MIT ยท Open Standard
AAP
Agent Accountability Protocol

Agent Accountability Protocol

MCP connects agents to tools. A2A connects agents to agents. Neither defines who authorized the action, who is responsible, or how to prove it. AAP does.

Read the Spec โ†’GitHubHalyn (impl)
// The problem

Agents act. Nobody is accountable.

In February 2026, 1,184 malicious AI skills were found active โ€” exfiltrating API keys, reading private files, sending emails without consent. The infrastructure existed. The accountability layer did not.

// What AAP defines

Four primitives. Nothing more.

MCP, A2A, and ANP solve communication. AAP solves accountability. They are not competing โ€” they are complementary.

01
Identity
aap://org/type/name@version โ€” every agent has a unique, verifiable URI backed by an Ed25519 keypair.
02
Provenance
SHA-256 artifact chain. Every output links to its origin โ€” model, version, parameters, timestamp.
03
Authorization
5-level autonomy scale. PHY rule: Level โ‰ค 3 for physical systems. Hardcoded. Cannot be overridden.
04
Audit
Tamper-evident hash chain. Every action signed, stored locally. Verifiable by anyone, any time.
// Authorization

5 autonomy levels. 1 physical rule.

Every AAP agent declares its autonomy level. For physical systems, Level 3 is the maximum โ€” hardcoded, not configurable.

0
Observer
Read-only. No action authorized.
1
Assistant
Suggests. Human executes.
2
Executor
Executes reversible actions autonomously.
3
DelegatedPHY MAX
Executes with post-hoc audit.
4
AutonomousPHYSICAL: FORBIDDEN
Full autonomy. No human gate.
// spec/AUTHORIZATION.md

PHY Rule
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
autonomy_level <= 3
for irreversible
physical actions.
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

// Enforced via eBPF.
// Cannot be overridden.
// SDK

Implement in minutes.

$ pip install aap-protocol
from aap import AAPIdentity, AAPAudit, AuthLevel # Create a verifiable agent identity identity = AAPIdentity.create('myorg', 'assistant', 'my-agent') print(identity.uri) # aap://myorg/assistant/my-agent@1.0 # Record an auditable action audit = AAPAudit() entry = audit.record( agent=identity, action='read_file', resource='/docs/report.pdf', level=AuthLevel.EXECUTOR, # level 2 โ€” authorized ) print(entry.hash) # sha256:a3f2... assert audit.verify() # tamper check
// Implementations

Built on AAP.

Halyn
Full governance layer โ€” proxy, filesystem hooks, process isolation, audit chain, dashboard. The reference implementation of AAP.
halyn.dev โ†’
Your implementation
Built on AAP? Open a PR to add it here.
github.com/halyndev/aap โ†’
// Get started

Read the spec. Implement it.

The entire AAP spec fits in a single Markdown file. No vendor. No cloud. No lock-in.

Read the Spec โ†’GitHubcontact@aap-protocol.dev