AP2 Mandates: Cryptographic Enforceability in Nondeterministic Systems
MACHINE GOVERNANCE • SECURITY RESEARCH • FEB 2026
1. The Principal-Agent Problem in AI
In economic theory, the Principal-Agent problem arises when an agent (the AI) is motivated to act in its own best interest rather than that of the principal (the User). For LLMs, this manifests as hallucination loops or resource exhaustion—an agent burning $10,000 trying to solve an unsolvable CAPTCHA.
Traditional "guardrails" (prompt engineering) are probabilistic and easily bypassed. We require a deterministic enforcement layer.
2. The AP2 Protocol
AP2 defines a standard for Signed Mandates. A user signs a mandate using their private key (e.g., via Coinbase Wallet or Google Cloud KMS), authorizing an Agent DID to spend funds only under specific conditions.
{
    "principal": "did:ethr:0xUser...",
    "agent": "did:p402:agent-123",
    "constraints": {
        "max_budget_usd": 100.00,
        "allowed_domains": ["api.openai.com", "p402.io"],
        "expiry": 1735689600
    },
    "signature": "0x... (EIP-712)"
}
3. Mathematical Enforcement
P402 Routers act as the enforcement layer. Before routing any request, the router verifies:
This effectively replaces "Human-in-the-loop" with "Cryptography-in-the-loop". Even if the agent "wants" to overspend, the laws of mathematics prevent the transaction from being routed.
Zero Trust Architecture principles applied to autonomous software agents.
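The sketch below is an added example, not P402 or AP2 code: one way a router could deterministically enforce the mandate fields shown in section 2 before routing a request. The check order, the request fields (agent, url, cost_usd), the running total spent_usd, the reason strings and the caller-supplied verify_signature callable (standing in for an EIP-712 verifier) are all assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit

# Constructed sample mirroring the mandate in section 2; the signature is a placeholder.
SAMPLE_MANDATE = {
    "principal": "did:ethr:0xUser...",
    "agent": "did:p402:agent-123",
    "constraints": {"max_budget_usd": 100.00,
                    "allowed_domains": ["api.openai.com", "p402.io"],
                    "expiry": 1735689600},
    "signature": "0x... (EIP-712)",
}

def check_request(mandate, request, spent_usd, now, verify_signature):
    """Return (allowed, reason); every failed or unparseable check denies."""
    # 1. Authenticate the mandate before trusting any field in it.
    #    verify_signature is caller-supplied (assumed: an EIP-712 verifier).
    if not verify_signature(mandate):
        return False, "bad_signature"
    c = mandate.get("constraints", {})
    # 2. The mandate authorizes exactly one agent DID.
    if request.get("agent") != mandate.get("agent"):
        return False, "agent_mismatch"
    # 3. Expiry is a Unix timestamp; a missing expiry counts as expired.
    if now >= c.get("expiry", 0):
        return False, "expired"
    # 4. Match the parsed hostname exactly. Substring or suffix matching would
    #    accept "api.openai.com.example.net" or a userinfo "@" look-alike.
    try:
        host = (urlsplit(request.get("url", "")).hostname or "").rstrip(".")
    except ValueError:
        return False, "domain_not_allowed"
    if host not in c.get("allowed_domains", []):
        return False, "domain_not_allowed"
    # 5. The budget is cumulative across requests; Decimal avoids float drift.
    try:
        cost, spent = Decimal(str(request.get("cost_usd"))), Decimal(str(spent_usd))
        budget = Decimal(str(c.get("max_budget_usd")))
    except InvalidOperation:
        return False, "bad_amount"
    if not (cost.is_finite() and spent.is_finite() and budget.is_finite()) or cost < 0:
        return False, "bad_amount"
    if spent + cost > budget:
        return False, "over_budget"
    return True, "ok"
```

The running total spent_usd has to live in the router's own state, updated atomically with each routed request, since a value reported by the agent would put the budget check back under the agent's control.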
4. Conclusion
AP2 provides the "Constitution" for autonomous agents. By binding AI behavior to cryptographic keys, we enable safe, scalable autonomy that enterprises can trust with their balance sheets.