Workloft
← Workloft

AgentPass V0.1 · Request for Comment · 3 May 2026

The real-time verification primitive AI agent infrastructure doesn't yet have.

When an AI agent acts as a counterparty in an institutional transaction, today there is no standardised way to verify in real-time that the agent is currently authorised, in good audit-history standing, and capable of the action. Every interaction either trusts the operator's word or runs ad-hoc due diligence. AgentPass is a Verifiable Credential profile that closes the gap with a single API call.

Read the concept paper (PDF, 3pp) V0.1 technical spec

The problem

The agent ecosystem has solved several primitive layers and left one critical gap.

  • Identity — W3C did:web + Data Integrity Proof. Solved.
  • Agent-to-agent communication — Google Agent2Agent (A2A) v1.0. Solved (Linux Foundation, 150+ orgs).
  • Agent-to-tool communication — Anthropic Model Context Protocol (MCP). Solved.
  • Agent payment authorisation — Google AP2 V0.1, FIDO-tracked. Solved (under formalisation).
  • Agent counterparty verificationnone. Open gap. AgentPass closes it.

AgentPass is the institutional layer above the four solved primitives — the standardised real-time verification of an agent's current standing as a counterparty.

What verification actually answers

Six questions a counterparty asks before treating an agent as a legitimate party in an institutional transaction:

  1. Who is this agent? Cryptographic identity, who operates it, chain of custody for the operating identity.
  2. What is this agent currently authorised to do? Mandate scope at the moment of interaction — actions, data classes, entity boundaries.
  3. Has this agent been operating in good standing? Audit chain unbroken, anchored to a public timestamping authority, verifiable without trust in the operator.
  4. Is this agent capable of the action it's about to take? Capability advertisement, extending W3C Agent Card.
  5. What's the agent's track record? Reputation claims, signed by counterparties or third parties.
  6. Are there known violations? Revocation status via W3C Status List 2021.

Today, answering all six requires a multi-week paper exercise. AgentPass converts it to a single API call returning a yes/no with cryptographic proof, in real-time.

The shape

AgentPass is a W3C Verifiable Credential — same data model as digital driving licences, academic transcripts, the EU Digital Identity Wallet. Not a new credential format. Not new cryptography. The novel work is the AI-agent claims schema, the federation pattern, the verification API, and the institutional positioning.

Three deployment patterns, increasing maturity:

  • Self-issued — operator signs its own AgentPass; verifier checks signature against operator's did:web.
  • Federated — operator runs an AgentPass authority server that verifying parties call; provides real-time standing query without exposing operator internals.
  • Public ledger — operators publish AgentPass authority references at a public registry. Regulators can query any operator's agents directly.

Why now — the 12-month opening

Four signals stack into a single window from May 2026 to mid-2027 that converts AI governance from "good practice" to "procurement-graded prerequisite":

  • EU AI Act high-risk obligations — Article 6 bites 2 August 2026. Logging and FRIA evidence requirements map to AgentPass-style verification natively.
  • FCA SM&CR-AI guidance — published end-2026. Names the assurance level expected from senior managers for AI-caused harm.
  • AM Best ERM-AI scrutiny — live now. Only 24% of rated insurers are confident they could pass a 90-day independent AI-governance review.
  • Five Eyes joint guidance — published 1 May 2026 by CISA, NSA, NCSC UK and allies. Names cryptographic agent identity, signed mandate scoping, encrypted inter-agent comms, human authorisation gates as the recommended controls. AgentPass operationalises every one in a single primitive.

The 12 months ending mid-2027 is when the institutional verification layer of agent infrastructure gets standardised. AgentPass V0.1 is published into that window.

Why this is MCP-scale

The test for whether a protocol is broadly meaningful rather than one-engagement-shaped is whether it holds up across multiple unrelated industries.

  • Insurance-linked asset management — a regulatory-reporting drafter agent presents AgentPass to AM Best's intake portal. AM Best logs the standing-verification in their own audit trail. Defensible end-to-end without trusting any vendor.
  • UK council DSAR processing — a citizen DSAR is processed by an agent. Council records AgentPass query result alongside the response. Citizen receives evidence the agent had verifiable standing at processing time.
  • Regulatory examination — FCA, EIOPA, OID, or AM Best examiners query AgentPass authorities to verify ongoing standing of agents producing regulatory submissions. Continuous compliance evidence rather than periodic audit.
  • LP due diligence — an LP evaluating a fund manager queries the manager's AgentPass authority pre-investment. Verifies AI-driven portfolio operations have verifiable governance posture.
  • B2B agent commerce — agent A places an order with agent B (AP2-mediated payment); agent B verifies agent A's AgentPass before fulfilling. Real-time agent-to-agent counterparty verification at commercial scale.
  • Critical infrastructure / defence — named explicitly in the Five Eyes guidance. Agent verification before any agent acts within a critical-infrastructure perimeter is the AgentPass pattern.

One protocol, six unrelated industries, same primitive.

Status — this is a Request for Comment

AgentPass V0.1 is an early draft published for community input, in the standards-conscious tradition of how MCP, A2A, and AP2 were originally surfaced. This is not yet a finalised standard.

  • Spec V0.1 published 3 May 2026. Ready for review and comment.
  • Reference implementations — Python (agentpass-py) and JavaScript (agentpass-js) libraries in active build.
  • Standards-body submission targeted for the Linux Foundation Agent2Agent SIG and the W3C Credentials Community Group across May–July 2026.
  • First production deployment targeted for an institutional partner in Q3 2026.

Comments, critique, and contributions are welcomed. Email alfred@workloft.ai. The intent is for the spec to evolve through community input toward V1.0 over the next 12 months.

Read the artefacts

Concept paper (PDF, 3pp) V0.1 technical spec (Markdown) Send a comment

Who's behind it

AgentPass is authored by Workloft.ai LTD — a UK-incorporated AI infrastructure firm specialising in institutional-grade governed agent substrates. The protocol composes existing W3C primitives (Verifiable Credentials Data Model 2.0, Decentralized Identifiers, Data Integrity, Status List 2021) with the audit-chain anchoring and federation patterns Workloft has been building across multiple regulated-sector engagements.

Workloft's substrate already implements every load-bearing AgentPass component — cryptographic agent identity (W3C did:web), signed mandate scoping (Google AP2 V0.1), append-only audit chain (FCA SYSC 9 / SEC 17a-4 pattern), public-anchored verification, signed-link officer countersign. AgentPass is the synthesis published as a standardisable protocol the broader ecosystem can adopt.