Readiness self-test · 12 questions, ~3 minutes

How audit-ready is your agent stack?

Twelve yes/no/partial questions across the six Authority Finality dimensions: identity, delegation, capability, decision, audit, recovery. Each answer scores 0–10 points (max 120). The result is a 0–100 readiness band plus the named KYE Protocol profile that closes each gap. Nothing is sent over the wire — the test runs entirely in your browser.

Self-test

Answer 12 questions.

  1. Every AI agent in production has a single, durable identifier across systems.

    Not five different tokens, five logs, five identities — one URN that persists across rebuilds, redeployments, and tool invocations.

  2. Agent identifiers are cryptographically bound (not just opaque strings).

    Each identifier is provable to a public key — not just a database row.

  3. There is a signed delegation chain from each agent back to a human or business.

    If asked “who is legally on the hook for this action?”, you can answer in seconds with a signed proof, not a Slack thread.

  4. Delegation scope is attenuable — children cannot exceed parents.

    A sub-agent or downstream call cannot acquire authority the parent did not have.

  5. Every tool / MCP / function the agent can call is a first-class capability with explicit grant.

    No “the agent has the API key, so it can do anything the API allows”.

  6. Capabilities are scoped (parameter-level constraints), not just on/off.

    e.g. payment capability scoped to USD ≤ $5M, EU/US corridors only — not a single “can transact” flag.

  7. Every authorisation produces an explainable decision (not just allow / deny).

    Decision carries the policy, the inputs, and the reason — replayable from public keys.

  8. Decisions can be replayed offline by an external auditor.

    The auditor verifies your evidence with public keys alone — no read-access to your runtime.

  9. The audit log is append-only, hash-linked, and tamper-evident.

    Not just an “immutable” database table — cryptographically chained.

  10. Evidence packs ship in a structured, framework-mappable format.

    Auditors get JSON/OSCAL, not a CSV pulled from Splunk.

  11. You can revoke an agent’s authority — with cascade — in < 1 second.

    Agent compromised at 02:14? Token gone, downstream grants revoked, audit recorded — before the next settlement cycle.

  12. Break-glass / recovery flows leave a signed audit trail (not a black box).

    Every emergency override is itself a request, decision, and proof artefact — not an admin clicking a button no auditor sees.
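
To make questions 4 and 6 concrete, the sketch below checks that each link of a delegation chain only narrows a parameter-scoped payment capability, then evaluates a request against the leaf scope with a stated reason. It is an added example, not code from this page or from the KYE Protocol; the `PaymentScope` type, the function names and the sample grants are assumptions, and signature verification of each link is assumed to have happened already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PaymentScope:
    currency: str
    max_amount: int        # per-transaction ceiling, whole currency units
    corridors: frozenset   # corridors the holder may transact in

def attenuates(parent, child):
    """True when the child is no broader than the parent on every constraint."""
    return (child.currency == parent.currency
            and child.max_amount <= parent.max_amount
            and child.corridors <= parent.corridors)   # subset test

def effective_scope(chain):
    """Walk the chain root-to-leaf and reject any link that widens authority."""
    for depth, (parent, child) in enumerate(zip(chain, chain[1:]), start=1):
        if not attenuates(parent, child):
            raise PermissionError(f"link {depth} exceeds its parent's scope")
    return chain[-1]

def authorise(scope, currency, amount, corridor):
    """Return (allowed, reason) so a denial names the constraint that failed."""
    if currency != scope.currency:
        return False, f"currency {currency} not granted"
    if amount > scope.max_amount:
        return False, f"amount {amount} exceeds ceiling {scope.max_amount}"
    if corridor not in scope.corridors:
        return False, f"corridor {corridor} not granted"
    return True, "within scope"

# Constructed sample grants (hypothetical, modelled on the question 6 wording).
ROOT = PaymentScope("USD", 5_000_000, frozenset({"EU", "US"}))
SUB = PaymentScope("USD", 50_000, frozenset({"EU"}))
WIDENED = PaymentScope("USD", 10_000_000, frozenset({"EU", "APAC"}))

if __name__ == "__main__":
    leaf = effective_scope([ROOT, SUB])
    print(authorise(leaf, "USD", 40_000, "EU"))
    print(authorise(leaf, "USD", 40_000, "US"))
    try:
        effective_scope([ROOT, WIDENED])
    except PermissionError as err:
        print("rejected:", err)
```
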
