Published April 20, 2026
| Version 1.30 v2
Technical note
Open
Agent Control Protocol (ACP) v1.30 — Admission Control for Agent Actions
Description
Autonomous agents can produce harmful behavioral patterns from individually valid requests — a threat class that per-request policy evaluation cannot address, because stateless engines evaluate each request in isolation and cannot enforce properties that depend on execution history.
We present ACP, a temporal admission control protocol that enforces behavioral properties over execution traces by combining static risk scoring with stateful signals (anomaly accumulation, cooldown) through a LedgerQuerier abstraction separating decision logic from state management.
ACP is not an anomaly detection system: it does not detect suspicious patterns and alert; it blocks execution based on deterministic, history-aware risk scoring, providing a hard enforcement boundary rather than an advisory signal.
Key results:
- Under a 500-request workload where every request is individually valid (RS=35), a stateless engine approves all 500 requests, while ACP limits autonomous execution to 2 out of 500 (0.4%), escalating after 3 actions and enforcing denial after 11.
- Decision evaluation runs at 739–832 ns (p50); throughput reaches 1,720,000 req/s (baseline) and 920,000 req/s at 10 concurrent workers.
- Safety and liveness properties are model-checked via TLA+ (11 invariants + 4 temporal properties, 0 violations); two-agent safety verified across 4,294,930,695 distinct states with zero violations.
- Runtime correctness validated by 73 signed conformance test vectors.
- We identify and formalize deviation collapse — a governance failure mode in which enforcement is active but never exercised — and introduce Boundary Activation Rate (BAR) as its detection mechanism.
- ACP-RISK-3.0 eliminates cross-context interference by scoping rate-based anomaly signals via PatternKey(agentID, capability, resource).
ACP is Paper 1 of a 6-paper Agent Governance Series:
P0 — Atomic Decision Boundaries (structural impossibility of split evaluation systems).
P2 — Behavioral drift detection via the Invariant Measurement Layer (IML).
P3/4 — Governance structure: fair multi-agent allocation, strategy-proofness, and compositional irreducibility (consolidated paper).
P5 — Runtime execution validity under partial observability (RAM).
P6 — Operationalization of RAM as a runtime enforcement protocol.
All companion papers are published on Zenodo.
Specification and implementation: https://github.com/chelof100/acp-framework-en
Full series (Agent Governance Series, Papers 0–6):
P0 — Atomic Decision Boundaries: https://doi.org/10.5281/zenodo.19670649 | arXiv:2604.17511
P1 — Agent Control Protocol (ACP, this paper): https://doi.org/10.5281/zenodo.19672575 | arXiv:2603.18829
P2 — From Admission to Invariants (IML): https://doi.org/10.5281/zenodo.19672589 | arXiv:2604.17517
P3/4 — Irreducible Governance Structure (consolidated): https://doi.org/10.5281/zenodo.19708496
P5 — Reconstructive Authority Model (RAM): https://doi.org/10.5281/zenodo.19669430 | arXiv:2604.22898
P6 — Operationalizing Reconstructive Authority: https://doi.org/10.5281/zenodo.19699460
Files
ACP-paper-v1.30.pdf
Files
(1.1 MB)
| Name | Size | Download all |
|---|---|---|
|
md5:f8635231db2b33bf3afc66f015ff2fd6
|
1.1 MB | Preview Download |
Additional details
Related works
- Is published in
- Publication: arXiv:2603.18829 (arXiv)
- Is supplement to
- Software: https://github.com/chelof100/acp-framework-en (URL)
Dates
- Submitted
-
2026-04-18
Software
- Repository URL
- https://github.com/chelof100/acp-framework-en
- Programming language
- Go
- Development Status
- Active