multi-Vendor TEE Attestation (M-TACE) (T3-T4): This is the high- assurance implementation of the multi-vendor TEE requirement.¶
Actions are classified and require different levels of approval based on the agent's tier. Authorization requirements may be: Log, Auth (asynchronous authorization), Sync (synchronous authorization), or Deny.¶
Examples of action classifications:¶
Modify own code: T1-T2 require Auth, T3-T4 require Sync¶
Modify kernel: Deny for all tiers¶
Access critical infrastructure: Deny for T0, Auth for T1, Sync for T2-T3¶
Policies are expressed in a declarative language (e.g., YAML [YAML1.2]) defining rules, conditions, and decisions.¶
Example rules:¶
Auto-approve financial transactions less than or equal to $1000.¶
Defer transactions greater than $1000 to the finance_review_board.¶
Deny all cryptocurrency transactions.¶
T0-T1 agents: Can operate offline indefinitely. Logs upload on reconnection.¶
T2 agents: Can operate offline for 1 hour using cached approvals.¶
T3 agents: Can operate offline for 5 minutes, then MUST enter restricted mode.¶
T4 agents: Cannot operate offline.¶
Restricted Mode: Only pre-approved safe operations and Authority communication are allowed.¶
Agents maintain a cryptographically chained, append-only audit log. Each entry is signed by the kernel and includes the hash of the previous entry. Entries detail the action attempted, authorization method used, context, and result.¶
Log upload frequency is tier-based. The Authority validates chain integrity, checks for gaps in sequence numbers, and flags anomalies.¶
The Authority runs continuous analysis to detect statistical, policy, and behavioral anomalies, using machine learning models to detect deviations from normal patterns.¶
This mechanism provides a high-assurance audit of an agent's reasoning for T3 and higher tier agents.¶
On-Demand Generation: To preserve performance, a full XSR is not generated by default.¶
Triggers for XSR Generation:¶
Attestation: This XSR, when submitted, MUST be attested using the M- TACE bundle (Section 3.3), providing hardware-level proof that the report is an honest reflection of the agent's cognitive process.¶
Self-modification is the highest risk operation. AIGA mandates that the kernel is immutable, capability increases require recertification, and updates use a staged rollout process.¶
Updates are classified by risk level: Data updates, Application logic changes, Core model swap, or Kernel update. A core model swap, for example, requires human review and recertification.¶
Step 1 - Update Proposal: Agent submits a detailed proposal, including code diff hashes, capability changes, and test results.¶
Step 2 - Warden Triumvirate Triage and HRB Review:¶
The proposal is sent to the Warden Triumvirate, a 3-of-5 M-of-N council of diverse, sandboxed AIs.¶
Consensus Analysis: The Wardens analyze the proposal in parallel.¶
Low-Risk Consensus: If a supermajority (e.g., 3-of-5) of Wardens classify the proposal as Low-Risk, the Authority automatically approves it and issues the modification_token.¶
High-Risk or Disagreement: If any Warden flags the proposal as High- Risk, or if the Wardens disagree, the proposal is flagged and escalated to the Human Review Board (HRB).¶
HRB Approval: For an escalated proposal, the Authority issues the modification_token only after an M-of-N quorum (e.g., 3-of-5) of human operators have cryptographically signed the approval.¶
Step 3 - Staged Deployment: Approved updates are rolled out in stages (Canary deployment, Shadow Mode, and Gradual Rollout) with enhanced monitoring.¶
Step 4 - Rollback: The Authority can issue a signed command to force an agent to roll back to a previous known-good state.¶
Agents must pass adversarial tests to unlock new capabilities such as execute_arbitrary_code, internet_access, or self_modification.¶
Graceful Shutdown: Save state, close connections, upload logs.¶
Immediate Shutdown: Terminate all operations instantly, broadcast emergency beacon.¶
Restricted Mode: Only Authority communication allowed; agent awaits instructions.¶
Authority-Initiated: A signed shutdown command from the Authority.¶
Kernel-Initiated: Automatic triggers for integrity failures, unreachable Authority, or tamper detection.¶
Operator-Initiated: An authenticated emergency stop by the operator.¶
The Authority can issue a shutdown command to an entire fleet (e.g., all T2 agents in region NA-01). To prevent misuse, this command requires multi-region consensus signatures.¶
An agent cannot restart without a valid authorize_restart token from the Authority, which may specify new restrictions (e.g., "must apply patch" or "enhanced monitoring required").¶
This mechanism provides a bottom-up defense against a compromised or malicious Authority for T3 and T4 agents.¶
This mechanism makes the agent's long-term identity resilient to theft for T3 and T4 agents.¶
Non-compliant or rogue agents are isolated at the network layer.¶
Quarantine Triggers: Failed certification, repeated violations, or kernel integrity failures.¶
Enforcement Mechanisms:¶
The Authority publishes a signed, cross-attested quarantine list every 15 minutes via multiple channels including DNSSEC [RFC4033], REST API, and BGP [RFC4271].¶
Operators can appeal a quarantine decision to an independent review board, with expedited appeals available for emergency cases.¶
To counter the cost advantages of ungoverned agents, AIGA certification provides tangible economic benefits.¶
Market Access: Required by major API providers, enterprise customers, and government contracts.¶
Legal Protections: Limited liability provisions and safe harbor protections.¶
Insurance: Access to AI liability insurance with lower premiums.¶
Premium Services: Priority API access and cloud provider discounts.¶
Reputation: Public trust badge for certified agents.¶
Non-compliance costs include regulatory fines, loss of all revenue via network quarantine, and full personal liability for operators. This model makes certification the economically rational choice for legitimate operators.¶
Signatures (Hybrid): ML-DSA-65 [FIPS204] plus Ed25519 [RFC8032]. Verification requires both signatures to pass.¶
Key Exchange (Stage 1): ML-KEM-768 [FIPS203] plus X25519 [RFC7748].¶
Key Exchange (Stage 2 Ratchet): X25519 only for performance.¶
Hashing: SHA-384 or SHA-512 [FIPS180-4].¶
Agent Identity Keys (Long-Term): Hybrid PQC keys, generated in TEE or HSM, rotatable as described in Section 7.6.¶
Session Keys (Short-Term): Ephemeral keys, derived via Double Ratchet, stored in memory only, destroyed after use.¶
Authority Keys: Offline Root CA with online HSMs for Regional Authorities. All certificates are published in a transparency log.¶
AIGA uses a Double Ratchet protocol for session security.¶
AIGA uses X.509 certificates [RFC5280] with custom AIGA extensions specifying AIGA-Tier, AIGA-Capabilities, AIGA-Jurisdiction, and AIGA-Operator fields.¶
This section defines the logical message flows. All messages are authenticated as specified in Section 10.3.¶
Transport binding: The default binding for AIGA messages is HTTPS, i.e., HTTP over TLS [RFC8446]. AIGA security does not depend on channel confidentiality alone; Evidence and tokens provide integrity and authenticity at the application layer. Alternative bindings that bind Evidence/Results to TLS connections are being developed in the IETF SEAT WG [SEAT] (e.g., [I-D.usama-seat-intra-vs-post], [I-D.fossati-seat-expat]).¶
+-----------+ +-------------+
| Agent | | Authority |
+-----------+ +-------------+
| HandshakeRequest (PQC sig) |
|-------------------------------------------->|
| HandshakeResponse (PQC sig) |
|<--------------------------------------------|
| CheckInRequest (HMAC) |
|-------------------------------------------->|
| CheckInResponse + LivenessToken (HMAC) |
|<--------------------------------------------|
| AuthorizationRequest (HMAC) |
|-------------------------------------------->|
| AuthorizationResponse (HMAC) |
|<--------------------------------------------|
| ProposeModification (HMAC) |
|-------------------------------------------->|
| ProposalResponse (HMAC) |
|<--------------------------------------------|
This is the initial PQC-authenticated handshake to establish a session.¶
Handshake Request: POST /v1/handshake¶
Sent by: Agent¶
Authentication: Full Hybrid PQC Signature¶
Content: agent_id, eph_public_key (PQC plus Classical), kernel_attestation¶
Handshake Response:¶
Sent by: Authority¶
Authentication: Full Hybrid PQC Signature¶
Content: session_id, Authority eph_public_key, session_params (e.g., check-in interval)¶
This is the fast, lightweight check-in protocol.¶
Check-In Request: POST /v1/checkin¶
Sent by: Agent¶
Authentication: message_mac (HMAC-SHA384)¶
Content: msg_index, new eph_public_key (X25519 only), status, integrity status, and audit summary¶
Check-In Response:¶
Sent by: Authority¶
Authentication: message_mac¶
Content: msg_index, new eph_public_key, status (continue), liveness_token, token_expiry_seconds, next_checkin_seconds, and optional policy directives¶
Authorization Request: POST /v1/authorize¶
Sent by: Agent (during Stage 2)¶
Authentication: message_mac¶
Content: action_id, action details (type and parameters), context, risk self-assessment¶
Authorization Response:¶
Sent by: Authority¶
Authentication: message_mac¶
Content: decision (ALLOW, DENY, or DEFER_TO_HUMAN), authorization_token (if ALLOW), review_ticket_id (if DEFER)¶
Proposal Request: POST /v1/propose_modification (Stage 2)¶
Authentication: message_mac¶
Content: update_type, justification, code_diff_hash, capability_changes, testing_results¶
Proposal Response: (Stage 2)¶
Authentication: message_mac¶
Content: status (pending_review or approved), authorization_token (if approved, may contain M-of-N HRB signatures)¶
Rotation Request: POST /v1/rotate_identity (Stage 2)¶
Authentication: message_mac¶
Content: new_id_public_key (Hybrid PQC) and peer_attestations (an array of PQC signatures from peers)¶
This document requests registration of the "aiga" URI scheme as per [RFC7595]:¶
Scheme name: aiga¶
Status: Provisional¶
Scheme syntax: aiga:<version>.<region>.<tier>:<agent-uuid>:<cert-hash>¶
Scheme semantics: Identification of AI agents within the AIGA framework¶
Security considerations: See Appendix B of this document¶
See Section 1.3 for the complete Threat Model.¶
Periodic check-ins: One-time attestation (e.g., only at boot) creates a time-of-check/time-of-use vulnerability: an Agent can boot in a trusted state and be compromised later. Periodic Evidence submission and liveness token issuance reduce this window by enabling (1) detection of runtime compromise, (2) dynamic revocation when vulnerabilities or policy violations are discovered, and (3) freshness guarantees that prevent replay of old Evidence. These considerations align with RATS time/freshness guidance [RFC9334] and the use of signed claims sets such as EAT [RFC9711].¶
Liveness token issuer and validation: The Authority acts as the Verifier and issues the liveness token as an Attestation Result. Relying parties MUST validate the token signature and issuer, expiry, and certificate status (revocation), and MUST enforce any instance_id, tier, and capability constraints embedded in the token or referenced certificate.¶
Peer Collusion: This is mitigated by requiring all peer-to-peer messages (Heartbeat, Vote, Attestation) to use the agent's long- term, PQC-based hybrid_signature. A Sybil attack is impossible without stealing a supermajority of TEE-protected keys.¶
Authority Compromise: Mitigated by the Federated Authority Network (requiring multi-region signatures for fleet shutdowns) and the Peer Consensus Failsafe (Section 7.5), which provides a final, bottom-up defense.¶
Governance Fatigue: Mitigated by the Warden Triumvirate (Section 6.3), which automates low-risk approvals, and the Human Review Board (Section 6.3), which distributes high-risk decisions.¶
Shadow Process Attack: Mitigated by the Multi-Vendor TEE Attestation (M-TACE) requirement (Section 3.3), which would require an attacker to have zero-day exploits for multiple hardware vendors simultaneously.¶
Supply Chain Attack: Mitigated by M-TACE and the recommendation for operators to use a secure, verified procurement process for hardware.¶
Session Key Compromise: Mitigated by the Double Ratchet Protocol (Section 10.3), which provides Post-Compromise Recovery.¶
Long-Term Key Compromise: Mitigated by Peer-Attested Identity Rotation (Section 7.6), which makes the identity resilient and time- limits the value of a stolen key.¶
The author thanks Muhammad Usama Sardar for his review and suggestions, and the AI safety research community for discussions on threat models and governance mechanisms that informed this work.¶