Agent Identity Protocol (AIP) Specification
Version: v1alpha1Status: Draft
Last Updated: 2026-01-20
Authors: Eduardo Arango ([email protected])
Abstract
The Agent Identity Protocol (AIP) defines a standard for policy-based authorization of AI agent tool calls. AIP enables runtime environments to enforce fine-grained access control over Model Context Protocol (MCP) tool invocations, providing a security boundary between AI agents and external resources. This specification defines:- The policy document schema (
AgentPolicy) - Evaluation semantics for authorization decisions
- Error codes for denied requests
- Audit log format for compliance
Table of Contents
- Introduction
- Terminology
- Policy Document Schema
- Evaluation Semantics
- Error Codes
- Audit Log Format
- Conformance
- Security Considerations
- IANA Considerations
- Appendix A: Complete Schema Reference
- Appendix B: Changelog
- Appendix C: References
- Appendix D: Future Extensions
- Appendix E: Implementation Notes
1. Introduction
1.1 Motivation
AI agents operating through the Model Context Protocol (MCP) have access to powerful tools: file systems, databases, APIs, and cloud infrastructure. Without a policy layer, agents operate with unrestricted access to any tool the MCP server exposes. AIP addresses this gap by introducing:- Capability declaration: Explicit allowlists of permitted tools
- Argument validation: Regex-based constraints on tool parameters
- Human-in-the-loop: Interactive approval for sensitive operations
- Audit trail: Immutable logging of all authorization decisions
1.2 Goals
- Interoperability: Any MCP runtime can implement AIP
- Simplicity: YAML-based policies readable by security teams
- Defense in depth: Multiple layers (method, tool, argument)
- Fail-closed: Unknown tools are denied by default
1.3 Non-Goals
The following are explicitly out of scope for this version of the specification:- Network egress control (see Appendix D: Future Extensions)
- Subprocess sandboxing (implementation-defined)
- Identity federation (future specification)
- Rate limiting algorithms (implementation-defined)
1.4 Relationship to MCP
AIP is designed as a security layer for MCP. It interceptstools/call requests and applies policy checks before forwarding to the MCP server.
2. Terminology
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC 2119.| Term | Definition |
|---|---|
| Agent | An AI system that invokes MCP tools on behalf of a user |
| Policy | A document specifying authorization rules (AgentPolicy) |
| Tool | An MCP tool exposed by an MCP server |
| Decision | The result of policy evaluation: ALLOW, BLOCK, or ASK |
| Violation | A policy rule was triggered (may or may not block) |
3. Policy Document Schema
3.1 Document Structure
An AIP policy document is a YAML file with the following top-level structure:3.2 Required Fields
| Field | Type | Description |
|---|---|---|
apiVersion | string | MUST be aip.io/v1alpha1 |
kind | string | MUST be AgentPolicy |
metadata.name | string | Unique identifier for this policy |
3.3 Metadata
3.4 Spec Fields
3.4.1 mode
Controls enforcement behavior.| Value | Behavior |
|---|---|
enforce | Violations are blocked (default) |
monitor | Violations are logged but allowed |
3.4.2 allowed_tools
A list of tool names that the agent MAY invoke.3.4.3 allowed_methods
A list of JSON-RPC methods that are permitted. If not specified, implementations MUST use the default safe list:* MAY be used to allow all methods.
3.4.4 denied_methods
A list of JSON-RPC methods that are explicitly denied. Denied methods take precedence over allowed methods.3.4.5 protected_paths
A list of file paths that tools MUST NOT access. Any tool argument containing a protected path MUST be blocked.- Expand
~to the user’s home directory - Automatically protect the policy file itself
3.4.6 strict_args_default
Whentrue, tool rules reject any arguments not explicitly declared in allow_args.
Default: false
3.5 Tool Rules
Tool rules provide fine-grained control over specific tools.3.5.1 Actions
| Action | Behavior |
|---|---|
allow | Permit (subject to argument validation) |
block | Deny unconditionally |
ask | Require interactive user approval |
3.5.2 Rate Limiting
Format:<count>/<period>
| Period | Aliases |
|---|---|
second | sec, s |
minute | min, m |
hour | hr, h |
"10/minute", "100/hour", "5/second"
Rate limiting algorithm is implementation-defined (token bucket, sliding window, etc.).
3.5.3 Argument Validation
Theallow_args field maps argument names to regex patterns.
- Use a regex engine with linear-time guarantees (RE2 or equivalent)
- Match against the string representation of the argument value
- Treat missing constrained arguments as a violation
3.6 DLP Configuration
Data Loss Prevention (DLP) scans tool responses for sensitive data.4. Evaluation Semantics
4.1 Name Normalization
Tool names and method names MUST be normalized before comparison using the following algorithm:- Fullwidth characters:
delete→delete - Ligatures:
file→file - Zero-width characters:
delete→delete
4.2 Method-Level Authorization
Method authorization is the FIRST line of defense, evaluated BEFORE tool-level checks.4.3 Tool-Level Authorization
Tool authorization applies totools/call requests.
4.4 Decision Outcomes
| Decision | Mode=enforce | Mode=monitor |
|---|---|---|
| ALLOW | Forward request | Forward request |
| BLOCK | Return error | Forward request, log violation |
| ASK | Prompt user | Prompt user |
| RATE_LIMITED | Return error | Return error (always enforced) |
| PROTECTED_PATH | Return error | Return error (always enforced) |
4.5 Argument Validation
STRING() function converts values to string representation:
- String → as-is
- Number → decimal representation
- Boolean → “true” or “false”
- Null → empty string
- Array/Object → JSON serialization
5. Error Codes
AIP defines the following JSON-RPC error codes:| Code | Name | Description |
|---|---|---|
| -32001 | Forbidden | Tool not in allowed_tools list |
| -32002 | Rate Limited | Rate limit exceeded |
| -32004 | User Denied | User rejected approval prompt |
| -32005 | User Timeout | Approval prompt timed out |
| -32006 | Method Not Allowed | JSON-RPC method not permitted |
| -32007 | Protected Path | Access to protected path blocked |
5.1 Error Response Format
5.2 Error Code Details
-32001 Forbidden
Returned when a tool is not in theallowed_tools list and has no tool_rules entry with action: allow.
-32002 Rate Limited
Returned when a tool’s rate limit is exceeded.6. Audit Log Format
Implementations SHOULD log all authorization decisions in JSON Lines format.6.1 Required Fields
| Field | Type | Description |
|---|---|---|
timestamp | ISO 8601 | Time of the decision |
direction | string | upstream (client→server) or downstream (server→client) |
decision | string | ALLOW, BLOCK, ALLOW_MONITOR, RATE_LIMITED |
policy_mode | string | enforce or monitor |
violation | boolean | Whether a policy violation was detected |
6.2 Optional Fields
| Field | Type | Description |
|---|---|---|
method | string | JSON-RPC method name |
tool | string | Tool name (for tools/call) |
args | object | Tool arguments (SHOULD be redacted) |
failed_arg | string | Argument that failed validation |
failed_rule | string | Regex pattern that failed |
6.3 Example
6.4 DLP Events
DLP redaction events SHOULD be logged separately:7. Conformance
7.1 Conformance Levels
| Level | Requirements |
|---|---|
| Basic | Method authorization, tool allowlist, error codes |
| Full | Basic + argument validation, rate limiting, DLP, audit logging |
| Extended | Full + Human-in-the-Loop (action=ask) |
7.2 Conformance Testing
Implementations MUST pass the conformance test suite to claim AIP compliance. The test suite consists of:- Schema validation tests: Verify policy parsing
- Decision tests: Input → expected decision
- Normalization tests: Verify Unicode handling
- Error format tests: Verify JSON-RPC errors
spec/conformance/ for test vectors.
7.3 Implementation Requirements
Implementations MUST:- Parse
apiVersion: aip.io/v1alpha1documents - Reject documents with unknown
apiVersion - Apply NFKC normalization to names
- Return specified error codes
- Support
enforceandmonitormodes
- Log decisions in the specified format
- Support DLP scanning
- Support rate limiting
- Use any regex engine with RE2 semantics
- Implement additional security features (egress control, sandboxing)
8. Security Considerations
8.1 Policy File Protection
The policy file itself MUST be protected from modification by the agent. Implementations MUST automatically add the policy file path toprotected_paths.
8.2 Regex Denial of Service (ReDoS)
Implementations MUST use a regex engine that guarantees linear-time matching (RE2 or equivalent). Pathological patterns like(a+)+$ MUST NOT cause exponential execution time.
8.3 Unicode Normalization
Implementations MUST apply NFKC normalization to prevent homoglyph attacks. However, implementers should be aware that NFKC does not normalize all visually similar characters (e.g., Cyrillic ‘а’ vs Latin ‘a’).8.4 Monitor Mode Risks
Monitor mode allows all requests through. Implementations SHOULD warn users when monitor mode is enabled in production environments.8.5 Audit Log Integrity
Audit logs SHOULD be written to a location not writable by the agent. Implementations MAY support log signing or forwarding to external systems.9. IANA Considerations
This specification requests registration of the following:9.1 Media Type
- Type name: application
- Subtype name: vnd.aip.policy+yaml
- Required parameters: None
- File extension: .yaml, .yml
9.2 URI Scheme
This specification uses theaip.io namespace for versioning:
aip.io/v1alpha1- This specification
Appendix A: Complete Schema Reference
Appendix B: Changelog
v1alpha1 (2026-01-20)
- Initial draft specification
- Defined core policy schema
- Defined evaluation semantics
- Defined error codes
- Defined audit log format
Appendix C: References
- Model Context Protocol (MCP)
- JSON-RPC 2.0 Specification
- RFC 2119 - Key words for use in RFCs
- Unicode NFKC Normalization
- RE2 Syntax
Appendix D: Future Extensions
This appendix describes features under consideration for future versions of AIP.D.1 Network Egress Control
Status: Proposed for v1beta1Motivation
Tool-level authorization prevents agents from calling dangerous tools, but a compromised or malicious MCP server can still exfiltrate data through:- Outbound HTTP requests embedded in tool implementations
- DNS exfiltration
- Covert channels in allowed network traffic
Proposed Schema Extension
Implementation Considerations
Egress control is inherently platform-specific:| Platform | Mechanism | Limitations |
|---|---|---|
| Linux | eBPF, seccomp-bpf, network namespaces | Requires CAP_BPF or root |
| macOS | Network Extension, sandbox-exec | Requires entitlements |
| Windows | Windows Filtering Platform (WFP) | Requires admin |
| Container | --network=none, network policies | Requires container runtime |
| Cross-platform | DNS-based filtering, HTTP proxy | Bypassable, incomplete |
Open Questions
- Should egress rules be per-tool or global?
- How to handle DNS resolution (allow DNS but block resolved IP)?
- Should there be a “learning mode” to auto-generate allowlists?
- How to handle localhost connections (MCP servers often bind locally)?
D.2 Identity Federation
Status: Under Discussion Allow policies to reference external identity providers:D.3 Policy Inheritance
Status: Under Discussion Allow policies to extend base policies:D.4 Telemetry and Metrics
Status: Under Discussion Standardized metrics export for observability:Appendix E: Implementation Notes
This appendix provides guidance for implementers.E.1 Reference Implementation
The reference implementation is available at: https://github.com/ArangoGutierrez/agent-identity-protocol It provides:- Go-based proxy (
aip-proxy) - Policy engine (
pkg/policy) - DLP scanner (
pkg/dlp) - Audit logger (
pkg/audit)
E.2 Testing Against Conformance Suite
E.3 Registering Your Implementation
Implementations that pass the conformance suite may be listed in the official registry. Submit a PR to the AIP repository with:- Implementation name and URL
- Conformance level achieved (Basic/Full/Extended)
- Platform support matrix