Agent Execution Protocol (AEP)

Updated 27 February 2026

Agent Execution Protocols are formalized frameworks that regulate agent interactions using explicit contracts, typed messages, and finite-state machine lifecycle management.
They ensure secure and verifiable execution by enforcing deterministic authorization, strict state transitions, and robust audit trails.
AEPs are applied in multi-agent and LLM-driven systems to reduce failure rates and improve reliability through rigorous protocol conformance and auditing.

An Agent Execution Protocol (AEP) is a formalized, runtime-governed interaction and control layer for agent-based systems that determines how agents initiate, conduct, verify, and control execution of actions or workflows, typically in multi-agent or LLM-driven environments. AEP frameworks unify messaging, contract, authorization, and execution lifecycle in agent orchestration, enabling strong guarantees over agent behavior, correctness, security, and auditability across diverse agent platforms and applications (Mao et al., 14 Oct 2025, Lillis, 2017, Nie et al., 24 Feb 2026, Fatmi, 25 Jan 2026, Zhu et al., 22 Feb 2026).

1. Formalizations and Foundational Constructs

Recent AEPs are rigorously specified as layered protocol artifacts. In SEMAP, the protocol is modeled as a 3-tuple: $\mathrm{SEMAP} = \bigl(\mathcal{C}, \mathbb{I}, \mathcal{L}\bigr)$

$\mathcal{C}$ : Set of behavioral contracts, each of the form $C = (\text{name},\; \mathcal{I}_C,\; \mathcal{O}_C)$ , where $\mathcal{I}_C$ and $\mathcal{O}_C$ define input/output artifact type sets.
$\mathbb{I}$ : Structured message schemas. Messages $M = (\text{sender},\,\text{receiver},\,\mathcal{C}_M)$ , with $\mathcal{C}_M$ a schema-typed payload.
$\mathcal{L}$ : Finite-state machine governing task lifecycle, $\mathcal{L} = (\mathcal{S},\,\Sigma,\,\delta,\,s_0,\,\mathcal{F})$ , with explicit state, verification, and transition semantics (Mao et al., 14 Oct 2025).

Faramesh employs a Canonical Action Representation (CAR): $\mathrm{CAR} = \left(\mathit{actor},\,\mathit{operation},\,\mathit{resource},\,\mathit{params},\,\mathit{context},\,\mathit{meta}\right)$ The AEP mandates deterministic, signed authorization artifacts binding execution to policy and state digests, preventing unauthorized or out-of-policy actions (Fatmi, 25 Jan 2026).

AWCP specifies protocol state machines on both Delegator and Executor sides, with messages $\langle \text{MSG},\,\text{payload} \rangle$ for INVITE/ACCEPT/START/DONE/ERROR and explicit cross-role state alignment (Nie et al., 24 Feb 2026). OpenPort Protocol extends this with formal predicates spanning credentials, ABAC policy, and idempotent/draft execution (Zhu et al., 22 Feb 2026).

2. Contract Modeling, Message Typing, and Lifecycle Management

AEPs encode agent interaction through explicit role contracts, typed messages, and finite-state machine (FSM) governed execution:

Behavioral contracts: Each agent declares pre-conditions ( $\mathcal{I}_C$ ) and post-conditions ( $\mathcal{O}_C$ ), required for state entry/exit. For SEMAP, this is checked via an orchestrating controller prior to each run/invocation, ensuring input/output compliance before and after execution. Violation triggers rollback, retry, or error-handling according to lifecycle FSM (Mao et al., 14 Oct 2025).
Typed structured messaging: Agents communicate using messages with schemas statically enforced at send-time and runtime (e.g., via JSON Schema in SEMAP, strict envelope fields in AWCP, and protocol field validation in OpenPort). This prevents message misalignment, ad hoc payloads, and ambiguity in downstream consumption (Mao et al., 14 Oct 2025, Nie et al., 24 Feb 2026, Zhu et al., 22 Feb 2026).
Lifecycle-guided execution: Global controllers automate agent invocation order, verification, and state transition per FSM design—stage entry triggers agent role activation, verifier functions (compilers, tests, LLMs, or policy engines) certify correctness, and outcome ( $\sigma \in \Sigma$ ) selects subsequent protocol state. All non-passing outcomes route flow per explicit rollback and retry logic (Mao et al., 14 Oct 2025, Nie et al., 24 Feb 2026).

3. Security, Authorization, and Governance

Security and governance properties are explicit first-class citizens in modern AEPs:

Deterministic authorization boundaries: Faramesh imposes an Action Authorization Boundary (AAB), enforcing fail-closed, non-bypassable, policy-driven approval at execution time. The decision is cryptographically bound and must be verifiable by the Executor prior to any side-effecting operation (Fatmi, 25 Jan 2026).
Risk-gated write pipelines: OpenPort introduces multi-phase write orchestration—draft, preflight/impact, precondition/witness enforcement, and (optional) admin confirmation—mandating deterministic audit, side-effect idempotency, and execution-time revalidation for high-risk operations (Zhu et al., 22 Feb 2026).
Least-privilege and visibility scoping: Discovery, execution, and even API visibility are gated by authorization predicates (e.g., credentials, scopes, ABAC conditions). Tools and actions invisible to the agent’s identity cannot be discovered or invoked. Cross-tenant and workspace boundaries are first-class constraints in message handling and execution (Zhu et al., 22 Feb 2026, Fatmi, 25 Jan 2026).
Audit trail and provenance: All AEPs above support detailed, structured audit events—append-only ledgers (Faramesh), structured audit events with code/status fields (OpenPort), and event streaming on status/snapshot transitions (AWCP). These guarantee post-hoc inspection, deterministic replay, and resistance to tampering through cryptographic binding (Fatmi, 25 Jan 2026, Zhu et al., 22 Feb 2026, Nie et al., 24 Feb 2026).

4. Protocol Architectures and Integration Patterns

AEPs are designed for protocol-, runtime-, and model-agnostic integration:

Protocol/System	Core Execution Control Plane	Message Format/Transport	FSM/State Machine Scope	Audit/Provenance
SEMAP (Mao et al., 14 Oct 2025)	Explicit contract FSM	JSON-RPC 2.0 / HTTP	Workflow/task-level	Failure logs, schema errors, verification logs
Faramesh (Fatmi, 25 Jan 2026)	Action Authorization Boundary	Framework-agnostic (HTTP/gRPC/AMQP)	Action execution time	Append-only hash chain, CAR-based indexing
AWCP (Nie et al., 24 Feb 2026)	Workspace delegate FSM	HTTP+SSE (control) + transport	Delegation session	Consistency/integrity hash, SSE logs
OpenPort (Zhu et al., 22 Feb 2026)	Gateway control w/ risk gates	HTTPS, JSON envelopes	Per-action (+ draft)	Structured audit event stream
ACRE (Lillis, 2017)	Conversation management FSM	ACL, XML protocols	Conversation	Protocol conformance events, debug logs

Protocols emphasize clean separation of concerns:

Protocol layers separate messaging, action authorization, and tool invocation.
Integration adapters allow injection at discovery, authorization, and execution points.
Execution is always bounded by protocol-level invariants—pre/post-conditions, schema validation, policy check, and audit chain.

5. Empirical Impact and Quantitative Evaluation

SEMAP has demonstrated substantial reductions in multi-agent failure rates:

Function-level code (HumanEval): Total failures reduced by 64.1% (GPT-4.1-nano) and 69.6% (DeepSeek); under-specification reduction of 71.5–73.0%; inter-agent misalignment down by over 70% (Mao et al., 14 Oct 2025).
Deployment-level and vulnerability tasks: Failure reductions up to 56.7% (deployment, DeepSeek), up to 47.4% reduction in Python vulnerability detection (GPT-4.1), and monotonic failure-count decline over rounds, outperforming baseline systems where failures plateau or rebound (Mao et al., 14 Oct 2025).

Practical laboratory evaluations (e.g., ACRE) confirm protocol-driven architectures yield reduced code complexity, eliminate sequence and sender validity vulnerabilities, and improve reusability relative to ad hoc protocols (Lillis, 2017).

6. Best Practices, Design Principles, and Conformance

AEPs distill operational best practices:

Always declare role contracts and enforce at runtime: Early detection of under-specification and contract violations.
Typed, schema-driven messaging: Validated messages reduce misalignments and facilitate plug-and-play agent upgrades.
Explicit lifecycle/FSMs with verification gates: Model workflows as FSMs, include verifiers at transitions, and define rollback/retry.
Protocol–logic decoupling: Protocols should not depend on agent internal logic—use stable APIs (e.g., run(), AgentCard).
Comprehensive monitoring and auditing: Instrument contract violation, schema error, and verification logs to drive continuous schema and invariant refinement (Mao et al., 14 Oct 2025, Zhu et al., 22 Feb 2026).
Conformance validation: Machine-readable profiles, negative security/failure/path tests, and reproducible artifact-based evaluations are integral to OpenPort and Faramesh (Zhu et al., 22 Feb 2026, Fatmi, 25 Jan 2026).

This suggests that protocol-driven agent execution—grounded in explicit contracts, typed messaging, FSM-verified lifecycle, and deterministic authorization/audit—constitutes the foundation for robust, secure, and verifiable multi-agent and LLM-based systems across practical software engineering and AI-driven domains.