Agent Accountability: Composition and Conformance
draft-mih-sato-agent-accountability-composition-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Steven Mih , Tom Sato , Songbo Bu , Iman Schrock | ||
| Last updated | 2026-07-05 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-mih-sato-agent-accountability-composition-00
Network Working Group S. Mih
Internet-Draft Action State Group, Inc.
Intended status: Informational T. Sato
Expires: 6 January 2027 MyAuberge K.K.
S. Bu
Independent
I. Schrock
EMILIA Protocol, Inc.
5 July 2026
Agent Accountability: Composition and Conformance
draft-mih-sato-agent-accountability-composition-00
Abstract
Autonomous and semi-autonomous software agents increasingly take
consequential actions across administrative and trust domains.
Holding such an action accountable — to a regulator, auditor, or
counterparty who does not trust the operator — requires answering
several questions, each answerable by an independently-verifiable
profile: whether the agent was permitted to act (CAN), which
accountable human authorized the specific action (WHO), what the
agent actually did (WHAT), and whether the runtime enforced correctly
(AUDIT).
This document specifies, in Informational terms, how such profiles
compose — by a shared action-digest, each verifying independently —
and defines a shared conformance-vector suite against which any
profile may be tested. It complements existing audit-architecture
and record-format work rather than replacing it, reusing existing
signing, transport, and transparency mechanisms. Its focus is an
assurance tier those documents leave open: most agent records today
are self-attested by an interested party; this document makes
reachable and testable an anchored, third-party-verifiable tier, in
which a record is registered to a transparency service (SCITT) so a
party who trusts neither the agent nor the operator can verify it.
Self-attestation remains a valid baseline; convergence on the
disinterested tier — by any conforming profile — is the goal, not a
single mandated format.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Mih, et al. Expires 6 January 2027 [Page 1]
Internet-Draft Agent Accountability Composition July 2026
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 6 January 2027.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview: Questions and Composition . . . . . . . . . . . . . 3
3. The Composition Model . . . . . . . . . . . . . . . . . . . . 4
4. Trust-Root Separation . . . . . . . . . . . . . . . . . . . . 4
5. Slot Profiles . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. The CAN Slot . . . . . . . . . . . . . . . . . . . . . . 5
5.2. The WHO Slot: Named-Human Authorization . . . . . . . . . 5
5.3. The WHAT Slot . . . . . . . . . . . . . . . . . . . . . . 7
5.4. The AUDIT Slot . . . . . . . . . . . . . . . . . . . . . 7
6. Assurance Tiers . . . . . . . . . . . . . . . . . . . . . . . 7
7. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 8
8. Extension Points . . . . . . . . . . . . . . . . . . . . . . 8
9. Relationship to Existing Work . . . . . . . . . . . . . . . . 8
10. Security Considerations . . . . . . . . . . . . . . . . . . . 8
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
13. Informative References . . . . . . . . . . . . . . . . . . . 9
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
Mih, et al. Expires 6 January 2027 [Page 2]
Internet-Draft Agent Accountability Composition July 2026
1. Introduction
Autonomous agents are non-deterministic, act without per-step human
oversight, cross administrative and trust boundaries, and delegate to
other agents. The assumptions that let earlier systems be trusted —
predictability, runtime supervision, a nameable human in the loop —
do not hold by default. When behaviour cannot be supervised as it
happens, trust must relocate to evidence that can be checked
afterward and, because agents act across organizational boundaries,
checked without trusting the operator.
Identity and authorization are necessary but not sufficient: they
establish which agent and what it was permitted to do, but the risks
that characterize agent systems — goal drift, prompt injection,
fabricated tool results, action outside scope — occur in the gap
between what was authorized and what was actually done. Holding a
consequential agent action accountable therefore requires answering
several questions, each answerable by an independently-verifiable
profile: whether the agent was permitted to act (CAN), which
accountable human authorized the specific action (WHO), what the
agent actually did (WHAT), and whether the runtime enforced correctly
(AUDIT).
This document does not define a new audit architecture; it
complements the existing architecture and record-format work in this
space (see Relationship to Existing Work) and specifies the piece
they leave open: how profiles answering these questions compose, by a
shared action-digest, into one record, and how conformance — both to
that composition and to an anchored, third-party-verifiable assurance
tier — is tested. Two principles frame it: (1) composition by shared
digest, not containment — each profile verifies independently and
refers to the same action by a shared digest; and (2) producer-
agnostic neutrality — no profile is a required root of trust for
another. The set of questions is open and extensible (agent identity
and belief-provenance are natural further slots), and the composed
evidence serves both after-the-fact accountability and the forward-
looking authorization and trust decisions that rely on it.
1.1. Terminology
Slot; profile; composition vector; profile-tagged digest; trust root.
[Define in a later revision; align with the constituent-profile
terminology.]
2. Overview: Questions and Composition
The work centers on a set of interchangeable *slots*, each a question
that a conforming *profile* answers:
Mih, et al. Expires 6 January 2027 [Page 3]
Internet-Draft Agent Accountability Composition July 2026
* *CAN* — the "may": was the agent permitted to act?
* *WHO* — which accountable human authorized this exact action?
* *WHAT* — the "did": what did the agent actually do (verdict-
complete; a byte-stable serialization of the observed record, not
a replay)?
* *AUDIT* — did the runtime enforce correctly, in causal order,
tamper-evidently?
Any conforming profile may fill a slot; the profiles cited in this
document are the first instances, not the definition. An action
fills the slots its trust requirement calls for; not every action
populates every slot. The set is extensible (see Extension Points).
3. The Composition Model
Profiles compose by reference to a shared *subject digest* over the
action — subject_digest = SHA-256(JCS(action)) — which is the join
key all slots refer to. A profile-tagged *authority-reference
digest* binds a slot's evidence to the registered object it commits
to, and a *receipt-payload digest* binds transparency receipts.
Digests committing to signed bytes require deterministic encoding.
Digest equality is a join key: it does not, by itself, prove truth,
authorization, sufficiency, completeness, or policy compliance.
Native profile verification, digest recomputation, receipt or
transparency verification, completeness and sequencing checks, and
relying-party acceptance remain separate results.
[Full three-digest binding rules, profile-label discipline, and raw-
bytes-vs-ASCII -hex rules to be imported from the digest-binding
thread / conformance issue in a later revision.]
4. Trust-Root Separation
Each slot may root in a different trust anchor (e.g. a human device
key, a kernel attestation key ([RFC9334]), a transparency-log
operator). The composition holds even if any one party is
compromised or under review. No slot is a required root of trust for
another; profiles remain producer-agnostic.
Mih, et al. Expires 6 January 2027 [Page 4]
Internet-Draft Agent Accountability Composition July 2026
5. Slot Profiles
The profiles in this section are first instances filling the slots
named above, recorded so the composition can be tested against
something concrete. They are not the slot definitions; any
conforming profile may fill a slot (see Overview). Each profile's
text is contributed and maintained by its authors.
5.1. The CAN Slot
[Profile text to be contributed by the slot's owners.]
5.2. The WHO Slot: Named-Human Authorization
The WHO slot answers a single question: which named, accountable
human — or quorum of distinct humans — authorized this exact action
before it ran. It is deliberately narrow. It does not define the
composition model itself, a sufficiency or policy decision, a new
audit-record format, or a replacement for agent or workload identity:
"which agent acted" is a different slot, and "was this authorization
sufficient for this action" is a layer above the composition. It
binds the authorization to the exact observed action by the
composition's shared action digest — the subject digest of the
Composition Model — and exposes the binding metadata a composition
verifier needs, and nothing more. Digest equality itself neither
authorizes the action nor proves completeness.
In the first-instance profile
([I-D.schrock-human-authorization-binding], with the receipt format
in [I-D.schrock-ep-authorization-receipts]), the WHO record is an
authorization receipt: a device-bound signature by a named principal
— or a set of distinct principals — over the canonical bytes of one
action, verifiable offline against the signer's public key. Any
record form meeting the producer and verifier requirements below
conforms.
A conforming WHO producer MUST state: the authorizing principal
identifier(s) — the named human(s), not the agent; for a quorum, the
quorum descriptor (an M-of-N threshold or an ordered sequence) and
the eligible or actual signer identifiers; the subject of the action
being authorized; the covered action bytes or data model, the
canonicalization rule (if any), the digest algorithm and version, and
the domain-separation context; the binding between the subject digest
and the receipt signature(s) — the signed payload MUST cover the
digest; the validity window and any freshness or one-time-use
semantics; and the failure behavior when a required binding input,
signer, or quorum member is absent — fail closed: absence of
authorization is not authorization.
Mih, et al. Expires 6 January 2027 [Page 5]
Internet-Draft Agent Accountability Composition July 2026
A conforming WHO verifier MUST be able to produce a result that
states: whether each signature validates under the profile rules; the
exact digest bytes it recomputed and the canonicalization and hash
parameters used; whether the digest is covered by each signature; for
a quorum, whether the threshold is met, whether the counted signers
are distinct principals, whether every counted signer signed the same
canonical action bytes under the same digest context, and — for an
ordered quorum — whether the required order held; whether the receipt
is within its validity window and any one-time-use constraint; and
the verified-versus-accepted distinction (below). The verifier MUST
keep signature validation, digest recomputation, quorum evaluation,
and freshness as separate results, and MUST NOT collapse them into a
single opaque "authorized" boolean.
The WHO slot separates two claims a composition verifier must never
conflate: VERIFIED — the signature(s) and the digest binding hold,
given a public key; objective and offline — and ACCEPTED — the
relying party additionally trusts the authorizing principal(s) via
out-of-band key pinning; a relying-party decision, not a property of
the receipt. A WHO verifier MUST surface these separately: a valid
signature over the bound digest proves VERIFIED and never implies
ACCEPTED, and neither implies the authorization was sufficient for
the action.
At the composition join, the WHO slot exposes a minimal, disclosure-
aware reference: the subject digest and its declared digest context;
the authorizing principal identifier(s) — or, under selective
disclosure, a commitment to them; the quorum descriptor, if any, with
a distinctness assertion; and the binding assertion that the
signature(s) cover the subject digest. The reference carries no
agent identity, no policy verdict, and no sufficiency claim.
Where a WHO record is also registered to a transparency service (see
Assurance Tiers), the transparency receipt proves registration of the
submitted statement under the service policy; it does not prove that
a named human authorized the action. A WHO verifier MUST keep native
signature validation, digest recomputation, and transparency-receipt
validation as separate results.
In addition to the composition-level negative classes (see
Conformance), a WHO profile MUST reject each of the following, and
the verifier MUST report which check failed: semantically similar
action input with different canonical bytes; a changed subject; a
changed authorizing-principal reference; replay of the receipt under
a different action (a different subject digest); a quorum satisfied
by a non-distinct principal filling two slots; an ordered quorum
satisfied out of order; a threshold not met; a mismatched or absent
receipt signature; a signature that verifies but whose signed payload
Mih, et al. Expires 6 January 2027 [Page 6]
Internet-Draft Agent Accountability Composition July 2026
does not cover the subject digest (an unbound signature); a stale
receipt; a post-hoc ratification presented as pre-execution
authorization; a reusable authorization presented under one-time
semantics, or a one-time authorization presented as reusable; and WHO
digest bytes that do not match an adjacent slot's digest for the same
claimed action under compatible digest contexts (per the binding
rules of the Composition Model, to be imported). [The WHO positive-
vector classes are imported with the conformance suite in a later
revision.]
5.3. The WHAT Slot
[Profile text to be contributed by the slot's owners.]
5.4. The AUDIT Slot
[Profile text to be contributed by the slot's owners.]
6. Assurance Tiers
A record answering these questions may be produced at different
assurance levels, and the distinction is the crux for a relying party
who does not trust the operator:
* *Self-attested (baseline).* The record is signed by the agent or
its operator and held by an interested party. This is useful
telemetry and a reasonable default, but it cannot, by itself,
satisfy a regulator, counterparty, or insurer who does not trust
the producer.
* *Anchored / third-party-verifiable.* The record, or a digest of
it, is registered to a transparency service — the SCITT substrate
([RFC9943]) — yielding a receipt that lets a party who trusts
neither the agent nor the operator verify the record's existence,
its content at registration time, and non-equivocation,
independent of any single producer's infrastructure.
This document does not mandate the anchored tier; self-attestation
remains valid. It specifies how any conforming profile MAY reach the
anchored tier by registering to a transparency service, and how that
tier is tested (see Conformance) — so that third-party-verifiability
is a property profiles can converge on, not a single format they must
adopt.
Mih, et al. Expires 6 January 2027 [Page 7]
Internet-Draft Agent Accountability Composition July 2026
7. Conformance
Conformance is expressed as a shared vector suite: a positive
composition vector (one action threaded through the populated slots)
plus, per slot, the negative-case classes it MUST expose (e.g. non-
deterministic encoding, ASCII-hex-as-bytes, profile-label mismatch,
receipt bound to a different statement, broken join digest).
A conformance vector freezes only after it has been recomputed by at
least two independent implementations. This document specifies no
implementation; each slot is implemented independently, and any party
may verify against the vectors.
8. Extension Points
Additional question-slots compose by the same digest discipline.
Belief-provenance ("why the agent believed what it acted on") is a
named extension socket. [Others as identified.]
9. Relationship to Existing Work
This document complements, rather than replaces, existing efforts.
An architecture for auditing agent delegation and interactions is
developed separately ([I-D.kuehlewind-audit-architecture], with its
interaction, action, delegation, and authorization-transition record
types); record and logging formats and action-lineage protocols are
defined in adjacent documents (e.g., [I-D.sharif-agent-audit-trail],
[I-D.bates-atp], [I-D.aylward-aiga] — cited as live adjacent work,
not positioned). The four questions here map onto those record types
rather than redefining them.
What this document adds is the piece those leave open: the
composition of independently-verifiable profiles by a shared action-
digest, a shared conformance-vector suite, and the anchored, third-
party-verifiable assurance tier (see Assurance Tiers). It defines no
new signing, transport, or transparency mechanism. Specific
documents will be cited normatively and informatively in a later
revision.
10. Security Considerations
The security properties are those of the composed profiles plus the
binding rules here; no single layer suffices. The agent is not
trusted. Distributed trust roots mean no single verifier or
transparency service is assumed sufficient. This document does not
address an adversarial party that refuses to record at its own
boundary, nor collusion across all roles, nor model alignment.
[Expand.]
Mih, et al. Expires 6 January 2027 [Page 8]
Internet-Draft Agent Accountability Composition July 2026
11. Privacy Considerations
Records may be rich in information about users and the data an agent
processed. Profiles SHOULD support content-private, hash-only
(detached-payload) records so a registered statement carries only a
digest, with content held under deployment controls. The shared join
digest enables cross-slot correlation; pairwise or encrypted
correlation identifiers SHOULD be available where correlation is not
required. [Expand.]
12. IANA Considerations
This document has no IANA actions. [A registry of slot identifiers /
profile labels may be proposed in a later revision.]
13. Informative References
[RFC9943] Birkholz, H., Delignat-Lavaud, A., Fournet, C., Deshpande,
Y., and S. Lasker, "An Architecture for Trustworthy and
Transparent Digital Supply Chains", RFC 9943,
DOI 10.17487/RFC9943, June 2026,
<https://www.rfc-editor.org/rfc/rfc9943>.
[RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote ATtestation procedureS (RATS)
Architecture", RFC 9334, DOI 10.17487/RFC9334, January
2023, <https://www.rfc-editor.org/rfc/rfc9334>.
[I-D.kuehlewind-audit-architecture]
Kühlewind, M. and H. Birkholz, "An Architecture for
Auditing AI Agent Delegation and Interactions", Work in
Progress, Internet-Draft, draft-kuehlewind-audit-
architecture-00, 18 May 2026,
<https://datatracker.ietf.org/doc/html/draft-kuehlewind-
audit-architecture-00>.
[I-D.sharif-agent-audit-trail]
Sharif, R., "Agent Audit Trail: A Standard Logging Format
for Autonomous AI Systems", Work in Progress, Internet-
Draft, draft-sharif-agent-audit-trail-00, 29 March 2026,
<https://datatracker.ietf.org/doc/html/draft-sharif-agent-
audit-trail-00>.
[I-D.bates-atp]
Bates, D. A., "Agent Transaction Protocol (ATP)", Work in
Progress, Internet-Draft, draft-bates-atp-00, 11 May 2026,
<https://datatracker.ietf.org/doc/html/draft-bates-atp-
00>.
Mih, et al. Expires 6 January 2027 [Page 9]
Internet-Draft Agent Accountability Composition July 2026
[I-D.aylward-aiga]
Aylward, E. R., "Artificial Intelligence Governance
Architecture (AIGA)", Work in Progress, Internet-Draft,
draft-aylward-aiga-00, 13 January 2026,
<https://datatracker.ietf.org/doc/html/draft-aylward-aiga-
00>.
[I-D.schrock-human-authorization-binding]
Schrock, I., "Binding Named-Human Authorization Evidence
into Agent-Action Records", Work in Progress, Internet-
Draft, draft-schrock-human-authorization-binding-00, 3
July 2026, <https://datatracker.ietf.org/doc/html/draft-
schrock-human-authorization-binding-00>.
[I-D.schrock-ep-authorization-receipts]
Schrock, I., "Authorization Receipts for High-Risk Agent
Actions", Work in Progress, Internet-Draft, draft-schrock-
ep-authorization-receipts-05, 3 July 2026,
<https://datatracker.ietf.org/doc/html/draft-schrock-ep-
authorization-receipts-05>.
Acknowledgments
[To be completed with the constituent-profile authors and reviewers,
with permission.]
Authors' Addresses
Steven Mih
Action State Group, Inc.
Email: steven@actionstate.ai
Tom Sato
MyAuberge K.K.
Japan
Email: tomsato@myauberge.jp
Songbo Bu
Independent
Email: bluedognull@gmail.com
Iman Schrock
EMILIA Protocol, Inc.
Email: team@emiliaprotocol.ai
Mih, et al. Expires 6 January 2027 [Page 10]