General

What’s the difference between v1alpha1 and v1alpha2?

v1alpha2 adds robust security features for production deployments:
  • Identity Tokens: Cryptographic session binding and replay prevention.
  • Server-Side Validation: Centralized policy enforcement via HTTP.
  • Policy Signatures: Integrity verification for policy files.
  • Tool Schema Hashing: Protection against tool poisoning.

Do I need identity tokens?

Not for local development. Identity tokens are recommended when:
  • You run agents in a multi-tenant environment.
  • You need to audit who (which session) performed an action, not just what happened.
  • You are using the centralized AIP Server.

How do I set up server-side validation?

  1. Enable spec.server in your policy.
  2. Configure TLS (required for non-localhost).
  3. Set failover_mode (recommend fail_closed for security).
  4. See the Server-Side Validation Guide for details.

What is AIP?

AIP (Agent Identity Protocol) is an open standard for secure agentic identity management and authorization, starting with a specification for policy-based authorization of AI agent tool calls. It defines how to declare, enforce, and audit what actions an AI agent can perform.

What’s the difference between the AIP specification and the Go proxy?

  • AIP Specification (spec/): The protocol standard that anyone can implement
  • Go Proxy (implementations/go-proxy/): One reference implementation of that standard
Think of it like HTTP (the spec) vs Apache/Nginx (implementations).

Can I use AIP without the Go proxy?

Yes! AIP is a specification. You can:
  • Implement AIP natively in your MCP client (Cursor, Claude Desktop, etc.)
  • Build your own proxy in any language
  • Use the Go proxy as a reference

Does AIP require changes to my MCP server?

No. AIP sits between the MCP client and server as a transparent proxy. Your MCP server doesn’t need any modifications.
[Agent] → [AIP Proxy] → [MCP Server]
The proxy intercepts tools/call requests, applies policy, and forwards allowed requests unchanged.

Security

How is AIP different from workforce AI governance tools like SurePath.ai?

AIP and workforce AI governance tools solve different problems at different layers.
Workforce AI Governance (e.g., SurePath.ai):
  • Monitors employee AI usage across your organization
  • Network/application level visibility
  • Answers: “Who in my org is using ChatGPT? What are they asking?”
  • Typically SaaS platforms for compliance and governance
AIP (Agent Identity Protocol):
  • Controls what actions AI agents can take on your infrastructure
  • Tool-call level authorization (blocks dangerous operations)
  • Answers: “Can this agent delete files? Access production databases?”
  • Open protocol for developers building agents
These are complementary: Use workforce governance to monitor employee AI usage. Use AIP to secure the agents those employees build. Think of it as different layers—one monitors people, one protects infrastructure.

How is AIP different from OAuth?

Aspect      | OAuth                       | AIP
------------|-----------------------------|--------------------------------------
Granularity | Scope-level (“repo access”) | Action-level (“repos.get with org:X”)
Timing      | Grant-time                  | Runtime (every call)
Audience    | End users                   | Developers/Security teams
Format      | Token claims                | YAML policy files
OAuth answers “who is this?” AIP answers “should this specific action be allowed?”

Can AIP prevent all prompt injection attacks?

AIP significantly reduces the blast radius of prompt injection by:
  • Limiting which tools an agent can call
  • Validating arguments with regex patterns
  • Requiring human approval for sensitive operations
  • Logging all decisions for forensic analysis
However, AIP cannot prevent prompt injection itself—it mitigates the consequences.

What about network egress? Can a malicious agent exfiltrate data?

Network egress control is planned for AIP v1beta1 (see spec Appendix D). Currently, tool-level authorization is enforced but the MCP server subprocess can still make network calls. For maximum security today, run MCP servers in containers with --network=none.

Are audit logs tamper-proof?

Audit logs are append-only from the agent’s perspective (the agent doesn’t have write access to the log file). For production use, forward logs to an external SIEM or use signed logging.

Policy

Where do I put my policy file?

Anywhere you like. Common locations:
  • ~/.config/aip/policy.yaml (user config)
  • ./agent.yaml (project root)
  • /etc/aip/policy.yaml (system-wide)
Pass the path with --policy /path/to/policy.yaml.

What happens if a tool isn’t in allowed_tools?

It’s blocked with error code -32001 Forbidden. AIP is default-deny.

Can I test a policy without blocking anything?

Yes! Use monitor mode:
spec:
  mode: monitor  # Log violations but don't block
Check the audit log to see what would have been blocked.

How do I allow a tool but require approval?

Use action: ask:
tool_rules:
  - tool: deploy_production
    action: ask  # Shows native OS dialog

Can I validate tool arguments?

Yes, with regex patterns:
tool_rules:
  - tool: postgres_query
    allow_args:
      query: "^SELECT\\s+.*"  # Only SELECT queries
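The four answers above (default-deny for tools missing from allowed_tools, error -32001 Forbidden, monitor mode, action: ask, and allow_args regex checks) combined into one simplified evaluator. This is an added example, not the Go proxy's own code: the Policy, ToolRule, Decision and Evaluate names, the struct layout, and reusing -32001 for a rejected argument are assumptions.

```go
package main

import "regexp"

// ToolRule mirrors a tool_rules entry; AllowArgs maps an argument name to a regex.
type ToolRule struct {
	Action    string // "allow" or "ask"
	AllowArgs map[string]string
}

// Policy is an assumed, simplified model of a policy file's spec block.
type Policy struct {
	Mode         string              // "enforce" or "monitor"
	AllowedTools map[string]bool     // set built from allowed_tools; default-deny
	ToolRules    map[string]ToolRule // keyed by tool name
}

// Decision is what the proxy does with one tools/call request.
type Decision struct {
	Allowed, Ask bool   // Ask: rule action was "ask", hand off to human approval
	ErrorCode    int    // -32001 Forbidden when blocked, 0 otherwise
	Reason       string // written to the audit log in both modes
}

const ErrForbidden = -32001 // JSON-RPC error code AIP returns for blocked calls

// Evaluate applies the policy; in monitor mode a violation is only logged.
func Evaluate(p Policy, tool string, args map[string]string) Decision {
	deny := func(reason string) Decision {
		if p.Mode == "monitor" {
			return Decision{Allowed: true, Reason: "monitor: would block, " + reason}
		}
		return Decision{ErrorCode: ErrForbidden, Reason: reason}
	}
	if !p.AllowedTools[tool] {
		return deny("tool not in allowed_tools")
	}
	if r, ok := p.ToolRules[tool]; ok {
		for name, pattern := range r.AllowArgs {
			// Anchored so a partial match cannot slip through; a bad regex fails closed.
			re, err := regexp.Compile("^(?:" + pattern + ")$")
			if err != nil || !re.MatchString(args[name]) {
				return deny("argument " + name + " rejected by allow_args")
			}
		}
		return Decision{Allowed: true, Ask: r.Action == "ask", Reason: "matched rule"}
	}
	return Decision{Allowed: true, Reason: "in allowed_tools, no rule"}
}
```

Note that a pattern like the page's `^SELECT\s+.*` accepts anything after the keyword, so argument regexes are a blast-radius limiter, not a substitute for a read-only database role.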

Implementation

My Docker container doesn’t stop when I kill the proxy!

When wrapping a Docker container with AIP, signals (SIGTERM/SIGINT) are sent to the docker CLI process, not the container itself. This can leave orphaned containers running after the proxy exits. Solution: Always use the --rm and --init flags:
# Bad - container may not receive signals
aip --policy policy.yaml --target "docker run myimage"

# Good - proper signal handling and cleanup
aip --policy policy.yaml --target "docker run --rm --init -i myimage"
Flag   | Purpose
-------|--------------------------------------------------------
--rm   | Automatically remove container when it exits
--init | Run init process (tini) that forwards signals properly
-i     | Keep stdin open for JSON-RPC communication
For production deployments, consider running the AIP proxy inside the container or using a container orchestrator with proper lifecycle management.

What MCP clients work with AIP?

Any MCP client that supports custom server commands:
  • Cursor: Add to ~/.cursor/mcp.json
  • Claude Desktop: Add to claude_desktop_config.json
  • Continue (VS Code): Add to Continue config
  • Custom clients: Use AIP as the server command

Does AIP work on Windows?

The Go proxy builds for Windows. Human-in-the-loop (action: ask) uses native Windows dialogs via PowerShell.

How do I debug policy issues?

  1. Enable verbose mode: --verbose
  2. Check stderr for policy decisions
  3. Review the audit log: cat aip-audit.jsonl | jq .
  4. Use monitor mode to test without blocking

What’s the performance overhead?

Minimal. The proxy adds:
  • ~1-5ms per request for policy evaluation
  • Negligible memory overhead (policies are loaded once)
JSON-RPC parsing and regex matching are fast operations.

Contributing

How do I report a security vulnerability?

See SECURITY.md for responsible disclosure instructions.

Can I contribute a new implementation?

Yes! We welcome implementations in other languages. Requirements:
  • Pass the conformance test suite (spec/conformance/)
  • Document your implementation
  • Submit a PR to be listed in the registry

How do I propose changes to the specification?

  1. Open an issue describing the change
  2. Discuss with maintainers
  3. Submit a PR to spec/AIP-v1alpha1.md
  4. Include conformance tests for new behavior