Published April 17, 2026 | Version 1.1.0
Preprint Open

Open Agent Trust Stack (OATS): A System Specification for Zero-Trust AI Agent Execution

Description

Open Agent Trust Stack (OATS) is an open specification for zero-trust AI agent execution. It is designed for environments where AI agents perform consequential actions such as querying databases, modifying files, invoking cloud services, and interacting with enterprise systems. OATS shifts the security boundary from model output filtering to pre-execution action governance.

The specification is built on three core principles: allow-list enforcement through declarative tool contracts, compile-time enforcement of the Observe-Reason-Gate-Act (ORGA) reasoning loop, and structural isolation of the policy gate from LLM influence. OATS defines five layers: the ORGA loop, typed tool contracts, a cryptographic identity stack for agents and tools, a formally verifiable policy engine, and tamper-evident cryptographic audit journals.

OATS is model-agnostic, framework-agnostic, and vendor-neutral. This version presents the system architecture, conformance requirements, threat model, and evaluation framework for secure, policy-governed agent execution in enterprise and high-assurance environments.

Files

OATS-v1.1.0.pdf (1.3 MB)
md5:a8f00be4b85b3146cd635a556889887c

Additional details

Software

Repository URL: https://github.com/thirdkeyai/symbiont
Programming language: Rust
Development Status: Active