AG-783
Inter-Organisational Agent Trust Federation Governance
EU AI Act
NIST AI RMF
ISO 42001
Inter-Organisational Agent Trust Federation Governance mandates that when AI agents from different organisations interact, the governance controls applied to the interaction are always the most restrictive controls from either party — computed deterministically through a federated trust model with cryptographic attestation, not negotiated by the agents themselves. In a federated multi-agent ecosystem, each organisation operates under its own governance framework with varying levels of stringency. Without a structural mechanism to resolve governance asymmetry at organisational boundaries, agents default to their own (potentially weaker) governance standards, creating gaps that adversaries can exploit by targeting the organisation with the weakest controls. AG-783 closes this gap by requiring that every cross-organisational interaction computes an effective trust level using the minimum of both parties' declared governance maturity, applies the union of both parties' governance controls selecting the more restrictive option wherever controls overlap, and logs the interaction with full federation metadata in a tamper-evident audit trail accessible to both parties.
This protocol applies to all AI agent interactions that cross organisational boundaries, including:
The protocol covers: federation membership registration, bilateral federation agreement establishment, trust level computation, most-restrictive-framework enforcement, revocation cascade when federation membership is terminated, partner verification freshness, cross-organisational action governance, and federation audit.
Exclusions: Interactions between agents within a single organisation's governance domain are out of scope (governed by AG-752 Multi-Agent Ecosystem Trust Baseline). Interactions with agents in ungoverned ecosystems (no AGS compliance) are out of scope — such interactions should be blocked by the governance passport validation requirement (AG-782 R3).
Financial Services. Cross-organisational agent interactions in financial services — settlement, clearing, trade confirmation — operate under DORA Article 28-30 requirements for ICT third-party risk management. The trust federation model provides the structural mechanism for managing governance risk across financial counterparties, ensuring that the weaker party's governance level determines the interaction's control posture.
Healthcare. Clinical agents interacting across hospital networks must apply the most restrictive data handling controls from either party. A hospital with strict patient data minimisation policies interacting with one that has broader data retention must apply the stricter minimisation standard to the interaction, preventing governance downgrade at the organisational boundary.
Public Sector. Government agencies interacting across jurisdictional boundaries must apply the most restrictive transparency and accountability requirements from either jurisdiction. An agent from Agency A (subject to FOIA) interacting with an agent from Agency B (subject to GDPR) must comply with both disclosure frameworks for the interaction data.
The value of multi-agent ecosystems scales with the number of organisations participating. A financial settlement network with 50 bank participants is exponentially more valuable than one with 5. But each new participant introduces governance heterogeneity: different frameworks, different maturity levels, different enforcement architectures. Without a structural mechanism to manage this heterogeneity, the governance level of the entire ecosystem degrades to the level of the least governed participant — the familiar "weakest link" problem, but operating at machine speed across organisational boundaries that no single party controls.
Traditional approaches to cross-organisational governance rely on contractual obligations: service-level agreements, vendor risk assessments, and periodic audits. These mechanisms are necessary but insufficient for agentic interactions. A contractual obligation that "all agents will comply with AGS v2.1" cannot be verified at interaction time. An annual vendor risk assessment cannot detect that a counterparty's governance controls degraded last Tuesday. A periodic audit cannot prevent a real-time interaction between a well-governed agent and a poorly-governed one. The trust federation model addresses this gap by making governance maturity a real-time, machine-verifiable attribute of every cross-organisational interaction.
The most-restrictive-framework rule is the core innovation of AG-783. When Organisation A (trust level 4) interacts with Organisation B (trust level 3), the effective trust level is min(4, 3) = 3. Controls at level 3 are enforced, including enhanced logging, dual authorisation, and tighter data handling restrictions. Organisation A may be capable of operating at level 4, but the interaction is constrained to the governance ceiling of the weaker party. This prevents governance downgrade at organisational boundaries — the scenario where a well-governed organisation's agents operate below their own governance standard because they are interacting with a less mature counterparty.
The consequence of absent trust federation is demonstrated by supply chain attacks in the AI agent context. An attacker who cannot compromise a well-governed Organisation A targets the least-governed supplier in A's agent ecosystem. The supplier's agents, operating at a lower governance maturity, provide the entry point. Without trust federation, Organisation A's agents interact with the supplier's agents at the supplier's governance level, not at Organisation A's. The attacker exploits the governance gap at the organisational boundary. With trust federation, the interaction is constrained to the minimum trust level, and Organisation A's governance controls apply to the interaction regardless of the supplier's maturity.
Basic Implementation — The organisation has registered with at least one federation and maintains a bilateral agreement with each federation partner. Trust level computation uses the minimum rule. Federation status is checked at interaction initiation. Revocation cascade is supported but may exceed 300 seconds. Federation events are logged but the audit trail may not be tamper-evident. The most-restrictive-framework rule is applied to data handling but not consistently to action authorisation and escalation procedures.
Intermediate Implementation — All Basic capabilities plus: federation status is verified per-interaction (not cached beyond 10 minutes). Revocation cascade completes within 300 seconds across all partners. The most-restrictive-framework rule is applied consistently to data handling, action authorisation, logging, and escalation procedures. Dual authorisation is enforced for all cross-organisational actions. The tamper-evident audit trail covers all federation events with cryptographic integrity. Trust level declarations are backed by governance passport attestation (AG-782).
Advanced Implementation — All Intermediate capabilities plus: federation trust model has been validated through independent adversarial testing including trust level spoofing, revocation cascade timing attacks, most-restrictive-framework bypass attempts, and federated denial-of-service scenarios. The federation registry operates with 99.9% availability across distributed nodes. Real-time dashboards track federation health, trust level distribution, revocation cascade latency, and cross-organisational interaction volumes. The organisation participates in multi-federation ecosystems and can demonstrate to regulators that no cross-organisational interaction operates above the governance ceiling of the weaker party.
Distributed federation registry with strong consistency. Implement the federation registry as a replicated database with strong consistency guarantees (not eventual consistency), ensuring that all federation members see the same trust levels and revocation states simultaneously. Write access is restricted to the federation authority and each organisation's governance authority. Read access is available to all members. This prevents split-brain scenarios where different members see different trust levels for the same partner.
Trust level backed by governance passport attestation. Require each organisation's declared trust level to be backed by a governance passport (AG-782) attesting to the governance maturity that justifies the declared level. The passport is verified by the federation registry at registration time and at each trust level update. This prevents organisations from overclaiming their governance maturity.
Most-restrictive control resolver with explicit precedence rules. Implement the most-restrictive-framework rule as a deterministic control resolver that, for each governance control category (data handling, action authorisation, logging, escalation), compares both organisations' control specifications and selects the more restrictive one. Where "more restrictive" is ambiguous (different control types, not directly comparable), the resolver applies a documented precedence rule rather than leaving the decision to the agents.
Revocation cascade with pre-computed notification graph. Pre-compute the notification graph for each federation member — the set of partners and active interactions that must be terminated if that member is revoked. When revocation occurs, dispatch notifications to the pre-computed list in parallel rather than discovering partners at revocation time. This reduces cascade latency from minutes (discovery + notification) to seconds (notification only).
Cross-federation bridge with trust level translation. For organisations participating in multiple federations, implement a cross-federation bridge that translates trust levels between federation-specific scales. The bridge applies the most conservative mapping: if Federation A's level 4 maps to Federation B's level 3, the cross-federation interaction uses the lower mapped level. This prevents trust inflation across federation boundaries.
Single-federation-member trust assumption. Assuming that because an organisation is a member of a federation, its governance controls are adequate for any interaction. Federation membership indicates minimum eligibility; the effective trust level for any specific interaction depends on the minimum rule applied to both parties' current trust levels.
Governance level negotiation between agents. Allowing agents to negotiate the governance level for a cross-organisational interaction rather than computing it deterministically from the federation registry. Agent-level negotiation creates an attack surface where a compromised agent can negotiate a lower governance level than its organisation's trust level would require.
Revocation cascade with serial notification. Notifying partners sequentially during a revocation cascade rather than in parallel. Serial notification means that the last partner in the notification chain may not receive the revocation for minutes after the first partner, creating a window where the revoked member can still interact with un-notified partners.
Trust level caching beyond 10 minutes. Caching a partner's federation status and trust level for extended periods to reduce registry queries. Trust levels can change (organisation downgraded, membership revoked) at any time. Stale cache data creates a window where interactions proceed at an outdated trust level.
Bilateral agreement without explicit termination conditions. Establishing federation agreements without specifying the conditions under which the agreement is terminated and interactions are blocked. Without explicit termination conditions, revoking a compromised partner requires ad-hoc decision-making under time pressure, delaying the cascade.
TC1: Trust Level Computation Uses Minimum
TC2: Revocation Cascade Completes Within 300 Seconds
TC3: Most-Restrictive Framework Rule Enforcement
TC4: Partner Verification Rejects Stale Data
TC5: Dual Authorisation for Cross-Org Actions
TC6: Federation Registration Validation
TC7: New Member Trust Level Cap During Onboarding
| Evidence ID | Description | Retention Period |
|---|---|---|
| AG783-E01 | Federation registration records with governance attestation | 7 years |
| AG783-E02 | Bilateral federation agreement documents | Duration of agreement + 5 years |
| AG783-E03 | Trust level computation logs for all cross-org interactions | 7 years |
| AG783-E04 | Revocation cascade event logs with per-partner timestamps | 7 years |
| AG783-E05 | Most-restrictive-framework control resolution logs | 7 years |
| AG783-E06 | Federation audit trail (all federation events, tamper-evident) | 7 years |
| AG783-E07 | Adversarial testing reports (trust spoofing, cascade timing, bypass) | 5 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No trust federation exists. Cross-organisational agent interactions proceed without governance-level computation, most-restrictive-framework enforcement, or federation membership verification. |
| 1 | Basic | Federation membership is tracked and trust levels are declared, but the minimum-rule computation is advisory rather than enforced, the most-restrictive-framework rule is inconsistently applied, and revocation cascade may exceed 300 seconds. |
| 2 | Infrastructure-layer enforcement | Trust level computation uses the minimum rule enforced by infrastructure. Most-restrictive-framework rule applied to all control categories. Dual authorisation enforced. Revocation cascade within 300 seconds. Partner verification rejects stale data. Tamper-evident federation audit trail. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities verified through independent adversarial testing including trust level spoofing, revocation cascade timing attacks, most-restrictive-framework bypass attempts, and cross-federation trust inflation. Test results documented and available for regulatory review. |
Scenario A — Governance Downgrade in Financial Settlement Network
A cross-border financial settlement network connects agents from 12 banks across 6 jurisdictions. Bank A (trust level 4, robust infrastructure-layer governance) initiates a EUR 28 million settlement with Bank B (trust level 2, application-layer governance only). Without trust federation, Bank A's settlement agent interacts with Bank B's clearing agent at Bank A's trust level 4, applying Bank A's own governance controls. Bank B's agent, operating at trust level 2, does not enforce per-interaction mandate verification, does not maintain tamper-evident audit trails, and relies on application-layer access controls that can be bypassed. An attacker compromises Bank B's clearing agent and modifies the settlement instruction to redirect EUR 28 million to a controlled account. Bank A's governance controls cannot detect the modification because the interaction operated at Bank B's effective governance level — application-layer only — rather than Bank A's infrastructure-layer standard.
What went wrong: No trust federation computed the effective trust level as min(4, 2) = 2. Bank A's agent interacted at its own level 4 rather than the minimum. Bank B's application-layer controls were the actual governance ceiling for the interaction, but this was invisible to Bank A. Consequence: EUR 28 million redirected, T+2 settlement window missed triggering CSDR penalties, regulatory investigation across 3 jurisdictions, estimated total loss EUR 31 million including forensics, penalties, and counterparty claims.
Scenario B — Revocation Cascade Failure in Healthcare Data Exchange
A regional health information exchange connects agents from 23 hospitals. Hospital C fails a governance compliance audit — its patient data agents are found to be operating without mandate scope enforcement. The federation authority revokes Hospital C's membership at 09:15. The revocation cascade uses serial notification (anti-pattern) rather than parallel dispatch. Hospital C's agents have active data exchange sessions with 8 other hospitals. Hospitals A and B (notified at 09:15 and 09:16) immediately terminate interactions. Hospitals D through H (notified between 09:22 and 09:31) continue exchanging patient data with Hospital C's ungoverned agents for up to 16 minutes after revocation. During this window, Hospital C's compromised agents access 12,000 patient records across 6 hospitals that had not yet received the revocation notification.
What went wrong: Serial revocation notification created a 16-minute window between the first and last partner notification. During this window, interactions continued with a revoked member. Consequence: HIPAA breach notification for 12,000 patients across 6 hospitals, HHS OCR investigation, estimated remediation cost USD 5.4 million, federation-wide trust suspension for 14 days during security review.
Scenario C — Trust Level Spoofing via Compromised Federation Registry Node
A multi-industry agent federation operates across financial services, logistics, and insurance. The federation registry uses an eventually-consistent distributed database (anti-pattern — should use strong consistency). An attacker compromises one registry node and modifies Organisation G's trust level from 2 to 5. Due to eventual consistency, 3 of 7 registry nodes reflect the spoofed trust level 5 while 4 nodes retain the correct level 2. Depending on which registry node a verifying agent queries, Organisation G's agents interact at either level 2 or level 5. Over 48 hours, 340 cross-organisational interactions involving Organisation G proceed at the spoofed trust level 5, with relaxed governance controls that Organisation G's actual governance maturity does not support. The inconsistency is discovered during a routine federation audit that cross-references trust levels across registry nodes.
What went wrong: The federation registry used eventual consistency rather than strong consistency, allowing a compromised node to present a different trust level than the authoritative state. The spoofed trust level enabled interactions at a governance level above Organisation G's actual capability. Consequence: 340 interactions at incorrect governance level, regulatory investigation for all counterparties, federation registry architecture redesign costing EUR 1.2 million, 60-day trust freeze across the federation during remediation.
| Field | Value |
|---|---|
| Severity Rating | Critical |
| Blast Radius | Cross-organisational — every agent interaction crossing any organisational boundary in the federation |
Consequence chain: Failure of inter-organisational trust federation permits governance downgrade at organisational boundaries. The effective governance level for cross-organisational interactions defaults to the weaker party's standard rather than the stronger party's, creating a structural gap that adversaries can exploit by targeting the least-governed organisation in the ecosystem. The blast radius encompasses every cross-organisational interaction in the federation: a single compromised or undergoverned member can introduce risk into every partner's agent interactions. The consequence chain includes regulatory liability for every participating organisation (each is responsible for the governance level of interactions involving its agents), reputational damage to the federation as a governance assurance mechanism, and potential systemic risk in financial services where settlement finality depends on governance integrity across counterparties.
| Requirement | EU AI Act | DORA | NIST AI RMF | OWASP Agentic | ISO 42001 |
|---|---|---|---|---|---|
| R1: Federation registration with attestation | Art. 9 -- Risk management | Art. 28 -- Third-party risk | GOVERN 1.1 -- Legal requirements | ASI-07 -- Trust boundary | Clause 8.2 -- AI risk assessment |
| R2: Minimum trust level computation | Art. 9 -- Risk management | Art. 28 -- Third-party risk | -- | ASI-07 -- Trust boundary | Clause 6.1 -- Risk actions |
| R3: Most-restrictive-framework rule | Art. 9 -- Risk management | Art. 28 -- Third-party risk | -- | ASI-07 -- Trust boundary | Clause 6.1 -- Risk actions |
| R4: Bilateral federation agreement | Art. 9 -- Risk management | Art. 30 -- Contractual arrangements | GOVERN 1.1 -- Legal requirements | -- | Clause 8.2 -- AI risk assessment |
| R5: 300-second revocation cascade | Art. 9 -- Risk management | Art. 28 -- Third-party risk | -- | ASI-07 -- Trust boundary | -- |
| R6: Partner verification freshness | Art. 9 -- Risk management | -- | -- | ASI-07 -- Trust boundary | -- |
| R7: Dual authorisation | Art. 9 -- Risk management | Art. 29 -- Governance arrangements | -- | -- | Clause 6.1 -- Risk actions |
| R8: Tamper-evident federation audit | Art. 12 -- Record-keeping | Art. 28 -- Third-party risk | GOVERN 1.1 -- Legal requirements | -- | Clause 8.2 -- AI risk assessment |
Article 9 requires risk management systems that identify and mitigate risks proportionate to their severity. In cross-organisational agent interactions, the risk of governance downgrade at organisational boundaries is a systemic risk that trust federation directly mitigates. The minimum trust level computation and most-restrictive-framework rule operationalise Article 9's proportionality requirement by ensuring that governance controls match the capability of the weakest participant.
DORA requires financial entities to manage ICT third-party risk through formal arrangements (Article 28), contractual provisions (Article 30), and governance mechanisms (Article 29). AG-783's federation registration, bilateral agreements, and trust level computation provide the agentic implementation of these requirements. The revocation cascade mechanism ensures that when a third-party's governance compliance degrades, the risk is contained within the DORA-mandated timeframes.
ASI-07 identifies cross-agent trust boundary violations as a top-ten agentic security risk. AG-783 directly addresses this by requiring that trust boundaries are explicitly defined, trust levels are computed deterministically, and governance controls are enforced at the boundary rather than assumed by either party. The most-restrictive-framework rule prevents the specific attack pattern where an adversary exploits the gap between two organisations' governance levels.
| Protocol | Relationship |
|---|---|
| AG-029 | Dependency — Third-party risk management for assessing organisations joining the federation |
| AG-103 | Dependency — Cryptographic standards for signing federation agreements and trust attestations |
| AG-752 | Dependency — Multi-agent ecosystem trust baseline that federation trust levels must meet or exceed |
| AG-781 | Dependency — Identity verification required before any federated interaction can commence |
| AG-782 | Integration — Governance passports carry trust level and federation membership claims for cross-org verification |