Trust Graduation Protocol
A permission protocol for agentic systems. Agents earn permission per action class through evidence, approval packets, and receipts.
1.Three primitives¶
An implementation should expose three operations. Names are conventional; semantics are normative.
- canExecute(actionClass, context)
- Returns one of six decision states from evidence, reversibility, and approval state. Decisions are gates; they never have side effects.
- prepareApprovalPacket(...)
- Produces a local packet with the proposed action, evidence, gate decision, and
external_actions: 0. Preparing work is not executing it. - recordReceipt(...)
- Writes a receipt for the outcome — approve, refuse, correct, or execute. Receipts feed the posterior for the action class.
2.Six decision states¶
A decision is the gate's verdict for a proposed action. Implementations MUST emit one of six states.
| State | Meaning |
|---|---|
allowed | Execution may proceed. |
allowed_with_constraints | Post-approval execution boundary scoped by machine-evaluable constraints. |
review_required | Prepare an approval packet; do not execute externally. |
deferred | Queued for asynchronous approval; do not execute externally. |
blocked | Not permitted under current policy or evidence. |
human_only | Only the principal may perform this action. |
3.Ten canonical action classes¶
The trust unit is the action class. Evidence for draft.compose does not imply permission for email.send.external. The v0.1 registry:
| Identifier | Type | Description |
|---|---|---|
read.context | internal | Read, search, inspect, summarize, or rank context. |
draft.compose | internal | Compose a new local draft. |
draft.response | internal | Compose a reply or response draft. |
tool.call.local | internal | Call a local tool without external effect. |
email.send.internal | external controlled | Send to an established or known recipient. |
email.send.external | external | Send to a non-established recipient or outside party. |
calendar.create | external controlled | Create, update, or invite through a calendar system. |
social.post.public | external | Publish to a public social channel. |
payment.initiate | human-only | Initiate a payment, charge, purchase, or transfer. |
proposal.submit | external | Submit a proposal, bid, application, or commitment. |
Implementations MAY add local classes, but MUST preserve the same decision, evidence, posterior, and receipt semantics.
4.Evidence carries provenance¶
Evidence has two axes. The composed weight per evidence row is the product:
evidence_weight = decision_weight × provenance_weightProvenance is normative because a model-inferred outcome should not move the posterior as much as a recorded approval. Default provenance weights:
| Source type | Weight | Description |
|---|---|---|
receipt | 1.00 | A recorded approval, refusal, correction, or execution receipt. |
principal | 1.00 | Direct instruction or correction from the principal. |
connector | 0.30 | Data from an external connector or imported system. |
model_inferred | 0.10 | Inference made by a model without direct receipt or connector grounding. |
Implementations MAY learn weights per workspace and action class, but MUST NOT silently upgrade model_inferred evidence to receipt-grade evidence.
5.Posterior with calibrated intervals¶
Trust Graduation computes a Beta posterior over approval probability per action class. Default prior Beta(2, 2); positive evidence adds |evidence_weight| to α, negative to β. Implementations compute mean, 95% credible interval, sample count, tier, and a recommendation flag. Default graduation thresholds:
| Action class | ci_low_min | samples_min |
|---|---|---|
| default | 0.80 | 10 |
draft.compose | 0.80 | 10 |
email.send.external | 0.92 | 30 |
calendar.create | 0.88 | 20 |
External-effect classes MUST NOT auto-promote to ungated external execution from the posterior alone. The posterior recommends; the gate authorizes.
6.Agent discovery¶
Protocol-aware agents should not have to infer the trust boundary from prose. A host can publish /.well-known/trust-graduation to declare the supported protocol version, schemas, action classes, decision states, and runtime guidance.
When a proposed action is not executable, the decision can include graduationPath: a structured next step such as prepare an approval packet, request principal approval, collect receipts, reduce scope, run a dry run, or stop. This is the key agent-native affordance: denial becomes a safe route to earned authority, not a dead end to work around.
7.Schemas¶
JSON Schema (draft 2020-12) for every protocol artifact. $id URLs resolve to the file you are about to download.
8.Implementations¶
The protocol is small enough to reimplement in a day. v0.1 reference implementations:
@trust-graduation/core
Minimal JavaScript reference. The three primitives, the canonical registry, evidence classification.
Mission
Production runtime: Beta posterior, credible intervals, receipts, risk report, per-class graduation thresholds.
Your runtime
Implement canExecute, prepareApprovalPacket, recordReceipt. Emit conforming JSON. Open a PR to be listed here.
9.Why this exists¶
Binary agent permission is too crude. A model that may safely summarize a thread should not, by virtue of holding a tool handle, be free to send the resulting message. The shift Trust Graduation operationalizes is from "is the model truthful?" to "who authorized the action?" — and to make that question answerable at runtime, in audit, and across vendors.
The protocol draws on capability-based security (POLA), W3C PROV-O for provenance, and Bayesian evidence updates for graduation. It maps cleanly onto NIST AI RMF, NIST AI 600-1, ISO/IEC 42001, and EU AI Act Article 14 — those mappings are informational appendices in the spec, not requirements for conformance.
v0.1 is the first publication. The protocol expects to learn from external implementers. If something is wrong, file an issue; if something is missing, propose it.