The Data Artifact Management (DAM) Protocol for Agentic AI Systems
draft-sato-soos-dam-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Tom Sato | ||
| Last updated | 2026-06-30 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Additional resources |
Additional Web Page
|
||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-sato-soos-dam-00
Network Working Group T. Sato
Internet-Draft MyAuberge K.K.
Intended status: Standards Track 30 June 2026
Expires: 30 December 2026
The Data Artifact Management (DAM) Protocol for
Agentic AI Systems
draft-sato-soos-dam-00
Abstract
This document specifies the Data Artifact Management (DAM) protocol
for agentic AI systems governed by the Sovereign Object OS (SOOS)
framework. DAM defines a typed taxonomy of data artifacts produced
and consumed by AI agents, a governance envelope for each artifact
type specifying provenance, access policy, temporal validity, and
retention requirements, and the normative interface between agent-
generated artifacts and the Governance Audit Record (GAR).
DAM addresses three classes of data in agentic systems: kernel-
generated artifacts (IDP event logs, GAR records, AEP session state),
agent-generated artifacts (outputs of agent actions), and externally
ingested artifacts (data made available by resources). DAM specifies
the Data Artifact type (DA-Type) taxonomy referenced in the Resource
Governance Protocol (RGP) and the Agent Execution Protocol (AEP).
This document is a placeholder submission establishing the draft
identifier and abstract. Full specification text will be submitted
post-IETF 126 Vienna.
Further information: https://soosproject.ai/drafts/dam
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
1.1. Problem Statement
1.2. Scope of This Document
2. Conventions and Definitions
3. Architecture Overview
3.1. DAM Position in the SOOS Stack
3.2. DA-Type Taxonomy
3.3. Artifact Lifecycle States
3.4. GAR Provenance Integration
4. Artifact Classes (Stub)
4.1. KGA -- Kernel-Generated Artifacts
4.2. AGA -- Agent-Generated Artifacts
4.3. EIA -- Externally Ingested Artifacts
5. Graph Write Authority Model (Stub)
6. Governance Envelope (Stub)
7. Open Issues
8. Security Considerations
9. IANA Considerations
10. References
10.1. Normative References
10.2. Informative References
Author's Address
1. Introduction
1.1. Problem Statement
Agentic AI systems produce, consume, and transform data continuously
across the lifecycle of a governed session. A booking agent reads
availability data from a supplier API, produces an itinerary
document, and records its reasoning chain. A disaster response
agent ingests sensor readings, produces routing plans, and generates
situation reports. An enterprise procurement agent queries inventory
databases and produces purchase orders.
In each case, the data is not homogeneous. Availability data from
a supplier API has different provenance, access policy, and retention
requirements than a GAR audit record. A routing plan produced by
an agent has different write authority semantics than an IDP event
log produced by the kernel. A sensor reading ingested from an
external source has different validation requirements than an agent
decision document.
No existing protocol specifies a unified typed taxonomy for data
artifacts in agentic AI systems, a governance envelope that travels
with each artifact type, or the normative interface between artifact
production and the GAR provenance chain. Without such a
specification, agentic systems cannot make machine-readable claims
about what data they produced, under what authority, with what
retention obligation, or how that data connects to the governance
audit record.
DAM closes this gap. DAM does not specify data encoding formats
or storage systems. DAM specifies the governance layer above those
concerns: the artifact type taxonomy, the governance envelope fields,
the write authority model, and the GAR provenance interface.
1.2. Scope of This Document
This document (DAM-00) is a placeholder submission establishing the
draft identifier, abstract, problem statement, and architecture
overview. Section headings and stub text are included to reserve
the structure of the full specification. Sections marked "(Stub)"
will be replaced with normative text in DAM-01 (post-Vienna).
The DA-Type taxonomy (Section 3.2), graph write authority model
(Section 5), and governance envelope fields (Section 6) are
architecturally locked per the SOOS UpgradeSprint Day 7 session
record (DR-GRP-DAM-01, June 30, 2026). The stub sections present
these locked decisions at the outline level.
Full text authoring for DAM is scheduled post-IETF 126 Vienna
(after GAR-03 authoring, item 16 in the post-Vienna authoring
schedule).
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
appear in all capitals, as shown here.
Data Artifact (DA):
Any discrete unit of data produced, consumed, or transformed by
an agentic AI system or its governing kernel during a governed
session. A DA is typed (Section 3.2), carries a governance
envelope (Section 6), and has a write authority class
(Section 5).
DA-Type:
The type identifier for a Data Artifact. DA-Types are organized
into three top-level classes: KGA (Kernel-Generated Artifact),
AGA (Agent-Generated Artifact), and EIA (Externally Ingested
Artifact). DA-Types are registered in the IANA DA-Type Registry
(Section 9).
Governance Envelope (GE):
The structured metadata record that travels with each Data
Artifact, specifying: provenance (who produced it, under what
session and mandate), access policy (Cedar policy reference
governing read/write), temporal validity (not-before, not-after),
and retention requirement (KERNEL_PERMANENT, SESSION_SCOPED,
OPERATOR_DEFINED, REGULATORY_MINIMUM).
KGA (Kernel-Generated Artifact):
A DA produced by the GEC kernel as a governance record. Includes
IDP event records, GAR records, AEP session state, SACR objects,
and EOD endorsement records. Subject to kernel-only write
authority (Section 5).
AGA (Agent-Generated Artifact):
A DA produced by an AI agent as an output of its action execution.
Includes documents, reports, code outputs, decisions, and
recommendations. Subject to agent-write with kernel audit
(Section 5).
EIA (Externally Ingested Artifact):
A DA made available to the agent by an external resource.
Includes API responses, database query results, file contents,
and sensor readings. Subject to kernel validation against the
active RGP Resource Envelope before agent ingestion (Section 5).
Provenance Chain:
The ordered sequence of GAR records that establishes the
production history of a Data Artifact: who produced it, in which
session, under which mandate, and with which kernel governance
events preceding production.
Retention Requirement:
The retention policy class attached to a DA in its Governance
Envelope. Four classes are defined: KERNEL_PERMANENT (GAR
records; never deleted except by legal order), SESSION_SCOPED
(valid for session duration only), OPERATOR_DEFINED (operator
configures retention period), REGULATORY_MINIMUM (minimum
retention period specified by applicable regulatory obligation).
3. Architecture Overview
3.1. DAM Position in the SOOS Stack
DAM sits above GAR in the SOOS governance stack and below the
agent execution layer (AEP) and resource governance layer (RGP).
DAM is the data governance layer: it specifies the types and
governance envelopes of the data artifacts that flow between the
layers above and the audit record layer below.
The SOOS stack layers relevant to DAM:
+----------------------------------------------------------+
| AEP / AOP / RGP (Agent Execution Layer) |
| Agent produces AGA | Agent ingests EIA | Kernel logs KGA |
+----------------------------------------------------------+
|
+----------+
| DAM |
| DA-Type |
| Gov Env |
| Write |
| Authority|
+----------+
|
+----------------------------------------------------------+
| GAR (Audit Record Layer) |
| Provenance chain | Merkle-signed session block |
+----------------------------------------------------------+
DAM is not a messaging protocol. It does not specify how Data
Artifacts are transmitted between agents or resources. It specifies
the governance metadata (DA-Type, Governance Envelope, write
authority class) that every Data Artifact in a SOOS-governed system
MUST carry.
3.2. DA-Type Taxonomy
The three top-level DA-Type classes:
+----------------------------------+---------------------------------+
| Class | Description | Examples |
+----------------------------------+---------------------------------+
| KGA | Kernel-Generated | IDP records, GAR records, |
| | Artifact: produced by | AEP session state, SACR |
| | GEC kernel as governance| objects, EOD endorsements, |
| | record | KEE-1 WAL entries |
+----------------------------------+---------------------------------+
| AGA | Agent-Generated | Documents, reports, code, |
| | Artifact: produced by | decisions, recommendations, |
| | agent as action output | itineraries, purchase orders |
+----------------------------------+---------------------------------+
| EIA | Externally Ingested | API responses, database query |
| | Artifact: made available| results, file contents, sensor |
| | by external resource | readings, supplier data |
+----------------------------------+---------------------------------+
Sub-type registries for each class will be defined in DAM-01.
DA-Type strings use the format: {CLASS}/{subtype}, e.g.,
"KGA/GAR_SESSION_BLOCK", "AGA/ITINERARY", "EIA/SUPPLIER_API_RESP".
3.3. Artifact Lifecycle States
[STUB -- to be specified in DAM-01]
Anticipated states: PENDING | DRAFT | COMMITTED | VALID |
EXPIRED | SUPERSEDED | REVOKED.
Lifecycle transitions will be governed by kernel operations
and Cedar policy evaluation. The GAR provenance chain records
each lifecycle transition.
3.4. GAR Provenance Integration
Every Data Artifact production or ingestion event in a SOOS-governed
session MUST be recorded in the GAR provenance chain. The mandatory
GAR record for artifact production carries:
(a) da_type: the DA-Type string.
(b) da_id: UUID v7 assigned at production time.
(c) producing_session_id: the AEP session in which the artifact
was produced or ingested.
(d) producing_agent_xpid: XPID of the agent that produced/ingested
the artifact. For KGA artifacts, producing_agent_xpid is the
GEC's XPID.
(e) mandate_ref: the MJWT jti that authorized the action producing
this artifact.
(f) governance_envelope_hash: SHA-256 over canonical JSON of the
artifact's Governance Envelope.
The mandatory provenance fields on Cedar evaluation records
(cedar_policy_id, cap_rrs_control_id, authority_source_uri) defined
in [I-D.sato-soos-gar] Section 8.6 apply to all DAM artifact
production events that are gated by Cedar policy evaluation.
4. Artifact Classes (Stub)
4.1. KGA -- Kernel-Generated Artifacts
[STUB -- to be specified in DAM-01]
KGA artifacts are the authoritative governance record of the SOOS
kernel. They include all records produced by the GEC in the
execution of its governance functions: IDP event logs, GAR records,
AEP session state, SACR objects, EOD endorsement records, and
KEE-1 WAL entries.
Key properties to be specified in DAM-01:
- Kernel-only write authority (no agent may write or delete KGA)
- KERNEL_PERMANENT retention class (never deleted except by legal
order with court-order attestation record in GAR)
- Tamper evidence: each KGA is covered by the Session Block Merkle
root per [I-D.sato-soos-gar] Section 14.4
4.2. AGA -- Agent-Generated Artifacts
[STUB -- to be specified in DAM-01]
AGA artifacts are the operational outputs of agent execution: the
documents, decisions, recommendations, itineraries, and other
artifacts that the agent produces as the substantive result of
its task. For a booking agent, the final itinerary is an AGA.
For a procurement agent, the purchase order is an AGA. For a
disaster response agent, the routing plan is an AGA.
Key properties to be specified in DAM-01:
- Agent-write with kernel audit: agent produces; kernel logs
production event and provenance chain in GAR
- EOD linkage: each AGA produced as the primary mission output
is linked to the EOD that pre-declared it (by da_type match
to target_state SO Type)
- AGA sub-type registry: to be defined in DAM-01
4.3. EIA -- Externally Ingested Artifacts
[STUB -- to be specified in DAM-01]
EIA artifacts are data made available to the agent by external
resources: API responses, database query results, file contents,
sensor readings. EIA ingestion is governed by the active RGP
Resource Envelope [I-D.sato-soos-rgp]: the kernel validates the
ingestion event against the Resource Envelope before the agent
is permitted to use the data.
Key properties to be specified in DAM-01:
- External-write with kernel validation: external resource produces;
kernel validates against active RGP Resource Envelope
- EIA poisoning defense: malicious data injected via an EIA that
causes the agent to violate CAP prohibitions remains detectable
in the GAR provenance chain via the EIA ingestion record
- Temporal validity: EIA artifacts carry not-before/not-after
bounds in their Governance Envelope; stale EIA ingestion is
detectable by audit
5. Graph Write Authority Model (Stub)
[STUB -- to be specified in DAM-01]
The three-tier write authority model governs who may create, modify,
or delete each class of Data Artifact:
Tier 1 -- Kernel-only write (KGA):
Only the GEC kernel may write KGA artifacts. No agent, operator,
or external resource is granted Cedar Action::WriteKGA. KGA
write operations are enforced at the TEE boundary per
[I-D.sato-soos-kee] KEE-1 property P1.
Tier 2 -- Agent-write with kernel audit (AGA):
The agent may produce AGA artifacts as outputs of authorized
actions. Each AGA production event is logged to GAR by the
kernel immediately upon production. The agent cannot suppress
or modify the GAR log entry for an AGA it produced.
Tier 3 -- External-write with kernel validation (EIA):
External resources produce EIA artifacts and make them available
to the agent. The kernel validates each EIA against the active
RGP Resource Envelope before permitting agent ingestion.
The kernel logs the ingestion event to GAR.
The graph write authority model prevents a core attack class:
an agent that attempts to modify its own audit record (KGA) or
suppress the provenance record of an artifact it produced (AGA).
Both are DENIED by Cedar and enforced at the kernel boundary.
6. Governance Envelope (Stub)
[STUB -- to be specified in DAM-01]
Each Data Artifact carries a Governance Envelope specifying:
provenance:
session_id, agent_xpid, mandate_ref, produced_at, da_type.
Identical to the GAR provenance chain record for this artifact.
access_policy:
Cedar policy reference governing read access to this artifact.
Specifies which principal types may read the artifact and under
what conditions.
temporal_validity:
not_before, not_after (ISO 8601 UTC). For KGA, not_after is
unbounded (KERNEL_PERMANENT). For EIA, not_after reflects
the data freshness window specified in the RGP Resource Envelope.
retention_requirement:
One of: KERNEL_PERMANENT | SESSION_SCOPED | OPERATOR_DEFINED |
REGULATORY_MINIMUM.
The Governance Envelope schema will be fully specified in DAM-01,
including Cedar evaluation semantics for access_policy and the
retention requirement enforcement model.
7. Open Issues
OQ-DAM-01: DA-Type sub-type registry design.
The three top-level DA-Type classes (KGA, AGA, EIA) are locked.
The sub-type registry format, registration procedure, and initial
sub-type list are deferred to DAM-01 authoring. The DA-Type
string format {CLASS}/{subtype} is adopted; the authoritative
sub-type list for the initial registry is post-Vienna.
OQ-DAM-02: EIA poisoning defense normative treatment.
The EIA poisoning attack vector (malicious data injected via
external resource causing CAP prohibition violation) is identified
in Section 4.3. Full normative defense specification (including
Cedar evaluation of ingestion events and GAR provenance linkage
to CAP DENIED actions triggered by EIA content) is deferred
to DAM-01.
OQ-DAM-03: AGA linkage to EOD target state.
Section 4.2 notes that AGA artifacts produced as primary mission
outputs should be linked to the EOD that pre-declared them.
The normative linkage mechanism (da_type to SO Type mapping in
the Mission Plan SO or AEP EOD schema) is deferred to DAM-01,
pending resolution against AOP-00 and IDP-05.
8. Security Considerations
[PLACEHOLDER -- to be completed in DAM-01]
The primary security properties of DAM, to be specified normatively
in DAM-01:
(a) KGA integrity: Kernel-only write authority (Tier 1 in Section 5)
prevents agents from modifying or suppressing governance records.
Enforced at TEE boundary per [I-D.sato-soos-kee] KEE-1 P1.
(b) AGA provenance completeness: Every AGA production event is
logged to GAR immediately upon production. Agent cannot
produce an AGA without a corresponding GAR record.
(c) EIA validation: EIA artifacts are validated against the active
RGP Resource Envelope before ingestion. An EIA that fails
Resource Envelope validation is rejected and logged to GAR.
(d) EIA poisoning: Malicious EIA content that causes a CAP
prohibition violation remains detectable in the GAR provenance
chain: the EIA ingestion event precedes the CAP DENIED record,
providing full traceability from poisoned input to blocked
output.
(e) Governance Envelope integrity: The governance_envelope_hash
in the GAR provenance record allows auditors to detect post-
production modification of a Data Artifact's Governance
Envelope.
9. IANA Considerations
[PLACEHOLDER -- to be completed in DAM-01]
DAM-01 will request the following IANA registrations:
(a) DA-Type Registry. A new registry "SOOS Data Artifact Types"
with the following top-level entries:
+-------+----------------------------+---------------------+
| Class | Description | Reference |
+-------+----------------------------+---------------------+
| KGA | Kernel-Generated Artifact | [This document] |
| AGA | Agent-Generated Artifact | [This document] |
| EIA | Externally Ingested | [This document] |
| | Artifact | |
+-------+----------------------------+---------------------+
Sub-type registrations follow first-come-first-served policy
with expert review; registration procedure to be specified
in DAM-01.
(b) Governance Envelope Field Names Registry. A new registry
"SOOS Governance Envelope Fields" registering the canonical
field names specified in Section 6.
(c) Retention Requirement Vocabulary Registry. A new registry
"SOOS Retention Requirements" with initial entries:
KERNEL_PERMANENT, SESSION_SCOPED, OPERATOR_DEFINED,
REGULATORY_MINIMUM.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174,
DOI 10.17487/RFC8174, May 2017,
<https://www.rfc-editor.org/info/rfc8174>.
[I-D.sato-soos-gar]
Sato, T., "The Governance Audit Record (GAR) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-gar-03, July 2026.
[I-D.sato-soos-aep]
Sato, T., "The Agent Execution Protocol (AEP) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-aep-02, July 2026.
[I-D.sato-soos-kee]
Sato, T., "The Kernel Execution Environment (KEE-1)
for the Sovereign Object OS", Internet-Draft
draft-sato-soos-kee-00, July 2026.
10.2. Informative References
[I-D.sato-soos-rgp]
Sato, T., "The Resource Governance Protocol (RGP) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-rgp-00, July 2026.
[I-D.sato-soos-idp]
Sato, T., "The Intent Declaration Primitive (IDP) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-idp-05, July 2026.
[I-D.sato-soos-cap]
Sato, T., "The Constitutional AI Protocol (CAP) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-cap-04, July 2026.
[I-D.sato-soos-aop]
Sato, T., "The Agent Orchestration Protocol (AOP) for
Agentic AI Systems", Internet-Draft
draft-sato-soos-aop-00, July 2026.
Author's Address
Tom Sato
MyAuberge K.K.
Chino, Nagano, Japan
Email: tomsato@myauberge.jp
URI: https://soosproject.ai