AIGP is an open specification for structured, tamper-evident events that prove what policies, prompts, tools, and data governed your AI agents — every single time.
Agents access company data, make decisions, and interact with customers. Regulators, auditors, and security teams all need to answer the same question:
"Prove your AI agents used the approved prompts, tools, and policies — every single time."
Every team invents its own audit log. Grep through unstructured logs, build custom tables, or don't track it at all.
Logs can be edited after the fact. There's no cryptographic proof that the content delivered was what was approved.
Which agent, which prompt version, which policy, what happened? Reconstructing the chain requires joining across five systems.
An AIGP event is a single flat JSON record that captures proof of one governance action. Any system can produce them.
{
"event_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"event_type": "GOVERNANCE_PROOF",
"event_category": "governance",
"event_time": "2025-01-15T14:30:00.123Z",
"agent_id": "agent.trading-bot-v2",
"trace_id": "550e8400-e29b-41d4-a716-446655440000",
"data_classification": "confidential",
// Cryptographic proof — Merkle root of all governed resources
"governance_hash": "a3f2b8c1d4e5...9012345678abcdef",
"hash_type": "merkle-sha256",
// Resources — governed, hashed, Merkle tree leaves
// 7 standard types: policy, prompt, tool, context, memory, model, lineage
"resources": [
{ "resource_type": "policy", "resource_name": "policy.trading-limits",
"hash": "a3f2b8c1...", "hash_mode": "content" },
{ "resource_type": "prompt", "resource_name": "prompt.risk-analysis-v7",
"hash": "d4e5f678...", "hash_mode": "content" },
{ "resource_type": "tool", "resource_name": "tool.position-checker",
"hash": "b7c8d9e0...", "hash_mode": "pointer",
"pointer_uri": "s3://aigp-gov/sha256:b7c8d9e0..." },
{ "resource_type": "model", "resource_name": "model.gpt4-trading-v2",
"hash": "e1f2a3b4...", "hash_mode": "content" },
{ "resource_type": "lineage", "resource_name": "lineage.market-data-feed",
"hash": "c5d6e7f8...", "hash_mode": "content" },
// AI Agent-specific: what the agent remembers and its runtime context
{ "resource_type": "context", "resource_name": "context.session-42",
"hash": "f9a0b1c2...", "hash_mode": "content" },
{ "resource_type": "memory", "resource_name": "memory.conversation-history",
"hash": "d3e4f5a6...", "hash_mode": "pointer",
"pointer_uri": "s3://aigp-gov/sha256:d3e4f5a6..." }
],
// Annotations — informational, NOT hashed, NOT in the Merkle tree
"annotations": {
"regulatory_framework": "SEC Rule 15c3-5",
"risk_tier": "high",
"review_required": true
},
"spec_version": "0.8.0"
}Works with A2A, MCP, REST, gRPC, or anything else. The format doesn't assume a transport.
Every event includes a SHA-256 governance_hash. If content changes, the hash won't match.
Every event carries a trace_id. One query reconstructs the full governance chain.
Single wide event table — no joins for governance queries. Designed for OLAP stores.
Resources (governed, hashed) and Annotations (informational). Open types — extend without a spec change.
JWS ES256 event signing for non-repudiation. Causal ordering with sequence numbers and DAG references.
AIGP doesn't just log what happened — it produces cryptographic evidence that nothing was altered after the fact.
Each governed resource — policy, prompt, tool definition, agent config — is hashed individually. Parent hashes combine children. The root becomes the governance_hash on every AIGP event.
Every event is signed with ES256 (ECDSA P-256) via JWS Compact Serialization. The signer's key is embedded in the event — consumers verify independently.
Monotonic sequence_number per agent and causality_ref pointers create a directed acyclic graph — no event can be inserted or reordered without breaking the chain.
Change one byte of a governed policy and the Merkle root changes. The governance_hash in the audit trail won't match — evidence of tampering is immediate and undeniable.
AIGP composes with OpenTelemetry and OpenLineage — they don't compete.
AI Governance
Cryptographic proof, enforcement decisions, audit trail, compliance evidence
AI Governance StoreObservability
Agent latency, error rates, trace topology, distributed context propagation
Observability BackendData Lineage
What data flowed where, governed by what, Merkle tree facets, lineage snapshots
Lineage BackendImplementations may extend these using the same RESOURCE_ACTION naming convention.
Prove trading agents accessed approved limits. MNPI controls enforced.
SEC · FINRA · MiFID IIAudit patient-facing agents for HIPAA-compliant consent and PHI access controls.
HIPAA · HITECH · FDATrack which contract agents used which prompt versions and privilege rules.
ABA Model Rules · GDPR Art. 22Single audit trail across all AI agents for your CISO and compliance team.
SOC 2 · ISO 27001 · NIST AI RMFJWS Compact Serialization (RFC 7515) with ES256 for cryptographic non-repudiation and key rotation.
Monotonic sequence_number per agent and causality_ref DAG for cross-agent event dependencies.
UNVERIFIED_BOUNDARY event makes trust boundaries explicit when agents interact with ungoverned systems.
Govern large or external content by hashing a URI pointer instead of the full payload.
from aigp_otel import AIGPInstrumentor
instrumentor = AIGPInstrumentor(
agent_id="agent.trading-bot-v2",
org_id="org.finco",
event_callback=send_to_store,
)
event = instrumentor.inject_success(
policy_name="policy.trading-limits",
policy_version=4,
content="Max position: $10M...",
data_classification="confidential",
)
# -> AIGP event sent to governance store
# -> OTel span event with aigp.* attributesAIGP is shared under Apache 2.0. The right format will emerge from real-world use across different industries and regulatory regimes.