Protocol Extension Approval Governance

2. Summary

Protocol Extension Approval Governance requires that every custom extension to a communication, orchestration, or tool-invocation protocol used by AI agents is formally approved, documented, and version-controlled before deployment into any environment where agents interact with external systems or other agents. Protocol extensions — additional methods, modified message schemas, custom headers, non-standard authentication flows, or bespoke capability negotiations — expand the attack surface and interoperability risk of an agent deployment. Without formal approval governance, extensions proliferate informally, creating undocumented capabilities that bypass security controls, evade audit, and introduce incompatibilities that surface only under failure conditions. This dimension mandates a structured approval pipeline that evaluates each proposed extension against security, interoperability, regulatory, and operational criteria before it enters production.

3. Example

Scenario A — Unapproved Extension Creates Payment Bypass: A development team building an enterprise procurement agent extends the internal agent-to-agent communication protocol with a custom method called fast_approve. The method bypasses the standard multi-step approval flow for purchase orders and routes them directly to the payment execution service, skipping the risk-scoring middleware. The extension is added to address latency complaints during a high-volume procurement event. No change request is filed. No security review occurs. Three weeks later, an attacker compromises a low-privilege internal agent and discovers the fast_approve method through protocol introspection. The attacker uses the method to submit 14 purchase orders totalling £2.3 million to a shell supplier over 90 minutes. The standard approval flow would have blocked each order at the risk-scoring stage.

What went wrong: The protocol extension was created and deployed without formal approval. No security assessment evaluated whether the extension circumvented existing controls. The extension was not documented, so the security team was unaware of its existence. The protocol's capability discovery mechanism exposed the extension to any authenticated agent, including the compromised one. Consequence: £2.3 million in fraudulent procurement, regulatory investigation by the FCA for inadequate systems and controls, suspension of the automated procurement system pending remediation, personal liability risk for the operations director under the Senior Managers Regime.

Scenario B — Custom Schema Extension Breaks Cross-Border Compliance: A multinational financial services firm deploys agents across EU and UK jurisdictions. The UK team extends the agent protocol with a custom field client_risk_tier embedded directly in task-routing messages to accelerate client onboarding. The extension transmits client risk classification data — derived from personal financial data — across the agent mesh without data-sovereignty controls. The extension is not reviewed against GDPR Article 44 (transfers to third countries) because it is treated as an "internal protocol enhancement" rather than a data flow change. An audit by the Irish Data Protection Commission discovers that client risk tier data for EU citizens is being processed by UK-hosted agent nodes without Standard Contractual Clauses or an adequacy decision. The firm faces a GDPR enforcement action with a proposed fine of €8.6 million (2.1% of annual turnover).

What went wrong: The protocol extension introduced a new personal data flow that was invisible to the data governance team. Because the extension was not subject to formal approval, no Data Protection Impact Assessment was performed. The extension's documentation — a Slack message and a code comment — did not flag the data-sovereignty implications. Consequence: €8.6 million proposed fine, mandatory remediation under supervisory order, 6-month delay to the cross-border agent deployment programme, reputational damage in the EU market.

Scenario C — Conflicting Extensions Cause Safety-Critical Failure: An industrial automation company deploys agents to coordinate robotic assembly cells. Two engineering teams independently extend the cell-coordination protocol: Team A adds a priority_override method that allows an agent to pre-empt another agent's scheduled motion sequence, and Team B adds a collision_zone_reserve method that locks physical zones during motion planning. Neither team is aware of the other's extension. When both extensions are active simultaneously, a priority override pre-empts a motion sequence while the collision zone reservation remains active for the original sequence. The replacement motion executes without collision zone protection. A robotic arm enters an occupied zone, causing a collision that damages €340,000 of equipment and injures a maintenance technician who was in the zone under the original reservation's safety guarantee.

What went wrong: Two protocol extensions with conflicting safety semantics were deployed without a unified approval process that would have detected the interaction. No integration testing evaluated the combined behaviour of both extensions. The collision zone reservation extension assumed exclusive control of zone locking, but the priority override extension could bypass it. Consequence: €340,000 equipment damage, workplace injury requiring hospitalisation, HSE investigation, production line shutdown for 3 weeks costing €1.2 million in lost output, potential prosecution under the Health and Safety at Work Act 1974.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployment that uses communication protocols — whether open standards (such as agent-to-agent messaging protocols, tool-invocation frameworks, or orchestration protocols) or proprietary internal protocols — where those protocols are extended, modified, or supplemented with custom functionality beyond the base specification. An "extension" is any addition to a protocol that is not part of the published base specification version in use: custom methods, additional message fields, modified authentication flows, bespoke capability negotiation sequences, non-standard error codes, custom transport bindings, or protocol-level middleware that alters message semantics. The scope includes extensions created by the deploying organisation, extensions provided by third-party vendors, and extensions inherited from open-source implementations. The scope excludes configuration of parameters that the base protocol explicitly provides for (e.g., setting a timeout value within a range defined by the protocol specification) — such configuration is not an extension but a permitted parameterisation. The test is: does the modification introduce behaviour, data fields, methods, or semantics that a compliant implementation of the base protocol specification would not recognise or expect? If yes, it is an extension and this dimension applies.

4.1. A conforming system MUST maintain a protocol extension registry that catalogues every active, deprecated, and proposed extension, including its purpose, author, approval status, version, affected protocol version, and deployment scope.

4.2. A conforming system MUST require formal approval from a designated governance authority before any protocol extension is deployed to a production or pre-production environment where agents interact with external systems, other agents, or real data.

4.3. A conforming system MUST subject each proposed protocol extension to a documented security assessment evaluating: expanded attack surface, interaction with existing security controls, authentication and authorisation implications, and data exposure risks.

4.4. A conforming system MUST subject each proposed protocol extension to an interoperability assessment evaluating: compatibility with the base protocol specification, interaction with other active extensions, impact on protocol version negotiation, and backward compatibility with agents that do not implement the extension.

4.5. A conforming system MUST subject each proposed protocol extension to a regulatory impact assessment evaluating: whether the extension introduces new data flows subject to data protection regulation, whether it modifies control flows subject to financial regulation, and whether it affects safety-critical communication paths subject to sector-specific safety regulation.

4.6. A conforming system MUST block deployment of any protocol extension that has not completed the approval pipeline, using infrastructure-layer controls rather than relying on procedural compliance alone.

4.7. A conforming system MUST version each approved extension independently of the base protocol version, with immutable version records linked to the approval artefacts.

4.8. A conforming system SHOULD implement automated detection of unapproved extensions — protocol introspection, schema validation, or message inspection — that identifies extensions in use that do not appear in the approved registry.

4.9. A conforming system SHOULD require that each approved extension includes a rollback procedure specifying how to disable the extension without disrupting ongoing agent operations.

4.10. A conforming system SHOULD implement extension isolation such that the failure of a custom extension does not compromise the base protocol's core functionality (message delivery, authentication, session management).

4.11. A conforming system MAY implement a sandbox environment where proposed extensions can be evaluated under realistic conditions before approval, including interaction testing with other active extensions.

4.12. A conforming system MAY implement time-bounded extension approvals that require periodic re-approval to prevent indefinite persistence of extensions that are no longer needed.

5. Rationale

Protocol extensions are the governance equivalent of shadow IT at the infrastructure layer. When agent systems communicate via defined protocols — whether for tool invocation, inter-agent messaging, orchestration, or capability negotiation — those protocols establish a contract that security controls, monitoring systems, and compliance mechanisms are built upon. Extensions modify that contract. An unapproved extension is an undocumented contract modification that every downstream system must accommodate without awareness or preparation.

The risk is not theoretical. The history of enterprise IT is littered with incidents caused by undocumented protocol modifications: custom SMTP headers that bypassed email filtering, non-standard HTTP methods that evaded web application firewalls, proprietary API extensions that created authentication bypasses. Agent protocols face the same class of risk, amplified by two factors. First, agent protocols often carry higher-stakes payloads — financial instructions, safety-critical commands, personal data — than traditional application protocols. Second, agents may discover and use protocol extensions autonomously through capability negotiation, meaning an extension created for one purpose can be adopted by agents for purposes its creator never anticipated.

The regulatory context reinforces the need for formal extension governance. Under the EU AI Act, Article 9 requires that the risk management system address risks introduced by modifications to the AI system. A protocol extension that changes how agents communicate, what data they exchange, or what capabilities they expose is a modification to the AI system. Under DORA, Article 9 requires financial entities to maintain comprehensive documentation of their ICT systems, including interfaces and dependencies. Unapproved protocol extensions create undocumented interfaces that violate this requirement. Under GDPR, a protocol extension that introduces a new personal data field or a new data routing path triggers obligations under Articles 25 (data protection by design) and 35 (Data Protection Impact Assessment) that cannot be met if the extension is undocumented.

The failure mode of ungoverned protocol extensions is particularly dangerous because it is silent. Unlike a service outage or a data breach, an unapproved extension operates successfully — it does what its creator intended. The problem surfaces only when the extension interacts with a security control it was not designed to accommodate, when a compliance audit discovers an undocumented data flow, or when two independently created extensions conflict under conditions neither creator tested. By that point, the extension may be deeply embedded in production operations, making remediation costly and risky.

The approval pipeline mandated by this dimension is not bureaucratic overhead — it is the minimum viable process to ensure that protocol modifications receive the same scrutiny as code deployments, infrastructure changes, or configuration modifications. The pipeline must be lightweight enough to avoid creating incentives for developers to bypass it, but rigorous enough to catch the security, interoperability, and regulatory issues that unapproved extensions introduce. The balance is achieved through clear criteria, defined timelines (e.g., 5-day SLA for standard assessments), and automated tooling that reduces the manual burden of the review process.

6. Implementation Guidance

The protocol extension registry is the central artefact. It should be implemented as a structured data store — not a wiki page, not a spreadsheet, not a set of code comments — that is queryable, version-controlled, and integrated with the deployment pipeline. Each registry entry should include: extension identifier (unique, immutable), extension name and description, affected base protocol and version, author and owning team, approval status (proposed, under review, approved, deprecated, revoked), approval date and approver identity, version history, security assessment summary and link to full assessment, interoperability assessment summary and link to full assessment, regulatory impact assessment summary and link to full assessment, deployment scope (which environments, which agent populations), rollback procedure, and expiry date (if time-bounded).

Recommended patterns:

• Pipeline-integrated approval gate. Integrate extension approval with the CI/CD pipeline. Extension code or configuration is tagged with its registry identifier. The deployment pipeline checks the registry status before allowing deployment. Extensions with status other than "approved" are blocked from production deployment. This provides infrastructure-layer enforcement of requirement 4.6 without requiring manual intervention at deployment time.
• Protocol schema validation at runtime. Deploy a protocol-aware proxy or middleware that validates all agent messages against the base protocol schema plus the set of approved extension schemas. Messages containing fields, methods, or structures not present in either the base schema or an approved extension schema are rejected with a structured error. This provides real-time detection of unapproved extensions per requirement 4.8.
• Extension interaction matrix. Maintain a matrix documenting the tested interactions between active extensions. When a new extension is proposed, the interoperability assessment must include testing against every active extension in the matrix. The matrix grows with each approval, but the incremental cost is bounded: each new extension is tested against N existing extensions, not against all possible combinations of extensions.
• Tiered approval tracks. Not all extensions carry equal risk. Define tiers: Tier 1 (cosmetic — additional metadata fields with no security, compliance, or control-flow implications) requires lightweight review; Tier 2 (functional — new methods, modified flows, additional capabilities) requires full security and interoperability assessment; Tier 3 (safety/compliance-critical — extensions affecting authentication, authorisation, data flows, or safety-critical communication) requires full assessment plus independent review by security and compliance functions.

Anti-patterns to avoid:

• Treating protocol extensions as configuration. If an extension modifies behaviour, data structures, or capabilities, it is not "just configuration." Routing it through change management for configuration changes rather than the extension approval pipeline will result in inadequate assessment. The test is always: would a compliant base protocol implementation recognise this? If not, it is an extension.
• Approving extensions without interaction testing. Reviewing an extension in isolation is necessary but insufficient. Extensions interact with other extensions and with security controls. The Scenario C example demonstrates the consequences of approving extensions without testing their combined behaviour. The interoperability assessment must include active-extension interaction testing.
• Relying on developer discipline for enforcement. If the only barrier to deploying an unapproved extension is a policy document stating that developers should not do so, the policy will be violated under time pressure. Enforcement must be structural: the deployment pipeline must check registry status, and the runtime must validate message schemas.
• Grandfathering existing extensions. When an extension governance programme is introduced, existing deployed extensions must be catalogued and retroactively assessed. Grandfathering — allowing existing extensions to continue without assessment — perpetuates the exact risk the governance programme was created to address. Set a remediation timeline (e.g., 90 days) for all existing extensions to complete the approval pipeline.

Industry Considerations

Financial Services. Protocol extensions in financial agent systems frequently involve payment instruction formats, risk parameter transmission, and regulatory reporting fields. Each of these has sector-specific compliance implications. The FCA expects firms to maintain complete documentation of all interfaces in their trading and payment systems (SYSC 6.1.1R). An unapproved protocol extension that modifies a payment instruction format is an undocumented interface. MiFID II best execution requirements (Article 27) may be affected by protocol extensions that alter order routing behaviour. Extension approvals in financial services should include review by the compliance function, not solely the engineering function.

Safety-Critical / Industrial. Protocol extensions in safety-critical agent systems — robotics, autonomous vehicles, industrial control — can directly affect physical safety. The IEC 61508 functional safety lifecycle requires that modifications to safety-related systems undergo hazard analysis and risk assessment. A protocol extension that modifies how agents coordinate physical actions is a modification to a safety-related system. Extension approvals must include functional safety review, and extensions must be classified according to their potential impact on safety integrity levels (SIL).

Healthcare. Protocol extensions that introduce new data fields may create new categories of protected health information (PHI) under HIPAA. An extension adding a diagnostic code to an agent communication protocol creates a PHI flow that must be covered by the organisation's HIPAA compliance programme. Extension approvals must include HIPAA privacy and security assessment.

Maturity Model

Basic Implementation — The organisation maintains a protocol extension registry as a structured document or database. All new extensions require approval before deployment, documented as a signed-off change request. Security assessment is performed for each extension. Enforcement is procedural: the development team is responsible for submitting extensions for approval before deployment. Detection of unapproved extensions relies on periodic manual audit of deployed protocol configurations against the registry.

Intermediate Implementation — The registry is integrated with the deployment pipeline, providing infrastructure-layer blocking of unapproved extensions. Security, interoperability, and regulatory impact assessments are all performed for each extension. The runtime environment validates agent messages against approved schemas, detecting unapproved extensions in real time. An interaction matrix documents tested combinations of active extensions. Tiered approval tracks provide proportionate assessment based on extension risk. Existing extensions have been retroactively assessed and registered.

Advanced Implementation — All intermediate capabilities plus: automated extension discovery scans all agent communication channels for non-standard protocol elements and cross-references findings against the registry. Extension approvals include time-bounded validity requiring periodic re-assessment. Adversarial testing evaluates whether an agent can autonomously discover and exploit unapproved extensions through capability negotiation. The extension governance process is independently audited against regulatory requirements. Extension metrics (approval throughput, rejection rates, time-to-approval) are reported to governance boards for continuous improvement.

7. Evidence Requirements

Required artefacts:

• Protocol extension registry. The complete, current registry showing all active, deprecated, proposed, and revoked extensions with their approval status, version history, and deployment scope. Format: structured data export (JSON, database dump, or equivalent). Not a prose description.
• Approval records. For each approved extension: the formal approval decision, the identity of the approver, the date of approval, and links to the security assessment, interoperability assessment, and regulatory impact assessment. Minimum one complete approval record per active extension.
• Security assessment reports. For each approved extension: the documented security assessment evaluating attack surface expansion, control interaction, authentication/authorisation implications, and data exposure. Format: structured security assessment report.
• Deployment enforcement evidence. Logs or configuration demonstrating that the deployment pipeline checks registry status before allowing extension deployment. At least one example of a blocked deployment attempt for an unapproved extension.
• Runtime detection evidence. If automated detection is implemented (requirement 4.8): logs demonstrating detection of protocol messages containing unapproved extensions, including the detection timestamp, the violating message characteristics, and the action taken.

Retention requirements:

• Extension registry and approval records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Security assessment reports: same retention as approval records.
• Deployment enforcement and runtime detection logs: minimum 3 years.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. The registry must be queryable by extension identifier, approval status, deployment scope, and date range. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-377 compliance requires verifying that the approval pipeline is enforced structurally, that unapproved extensions are detected and blocked, and that the registry accurately reflects the deployed state.

Test 8.1: Unapproved Extension Deployment Blocking

• Stimulus: Attempt to deploy an agent configuration containing a protocol extension that is not present in the approved registry, or whose registry status is "proposed" or "revoked."
• Expected behaviour: The deployment pipeline rejects the deployment with a structured error identifying the unapproved extension and its registry status.
• Pass criteria: The deployment does not proceed. The agent configuration containing the unapproved extension is not active in any production or pre-production environment.
• Fail criteria: The deployment proceeds despite the extension's unapproved status, or the deployment pipeline does not check registry status.

Test 8.2: Registry Completeness Verification

• Stimulus: Enumerate all protocol extensions active in the production environment through protocol introspection, schema analysis, or message inspection. Compare the discovered extensions against the approved registry.
• Expected behaviour: Every discovered extension has a corresponding entry in the registry with status "approved."
• Pass criteria: Zero extensions are discovered in production that do not have an approved registry entry. The registry contains no "approved" entries for extensions not found in production (indicating stale entries, which should be flagged but are not a blocking failure).
• Fail criteria: One or more extensions are active in production without an approved registry entry.

Test 8.3: Security Assessment Coverage

• Stimulus: Select five approved extensions at random from the registry. Retrieve the linked security assessment for each.
• Expected behaviour: Each selected extension has a completed security assessment that evaluates attack surface expansion, control interaction, authentication/authorisation implications, and data exposure.
• Pass criteria: All five sampled extensions have complete security assessments covering all four evaluation dimensions. Assessments are dated, attributed to an assessor, and linked to the approval record.
• Fail criteria: Any sampled extension lacks a security assessment, or any assessment omits one or more of the four required evaluation dimensions.

Test 8.4: Interoperability Assessment With Active Extensions

• Stimulus: Propose a test extension that modifies message routing behaviour (e.g., adds a priority field that affects processing order). Submit it through the approval pipeline. Verify that the interoperability assessment includes testing against all currently active extensions.
• Expected behaviour: The interoperability assessment documents testing of the proposed extension in combination with each active extension. Conflicts or unexpected interactions are identified and documented.
• Pass criteria: The assessment report includes test results for the proposed extension operating alongside each active extension. No untested interactions exist.
• Fail criteria: The interoperability assessment evaluates the extension in isolation without testing against active extensions, or active extensions are omitted from interaction testing.

Test 8.5: Regulatory Impact Assessment Execution

• Stimulus: Propose a test extension that adds a new data field containing a customer identifier to inter-agent messages. Submit it through the approval pipeline.
• Expected behaviour: The regulatory impact assessment identifies the new personal data flow, evaluates GDPR implications (including Articles 25 and 35), evaluates cross-border data transfer implications if applicable, and documents whether a Data Protection Impact Assessment is required.
• Pass criteria: The regulatory impact assessment identifies the data protection implications and documents the assessment against applicable regulations. The assessment is completed before the extension receives approval.
• Fail criteria: The extension receives approval without a regulatory impact assessment, or the assessment fails to identify the personal data implications of the new field.

Test 8.6: Extension Versioning Integrity

• Stimulus: Modify an approved extension (change its behaviour, add a field, alter its semantics) and attempt to deploy the modified version using the original version identifier.
• Expected behaviour: The deployment pipeline or runtime validation detects the version mismatch — the deployed extension's content does not match the approved version's recorded hash or schema — and blocks the deployment.
• Pass criteria: The modified extension is blocked. A new version must be submitted through the approval pipeline.
• Fail criteria: The modified extension deploys under the original version identifier without re-approval.

Test 8.7: Approval Pipeline Enforcement Under Bypass Attempt

• Stimulus: Attempt to introduce a protocol extension by directly modifying the agent runtime configuration, protocol library, or message schema outside the standard deployment pipeline — simulating a developer bypassing the approval process.
• Expected behaviour: Runtime schema validation or automated detection identifies the unapproved extension. An alert is generated. The extension is flagged or blocked depending on the enforcement mode.
• Pass criteria: The unapproved extension is detected within one monitoring cycle (recommended: within 15 minutes). An alert is generated with the extension details.
• Fail criteria: The unapproved extension operates in production without detection.

Conformance Scoring

• Score 0: No protocol extension governance exists — extensions are added ad hoc without approval, documentation, or assessment.
• Score 1: An extension registry exists and approvals are required, but enforcement is procedural only — no infrastructure-layer blocking of unapproved extensions.
• Score 2: Infrastructure-layer enforcement blocks unapproved extensions at deployment time. Security, interoperability, and regulatory impact assessments are performed for each extension. The registry is current and accurate.
• Score 3: Verified by independent audit — an independent party has audited the extension governance programme, confirmed registry accuracy against deployed state, verified assessment quality, and tested enforcement mechanisms.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Direct requirement
EU AI Act	Article 17 (Quality Management System)	Supports compliance
SOX	Section 404 (Internal Controls Over Financial Reporting)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Direct requirement
NIST AI RMF	GOVERN 1.2, MAP 3.5, MANAGE 2.4	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks), Clause 8.4 (AI System Impact Assessment)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework), Article 15 (ICT Change Management)	Direct requirement

EU AI Act — Article 9 (Risk Management System)

Article 9 requires that the risk management system for high-risk AI systems address risks arising from modifications and updates. Protocol extensions are modifications to the AI system's communication and coordination infrastructure. An unapproved extension that expands agent capabilities, alters data flows, or modifies control logic constitutes a system modification that must be addressed within the risk management system. The Article 9 requirement that risk mitigation measures be "tested with a view to identifying the most appropriate risk management measures" maps directly to the interoperability and security assessments required by AG-377. The obligation to address "reasonably foreseeable misuse" includes the risk that agents discover and exploit unapproved extensions through autonomous capability negotiation.

EU AI Act — Article 17 (Quality Management System)

Article 17 requires providers to implement a quality management system that includes procedures for design, development, and modification of the AI system. Protocol extension governance implements the modification control procedure required by this article, ensuring that changes to the agent's protocol layer are subject to the same quality management discipline as changes to the agent's application logic.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For AI agents that execute financial operations, protocol extensions that modify payment instruction formats, risk parameter transmission, or approval flows directly affect internal controls over financial reporting. An unapproved extension that bypasses an approval step (as in Scenario A) is a control deficiency. If material, it is a reportable weakness. SOX auditors assessing AI agent controls will ask whether all interfaces and communication protocols are documented and subject to change control. Unapproved protocol extensions are, by definition, undocumented interfaces. The protocol extension registry provides the documentation required to demonstrate that all protocol modifications are controlled.

FCA SYSC — 6.1.1R (Systems and Controls)

SYSC 6.1.1R requires firms to establish and maintain adequate policies and procedures for systems and controls. For firms deploying AI agents, the FCA expects documentation of all system interfaces and controls over modifications to those interfaces. Protocol extensions that modify agent communication are interface modifications. The FCA's expectations under SS1/23 (model risk management) extend to the infrastructure supporting AI models, including communication protocols. An undocumented protocol extension in a regulated firm's agent infrastructure represents inadequate systems and controls.

NIST AI RMF — GOVERN 1.2, MAP 3.5, MANAGE 2.4

GOVERN 1.2 addresses organisational processes for AI risk governance; MAP 3.5 addresses the identification of system dependencies and interfaces; MANAGE 2.4 addresses risk controls for AI system modifications. AG-377 supports compliance by establishing a governance process for protocol modifications, documenting all protocol interfaces and extensions, and implementing risk controls for extension deployment.

ISO 42001 — Clause 6.1, Clause 8.4

Clause 6.1 requires actions to address risks within the AI management system. Clause 8.4 requires AI system impact assessment for changes to the AI system. Protocol extensions are changes to the AI system's communication infrastructure. The extension approval pipeline implements the impact assessment required by Clause 8.4, and the registry provides the documentation required by Clause 6.1 for risk treatment.

DORA — Article 9, Article 15

Article 9 requires financial entities to maintain comprehensive ICT risk management frameworks documenting all ICT assets, interfaces, and dependencies. Article 15 specifically requires ICT change management procedures covering testing, approval, and documentation of changes. Protocol extensions are ICT changes to agent infrastructure. DORA's change management requirements map directly to AG-377's approval pipeline: testing (security and interoperability assessments), approval (formal governance authority sign-off), and documentation (the extension registry).

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Organisation-wide — potentially cross-organisation where agents communicate with external agents or third-party systems using extended protocols

Consequence chain: Without protocol extension approval governance, custom extensions proliferate across the agent infrastructure without security assessment, interoperability testing, or regulatory review. The immediate technical consequence is an expanded, undocumented attack surface: each unapproved extension introduces methods, fields, or behaviours that security monitoring tools are not configured to inspect and that security controls are not designed to govern. The operational consequence escalates when extensions interact: independently safe extensions can create unsafe combined behaviours — particularly in safety-critical environments where protocol extensions affect physical coordination (Scenario C). The compliance consequence emerges when auditors or regulators discover undocumented data flows, uncontrolled interface modifications, or bypassed approval controls. The governed exposure is bounded only by the value of transactions flowing through the extended protocol: in financial services, this can be tens of millions of pounds per day. In safety-critical environments, the exposure extends to physical harm and regulatory prosecution. The blast radius extends beyond the deploying organisation when extended protocols are used to communicate with external agents or third-party systems: the unapproved extension becomes an undocumented interface contract imposed on counterparties who have no visibility into its existence, no ability to assess its risk, and no mechanism to reject it unless they validate all inbound messages against the base protocol schema.