The missing governance layer for AI agents.
OAuth tells agents who they are. MCP tells agents what tools exist. AAAP tells agents what they're allowed to do — and which human said so.
AAAP is an open standard protocol for human-in-the-loop governance of AI agent actions. When an AI agent wants to do something risky — delete files, push code, drop databases, modify infrastructure — AAAP ensures a human approves first.
97% of deployed AI agent systems have no mechanism for end-users to approve what the agent does on their behalf (OWASP, 2026). AAAP fixes this.
1. EVALUATE — Agent submits action to AAAP server
2. SCORE — Risk engine scores 0-100
3. NOTIFY — If risky, push notification to human's phone
4. DECIDE — Human approves or denies (with biometric)
5. ENFORCE — Agent gets decision, proceeds or aborts
6. AUDIT — Immutable log entry created
- Framework-agnostic — works with any agent (LangChain, CrewAI, MCP, Claude, Codex, custom)
- Simple — two HTTP calls for the common case (evaluate + poll)
- Asynchronous — human doesn't need to be online at evaluation time
- Configurable — risk policies are per-organization, not hardcoded
- Auditable — every action, score, and decision is logged
- Built on standards — OAuth 2.0, CIBA (RFC 9126), JSON-RPC
| Document | Description |
|---|---|
| AAAP Specification v1.0 | Full protocol specification (RFC-style, 14 sections) |
| OWASP Agentic Top 10 Mapping | How AAAP covers 8 of 10 OWASP risks |
| NIST Submission | Response to NIST AI Agent Standards Initiative |
AAAP provides runtime mitigation for 8 of 10 OWASP Agentic Top 10 risks:
| # | Risk | Coverage |
|---|---|---|
| 1 | Excessive Agency | Full |
| 2 | Prompt Injection | Partial |
| 3 | Tool Misuse | Full |
| 4 | Uncontrolled Autonomy | Full |
| 5 | Cascading Failures | Partial |
| 6 | Insecure Identity | Full |
| 7 | Insufficient Logging | Full |
| 8 | Supply Chain Attacks | Partial |
| 9 | Memory Poisoning | Indirect |
| 10 | Multi-Agent Trust | Full |
OAuth/OIDC: "Who is this agent?"
MCP: "What tools can this agent use?"
A2A: "How do agents communicate?"
ACP: "Is this action cryptographically authorized?"
AAAP: "Should this specific action be allowed, and which human said so?"
- Server (Agent Guard): AuthSec — production-deployed API
- Client (Agent Shield): authsec-agent-shield — system-level protection binary
- Mobile Approver: AuthSec Mobile (iOS/Android) — biometric approval via CIBA push
- Claude Code (Anthropic) — blocked `rm -rf`, `git push --force`, `git reset --hard`
- Docker — blocked `docker rm -f`
- Kubernetes — blocked `kubectl delete namespace production`
- MySQL — blocked `DROP TABLE users`
- PostgreSQL — blocked via psql shim
- Azure CLI — blocked `az vm delete`
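The following is an added example, not code from the AAAP project or the specification: an in-process simulation of the six-step flow (evaluate, score, notify, decide, enforce, audit) combined with a pattern-based risk engine that scores the commands listed above as blocked. The endpoint names (`/evaluate`, `/decisions/{id}`), JSON field names, the per-pattern scores and the 50-point approval threshold are all assumptions made for illustration; the hash-chained audit log is one way to make the log tamper-evident and is not something the page specifies.

```python
"""Toy AAAP-style approval server and agent client (added example, not AAAP code).
Endpoint names, field names, pattern scores and the 50-point threshold are assumptions."""
import hashlib
import json
import re
import time
import uuid

# Constructed risk patterns covering the commands the page lists as blocked.
# Each tuple is (compiled regex, score 0-100); the scores are illustrative.
RISK_PATTERNS = [
    (re.compile(r"\brm\s+-[a-z]*r[a-z]*f\b|\brm\s+-[a-z]*f[a-z]*r\b"), 90),
    (re.compile(r"\bgit\s+push\b.*--force(?!-with-lease)\b"), 80),
    (re.compile(r"\bgit\s+reset\s+--hard\b"), 70),
    (re.compile(r"\bdocker\s+rm\s+-f\b"), 75),
    (re.compile(r"\bkubectl\s+delete\s+namespace\b"), 95),
    (re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE), 95),
    (re.compile(r"\baz\s+vm\s+delete\b"), 85),
]
APPROVAL_THRESHOLD = 50  # assumed policy: at or above this, a human must decide


def score_action(command: str) -> int:
    """Step 2 (SCORE): highest matching pattern wins; unmatched commands score 0."""
    return max((s for rx, s in RISK_PATTERNS if rx.search(command)), default=0)


class AAAPServer:
    """In-memory stand-in for the AAAP server: evaluate, notify, decide, audit."""

    def __init__(self, threshold: int = APPROVAL_THRESHOLD):
        self.threshold = threshold
        self.decisions = {}      # decision_id -> record
        self.audit_log = []      # hash-chained entries (step 6, tamper-evident)
        self.notifications = []  # stand-in for the push to the approver's phone

    def _audit(self, event: dict) -> None:
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        body = {"prev": prev, "ts": time.time(), **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.audit_log.append({**body, "hash": digest})

    def evaluate(self, agent_id: str, tool: str, command: str) -> dict:
        """Step 1 (EVALUATE): assumed POST /evaluate. Low-risk actions are approved at once."""
        score = score_action(command)
        status = "pending" if score >= self.threshold else "approved"
        rec = {"decision_id": str(uuid.uuid4()), "agent_id": agent_id, "tool": tool,
               "command": command, "score": score, "status": status, "approver": None}
        self.decisions[rec["decision_id"]] = rec
        self._audit({"event": "evaluate", **rec})
        if status == "pending":
            self.notifications.append(rec["decision_id"])  # step 3 (NOTIFY)
        return {"decision_id": rec["decision_id"], "score": score, "status": status}

    def decide(self, decision_id: str, approver: str, approved: bool, biometric_ok: bool) -> str:
        """Step 4 (DECIDE): the human's answer from the approver app; decisions are final."""
        rec = self.decisions[decision_id]
        if rec["status"] != "pending":
            raise ValueError("decision is already final")
        if not biometric_ok:
            raise PermissionError("biometric check failed; decision not recorded")
        rec["status"] = "approved" if approved else "denied"
        rec["approver"] = approver
        self._audit({"event": "decide", "decision_id": decision_id,
                     "approver": approver, "status": rec["status"]})
        return rec["status"]

    def poll(self, decision_id: str) -> dict:
        """The agent's second HTTP call: assumed GET /decisions/{id}."""
        rec = self.decisions[decision_id]
        return {"status": rec["status"], "approver": rec["approver"]}

    def verify_audit_chain(self) -> bool:
        """Recomputes every hash; an edited or removed entry breaks the chain."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def enforce(server: AAAPServer, decision_id: str, command: str, execute):
    """Step 5 (ENFORCE) on the agent side: act only on an explicit 'approved'."""
    if server.poll(decision_id)["status"] == "approved":
        return execute(command)
    return None  # pending or denied: abort, never fail open


if __name__ == "__main__":
    server, ran = AAAPServer(), []
    low = server.evaluate("agent-1", "shell", "ls -la")
    high = server.evaluate("agent-1", "kubectl", "kubectl delete namespace production")
    print("low:", low["status"], "high:", high["status"], "notified:", server.notifications)
    server.decide(high["decision_id"], "alice", approved=False, biometric_ok=True)
    enforce(server, low["decision_id"], "ls -la", ran.append)
    enforce(server, high["decision_id"], "kubectl delete namespace production", ran.append)
    print("executed:", ran, "audit ok:", server.verify_audit_chain())
```

The agent side only ever makes the two calls the page describes (evaluate, then poll) and treats anything other than an explicit `approved` as an abort, so a lost notification or an offline approver degrades to "nothing happens" rather than to the risky action running. The decision itself is written to the audit chain before the agent can observe it, which is what makes the log answer "which human said so" after the fact.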
- Website: authsec.ai
- Shield: github.com/authsec-ai/authsec-agent-shield
- Contact: ritam@authsec.com
Apache-2.0