Twelve canonical controls KYE Protocol™ materially enforces at runtime.
KAC™-1..KAC™-12 is the canonical taxonomy of the runtime-authority surface — the controls that turn "the agent acted" into "the action was authorised, admissible, evidenced, and final." It mirrors EC-Council ADG's minimum-controls packaging, scoped to the authority-finality layer beneath any governance operating model. Each control binds to a canonical kye.<ns>.*.v1 schema, a runtime engine, and a constitution reference. The canonical set lives at public/examples/authority-controls/kac-canonical-set.json.
ADG defines what controls. KYE™ proves which actions met them.
EC-Council ADG (Adopt · Defend · Govern) names the twelve minimum controls an organisation should operate — identity, delegation, authority chain, tool/MCP register, admissibility, policy resolution, evidence capture, replay, finality, revocation, oversight, certification. ADG is the operating model. KYE Protocol™ is the per-action runtime authority proof.
Buyers who deploy ADG as their operating frame and KYE™ as the runtime-proof layer get a verifiable per-action chain: the control was declared (ADG), the action passed admissibility (KYE™), the evidence was sealed at T=0 (KYE™), and the authority chain is provably terminal (KYE™ Authority Finality™). Buyers without KYE™ rely on after-the-fact log scraping to prove the control held.
KAC™-1..KAC™-12 — one row per control.
| ID | Title | Category | Binding schema (canonical) | Constitution |
|---|---|---|---|---|
| KAC™-1 | Entity Registry | entity | entity.json + kye.governedui.entity_passport.v1 | |
| KAC™-2 | Delegation Envelope™ | delegation | kye.purpose.grant.v1 + kye.delegation.v1 | |
| KAC™-3 | Chain of Authority Map | authority-chain | kye.federation.cross_org_delegation.v1 | |
| KAC™-4 | Tool & MCP Authority Register | tool-mcp | kye.tool_mcp_register.v1 + kye.evidence.tool_call_pin.v1 | |
| KAC™-5 | Action Admissibility™ Gate | admissibility | kye.purpose.admissibility.v1 | |
| KAC™-6 | Runtime Policy Resolution | policy | kye.evidence.decision_map.v1 | |
| KAC™-7 | Evidence Capture at T=0 | evidence | kye.evidence.pack.v1 | |
| KAC™-8 | Replay Proof | replay | kye.evidence.trace_replay_spec.v1 | |
| KAC™-9 | Authority Finality™ Record | finality | kye.estate.authority_finality.v1 + kye.risk.authority_register.v1 | |
| KAC™-10 | Revocation and Expiry Control | revocation | kye.purpose.grant.v1 + kye.purpose.admissibility.v1 | |
| KAC™-11 | Human Oversight and Escalation | oversight | kye.governedui.critical_point_review.v1 + kye.governedui.approval.v1 | |
| KAC™-12 | KYE Seal™ — Assurance Record | certification | kye.compliance.attestation.v1 |
KAC™ discharges ADG MC at the runtime floor — not in slideware.
- ADG MC-7 (Tools & MCP Register) → KAC™-4. KYE Tool & MCP Authority Register™ is the runtime artefact every agent tool call is checked against. Unregistered tool calls are refused. See /tool-mcp-authority-register.html.
- ADG MC-9 (Evidence) → KAC™-7. Evidence pack sealed at T=0 in WORM. Late-binding evidence is rejected.
- ADG MC-10 (Forensic replay) → KAC™-8. Replay-Proof™ spec — any auditor reconstructs the decision chain from public keys alone.
- ADG MC-11 (Decision rights / authority) → KAC™-9. Authority Finality™ binds six fields signed and terminal.
- ADG MC-12 (Human oversight) → KAC™-11. GovernedUI™ critical-point review at the runtime gate, not in a quarterly review.
Twelve controls. One canonical set. One runtime authority surface.
The canonical JSON is published, signed, and bound to the runtime. The ADG crosswalk is the analyst-grade map. The autonomy ladder names which controls operate at which tier.