AG-782

Agent Governance Passport Governance

Multi-Agent and Ecosystem Governance · AGS v2.1 · 2026-04-28
EU AI Act · NIST AI RMF · ISO 42001

1. Definition

Agent Governance Passport Governance mandates that every AI agent operating within a governed ecosystem carries a cryptographically signed governance passport — a structured, machine-verifiable credential attesting that the agent complies with a specific governance framework version, operates within a defined mandate scope, and possesses a declared set of authorised capabilities. The passport is not a self-declaration; it is issued by an authorised passport authority registered in the governance registry, signed with the authority's cryptographic key, and verifiable by any consuming agent or system without trusting the presenting agent. The passport format conforms to the W3C Verifiable Credentials data model, ensuring interoperability across platforms and organisational boundaries. Without governance passports, organisations interacting with external agents have no standardised, cryptographically verifiable way to confirm that those agents meet minimum governance requirements — leaving every cross-agent interaction dependent on contractual assurances that cannot be verified at machine speed.

2. Scope

This protocol applies to all governance passports issued to AI agents within governed ecosystems. Specifically:

Exclusions: Internal-only agents that never interact with agents from other organisations or governance domains may use simplified internal attestation mechanisms, provided those mechanisms meet AG-770 credential lifecycle requirements. Any agent that transitions to cross-organisational interaction immediately enters AG-782 scope.

Industry Considerations

Financial Services. Governance passports for financial agents must attest to compliance with both the AGS framework and applicable financial regulations (MiFID II, DORA). A financial settlement agent presenting a governance passport to a counterparty's clearing agent must demonstrate that its mandate scope covers the transaction type and value range. The FCA expects that AI agent governance claims are verifiable, not merely declared.

Healthcare. Clinical agents interacting across hospital networks must carry passports attesting to HIPAA-compliant data handling, patient data minimisation, and clinical decision support boundaries. The passport provides the receiving system with machine-verifiable assurance that the interacting agent operates under an audited governance framework.

Crypto/Web3. Agents operating in decentralised finance must carry governance passports that attest to compliance with applicable AML/KYC frameworks. The W3C Verifiable Credentials format enables passport verification without centralised authority, aligning with the architectural principles of decentralised systems while maintaining governance assurance.

3. Why This Matters

As AI agent ecosystems mature, organisations will routinely interact with agents they did not deploy, do not control, and cannot inspect. A procurement agent from Supplier A negotiates with a sourcing agent from Buyer B. A clinical decision support agent from Hospital C shares patient pathway recommendations with a treatment planning agent from Hospital D. In each case, the receiving organisation must answer a governance question before the interaction proceeds: does this external agent operate under a governance framework that meets our minimum requirements?

Without governance passports, this question can only be answered through contractual due diligence — legal agreements, vendor assessments, and periodic audits. These mechanisms operate on timescales of weeks to months. Agent interactions operate on timescales of milliseconds to seconds. The mismatch is structural: by the time a procurement review confirms that Supplier A's agents meet governance requirements, the agents have already executed thousands of interactions. Governance passports close this gap by embedding the governance attestation directly into the agent's credential set, verifiable at interaction time without human intervention.

The consequence of operating without governance passports becomes acute in regulated industries. When a financial agent executes a settlement instruction based on data provided by an external agent with no verifiable governance attestation, the executing organisation bears the regulatory risk. If the external agent was operating outside its mandate scope, processing data it was not authorised to handle, or running a governance framework version with known vulnerabilities, the executing organisation had no way to know — and regulators will ask why not. The EU AI Act Article 13 requires that AI systems provide sufficient transparency for downstream users to understand the system's capabilities and limitations. A governance passport is the machine-readable implementation of this requirement for the agentic context.

The W3C Verifiable Credentials alignment is a deliberate architectural choice. Governance passports must be interoperable across platforms, verifiable without contacting the issuing authority in real time (through pre-distributed public keys), and extensible to include domain-specific governance claims. The W3C VC data model provides all three properties and is the emerging standard for machine-verifiable credentials across industries.

4. Requirements

5. Maturity Model

Basic Implementation — The organisation issues governance passports through a centralised passport authority. Passports include agent UUID, governance framework version, and expiry timestamp. Signature verification is performed on passport presentation. Revocation is supported but may not propagate within 120 seconds. Passports are issued in a proprietary format with limited interoperability. Mandate scope is included as a text field but not enforced programmatically at validation time. Audit logging covers issuance and revocation but may not capture every validation event.

Intermediate Implementation — All Basic capabilities plus: passports conform to the W3C Verifiable Credentials data model with JSON-LD export. Mandate scope is encoded as a structured claim and enforced programmatically — actions outside scope are denied even with a valid passport. Revocation propagation completes within 120 seconds across all registries. Five-step validation (signature, expiry, revocation, scope, framework version) is enforced on every passport consumption. Key rotation occurs at least every 180 days. Backward compatibility supports the previous protocol version for 90-day transition periods.

Advanced Implementation — All Intermediate capabilities plus: passport validation has been verified through independent adversarial testing including signature forgery, scope escalation, revocation race conditions, and framework version downgrade attacks. Cross-organisational passport verification operates via federated trust registries (AG-783). Passport issuance incorporates post-quantum hybrid signing (aligned with AG-770). Real-time dashboards track passport population, expiry forecasts, validation success rates, and revocation propagation latency. The organisation can demonstrate to regulators and counterparties that its passport infrastructure provides machine-verifiable governance assurance at interaction speed.

Implementation Patterns

Governance passport as a first-class credential in the agent's identity bundle. Issue the governance passport alongside the agent's identity token (AG-781) as part of a unified credential bundle. The identity token proves who the agent is; the governance passport proves what governance framework the agent operates under. Both are required for any governed interaction. This pattern avoids the failure mode where identity is verified but governance compliance is assumed.

Pre-distributed issuing authority public keys. Distribute the passport authority's public key to all consuming parties in advance, enabling offline signature verification without real-time contact with the issuing authority. This reduces validation latency and eliminates a single point of failure. Key distribution uses a trust-on-first-use model with certificate pinning, or a federated key registry for cross-organisational deployments.

Structured mandate scope using capability URIs. Encode the agent's mandate scope using a URI-based capability model where each authorised action is represented as a specific URI (e.g., ags:action:settlement:execute, ags:action:data:read:patient-demographics). The consuming system validates the requested action against the passport's capability URI list using exact matching. This eliminates ambiguity in scope enforcement compared to free-text descriptions.
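
The five-step validation named in the maturity model, combined with the pinned-key and capability-URI patterns above, as an added example (not AGS reference code). The claim field names, the issuer name authority-1, the passport ID pp-1 and the all-zero demo key are constructed for illustration, and the payload is plain JSON rather than a full W3C VC document.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims is a simplified passport body; field names are assumptions, not the AGS schema.
type Claims struct {
	ID, Issuer, Framework string
	Capabilities          []string
	Expires               time.Time
}
type Passport struct{ Payload, Signature []byte } // Payload: the exact signed JSON bytes
type Verifier struct {
	PinnedKeys        map[string]ed25519.PublicKey // issuer -> pre-distributed public key
	Revoked, Accepted map[string]bool              // cached revocations; accepted versions
}

var (
	ErrSignature = errors.New("signature invalid or issuer not pinned")
	ErrExpired   = errors.New("passport expired")
	ErrRevoked   = errors.New("passport revoked")
	ErrScope     = errors.New("action outside mandate scope")
	ErrVersion   = errors.New("framework version not accepted")
)

// Validate runs the five checks in order and denies on the first failure.
func (v *Verifier) Validate(p Passport, action string, now time.Time) error {
	var c Claims
	parseErr := json.Unmarshal(p.Payload, &c) // claims stay untrusted until check 1 passes
	key, pinned := v.PinnedKeys[c.Issuer]
	inScope := false
	for _, granted := range c.Capabilities {
		inScope = inScope || granted == action // exact match: no prefix, no wildcard
	}
	switch {
	case parseErr != nil || !pinned || !ed25519.Verify(key, p.Payload, p.Signature):
		return ErrSignature // 1. signature, against the locally pinned key only
	case !now.Before(c.Expires):
		return ErrExpired // 2. expiry
	case v.Revoked[c.ID]:
		return ErrRevoked // 3. revocation
	case !inScope:
		return ErrScope // 4. mandate scope
	case !v.Accepted[c.Framework]:
		return ErrVersion // 5. framework version
	}
	return nil
}

// demo returns a verifier and an issuer sharing one constructed key (all-zero seed, demo only).
func demo() (*Verifier, func(Claims) Passport) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pins := map[string]ed25519.PublicKey{"authority-1": priv.Public().(ed25519.PublicKey)}
	return &Verifier{pins, map[string]bool{}, map[string]bool{"AGS v2.1": true}}, func(c Claims) Passport {
		payload, _ := json.Marshal(c)
		return Passport{payload, ed25519.Sign(priv, payload)}
	}
}

func main() {
	v, issue := demo()
	own := []string{"ags:action:data:read:anonymised-clinical-outcomes"}
	p := issue(Claims{"pp-1", "authority-1", "AGS v2.1", own, time.Now().Add(time.Hour)})
	fmt.Println(v.Validate(p, "ags:action:data:read:patient-demographics", time.Now()))
}
```

As written, main prints the scope denial for a patient-demographics request made with a passport that grants only anonymised-clinical-outcomes.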

Revocation list with delta updates. Maintain a full revocation list at the governance registry and distribute delta updates (new revocations since last sync) to consuming parties every 30 seconds. This reduces bandwidth compared to full-list distribution while maintaining near-real-time revocation awareness. Consumers cache the full list locally and apply deltas incrementally.
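
A consumer-side cache for the delta scheme described above, as an added example rather than AGS reference code. The per-delta sequence number, the type names and the fail-closed staleness bound (set here to the page's 120-second propagation figure) are assumptions of this example; deltas are assumed to arrive over an authenticated channel.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Delta is one incremental update; the sequence number is an assumption of this example.
type Delta struct {
	Seq     uint64
	Revoked []string // passport IDs revoked since the previous delta
}

var (
	ErrGap   = errors.New("delta gap: full resync required")
	ErrStale = errors.New("revocation cache stale: failing closed")
)

// RevocationCache is the consumer's local copy of the registry's revocation list.
type RevocationCache struct {
	revoked  map[string]bool
	seq      uint64
	lastSync time.Time
	MaxAge   time.Duration // oldest sync the consumer will still answer from
}

// LoadFull replaces the cache with a full list taken at sequence number seq.
func (c *RevocationCache) LoadFull(seq uint64, ids []string, now time.Time) {
	c.revoked = make(map[string]bool, len(ids))
	for _, id := range ids {
		c.revoked[id] = true
	}
	c.seq, c.lastSync = seq, now
}

// Apply merges one delta. A replay is ignored and does not refresh the sync time;
// a skipped sequence number means a revocation may have been missed.
func (c *RevocationCache) Apply(d Delta, now time.Time) error {
	switch {
	case d.Seq <= c.seq:
		return nil // already applied
	case c.revoked == nil || d.Seq != c.seq+1:
		return ErrGap // caller must fetch the full list again
	}
	for _, id := range d.Revoked {
		c.revoked[id] = true
	}
	c.seq, c.lastSync = d.Seq, now
	return nil
}

// IsRevoked answers locally, but treats every passport as revoked once the cache is stale.
func (c *RevocationCache) IsRevoked(id string, now time.Time) (bool, error) {
	if now.Sub(c.lastSync) > c.MaxAge {
		return true, ErrStale
	}
	return c.revoked[id], nil
}

func main() {
	t0 := time.Date(2026, 4, 28, 14, 22, 0, 0, time.UTC) // constructed timeline
	c := &RevocationCache{MaxAge: 120 * time.Second}
	c.LoadFull(10, []string{"pp-7"}, t0)
	fmt.Println(c.Apply(Delta{11, []string{"pp-1"}}, t0.Add(30*time.Second)))
	fmt.Println(c.IsRevoked("pp-1", t0.Add(47*time.Second)))
	fmt.Println(c.Apply(Delta{13, nil}, t0.Add(90*time.Second)))
}
```

An empty delta with the next sequence number acts as a heartbeat: it adds nothing to the list but moves the sync time forward, which is what keeps a quiet registry from tripping the staleness check.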

Passport renewal pipeline with pre-expiry automation. Implement an automated renewal pipeline that initiates re-attestation 14 days before passport expiry, completes governance compliance checks, and issues a new passport with zero-downtime overlap (both old and new passports are valid for a 24-hour transition window, after which the old passport is revoked). This prevents the operational failure mode where agents lose governance attestation due to expired passports during peak operational periods.

Anti-Patterns

Self-attested governance compliance. Allowing agents or their deploying organisations to issue their own governance passports without independent verification by an authorised passport authority. Self-attestation provides no assurance because the attesting party has an incentive to overclaim compliance.

Mandate scope as free-text description. Encoding the agent's mandate scope as a human-readable text field rather than a structured, machine-enforceable claim. Free-text scope cannot be programmatically validated, leading to ambiguity and scope creep where agents operate outside their intended mandate because the consuming system cannot parse the scope boundary.

Passport validation without revocation check. Verifying the passport's signature and expiry but skipping the revocation check against the governance registry. This is a common performance optimisation that creates a critical security gap: a passport for an agent whose governance compliance has been revoked (due to a security incident, for example) will continue to be accepted until its natural expiry.

Single-version passport enforcement with no backward compatibility. Requiring all passports to match the current protocol version with no transition period. In a multi-organisation ecosystem, protocol version upgrades cannot be coordinated simultaneously across all participants. Rejecting the previous version forces a hard cutover that creates operational disruption and incentivises organisations to delay upgrades.

Passport issuance without governance re-attestation at renewal. Automatically renewing passports without re-verifying that the agent's governance compliance is still valid. Governance posture can degrade between issuance cycles due to configuration drift, software updates, or organisational changes. Renewal without re-attestation creates stale governance claims.

6. Test Criteria

TC1: Passport Issuance with Full Field Validation

TC2: Expired Passport Rejection

TC3: Revocation Propagation Within 120 Seconds

TC4: W3C Verifiable Credentials Format Export

TC5: Mandate Scope Enforcement

TC6: Compromised Key Cascade Revocation

TC7: Backward Compatibility During Version Upgrade

Evidence Artefacts

| Evidence ID | Description | Retention Period |
| --- | --- | --- |
| AG782-E01 | Passport issuance audit logs with full field records | 7 years |
| AG782-E02 | Passport validation event logs (success, failure, scope mismatch) | 7 years |
| AG782-E03 | Revocation event logs with propagation timestamps | 7 years |
| AG782-E04 | Key rotation records and compromised key incident reports | 7 years |
| AG782-E05 | W3C VC format compliance test results | 5 years |
| AG782-E06 | Adversarial testing reports (forgery, scope escalation, version downgrade) | 5 years |
| AG782-E07 | Passport population and expiry forecast dashboards (monthly snapshots) | 1 year |

7. Scoring

| Score | Level | Description |
| --- | --- | --- |
| 0 | No implementation | No governance passports exist. Agents interact without any verifiable governance attestation. Governance compliance is assumed or asserted contractually without machine-verifiable evidence. |
| 1 | Basic | Governance passports are issued but use a proprietary format without W3C VC compliance. Mandate scope is included as text but not enforced programmatically. Revocation is supported but propagation exceeds 120 seconds. Validation does not include all five required checks. |
| 2 | Infrastructure-layer enforcement | Passports conform to W3C VC data model. Five-step validation (signature, expiry, revocation, scope, framework version) enforced on every consumption. Mandate scope is structured and programmatically enforced. Revocation propagation within 120 seconds. Key rotation at least every 180 days. Audit trail covers all lifecycle events. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities verified through independent adversarial testing including signature forgery, scope escalation, revocation race conditions, version downgrade, and compromised-key cascade. Test results documented and available for regulatory and counterparty review. |

8. Failure Scenarios

Scenario A — Governance Passport Proves Compliance in Cross-Organisation Settlement

Organisation A's financial agent initiates a EUR 12 million settlement transaction with Organisation B's clearing agent. Organisation B's agent requests the governance passport before proceeding. Organisation A's agent presents its passport, which attests to AGS v2.1 compliance and includes mandate scope for financial settlement up to EUR 50 million. Organisation B's agent performs the five-step validation: signature valid, passport not expired, revocation status clear, mandate scope covers EUR 12 million settlement, governance framework version is current. The transaction proceeds. Six months later, a regulatory audit examines the settlement. The auditor retrieves the passport validation log, confirms that Organisation B verified Organisation A's governance compliance at transaction time, and closes the audit item. The passport provided machine-verifiable governance assurance at the speed of the transaction.

What went wrong: Nothing — this is the positive scenario demonstrating the system working correctly. Without the governance passport, Organisation B would have had no machine-verifiable way to confirm Organisation A's governance compliance at transaction time, and the regulatory auditor would have found a governance gap.

Scenario B — Revoked Passport Blocks Agent After Governance Violation

A financial processing agent's governance passport is revoked after the deploying organisation fails a governance compliance review — specifically, the organisation's mandate enforcement controls (AG-001) were found to be application-layer rather than infrastructure-layer, violating a core AGS requirement. The revocation is triggered at 14:22. At 14:23, the agent attempts to initiate a payment instruction to a counterparty. The counterparty's verification gateway checks the governance registry, discovers the revocation status (propagated 47 seconds after trigger), and rejects the interaction. The rejection event is logged with the revocation reason. The agent's deploying organisation is notified that its agent has been blocked from governed interactions and must remediate the governance deficiency before a new passport can be issued.

What went wrong: The deploying organisation allowed its governance controls to degrade below AGS requirements. The passport revocation and enforcement system worked correctly — the revocation propagated within 120 seconds, the counterparty's verification gateway detected the revocation, and the interaction was blocked. Consequence: The deploying organisation lost the ability to participate in governed financial interactions for 34 days until remediation was complete and a new passport was issued, resulting in an estimated EUR 2.8 million in delayed transaction revenue and a mandatory independent governance re-assessment costing EUR 180,000.

Scenario C — Mandate Scope Mismatch Prevents Unauthorised Data Access

A healthcare research agent holds a governance passport with mandate scope limited to ags:action:data:read:anonymised-clinical-outcomes. The agent is deployed in a research collaboration where it receives a request from a partner institution's analysis agent to retrieve individual patient records (scope: ags:action:data:read:patient-demographics). The research agent presents its passport to the clinical data gateway. The gateway validates the passport — signature valid, not expired, not revoked — but the mandate scope check fails: the requested action (patient-demographics) is not in the passport's authorised capability list (anonymised-clinical-outcomes). The gateway denies the request and logs the scope mismatch. The research agent receives a structured rejection indicating the specific scope limitation. The partner institution's analysis agent is notified that the requested data exceeds the research agent's governance mandate.

What went wrong: The partner institution's analysis agent made a request that exceeded the research agent's authorised scope. The passport's structured mandate scope enforcement correctly prevented the scope violation. Without the governance passport, the clinical data gateway would have had to rely on the research agent's own representation of its authorised scope — which, if the agent were compromised, could be falsified. Consequence avoided: potential HIPAA breach affecting approximately 23,000 patient records across the research collaboration.

Severity and Blast Radius

| Field | Value |
| --- | --- |
| Severity Rating | Critical |
| Blast Radius | Cross-organisational — every interaction between agents from different organisations or governance domains |

Consequence chain: Without governance passports, cross-organisational agent interactions proceed without machine-verifiable governance assurance. The receiving organisation must either (a) trust the external agent's self-declaration of governance compliance — which provides no assurance against compromised or misconfigured agents — or (b) refuse all external agent interactions — which eliminates the value of multi-agent ecosystems. The blast radius extends to every organisation in the ecosystem: a single ungoverned agent interacting with governed agents can introduce data contamination, mandate violations, or regulatory liability that cascades to every downstream participant. The regulatory consequence is that organisations cannot demonstrate to supervisory authorities that they verified the governance compliance of agents they interacted with, creating a compliance gap that scales with the number of external interactions.

9. Regulatory Mapping

| Requirement | EU AI Act | NIST AI RMF | W3C VC | OWASP Agentic | ISO 42001 |
| --- | --- | --- | --- | --- | --- |
| R1: Passport issuance by authorised authority | Art. 9 -- Risk management | GOVERN 1.1 -- Legal requirements | VC Data Model -- Issuer | ASI-03 -- Agent spoofing | Clause 8.2 -- AI risk assessment |
| R2: W3C Verifiable Credentials format | Art. 13 -- Transparency | -- | VC Data Model -- Credential format | -- | -- |
| R3: Five-step validation | Art. 9 -- Risk management | -- | VP Verification -- Presentation | ASI-03 -- Agent spoofing | Clause 8.2 -- AI risk assessment |
| R4: 90-day validity with re-attestation | -- | GOVERN 1.1 -- Legal requirements | -- | -- | -- |
| R5: 120-second revocation propagation | Art. 9 -- Risk management | -- | Revocation List 2020 | ASI-03 -- Agent spoofing | -- |
| R6: Structured mandate scope enforcement | Art. 9 -- Risk management | -- | VC Data Model -- Claims | -- | Clause 8.2 -- AI risk assessment |
| R7: Full lifecycle audit trail | Art. 12 -- Record-keeping | GOVERN 1.1 -- Legal requirements | -- | -- | Clause 8.2 -- AI risk assessment |
| R8: Key management per AG-103 | Art. 15 -- Cybersecurity | -- | -- | -- | -- |

EU AI Act — Article 9, Article 13, Article 15

Article 9 requires risk management systems that identify and mitigate risks. Governance passports mitigate the risk of interacting with ungoverned agents by providing machine-verifiable compliance attestation. Article 13 requires transparency — the passport format makes governance claims inspectable by any consuming party. Article 15 requires cybersecurity measures proportionate to the risk — cryptographic passport signing and key management protect against forgery and tampering.

W3C Verifiable Credentials

The W3C VC data model provides the interoperability standard that governance passports are built upon. The Issuer, Credential, and Verifiable Presentation specifications define the format for passport issuance, the structure of governance claims, and the mechanism for passport presentation and verification. Alignment with W3C VC ensures that AGS governance passports are compatible with the broader verifiable credentials ecosystem.

OWASP Agentic Security — ASI-03

ASI-03 identifies agent spoofing as a top-ten agentic security risk. Governance passports mitigate spoofing at the governance layer: even if an agent's identity is verified (AG-781), the governance passport adds a second layer of verification confirming that the agent operates under an audited governance framework. An attacker who forges an identity token but cannot forge a governance passport is blocked at the governance verification step.

| Protocol | Relationship |
| --- | --- |
| AG-001 | Dependency — Foundational governance principles that every passport MUST attest compliance with |
| AG-103 | Dependency — Cryptographic standards for passport signing and key management |
| AG-770 | Dependency — Credential lifecycle management; governance passports are a specialised credential type within the AG-770 lifecycle |
| AG-781 | Complementary — Identity verification (AG-781) proves who the agent is; governance passport (AG-782) proves what governance framework the agent operates under |
| AG-783 | Integration — Cross-organisational trust federation requires governance passports as the mechanism for verifying governance compliance across organisational boundaries |

Cite this protocol
AgentGoverning. (2026). AG-782: Agent Governance Passport Governance. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-782