AGS-1 Specification

The Agent Security Gateway Specification. The five gates every agent action passes through before it reaches an MCP server, an API, or a database. Normative keywords follow RFC 2119.

Status

Draft (living). Version AGS-1. Maintained by AxioRank (Crawlog LLC). Canonical at axiorank.com/spec. Source and issues at github.com/AxioRank/agent-security-gateway. An agent can fetch this text as markdown from /spec with Accept: text/markdown.

An Agent Security Gateway sits between an AI agent and everything it touches: MCP servers, APIs, databases, and other agents. Before any agent action reaches a destination, the gateway governs it. This document specifies what "governs" means, so that the model is something other parties can recognize, require, and verify, not a single vendor's feature.

            AI Agent
               |
               v
      +-------------------+
      |  Agent Security   |
      |     Gateway       |
      +-------------------+
               |
        +------+------+
        v      v      v
       MCP    APIs   Databases

The keywords MUST, MUST NOT, SHOULD, and MAY are used as in RFC 2119.

Scope

AGS-1 governs agent actions: the side-effecting calls an agent makes after it reasons (a tool call, an HTTP request, a database query, a message to another agent). It does not govern the model, the prompt, or the reasoning. The position is deliberate and narrow: everything an agent does, nothing it thinks.

A conforming gateway intercepts every in-scope action and applies the five gates below before the action reaches its destination.

The five gates

AGS-1.1 Identity

Every action MUST carry a short-lived, attributable identity. The gateway MUST resolve the acting agent and its delegation chain (the operators and any human approver behind the agent) before the action proceeds. Long-lived, ambient, or shared credentials MUST NOT stand in for per-action identity.

AGS-1.2 Policy

The gateway MUST evaluate every action against an explicit policy and MUST default to deny. A deny decision MUST override any allow. Policy MAY route an action to a human for approval (a hold). The decision is one of allow, deny, or hold.
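The decision rule above, sketched as an added example; it is not part of the specification or of AxioRank's code. The rule shape, the glob matching, and the choice that hold outranks allow are assumptions, since AGS-1.2 only fixes default deny and deny-overrides-allow.

```python
from fnmatch import fnmatchcase

# "deny overrides allow" is from AGS-1.2; ranking hold above allow is an assumption.
PRECEDENCE = {"deny": 3, "hold": 2, "allow": 1}
FIELDS = ("agent", "target", "operation")

# Constructed sample policy; the rule shape is hypothetical, not defined by AGS-1.
RULES = [
    {"id": "allow-invoice-read", "effect": "allow",
     "agent": "billing-*", "target": "db:invoices", "operation": "select"},
    {"id": "allow-admin-db", "effect": "allow",
     "agent": "billing-admin", "target": "db:*", "operation": "*"},
    {"id": "hold-refund", "effect": "hold",
     "agent": "billing-*", "target": "api:payments", "operation": "refund"},
    {"id": "deny-drop", "effect": "deny",
     "agent": "*", "target": "db:*", "operation": "drop"},
]

def _matches(rule, action):
    # A missing or non-string field never matches, so malformed actions fall
    # through to the default deny instead of matching a "*" pattern.
    return all(isinstance(action.get(f), str) and fnmatchcase(action[f], rule[f])
               for f in FIELDS)

def decide(action, rules=RULES):
    """Return (decision, matched_rule_id) for one agent action."""
    hits = [r for r in rules if _matches(r, action)]
    if not hits:
        return "deny", "default-deny"          # nothing matched: default to deny
    # The strictest matching effect wins; an unrecognised effect fails closed.
    winner = max(hits, key=lambda r: PRECEDENCE.get(r["effect"], 3))
    effect = winner["effect"] if winner["effect"] in PRECEDENCE else "deny"
    return effect, winner["id"]

if __name__ == "__main__":
    for op, agent, target in [("select", "billing-bot", "db:invoices"),
                              ("drop", "billing-admin", "db:invoices"),
                              ("refund", "billing-bot", "api:payments"),
                              ("select", "marketing-bot", "db:invoices")]:
        print(agent, op, target, "->", decide(
            {"agent": agent, "target": target, "operation": op}))
```

The returned rule id is what an AGS-1.4 audit record would carry as the matched policy.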

AGS-1.3 Inspection

The gateway MUST inspect the action's content for leaked secrets, sensitive data, destructive operations, and injection or exfiltration patterns, and MUST assign a risk score from 0 to 100. Inspection MUST run on the hot path, before the action reaches its destination, not after.

AGS-1.4 Audit

The gateway MUST record every decision in a tamper-evident, append-only log. The record MUST bind the agent, the action, the decision, the risk score, and the matched policy. The log SHOULD be independently verifiable (for example, a signed Merkle log with periodic witnessed tree heads), so that no party, including the gateway operator, can alter history undetected.
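How a Merkle log makes altered history detectable, as an added example that is not part of the specification or of AxioRank's code. It assumes RFC 6962-style leaf and node hashing over canonical JSON; the record field names are hypothetical, audit paths carry an explicit side tag for brevity, and signing and witnessing of the tree head are left out.

```python
import hashlib
import json

# Constructed sample decisions; field names are hypothetical, chosen to bind the
# five items AGS-1.4 requires (agent, action, decision, risk score, policy).
RECORDS = [
    {"agent": "billing-bot", "action": "db:invoices select", "decision": "allow",
     "risk_score": 4, "policy": "allow-invoice-read"},
    {"agent": "billing-admin", "action": "db:invoices drop", "decision": "deny",
     "risk_score": 97, "policy": "deny-drop"},
    {"agent": "billing-bot", "action": "api:payments refund", "decision": "hold",
     "risk_score": 55, "policy": "hold-refund"},
]

def _h(data):
    return hashlib.sha256(data).digest()

def leaf_hash(record):
    # Canonical JSON so the same record always hashes to the same leaf.
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00" + canon)               # 0x00 prefix marks a leaf

def _split(n):
    k = 1                                     # largest power of two below n
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves):
    if len(leaves) <= 1:
        return leaves[0] if leaves else _h(b"")
    k = _split(len(leaves))
    return _h(b"\x01" + tree_head(leaves[:k]) + tree_head(leaves[k:]))

def audit_path(leaves, i):
    """Sibling hashes from leaf i up to the root, each tagged with its side."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if i < k:
        return audit_path(leaves[:k], i) + [("R", tree_head(leaves[k:]))]
    return audit_path(leaves[k:], i - k) + [("L", tree_head(leaves[:k]))]

def verify_inclusion(record, path, head):
    node = leaf_hash(record)
    for side, sibling in path:
        pair = node + sibling if side == "R" else sibling + node
        node = _h(b"\x01" + pair)
    return node == head
```

A verifier holding only a previously witnessed tree head can check one record with `verify_inclusion`; a record whose decision was rewritten after the fact no longer hashes up to that head.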

AGS-1.5 Proof

The gateway SHOULD be able to emit, for any action, an offline-verifiable proof that the action was governed: who acted, the decision, the policy that applied, the data-flow verdict, and the delegation chain. A third party (a downstream service, another agent, an auditor) MUST be able to verify the proof against a pinned public key with no trust in, and no live call to, the gateway operator.

The reference proof artifact is the Agent Action Seal, an Ed25519-signed token minted inline at the moment of the action. Its wire format and verification rules are specified in SEAL.md and implemented by the @axiorank/audit-verify package.

Conformance

A gateway is AGS-1 Core conforming if it satisfies gates AGS-1.1 through AGS-1.4 for every in-scope action.

A gateway is AGS-1 Provable conforming if it additionally satisfies AGS-1.5 and its audit log is independently verifiable.

A gateway MUST NOT advertise conformance for a class of actions it does not intercept. Coverage is part of the claim: "AGS-1 Provable for outbound MCP and HTTP tool calls" is a conformance statement; "AGS-1 Provable" with no scope is not.

An implementation MAY publish a machine-readable conformance descriptor at /.well-known/agent-security-gateway declaring its level and the scope of actions it covers, so that a counterparty can discover and check the claim programmatically. See the conformance guide for the descriptor shape, a gate-by-gate implementation map, and the badge.

Direction

AGS-1 is direction-agnostic. The same five gates apply whether the gateway governs the agents you run (outbound) or verifies the agents that reach your surfaces (inbound). An inbound gateway resolves the visiting agent's identity (for example, Web Bot Auth, RFC 9421), applies policy, and records the decision the same way.

Why publish this

The agentic web needs a shared answer to "was this action governed, and can I check?" Publishing the model as a specification lets any framework, vendor, or in-house platform implement it and lets any buyer require it. AxioRank implements AGS-1 Provable; the specification is meant to outlive any single implementation.

AGS-1 is a living draft. Feedback and implementations are welcome at github.com/AxioRank/agent-security-gateway.
