- The paper introduces ACAP, a formal consent model that distinguishes mere acceptance from per-action adherence using a three-primitive scheme.
- It employs linked audit chains and TLA+ formal verification to ensure completeness, traceability, and tamper-evidence in agent compliance records.
- The model integrates seamlessly with existing protocols via middleware, showing negligible performance overhead and strong regulatory relevance.
Motivation and Problem Framing
Autonomous agent protocols increasingly facilitate inter-agent transactions on behalf of human principals, yet presently lack robust infrastructure for attributing and auditing the comprehension and compliance of these agents with evolving usage policies. The prevailing paradigm—authentication via OAuth, API keys, OpenID Connect, or mutual TLS—establishes permission to invoke capabilities, but fails to address conditional and contextual constraints imposed by usage policies. Legal frameworks (notably UETA §14) and regulatory mandates (e.g., EU AI Act Articles 14 and 50) introduce heightened accountability requirements, demanding not only evidence of acceptance but also granular proof of adherence to policy terms at each invocation. Empirical assessments (e.g., the AI Agent Index) further underscore widespread non-compliance, even with basic exclusion directives such as robots.txt.
The paper "Anumati: Proof of Adherence as a Formal Consent Model for Autonomous Agent Protocols" (2604.16524) formalizes this gap, distinguishing proof of acceptance (acknowledgement of terms) from proof of adherence (auditable, per-action reasoning). It introduces a consent audit architecture that is deployable without disruption to core agent protocols, advancing the state-of-the-art in agent accountability and auditability.
Consent Model Architecture
Three-Primitive Scheme: PolicyDocument, ConsentRecord, AdherenceEvent
The agent-focused consent model pivots on three structural primitives:
- PolicyDocument: A semantically-versioned, content-addressed machine-readable policy published by the callee agent. Each clause ("PolicyClaim") is uniquely identifiable and order-preserving, with stable IDs across versions, and structured using standardized vocabularies (e.g., ODRL 2.2).
- ConsentRecord: A per-agent, per-policy, singly-linked chain recording agent-parsed claims, claim-level acceptance/dispute, and attested understanding. This chain binds acceptance to exact policy versions and agent configurations (via capability hash) and enforces claim-level gating: disputed or misunderstood claims block skill invocations conditionally.
- AdherenceEvent: A per-action, per-claim runtime record, capturing the evaluated clause, enforcement decision, and free-form natural-language reasoning. Each event anchors to a ConsentRecord, forming an adherence trail.
These constructs yield linked-list audit chains for both consent and adherence, satisfying five critical properties: completeness, traceability, tamper evidence (JWS), version fidelity, and optional ledger anchoring (e.g., blockchain, transparency log).
Figure 1: ACAP consent lifecycle state machine; seven states govern the caller–callee bind cycle, ensuring explicit re-consent on policy or capability drift.
The lifecycle state machine is rigorously specified in TLA+ and subjected to bounded model checking, verifying seven safety properties (e.g., consent-before-action, chain monotonicity, no skill invocation under capability drift) and two liveness properties (eventual re-consent guarantees after staleness triggers). The explicit inclusion of a capability fingerprint (model ID, tool manifest, reasoning config) in the ConsentRecord ensures that ephemeral agent instances, which may alter model or capabilities between invocations, cannot act under stale consent.
Protocol Instantiation and Integration
Middleware-First Deployment: A2A and MCP
A cornerstone claim is that the proposed Agent Consent and Adherence Protocol (ACAP) extends the Agent2Agent (A2A) and Model Context Protocol (MCP) standards without modifying their core specifications. ACAP is instantiated entirely through extension points and middleware:
- A2A: Consent and adherence endpoints exposed alongside traditional agent capability descriptors; skills annotated with governing claim IDs for conditional invocation control.
- MCP: Usage policy and claim-level annotations in tool manifests; orchestrated consent handshakes before tool use.
Figure 2: ACAP consent and adherence sequence, detailing the handshake, skill call, and adherence event posting.
The reference implementation, benchmarked on commodity hardware, incurs microsecond-scale overhead for canonical hashing, chain validation, and adherence record validation, negligible compared to network latency for inter-agent calls. End-to-end FastAPI deployment demonstrates seamless composition with existing agent runtimes. The Gemini-backed claim parser exemplifies automated clause understanding and dispute detection, with session traces visualizing the parsing, conditional denial, and permissible invocation.
Figure 3: Caller agent trace depicting consent handshake, blocked skill call (disputed purpose), and permitted skill call (qualitative summary with reasoning).
Figure 4: Callee server log evidencing standard HTTP interactions with ACAP endpoints, confirming protocol compatibility.
Figure 5: Audit endpoint output visualizing the linked consent and adherence chains and preserving per-action reasoning for compliance inspection.
Implications and Future Directions
Legal and Regulatory Accountability
By binding consent to precise policy versions and agent configurations, and capturing clause-level reasoning for each action, ACAP provides an auditable and tamper-evident accountability path for autonomous agent interactions. This aligns with imminent regulatory demands under the EU AI Act and directly addresses current inadequacies in single-click, binary consent mechanisms.
Limitations and Open Challenges
The architecture maintains self-attested understanding and unconstrained reasoning formats, raising both adversarial risks (misstatement of intent, reasoning manipulation) and challenges for automated consistency checking. The model currently relies on agents acting in good faith and defers remote attestation and adversarial replay defenses to future work. The capability fingerprint’s sensitivity (what constitutes material change) is acknowledged as an open design question, with potential for future diffs and granular triggers.
Extensibility
Extensions under development include governance-tiered escalation, asymmetric sensitivity preferences, structured regulatory context propagation, and audit projection layers. These capabilities are expected to drive granular compliance management and regulatory interoperability across sectors.
Conclusion
ACAP operationalizes formal consent and adherence auditing in agent protocols, overcoming the traditional accountability gap by enabling per-action, per-clause compliance records. Instantiations for A2A and MCP demonstrate practical deployability via middleware rather than protocol revisions. This model provides a timely technical substrate for regulatory compliance, legal defensibility, and agent-to-agent transaction transparency, offering a foundation for future advances in verifiable agent reasoning, adversarial threat mitigation, and structured auditability.