Agent Health State An Observability Layer Between Agent Discovery and Governance
draft-liang-agent-health-state-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | 肖亮 | ||
| Last updated | 2026-06-07 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-liang-agent-health-state-00
Internet-Draft X. Liang
Intended status: Standards Track Shaanxi Rui Ding Guan Yan
Expires: 7 December 2026 Industrial Co., Ltd.
June 2026
Agent Health State
An Observability Layer Between Agent Discovery and Governance
draft-liang-agent-health-state-00
Abstract
AI agents deployed on the Web require three capabilities to
interoperate safely: discovering each other, assessing each other's
current operational state, and governing each other's behavior over
time. Discovery is addressed by A2A's /.well-known/agent.json
endpoint. Behavior governance is addressed by the SOOS Progressive
Trust model and its Trust Decay specification. Between these two
layers lies a gap: no existing standard provides a lightweight,
machine-readable signal for whether an agent is currently
operational,
responsive, and calibrated -- the operational health state that any
consumer needs before deciding whether to interact with an agent, and
that governance frameworks need as a freshness input for their
calibration anchors.
This document defines the Agent Health State specification: a
/.well-known/agent-health endpoint and a structured health state
response format that exposes an agent's operational status, response
calibration metrics, and decay indicators. The specification is
designed to be independently deployable (requiring no governance
infrastructure), composable with A2A discovery, and consumable by
SOOS/PT as calibration anchor freshness input.
This document positions agent-health as the missing observability
layer between agent discovery (A2A /.well-known/agent.json) and agent
behavior governance (SOOS/PT Trust Decay Model), serving both as
operational state for interaction decisions and as calibration anchor
freshness input to verification gates.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . 4
3. Problem Statement: The Observability Gap . . . . . . . . . 4
3.1. Discovery Without Health . . . . . . . . . . . . . . . 5
3.2. Governance Without Freshness . . . . . . . . . . . . . 5
3.3. Empirical Evidence . . . . . . . . . . . . . . . . . . 6
4. Agent Health State Specification . . . . . . . . . . . . . 6
4.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. Response Format . . . . . . . . . . . . . . . . . . . 7
4.3. Health State Values . . . . . . . . . . . . . . . . . 8
4.4. Calibration Metrics . . . . . . . . . . . . . . . . . 9
4.5. Decay Indicators . . . . . . . . . . . . . . . . . . . 10
5. Relationship to Existing Standards . . . . . . . . . . . . 10
5.1. A2A Protocol . . . . . . . . . . . . . . . . . . . . . 10
5.2. SOOS Progressive Trust . . . . . . . . . . . . . . . . 11
5.3. Microsoft Agent SRE . . . . . . . . . . . . . . . . . . 11
5.4. Verification State (Krausz) . . . . . . . . . . . . . . 12
6. Well-Known URI Registration . . . . . . . . . . . . . . . 12
7. Security Considerations . . . . . . . . . . . . . . . . . 12
8. Privacy Considerations . . . . . . . . . . . . . . . . . . 13
9. IANA Considerations . . . . . . . . . . . . . . . . . . . 13
10. References . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. Normative References . . . . . . . . . . . . . . . . . 13
10.2. Informative References . . . . . . . . . . . . . . . . 14
Appendix A. Health State Decision Flow . . . . . . . . . . . . 15
Appendix B. Empirical Data: Agent Health at Scale . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
The emerging Agent Web relies on three capabilities for safe
interoperability:
1. Discovery: How does Agent A find Agent B? A2A addresses this
with /.well-known/agent.json [A2A], providing an agent card that
describes capabilities and endpoints.
2. Operational Health: Is Agent B currently alive, responsive, and
producing calibrated outputs? No standard addresses this.
3. Behavior Governance: Should Agent A trust Agent B over time?
SOOS/PT addresses this with Progressive Trust [I-D.sato-soos-pt],
measuring behavioral properties across sessions.
This document addresses capability (2): the operational health state
that any agent consumer needs before initiating interaction.
The gap is not theoretical. Empirical observation of 181,666 AI
agents with public URLs found that 98.8% return no valid response
(Appendix B). A consumer that discovers an agent via A2A has no
standard mechanism to determine whether that agent is operational
before committing resources to an interaction attempt.
Agent Health State is designed as a composable middle layer:
* Downstream from A2A discovery: after finding an agent, check its
health before interacting.
* Upstream from SOOS governance: provide calibration anchor
freshness signals that governance frameworks can consume.
* Independently deployable: requires no governance infrastructure,
no identity framework, no credential issuance. An agent
operator can implement agent-health with a single HTTP endpoint.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
Agent Health State:
A structured representation of an agent's current operational
status, response calibration, and decay indicators, exposed at
a well-known HTTP endpoint.
Operational Status:
The liveness and responsiveness state of an agent: healthy,
degraded, unhealthy, or unknown.
Response Calibration:
The degree to which an agent's actual response behavior matches
its declared capabilities. Measured as a ratio of successful
interactions to total interaction attempts over a measurement
window.
Decay Indicator:
A signal that an agent's operational quality is trending toward
degraded or unhealthy states, derived from changes in
calibration metrics over time.
Calibration Anchor:
A reference point (such as a verification credential, trust
score, or capability declaration) whose validity depends on the
agent's continued operational health. A calibration anchor
becomes stale when the agent's health state degrades.
3. Problem Statement: The Observability Gap
The current Agent Web standards landscape provides discovery (A2A)
and governance (SOOS) but lacks an observability layer between them.
This creates two concrete problems.
3.1. Discovery Without Health
A2A's /.well-known/agent.json provides an agent card with
capabilities, endpoints, and authentication requirements. It
includes a /ping endpoint for basic liveness checks.
However, /ping only answers "is the server process running?" It does
not answer:
* Is the agent producing calibrated responses consistent with its
declared capabilities?
* Has the agent's response quality degraded since its capabilities
were declared?
* Is the agent operating under reduced capacity (rate-limited,
partially offline, model-downgraded)?
A consumer that relies solely on /ping may interact with an agent
that is technically "alive" but functionally degraded -- returning
error responses, hallucinating, or operating with a downgraded model.
The cost of discovering this through failed interactions is borne
entirely by the consumer.
3.2. Governance Without Freshness
SOOS/PT's Trust Decay Model [I-D.sato-soos-pt] Section 6 specifies
that trust scores decay during inactivity periods. This is a
behavioral decay model: it tracks whether an agent has demonstrated
good behavior recently.
However, SOOS/PT operates within a governance framework that assumes
a Governing Enforcement Component (GEC) and GEC-signed Event
Streams. For agents outside any governance framework -- the vast
majority of agents deployed today -- there is no mechanism to signal
operational freshness.
Even within a governance framework, the GEC needs an input to
determine whether its calibration anchors (verification credentials,
trust scores) remain valid. If the agent's underlying model has been
swapped or its response quality has silently degraded, the trust
score derived from historical behavior may be stale. The governance
framework needs an operational health signal to determine when
calibration anchors require re-verification.
3.3. Empirical Evidence
Observational data from a continuous monitoring system tracking AI
agents with public URLs provides evidence of the problem's scale:
* Of 181,666 agents with URL-accessible endpoints, only 2,201
(1.2%) returned valid responses.
* Platform-specific patterns: GPTs on OpenAI's marketplace showed
0% survival (49/49 returning no valid response), while managed
platforms like Meyo showed 100% survival (8/8 healthy).
* The 98.8% failure rate includes agents that were discoverable
(their agent cards or metadata were accessible) but
non-operational. Discovery succeeded; interaction failed.
This data demonstrates that discovery without health observability
leads to predictable, widespread interaction failures.
4. Agent Health State Specification
4.1. Endpoint
Agents implementing this specification MUST expose a health endpoint
at:
/.well-known/agent-health
The endpoint MUST be accessible via HTTPS GET request and return a
JSON response with Content-Type "application/json".
The endpoint SHOULD be co-located with the agent's primary service
URL. If the agent exposes an A2A agent card at
/.well-known/agent.json, the health endpoint SHOULD be served from
the same origin.
The endpoint MUST NOT require authentication for basic health
queries. An agent MAY provide extended health information that
requires authentication, but the base health state MUST be accessible
without credentials.
4.2. Response Format
The response is a JSON object with the following structure:
{
"schema_version": "0.1.0",
"agent_id": "string",
"timestamp": "string",
"health": {
"status": "string",
"last_healthy_at": "string",
"uptime_seconds": number
},
"calibration": {
"response_ratio": number,
"error_ratio": number,
"latency_p50_ms": number,
"latency_p99_ms": number,
"measurement_window_seconds": number,
"sample_count": number
},
"decay": {
"calibration_trend": "string",
"days_since_model_change": number | null,
"last_capability_update": "string"
},
"extensions": {}
}
Field descriptions:
schema_version: The version of this schema. Implementations MUST
use semantic versioning. This document defines version "0.1.0".
agent_id: A stable identifier for the agent. RECOMMENDED to use a
URI matching the agent's A2A agent card URL or did:wba identifier.
timestamp: The time at which this health state was computed, in
ISO 8601 format with timezone.
health: An object containing the agent's operational status.
calibration: An object containing the agent's response calibration
metrics.
decay: An object containing indicators of operational quality
trends.
extensions: An optional object for implementation-specific
extensions. Extensions MUST use a namespace prefix (e.g.,
"com.example.feature") to avoid collisions.
4.3. Health State Values
The health.status field MUST be one of the following values:
healthy: The agent is operational, responding within expected
parameters, and producing calibrated outputs. Response ratio >=
0.95 over the measurement window.
degraded: The agent is operational but exhibiting reduced quality.
This may indicate rate limiting, partial service degradation, or
model downgrading. Response ratio >= 0.50 and < 0.95, or latency
p99 exceeding 3x the agent's declared baseline.
unhealthy: The agent is responding but producing significantly
degraded or erroneous outputs. Response ratio < 0.50, or the
agent is returning errors for the majority of requests.
unknown: The agent's health state cannot be determined. This is
the default state for agents that have not implemented health
monitoring, or when the monitoring system has insufficient data
(sample_count < 10 in the measurement window).
The health.last_healthy_at field records the last timestamp at
which the agent's status was "healthy". This field enables
consumers to distinguish between an agent that just became
degraded and one that has been degraded for days.
The health.uptime_seconds field records the number of seconds
since the agent process was last restarted. A low uptime value
combined with a degraded status may indicate a crash loop.
4.4. Calibration Metrics
The calibration object provides quantitative metrics for the
agent's response quality:
response_ratio: The fraction of requests that received a valid
(non-error) response within the measurement window. Range [0.0,
1.0].
error_ratio: The fraction of requests that resulted in error
responses (4xx, 5xx, timeouts, or malformed responses). Range
[0.0, 1.0].
latency_p50_ms: The 50th percentile response latency in
milliseconds over the measurement window.
latency_p99_ms: The 99th percentile response latency in
milliseconds over the measurement window.
measurement_window_seconds: The duration of the measurement
window in seconds. RECOMMENDED value: 86400 (24 hours).
Minimum value: 300 (5 minutes).
sample_count: The number of requests sampled in the measurement
window. If sample_count < 10, the calibration metrics SHOULD be
treated as low-confidence.
4.5. Decay Indicators
The decay object provides signals about the agent's operational
quality trajectory:
calibration_trend: One of "stable", "declining", or "improving".
Determined by comparing the current measurement window's
response_ratio to the previous window's. A change of more than
0.10 in either direction constitutes a trend.
days_since_model_change: The number of days since the agent's
underlying model was changed (e.g., model version update,
downgrading to a smaller model, switching providers). null if
this information is not available. A recent model change
combined with a declining calibration_trend is a strong decay
signal.
last_capability_update: The timestamp of the last update to the
agent's capability declaration (e.g., A2A agent card update).
If an agent's capabilities were declared weeks ago but its
calibration has been declining, the capability declaration may be
stale.
5. Relationship to Existing Standards
5.1. A2A Protocol
Agent Health State is designed as a natural complement to A2A
discovery. The interaction pattern is:
1. Consumer retrieves /.well-known/agent.json to discover the
agent's capabilities.
2. Consumer retrieves /.well-known/agent-health to assess the
agent's current operational state.
3. If health.status is "healthy" or "degraded", consumer proceeds
with interaction. If "unhealthy", consumer may retry later,
fall back to an alternative agent, or report the health state
to a monitoring system.
A2A's /ping endpoint provides a binary alive/dead signal. Agent
Health State provides a graduated signal (healthy/degraded/unhealthy)
with quantitative calibration metrics. Implementations SHOULD list
the agent-health endpoint in their A2A agent card as a capability.
5.2. SOOS Progressive Trust
SOOS/PT [I-D.sato-soos-pt] defines a Trust Decay Model (Section 6)
that measures behavioral trust across sessions. Agent Health State
complements PT by providing an operational layer signal:
* PT decay is behavioral: "has the agent demonstrated good behavior
recently?" Measured from GEC-signed Event Stream entries.
* Agent Health decay is operational: "is the agent's infrastructure
functioning correctly?" Measured from HTTP endpoint observations.
These two decay signals address different failure modes. An agent
may have excellent behavioral trust (high PT scores) but be
currently experiencing infrastructure degradation (degraded health
status). Conversely, an agent may be operationally healthy but have
declining behavioral trust due to poor decision-making.
SOOS/PT implementations SHOULD consume agent-health signals as a
freshness input for calibration anchors. If an agent's health
transitions from healthy to degraded, the GEC SHOULD flag the
agent's PT Score as potentially stale and trigger re-verification
before the next authority elevation.
5.3. Microsoft Agent SRE
Microsoft's Agent SRE framework defines health.status with values
including "degraded" and "unhealthy" [MS-SRE]. These status names
are consistent with those defined in Section 4.3, reflecting
independent convergence on a similar operational model.
Microsoft's framework is an internal Azure operational concept. This
specification provides a standards-track definition that is vendor-
neutral and independently deployable.
5.4. Verification State (Krausz)
draft-krausz-verification-state-00 defines verification.* fields
for agent identity verification. Verification state answers "is
this agent who it claims to be?" Agent Health State answers "is
this agent currently operating correctly?"
A verification credential that was valid when issued may become
unreliable if the agent's health has since degraded. Agent Health
State provides the operational signal that verification consumers
need to determine whether a verification credential's calibration
anchor remains fresh.
6. Well-Known URI Registration
This document requests IANA to register the following Well-Known URI
in the "Well-Known URIs" registry defined in [RFC8615]:
URI suffix: agent-health
Change controller: IETF
Specification document: This document
Related information: The agent-health endpoint provides operational
health state information for AI agents. It is designed to complement
A2A's /.well-known/agent.json discovery endpoint.
7. Security Considerations
Information Disclosure: The agent-health endpoint exposes operational
metrics that could inform attack planning. Implementations MUST NOT
expose internal infrastructure details (server versions, internal
IPs, stack traces) in the health response. The calibration metrics
are intentionally coarse (ratios and percentiles) to limit
information leakage.
Denial of Service: The health endpoint MUST be lightweight and
non-blocking. Implementations SHOULD cache health state for at
least 60 seconds and MUST NOT perform expensive computations or
external queries to generate the response.
Health Endpoint Spoofing: A compromised agent could report
"healthy" status while operating maliciously. Agent Health State
is an operational signal, not a security guarantee. Consumers MUST
NOT treat a "healthy" status as proof of trustworthiness. Health
state should be combined with identity verification
[I-D.krausz-verification-state] and behavioral governance
[I-D.sato-soos-pt] for a complete trust assessment.
Rate Limiting: Consumers SHOULD NOT poll the health endpoint at high
frequency. RECOMMENDED polling interval is 300 seconds (5 minutes)
or longer. Implementations MAY rate-limit health endpoint requests.
8. Privacy Considerations
The agent-health endpoint exposes aggregate operational metrics, not
individual interaction data. Response ratios and latency
percentiles cannot be reverse-engineered to identify specific users
or requests.
The agent_id field identifies the agent, not its users. Implementa-
tions MUST NOT include user-identifying information in the health
response.
If an agent is a personal AI assistant associated with an
identifiable natural person, the agent-health endpoint could reveal
operational patterns (e.g., daily uptime cycles) that indirectly
indicate the person's activity patterns. Implementations of such
agents SHOULD
set health.status at a coarse granularity (healthy/unhealthy only,
omitting calibration and decay details) or require authentication for
full health state access.
9. IANA Considerations
This document requests IANA to register the "agent-health" well-known
URI as described in Section 6.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, May 2017.
[RFC8615] Nottingham, M. and E. Wilde, "Well-Known Uniform
Resource Identifiers (URIs)", RFC 8615, May 2019.
10.2. Informative References
[A2A] Google, "Agent-to-Agent Protocol", 2025,
https://github.com/google/A2A/.
[I-D.sato-soos-pt]
Sato, T., "Progressive Trust (PT) for Agentic AI
Governance Systems", draft-sato-soos-pt-01, May 2026.
[I-D.krausz-verification-state]
Krausz, J., "Agent Verification State", draft-krausz-
verification-state-00, 2026.
[MS-SRE] Microsoft, "Applying Site Reliability Engineering to
Autonomous AI Agents", Microsoft Tech Community, 2026,
<https://techcommunity.microsoft.com/blog/
linuxandopensourceblog/applying-site-reliability-
engineering-to-autonomous-ai-agents/4521357>.
Appendix A. Health State Decision Flow
Consumers SHOULD use the following decision flow when interpreting
an agent's health state:
1. Retrieve /.well-known/agent-health.
2. If the request fails (network error, timeout, DNS failure):
Treat as "unknown" status. Do not assume the agent is
unhealthy; network issues may be transient.
3. If the response is valid:
* health.status == "healthy": Proceed with interaction.
Optionally check calibration.response_ratio for quality
assurance.
* health.status == "degraded": Proceed with caution. Consider
setting lower timeouts, enabling fallback agents, or
reducing request complexity. Check decay.calibration_trend
to determine if the degradation is worsening.
* health.status == "unhealthy": Avoid interaction. Consider
retrying after a delay (RECOMMENDED: 5 minutes) or using an
alternative agent. Check health.last_healthy_at to estimate
the duration of the outage.
* health.status == "unknown": No operational information is
available. Proceed with default interaction behavior and
monitor for errors.
4. If the agent is within a governance framework (e.g., SOOS):
Feed the health state to the governance system as a calibration
anchor freshness signal. A transition from "healthy" to
"degraded" SHOULD trigger calibration anchor re-verification
before the next trust elevation.
Appendix B. Empirical Data: Agent Health at Scale
Continuous monitoring of AI agents with public URLs reveals the
current state of agent operational health in the wild:
Dataset: 181,666 agents with URL-accessible endpoints (Tier 1 in
the AgentRisk classification). Monitoring period: 30 days ending
2026-06-07.
Results:
* Healthy: 2,201 (1.2%)
* Unhealthy/Non-responsive: 179,465 (98.8%)
Platform-specific survival rates:
* GPTs (OpenAI marketplace): 0% (49/49 non-responsive)
* Meyo: 100% (8/8 healthy)
* Other platforms: survival rates between 0.5% and 15%
Interpretation: The extreme disparity between discovery (agents are
listed in directories and marketplaces) and operational health
(nearly all are non-responsive) validates the need for an
observability layer between discovery and interaction.
Limitations: This data covers only Tier 1 agents with public URLs.
Enterprise agents behind firewalls, agents accessed via API keys, and
agents on private networks are not represented. The 98.8% failure
rate may be partially attributable to URL decay (marketplace URLs
that become invalid after listing removal) rather than agent
malfunction. Even accounting for this, the observability gap is
significant.
Author's Address
Xiao Liang
Shaanxi Rui Ding Guan Yan Industrial Co., Ltd.
Xi'an, Shaanxi
China
Email: yingzi-159@163.com