Skip to content

RFC-010 Extension: Multi-Agent Governance

RFC-010 Extension: Multi-Agent Governance

PRIVATE AND PROPRIETARY — NOT A PUBLIC RFC. Owned by Kanjani AI Research & Causum. See NOTICE.md.

Status: DRAFT

Authors: Kanjani AI Research & Causum

Date: 2026-06-11

Abstract

Extends RFC-010 (AI Governance Protocol) to support multi-agent systems where Agent A delegates work to Agent B. Defines session linking, delegation tokens, aggregate reporting, and trace chaining across agent boundaries.

Motivation

Modern agentic architectures (CrewAI, AutoGen, LangGraph multi-agent) involve multiple agents collaborating. The base AIGP protocol assumes single-agent sessions. This extension adds:

  1. Parent-child session linking
  2. Scoped delegation tokens
  3. Aggregate cost/token reporting
  4. Cross-agent trace visualization

Specification

1. Session Linking

graph TD
S1[Session A: Agent Coordinator] --> S2[Session B: Research Agent]
S1 --> S3[Session C: Analysis Agent]
S2 --> S4[Session D: Tool Agent]
S1 ---|parent_session_id: null| S1
S2 ---|parent_session_id: S1| S2
S3 ---|parent_session_id: S1| S3
S4 ---|parent_session_id: S2| S4

Each RECORD and TRACE includes:

  • session_id: unique per agent execution
  • parent_session_id: links to delegating agent (null for root)
  • parent_trace_id: links TRACE spans across agents

2. Delegation Token

When Agent A delegates to Agent B, A issues a DelegationToken:

{
"tid": "del-a1b2c3d4",
"iss": "coordinator-agent",
"del": "research-agent",
"models": ["us.anthropic.claude-sonnet-4-20250514"],
"tools": ["search_docs", "summarize"],
"max_tok": 50000,
"ptid": "trc-parent-xyz",
"iat": "2026-06-11T10:00:00Z",
"exp": "2026-06-11T10:05:00Z"
}

The token is HMAC-signed by the issuing agent’s AIGP secret. The child agent presents it during CHECK — governance-server validates:

  • Signature matches registered app
  • Token not expired
  • Requested model/tool within allowed scope
  • Token budget not exceeded

3. Aggregate RECORD

The root agent sends an aggregate RECORD after all child agents complete:

{
"use_case": "coordinator-agent",
"status": "SUCCESS",
"session_id": "ses-root",
"aggregate": {
"total_input_tokens": 12500,
"total_output_tokens": 8200,
"total_duration_ms": 45000,
"child_sessions": 3,
"child_agents": ["research-agent", "analysis-agent", "tool-agent"],
"delegation_tokens_issued": 3,
"budget_consumed_pct": 42
}
}

4. Trace Chaining

gantt
title Multi-Agent Trace Timeline
dateFormat X
axisFormat %s
section Coordinator
S1 Identity :0, 1
S3 CHECK :1, 2
S19 Delegation (B) :2, 3
S19 Delegation (C) :3, 4
S14 RECORD :10, 11
section Research Agent
S18 Agent Bind :3, 4
S3 CHECK :4, 5
S9 Model Invoke :5, 7
S21 Tool Call :7, 8
S14 RECORD :8, 9
section Analysis Agent
S18 Agent Bind :4, 5
S3 CHECK :5, 6
S9 Model Invoke :6, 9
S14 RECORD :9, 10

Each child trace includes parent_trace_id so governance-server can reconstruct the full execution tree.

5. New AIGP Stages (18-26)

Stage Name Multi-Agent Purpose
18 agent_identity_binding Child agent verifies delegation token
19 delegation_scope_assignment Parent issues scoped token
20 input_attestation Child attests input integrity (D-DNA)
21 tool_authorization_runtime Per-tool CHECK during execution
22 execution_plan_governance Plan review before multi-step execution
23 autonomy_boundary_evaluation Can agent act without human approval?
24 inter_agent_communication Agent-to-agent message governance
25 memory_governance What can be persisted to shared memory?
26 circuit_breaker_evaluation Should execution halt? (cost, time, risk)

6. governance-server Support

governance-server already stores RECORD and TRACE. For multi-agent:

  • GET /api/v1/data/sessions/{session_id}/tree — returns full delegation tree
  • GET /api/v1/data/traces?parent_trace_id=X — child traces for a parent
  • Dashboard: agent topology graph showing delegation patterns

7. Security Considerations

  • Delegation tokens are time-limited (default 5 min TTL)
  • Budget caps prevent runaway child agents
  • Tool allowlists prevent privilege escalation
  • Each agent must be independently registered in governance-server
  • Parent cannot delegate more permissions than it has
  • Circuit breaker (S26) halts execution if cost/time exceeds thresholds

Backward Compatibility

All new fields are optional. Existing single-agent AIGP flows continue unchanged. parent_session_id and parent_trace_id default to null/empty.