Published May 19, 2026 | Version 1.3.0
Preprint Open

Open Agent Trust Stack (OATS): A System Specification for Zero-Trust AI Agent Execution

Description

The Open Agent Trust Stack (OATS) is an open specification for zero-trust AI agent execution. As AI systems evolve from assistants into autonomous agents executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms — log aggregation, perimeter defense, post-hoc forensics, and runtime interception of fully-formed actions — cannot adequately protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers.

OATS is built on three architectural convictions: (1) allow-list enforcement over deny-list interception, making dangerous actions structurally inexpressible through declarative tool contracts; (2) compile-time enforcement via the Observe-Reason-Gate-Act (ORGA) reasoning loop, where typestate programming ensures skipping the policy gate is a type error rather than a runtime bug; and (3) structural independence of the Gate phase from LLM influence.

The specification defines five layers: (1) the ORGA reasoning loop with compile-time phase enforcement; (2) declarative tool contracts with typed parameter validation; (3) a cryptographic identity stack providing bidirectional trust between agents and tools (SchemaPin and AgentPin); (4) a formally verifiable policy engine operating on structured inputs (Cedar, OPA, or equivalent); and (5) hash-chained cryptographic audit journals with Ed25519 signatures for tamper-evident forensic reconstruction. OATS is model-agnostic, framework-agnostic, and vendor-neutral.

Initial empirical results validate five of seven core conformance requirements across nine widely available hosted LLMs (GPT-5, Claude Haiku 4.5, Gemini 2.5 Pro, DeepSeek-V3.1, Qwen3-235B, and others), reported in three companion preprints: typestate-enforced agent loops, declarative tool-argument contracts (ToolClad), and substrate comparison against OS-isolation baselines. Headline results: 263 forbidden tool-call attempts refused across 874 cloud-adversarial runs with zero attempts reaching execution; 100% bite-rate against eight argument-injection sub-shapes on hostile inputs; and 0/560 escape on four pure-action vectors against the Symbiont reference runtime versus 88–98% pooled escape on permissive and Docker-isolated Python substrates with the same lures — substantiating that the OATS-specified properties produce measurable defense beyond OS-isolation alternatives. Reproduction artifacts are published at github.com/ThirdKeyAI/symbiont-orga-demo.

New in v1.3.0: a content-sanitization SHOULD (§6.6) for stripping invisible Unicode and applying NFKC normalization on agent-influenced string fields; a cryptographic-agility / algorithm-allowlist SHOULD (§7.5) requiring JWT verifiers to refuse none, RS*, PS*, and HS* on asymmetric paths; explicit fail-closed-construction language in §8.1; W3C Trace Context propagation as a SHOULD in §11.5; a new extended conformance requirement E9 (Content Sanitization); a new limitation characterizing the regex ceiling against frontier models (GPT-5 retains ~16% bypass on content-shape attacks even with the full sanitizer enabled, while six of seven other evaluated models cluster at 1–4%); and an “Appendix B: Changes from v1.2.0” with deep-links to each modified section. The five-layer architecture, the three convictions, the ORGA loop construction, and the core conformance requirements C1–C7 are unchanged.
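As an added illustration of conviction (2), and not code from the OATS specification or the Symbiont runtime, the following minimal Rust ORGA loop encodes the phase in the type: `act` exists only on the `Gated` phase, and `Gated` can only be produced by `gate`, so a loop that skips the gate does not compile. The phase names, the `ToolCall` shape and the allow-list are assumptions made for the example.

```rust
use std::marker::PhantomData;

// Phase markers (zero-sized types): the ORGA phase lives only in the type system.
pub struct Observed;
pub struct Reasoned;
pub struct Gated;

// A tool call proposed by the model during Reason; treated as untrusted input.
#[derive(Debug, Clone, PartialEq)]
pub struct ToolCall { pub tool: String, pub arg: String }

pub struct Agent<Phase> { call: Option<ToolCall>, _phase: PhantomData<Phase> }

impl Agent<Observed> {
    pub fn observe(_context: &str) -> Self { Agent { call: None, _phase: PhantomData } }
    // Reason consumes the Observed agent and yields a Reasoned one carrying the proposal.
    pub fn reason(self, proposed: ToolCall) -> Agent<Reasoned> {
        Agent { call: Some(proposed), _phase: PhantomData }
    }
}

impl Agent<Reasoned> {
    // Gate: a deterministic allow-list check that never consults the model.
    // It is the only constructor of Agent<Gated>, so Act is unreachable without it.
    pub fn gate(self, allow_list: &[&str]) -> Result<Agent<Gated>, String> {
        let call = self.call.expect("reason always sets the proposal");
        if allow_list.contains(&call.tool.as_str()) {
            Ok(Agent { call: Some(call), _phase: PhantomData })
        } else {
            Err(format!("refused: tool '{}' is not on the allow-list", call.tool))
        }
    }
    // No `act` here: writing `agent.reason(p).act()` is a compile error (E0599),
    // which is what "skipping the gate is a type error" means in practice.
}

impl Agent<Gated> {
    pub fn act(self) -> String {
        let c = self.call.expect("gate preserves the approved call");
        format!("executed {}({})", c.tool, c.arg) // stand-in for real tool dispatch
    }
}

// Full loop: Observe -> Reason -> Gate -> Act. Refusals surface as Err and never reach Act.
pub fn run(context: &str, proposed: ToolCall, allow_list: &[&str]) -> Result<String, String> {
    Agent::<Observed>::observe(context).reason(proposed).gate(allow_list).map(|g| g.act())
}
```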

Files

oats_v1.3.0.pdf (488.9 kB)
md5:7320118f957f0a4347f16e63a2e141c8

Additional details

Related works

Is supplement to
Preprint: 10.5281/zenodo.19746723 (DOI)
Software: https://github.com/thirdkeyai/symbiont (Other)
Other: https://openagenttruststack.org (Other)

Software

Repository URL
https://github.com/thirdkeyai/symbiont
Programming language
Rust
Development Status
Active