Open Protocol Standard · OMNIX QUANTUM LTD · May 2026

Verifiable Authority for
Autonomous AI Agents

The Agent Trust Fabric is an open protocol for cryptographically verifiable AI agent authority governance — PQC-secured, formally specified, independently verifiable offline by any auditor.

Explore the RFCs Try the Verifier
3
RFCs Published
40
Formal Invariants
34
Conformance Tests
2
Academic DOI/SSRN
The Problem

Three structural gaps in AI governance

Every regulated AI deployment faces the same trio of unresolved challenges. ATF is a protocol designed to address all three with cryptographic guarantees.

🔗

Opaque Delegation

When an autonomous agent acts, there is typically no signed, auditable record linking that agent's authority to a human principal. Who authorized it? What scope? When did it expire?

→ ATF Delegation Receipts — PQC-signed chains from human to agent
⏱️

No Runtime Continuity Guarantee

Autonomous sessions degrade mid-execution — temporal windows close, authority budgets are consumed, context drifts. No formal mechanism detects illegitimacy before the next decision.

→ CES — continuous session health at nanosecond precision
🧊

Evidence Evaporation

Decision evidence typically exists only in live databases. After migration, decommissioning, or a security incident, the ability to independently verify past decisions is permanently lost.

→ EAP + OEP — immutable forensic archive, offline-verifiable forever
Architecture

The ATF Protocol Stack

Six layers. Authority propagates downward from human to agent. Evidence propagates upward — every artifact PQC-signed, independently verifiable.

L5
Immutable Evidence Archive + OEP
Merkle-chained COLD blocks · Self-contained Evidence Packages · Offline forensic verification by regulators
RFC-ATF-3 · EAP-INV-001–007 · OEP-INV-001–006 · FVP-INV-007
L4
Governance Policy Interoperability (GPIL)
Three interoperability levels (CI/PI/GPI) · Policy Parameter Registry · Cross-Runtime Governance Contracts
RFC-ATF-3 · GPIL-INV-001–003 · ELR-INV-001–004
L3
Runtime Continuity (RCR + CES + AFG)
Continuity Eligibility Score sampled throughout execution · Authority Fragmentation Guard · Escalation Protocol
RFC-ATF-2 · RGC-INV-001–008 · CES = T×0.30 + B×0.30 + D×0.20 + I×0.20
L2
Temporal Admissibility (TAR)
Hard time bounds for every decision session · nanosecond-precise admission timestamp · TTL enforcement
RFC-ATF-1 §6 · ATF-INV-004
L1
Delegation Receipt (DR)
Task scope · Authority budget · MAR enforced · PQC-signed by delegator · Chain-traceable to human root
RFC-ATF-1 §5 · ATF-INV-001 (MAR) · ATF-INV-002/005/006
L0
Human Authority Root (AIR)
Agent Identity Receipt · Unique AID · ML-DSA-65 public key · Authority budget ceiling · Tier classification
RFC-ATF-1 §4 · ATF-INV-003 (Chain Root Traceability)
Specifications

Three open protocol specifications

Each RFC extends the previous without replacing it — a layered invariant stack that grows formally verifiable.

RFC-ATF-1 · v1.0.0

Agent Trust Fabric Delegation Protocol

Defines the Agent Identity Record, Delegation Receipt, Trust Lattice, and Monotonic Authority Reduction invariant. Every delegation produces a PQC-signed artifact verifiable by any party without platform access.

6 Invariants ML-DSA-65 MAR Trust Lattice
DOI: 10.5281/zenodo.20155016 ↗ SSRN 6757339 ↗ Read RFC →
RFC-ATF-2 · v1.0.0

Runtime Governance Continuity

Extends RFC-ATF-1 into the full execution lifecycle. Introduces the Continuity Eligibility Score, Authority Fragmentation Guard, and Escalation Protocol — covering temporal expiry, budget exhaustion, context drift, and integrity degradation mid-execution.

+8 Invariants CES Formula AFG Halt Protocol
SSRN 6763978 ↗ Read RFC →
RFC-ATF-3 · v1.0.0

Policy Interoperability, Evidence Lifecycle & Forensic Verification

Addresses what happens to governance evidence after execution. GPIL for cross-runtime compatibility, the Evidence Archive Pipeline for immutable retention, and the OEP format for forensic deliverables verifiable by regulators years after decommissioning.

+26 Invariants GPIL EAP OEP FEI-Compliant
Read RFC →
RFC-ATF-2 · Core Metric

Continuity Eligibility Score

A real-time composite metric [0–100] quantifying the runtime health of an agent's authorization. Sampled at every governance decision point. Protocol invariant — weights are immutable.

CES = T × 0.30 + B × 0.30 + D × 0.20 + I × 0.20
T — Temporal (30%)
Fraction of TAR window remaining. Degrades as time passes.
B — Budget (30%)
Authority budget remaining vs. admission. Degrades as decisions consume it.
D — Context (20%)
Contextual fidelity = 100 − drift%. Degrades with market/state drift.
I — Integrity (20%)
Chain health. Degrades on hash mismatches or PQC failures.
NOMINAL
≥ 75.0
MONITORING
≥ 50.0
WARNING
≥ 25.0
CRITICAL
≥ 10.0
HALT
< 10.0
Formal Invariant System

40 formally specified invariants

Grouped by protocol family. Model-checked properties — not configuration. Any implementation claiming compliance must enforce all invariants in its declared profile.

ATF × 6 RFC-ATF-1

  • ATF-INV-001 — Monotonic Authority Reduction (MAR)
  • ATF-INV-002 — Receipt Signing (ML-DSA-65)
  • ATF-INV-003 — Chain Root Traceability
  • ATF-INV-004 — Budget Ceiling
  • ATF-INV-005 — Receipt Immutability
  • ATF-INV-006 — Independent Verifiability

RGC × 8 RFC-ATF-2

  • RGC-INV-001 — CES Formula Fixed
  • RGC-INV-002 — RCR Chain Integrity
  • RGC-INV-003 — HALT Protocol
  • RGC-INV-004 — Escalation Event Integrity
  • RGC-INV-005 — AFG Budget Ceiling
  • RGC-INV-006 — Reauthorization Integrity
  • RGC-INV-007 — CES Threshold Immutability
  • RGC-INV-008 — TAR Anchor Integrity

GPIL × 3 RFC-ATF-3

  • GPIL-INV-001 — Interoperability Layer Hierarchy
  • GPIL-INV-002 — Policy Parameter Bounds
  • GPIL-INV-003 — CRGC Integrity

ELR × 4 RFC-ATF-3

  • ELR-INV-001 — Evidence Class Assignment
  • ELR-INV-002 — Retention Tier Ordering
  • ELR-INV-003 — Seal Integrity
  • ELR-INV-004 — Transition Audit

EAP × 7 RFC-ATF-3

  • EAP-INV-001 — Genesis Block Integrity
  • EAP-INV-002 — Block Content Hash
  • EAP-INV-003 — Hash Chain Integrity
  • EAP-INV-004 — Block Immutability
  • EAP-INV-005 — Emergency Seal Protocol
  • EAP-INV-006 — HOT→WARM→COLD Ordering
  • EAP-INV-007 — Entry Hash Determinism

OEP+FEA+FVP × 12 RFC-ATF-3

  • OEP-INV-001–006 — Evidence Package integrity
  • FEA-INV-001–005 — Forensic export access control
  • FVP-INV-007 — Two-plane verification independence
Conformance Program

Three compliance profiles

Progressive conformance tiers. Each profile has a defined set of invariants, a conformance test suite, and a badge implementors can include in their documentation.

Tier 1

ATF-Compliant

RFC-ATF-1 · 6 invariants
  • Delegation Receipt structure
  • ML-DSA-65 PQC signing
  • MAR invariant (ATF-INV-001)
  • Chain root traceability
  • Content hash verification
  • Offline independent verification
ATF-Compliant
Conformance details →
Tier 2

ATF-RGC-Compliant

RFC-ATF-1 + RFC-ATF-2 · 14 invariants
  • All Tier 1 requirements
  • CES formula (exact weights)
  • RCR chain with TAR anchor
  • HALT protocol (RGC-INV-003)
  • Authority Fragmentation Guard
  • Escalation event integrity
ATF-RGC-Compliant
Conformance details →
Tier 3

ATF-FEI-Compliant

RFC-ATF-1 + 2 + 3 · 40 invariants
  • All Tier 1 + Tier 2 requirements
  • Evidence lifecycle pipeline
  • Immutable archive (HOT/WARM/COLD)
  • OEP self-contained packages
  • Two-plane forensic verification
  • Policy interoperability (GPIL)
ATF-FEI-Compliant
Conformance details →
Published Research

Academic record

Permanently archived specifications and research artifacts with academic citation infrastructure.

RFC-ATF-1: Agent Trust Fabric Delegation Protocol

First publication of the ATF delegation protocol. Defines AIR, DR, Trust Lattice, and 6 core invariants. Includes TLA+ formal specification.

DOI: 10.5281/zenodo.20155016 SSRN: 6757339

RFC-ATF-2: Runtime Governance Continuity

Extension specifying CES, AFG, Escalation Protocol, and 8 RGC invariants. Full formal model-checking specifications.

SSRN: 6763978 Zenodo DOI: pending

RFC-ATF-3: Evidence Lifecycle & Policy Interoperability

GPIL taxonomy, EAP pipeline, OEP format, and 26 new invariants. Defines the forensic verification standard.

Publication pending

TLA+ Formal Verification

5 formal properties model-checked against the ATF specification. Included in Zenodo v1.0.0 archive.

GitHub: ATF-TLA-SPEC.tla
Regulatory Alignment

Designed for regulated environments

ATF addresses requirements across the major regulatory frameworks governing AI systems in 2026.

Article 13 (Transparency) and Article 14 (Human Oversight) for high-risk AI systems. DR chains provide the signed, auditable human oversight record mandated by Art. 14.

Art. 13 Transparency Art. 14 Human Oversight

Implements the GOVERN function — accountability, traceability, and organizational responsibility for AI decision-making. CES provides continuous measurable accountability.

GOVERN Function MANAGE Function

Aligns with DFSA MKT and CIR rules for audit trails and technology risk management in financial services. Evidence Package (OEP) satisfies forensic audit requirements.

DFSA MKT Rules ADGM CIR

All delegation receipts and evidence artifacts are signed with ML-DSA-65 (Dilithium-3), the NIST-standardized post-quantum digital signature algorithm. PQC-hardened by design.

FIPS 204 Post-Quantum
Implementation

Who should implement ATF?

ATF is relevant to any organization deploying autonomous AI agents in contexts where authorization provenance, execution continuity, or forensic evidence retention are material requirements.

Category 01

AI Orchestration Platforms

Multi-agent frameworks, LLM orchestrators, and autonomous workflow engines that need to prove every agent action was within explicitly delegated scope.

Get ATF-Compliant →
Category 02

Regulated Financial AI

Trading algorithms, credit decisioning, and risk management systems operating under DFSA, FCA, or MiFID II — where agent authority chains are regulatory evidence.

Get ATF-RGC-Compliant →
Category 03

Healthcare & Safety-Critical AI

Clinical decision support, autonomous diagnosis support, and safety-critical systems under EU AI Act Article 6 high-risk classification.

Get ATF-FEI-Compliant →
Category 04

Sovereign AI Infrastructure

Government, defense, and national AI initiatives requiring cryptographic proof of human control over autonomous decision chains, resistant to post-quantum adversaries.

Get ATF-FEI-Compliant →
Get Started

Start implementing ATF

Reference implementation, conformance test vectors, JSON schemas, and verifier tools — all in one open repository.

Step 01

Read the RFC

Start with RFC-ATF-1 for the delegation protocol. Each RFC is self-contained and builds on the previous.

Browse RFC Index →
Step 02

Run the Reference Implementation

Python reference implementation with full test suite. Install, verify examples, run conformance vectors.

View on GitHub →
Step 03

Verify Your Receipts

Use the public verifier to validate ATF receipts — checks content hash, MAR invariant, CES formula, and field structure.

Open Verifier →
Step 04

Claim Conformance

Run the conformance test suite against your implementation and declare your profile tier in your documentation.

Conformance Program →