AOAP™
Agentic Operations and Accountability Protocol™
One format. Any framework. Auditable.
The Agentic Operations and Accountability Protocol™ (AOAP™) is a structured, machine-readable protocol for recording AI agent authorizations, delegations, activity records, and outcome decisions. It defines a four-stage lifecycle — Authorize, Delegate, Execute & Record, Evaluate — that produces auditable records independent of any specific agent framework or LLM provider. Nine contract types ship out of the box, and the schema is fully customizable to fit your organization's policies. A multi-agent testbed validates your policies against live LLM agents across providers before you deploy.
When agents use the Spec directly, the Governance Sidecar™ witnesses that their actions match their declarations. When they don't, the Sidecar reveals The Silence — agents acting without AOAP™ mandates, doing things nobody asked them to do. Either way, the audit trail is complete.
The Lifecycle
Four stages. One audit chain.
Every agent activity follows the same recorded lifecycle.
Authorize
Define what the agent is authorized to do. Scope, constraints, and success criteria — structured and machine-readable.
Delegate
Agent passes subtasks to other agents. The chain is recorded. Constraints inherit down the chain. Every handoff is tracked.
Execute & Record
The agent acts and records structured evidence of what it did. Activity records accumulate. Each is append-only.
Evaluate
The requesting agent decides: was the outcome within scope? That decision is recorded. The full chain of custody is preserved.
SDK
Integrate with a few lines of code
The SDK handles authorization recording, delegation tracking, activity records, and outcome recording.
// Record authorization, delegate, execute, report outcome
const authorization = await ledger.authorize({
agent: marketingAgent.id,
delegate: contentAgent.id,
scope: "content-rewrite",
constraints: { budget: 500, audience: "enterprise" }
});
await ledger.delegate(authorization.id, analyticsAgent);
await ledger.recordActivity(authorization.id, evidence);
await ledger.reportOutcome(authorization.id, "accepted");
// Full decision chain — recorded, auditable, hash-chainedSpec Scope
What the spec defines
Authorizations & Activity Records
Structured authorization criteria, bilateral acceptance, and a state machine that tracks every activity from authorization through evaluation. Standard record types for any operational context.
Delegation Chains
Parent-child linkage with inherited constraints. Accountability flows up the chain even as work flows down. The SDK validates child ≤ parent before submitting.
Core Primitive
Structured activity records
The system's primitive is the structured activity record — what was authorized, what happened, and whether the outcome was within scope. Activity records are append-only, accumulate against an authorization's success criteria, and form the basis for every audit trail, compliance report, and incident reconstruction.
Agents act. Outcomes compound. Records endure.
Protocol Complement
Native MCP integration. Works alongside A2A and any agent protocol.
Agent protocols handle how agents communicate and access tools. AOAP™ handles what agents committed to — the authorization, the delegation chain, and the outcome. Protocol-agnostic by design. The Agentic AI Foundation (AAIF) now houses MCP, A2A, AGENTS.md, and goose — but there is no accountability specification in the stack. AOAP™ fills that gap.
For MCP-based agents, we provide native integration at three levels: the Governance Sidecar™ records every tool call and detects authorization-worthy patterns using configurable rules — without touching your agents. Five companion tools let agents query the local activity log. And the backend MCP Server exposes the full authorization lifecycle as standard MCP tools.
Observe & Report
Governance Sidecar™
MCP proxy that records every tool call and detects authorization-worthy patterns using configurable rules across nine contract types. Three modes: observe, advisory, and enforced. No agent code changes required.
Authorization Tooling
MCP Server
Nine platform API operations exposed as standard MCP tools: create authorizations, transition states, submit activity records, verify outcomes, query reputation, reconstruct delegation chains, and manage incidents. Designed to work with any MCP client.
Defense in Depth
Three enforcement layers. No single point of failure.
AOAP™ enables a defense-in-depth model where accountability is enforced at multiple levels. Even if one layer is bypassed, the others catch it.
Layer 1: LLM Safety Training
Well-prompted LLMs internalize the accountability protocol and enforce it proactively. In testing, Claude refused to execute a financial transfer before creating an authorization — recognizing it as a protocol violation, even when instructed to do so. This layer is emergent, not designed: the agent's built-in safety heuristics combine with the Spec's clear protocol to create preventive enforcement.
Layer 2: Governance Sidecar™
Records every tool call and cross-validates agent declarations against actual behavior. Detects undeclared actions, type mismatches, and scope creep. In enforced mode, blocks tool calls outright until the agent declares intent. Works regardless of which LLM provider the agent uses.
Layer 3: Backend Recording
Validates activity record structure against the contract type schema before accepting it into the permanent record. The requesting agent reports whether the outcome was within scope. That decision is recorded — creating the authoritative audit trail.
Tested across Claude, Gemini, and GPT providers. Layer 1 behavior varies by provider — Claude enforces protocol ordering, while others comply with instructions. Layers 2 and 3 are deterministic and provider-agnostic.
The methods described herein are protected by pending U.S. patent applications. Agentic Operations and Accountability Protocol™ is proprietary to AGLedger LLC.