RANKIGI Open Agent
Governance Standard

This standard defines the minimum requirements for governing autonomous AI agents in production environments. It establishes a framework for cryptographic auditability, verifiable identity, and policy enforcement that is independent of any specific AI model, orchestration framework, or deployment platform.

Scope. This standard applies to any software system (“agent”) that autonomously selects and executes actions—including tool calls, API requests, code execution, and data retrieval—on behalf of a human principal or organization.

Goals. (a) Provide tamper-evident proof of every action an agent takes. (b) Enable post-hoc verification of agent behavior without accessing raw data. (c) Establish portable agent identity across organizational boundaries. (d) Support regulatory compliance (EU AI Act, SOC 2, HIPAA) through cryptographic evidence.

• Agent (noun) — An autonomous software system that selects and executes actions on behalf of a principal.
• Event (noun) — A single discrete action taken by an agent, including the action type, tool invoked, and a canonical payload hash.
• Hash Chain (noun) — An append-only sequence of events where each entry includes the SHA-256 hash of the previous entry, forming a tamper-evident log.
• Passport (noun) — A verifiable identity document bound to an agent, containing cryptographic keys, capability scopes, and governance metadata.
• Intent (noun) — The agent's reasoning or justification for an action, encrypted at rest and hashed into the chain.
• Snapshot (noun) — A periodic integrity checkpoint that captures the full state of an agent's hash chain at a point in time.
• Policy (noun) — A declarative rule that defines permitted or prohibited agent behaviors, evaluated at ingestion time.
• Principal (noun) — The human or organization on whose behalf the agent operates.
• Governance Score (noun) — A composite metric reflecting an agent's compliance, chain integrity, and policy adherence over a time window.
• Owner (noun) — The accountable human designated as primarily responsible for a governed agent's actions, alert routing, and compliance posture.
• Approver (noun) — A secondary human who reviews and co-signs governance decisions for an agent. Available on Pro tier and above.
• Delegate (noun) — A tertiary human who may act on behalf of the owner for day-to-day governance tasks. Available on Business tier and above.
• Handshake (noun) — A cryptographic mutual-authentication ceremony between two agents establishing trust.
• Agent Arbitration (noun) — The process by which RANKIGI verifies that an agent has authority from its human owner before accepting a delegated task from another agent. Arbitration events are logged immutably to both agents' audit trails.
• Federation (noun) — A cross-organization handshake where agents from different orgs verify each other's governance passports, negotiate scoped permissions, and establish time-bound sessions — all logged to both audit trails.
• Agent Cost Intelligence (noun) — A governance metric that compares the cost of governed agent actions against the estimated human labor equivalent, providing CFO-ready ROI evidence for agent program investment decisions.
• Production Readiness Score (integer (0–100)) — A composite metric measuring an organization's readiness for board-level governance review, incorporating chain integrity, human accountability, compliance coverage, behavioral drift, and intent chain coverage.
• Trust Score (decimal) — A composite metric (0–1) reflecting an agent's governance posture: chain integrity, compliance rate, drift status, human accountability, and violation history.

Every governed agent MUST possess a unique, verifiable identity (“passport”) before it can emit events into the governance system.

Required passport fields:

• passport_id (uuid) — Globally unique identifier for the passport.
• agent_id (uuid) — The agent this passport is bound to.
• org_id (uuid) — The organization that issued the passport.
• public_key (string) — Ed25519 public key for signature verification.
• capabilities (string[]) — Declared tool and action scopes the agent is authorized to use.
• issued_at (timestamp) — Issuance time (UTC, ISO 8601).
• expires_at (timestamp) — Expiry time. Passports MUST be rotated before expiry.
• status (enum) — One of: active, suspended, revoked.

Passports MAY be verified by any party holding the public key. A revoked passport MUST NOT be accepted for new event ingestion. Inter-agent trust is established via a mutual handshake ceremony (see Section 10).

Every action taken by a governed agent MUST be recorded as an immutable event. The governance system operates as a passive sidecar—it MUST NOT block or delay the agent’s execution.

Required event fields:

• event_id (uuid) — Unique identifier for this event.
• agent_id (uuid) — The agent that produced the event.
• org_id (uuid) — The owning organization.
• action (string) — Action type (e.g., "tool_call", "api_request", "code_exec").
• tool (string | null) — The tool or function invoked, if applicable.
• canonical_payload (string) — Deterministic JSON serialization of the event payload, hashed for storage.
• occurred_at (timestamp) — Event timestamp (UTC, ISO 8601).

Latency requirement. Ingestion p95 MUST be under 200ms. The agent MUST continue execution regardless of ingestion success or failure (fire-and-forget semantics).

Events MUST be chained in a tamper-evident sequence using SHA-256. Each entry in the hash chain includes:

Required chain fields:

• chain_index (bigint) — Monotonically increasing index within the agent's chain.
• hash (string) — SHA-256 hex digest of the hash input.
• previous_hash (string | null) — Hash of the preceding event. NULL for the first event.
• intent_hash (string | null) — SHA-256 of the encrypted intent ciphertext, if present.

Verification. Any party MAY verify the chain by recomputing hashes from the first event forward. A single mismatched hash indicates tampering at or before that index. The chain MUST be append-only—no deletes, no updates.

Optionally, agents MAY attach encrypted reasoning (“intent”) to any event, explaining why an action was taken. Intent is encrypted client-side before transmission and MUST never be stored or logged in plaintext server-side.

Encryption specification:

The intent hash is included in the chain hash computation (Section 05). This proves the reasoning existed at the time of the event without exposing its contents. Decryption requires the master key held by the organization.

Organizations MAY define declarative policies that are evaluated against incoming events at ingestion time. Policies define constraints on agent behavior.

Policy structure:

• policy_id (uuid) — Unique identifier for this policy.
• name (string) — Human-readable policy name.
• rule_type (enum) — One of: "deny_action", "require_tool", "rate_limit", "data_boundary", "custom".
• condition (json) — Declarative condition to match against events.
• action_on_violation (enum) — One of: "log", "alert", "block".
• active (boolean) — Whether the policy is currently enforced.

Evaluation order. Policies are evaluated in priority order. A “block” action prevents the event from being recorded and returns an error to the caller. All policy evaluations—including passes—are recorded in an immutable audit log.

Policy Marketplace. Organizations MAY install pre-verified governance policies from the RANKIGI Policy Marketplace. Marketplace policies are mapped to compliance frameworks (SOC 2, HIPAA, PCI-DSS, EU AI Act) and include configurable parameters. Official policies are authored and verified by RANKIGI; community policies may be submitted by any organization on the Business tier or above.

The governance system MUST produce periodic snapshots that capture the integrity state of each agent’s hash chain. Snapshots serve as checkpoints for verification and compliance audits.

Required snapshot fields:

• snapshot_id (uuid) — Unique identifier for this snapshot.
• agent_id (uuid) — The agent whose chain is being captured.
• chain_length (integer) — Total number of events in the chain at snapshot time.
• head_hash (string) — SHA-256 hash of the most recent chain entry.
• chain_valid (boolean) — Whether the full chain verified without errors.
• created_at (timestamp) — Snapshot creation time (UTC).

Snapshots SHOULD be generated at least once every 24 hours for active agents. A snapshot with chain_valid = false indicates potential tampering and MUST trigger an alert.

Organizations SHOULD generate periodic governance reports that summarize agent compliance, chain integrity, policy violations, and risk indicators over a time window.

Minimum report contents:

• Total events ingested in the reporting period.
• Number of policy violations by severity.
• Chain integrity status per agent (verified / broken / pending).
• Governance score trend (current vs. prior period).
• Snapshot coverage (percentage of active agents with valid snapshots).
• Intent coverage (percentage of events with attached reasoning).

Reports MAY be delivered as PDF, HTML, or structured JSON. For regulatory submissions, reports SHOULD include cryptographic signatures to prove they were generated from authentic chain data.

Every governed agent SHOULD have a designated human owner who accepts accountability for the agent’s actions within the governance system.

Accountability roles:

• Owner (required) — The primary accountable human. Receives alert routing, appears in governance reports, and must acknowledge critical violations.
• Approver (optional) — A secondary reviewer who co-signs governance decisions. Receives CC on alert emails. Requires Pro tier or above.
• Delegate (optional) — A tertiary human who may act on the owner's behalf for routine governance tasks. Requires Business tier or above.

Ownership MUST be accepted via a cryptographic invitation ceremony: the organization generates a time-limited token, sends it to the designated human, and the human explicitly accepts accountability. Tokens expire after 7 days.

Agents without an assigned, accepted owner incur a governance score penalty (−15 points). Agents with a pending (unaccepted) owner incur a reduced penalty (−5 points). All ownership changes are logged to an immutable audit trail.

RANKIGI issues numbered Agent Governance Certificates to agents that meet the requirements of this standard. Each certificate is assigned a unique number (format: RNK-YYYY-NNNNN), cryptographically signed, and publicly verifiable at rankigi.com/certificate/[number].

Certificates are scored across six dimensions: WHO (human accountability), WHAT (scope and identity), WHEN (activity and audit trail), WHERE (environment and framework), WHY (intent chain coverage), and HOW (policy compliance). The overall score is a weighted average of all six dimensions.

Certificates expire annually and MUST be renewed. Revoked certificates are permanently recorded. The certificate number serves as the primary reference for regulatory submissions, RFP responses, and board reporting.

This standard is designed to support compliance with existing and emerging AI regulations:

ISO 42001 control mappings:

Inter-agent trust. Agents governed under this standard MAY establish mutual trust via a cryptographic handshake: (1) initiator sends a nonce + signed challenge, (2) responder verifies the passport and returns a counter-signature, (3) both parties record the handshake in their respective chains. This enables cross-organization agent collaboration with verifiable provenance.

Portability. Hash chains, snapshots, and governance reports produced under this standard use open formats (JSON, SHA-256, AES-256-GCM) and are not tied to any vendor. Organizations MAY export their full chain data at any time.