Agent Governance Glossary
The vocabulary of the agent economy. 30 terms, 12 of which are defined by AGF for the first time. This is a living document — new terms are added as the frameworks evolve.
Agent
An autonomous software entity that perceives inputs, makes decisions, and takes actions — potentially including calling APIs, spawning sub-agents, modifying data, and interacting with external systems — without requiring human approval at each step.
See also: Agent ID, Agent Lifecycle
Agent ID
A persistent, globally unique identifier for an AI agent, based on the DID (Decentralized Identifier) standard. The Agent ID identifies the agent as a conceptual entity independent of the model, runtime, or organization that created it. Format: did:agent:<namespace>:<name>-<version>.
See also: Agent Passport, DID
Agent Lifecycle
The six governed stages of an agent's operational existence: Provisioning, Authentication, Authorization, Operation, Suspension, and Retirement. Each stage has defined governance checkpoints and transitions.
See also: Provisioning, Retirement, Suspension
Agent Ownership
The formal attribution of an agent to a responsible principal — a human, team, or organization — who bears accountability for the agent's actions and lifecycle. Ownership is recorded in the agent's identity record and included in every Agent Passport.
See also: Agent Passport, Accountability
Agent Passport
A cryptographically signed credential bundle that an agent presents when interacting with a system. Contains: the Agent ID, owner reference, trust score at issuance time, delegated scope, expiry, and issuing authority signature. Short-lived by design (default max 24h).
See also: Agent ID, Agent Trust Score, Delegation Token
Agent Retirement
A formal decommission process for an agent: (1) terminate active sessions, (2) issue branch-cut revocations for all delegations, (3) purge retained memory per policy, (4) set Agent ID status to 'retired', (5) issue signed retirement attestation, (6) archive lifecycle record. The Agent ID is never reused.
See also: Retirement Attestation, Branch-Cut Revocation
Agent Trust Score
A computed numeric value in [0, 1] that reflects how much trust to extend to an agent at a given moment. Composed from Lineage Trust, Credential Trust, and Anomaly Trust. Continuously updated. Compared against per-action trust thresholds during authorization.
See also: Lineage Trust, Credential Trust, Anomaly Trust
Anomaly Trust
A component of the Agent Trust Score that captures behavioral deviation signals — unusual request timing, volume spikes, atypical input sources, or patterns inconsistent with the agent's historical baseline. Anomaly Trust decreases when anomalies are detected.
See also: Agent Trust Score
Audit Artifact
A structured, cryptographically signed record of an authorization decision. Contains: agent identity, action requested, resource targeted, trust score components, risk scores, policy reference, decision outcome, and conditions. Emitted to an append-only audit log. Self-contained and replayable.
See also: Decision Artifact, Append-Only Log
Branch-Cut Revocation
An AGF revocation mechanism that invalidates an entire subtree of the delegation chain in a single operation. When a node is revoked, all agents that received delegation authority from that node — directly or transitively — have their delegations invalidated simultaneously. Propagates in under 500 ms.
See also: Revocation, Delegation Chain
Credential Trust
A component of the Agent Trust Score based on the age and integrity of the agent's credentials. Fresh credentials (< 1 hour) score highest. Credentials age with time; if any principal in the delegation chain has had their credentials recently modified or revoked, Credential Trust is penalized.
See also: Agent Trust Score
Decision Artifact
See Audit Artifact. The term 'decision artifact' emphasizes the per-decision granularity: one artifact per authorization evaluation, not one per session or per batch.
See also: Audit Artifact
Delegation Chain
A sequence of principal-to-agent or agent-to-agent delegation relationships, from the originating human principal through one or more orchestrators to the agent that performs an action. Each hop is recorded in signed delegation tokens. AGF policies define maximum chain depth per action type.
See also: Delegation Token, Lineage Trust, Branch-Cut Revocation
Delegation Token
A cryptographically signed, short-lived assertion that encodes: the delegating principal's identity, the receiving agent's identity, the scope of authority delegated, constraints, expiry, and a reference to the delegating principal's own authorization. Tokens cannot grant authority beyond what the delegating principal holds.
See also: Delegation Chain, Agent Passport
DID (Decentralized Identifier)
A W3C standard for globally unique, self-sovereign identifiers that are cryptographically verifiable and resolvable without a central registry. AGF uses DIDs as the basis for Agent IDs. The did:agent DID method is defined in the Agent Identity Framework.
See also: Agent ID
Environmental Risk
A risk score component that reflects contextual factors around an agent's action request: time of day, request volume relative to baseline, source of input (internal vs. external), network context. Environmental Risk is dynamic — the same action may have different environmental risk scores at different times.
See also: Inherent Risk, Trust Risk
Inherent Risk
A static risk score assigned to an action type by policy authors, reflecting the intrinsic danger of the operation regardless of context. Deleting a database table carries high inherent risk; reading a public configuration file carries low inherent risk. Defined once in policy; applied universally.
See also: Environmental Risk, Trust Risk
Lineage Trust
A component of the Agent Trust Score derived from the depth and quality of the agent's delegation chain. Direct delegation from a human (depth 1) carries the highest lineage trust. Each additional delegation hop reduces lineage trust. A compromised or revoked node anywhere in the chain collapses lineage trust for all downstream agents.
See also: Agent Trust Score, Delegation Chain
Memory Governance
The policies that determine what an agent may retain, what must be purged, and what may persist across sessions. AGF defines three memory categories: session memory (purged at session end), scoped memory (persists with policy authorization), and persistent memory (requires owner authorization; retention-limited).
See also: Agent Lifecycle, Agent Retirement
Policy Decision Point (PDP)
The runtime component that evaluates authorization requests. The AGF PDP evaluates policy compliance, trust sufficiency, and risk acceptability independently before issuing a signed decision. PDPs are distributed — they run co-located with resources, subscribe to the policy repository, and maintain a local cache of recent decisions.
See also: Domain Authority, Audit Artifact
Provisioning
The act of registering a new agent in the governance system — creating its Agent ID, binding an owner, generating a keypair, and establishing its initial authorization scope. Provisioning is an explicit, governed act that requires authorization from a responsible human principal.
See also: Agent Lifecycle, Agent ID
Retirement Attestation
A signed document produced at the conclusion of an agent's retirement process, attesting that all credentials have been revoked, all sessions terminated, all memory purged per policy, and the lifecycle record archived. The final governance artifact for an agent's existence.
See also: Agent Retirement
Revocation
The act of permanently or temporarily invalidating an agent's delegation credentials, terminating its active sessions, and preventing new sessions from being established. AGF distinguishes between explicit revocation (administrator action) and trust-decay revocation (trust score falls below threshold).
See also: Branch-Cut Revocation, Suspension
Risk Threshold
A per-action maximum composite risk score above which a request is denied or escalated. Thresholds are defined in policy per action type and may vary by domain, time window, or agent trust level. A high-trust agent may have a higher risk threshold than a new or low-trust agent.
See also: Inherent Risk, Environmental Risk, Trust Risk
Scope Constraint
A condition within a delegation token that limits what actions the receiving agent may perform. Scope constraints cannot exceed the delegating principal's own authorization scope — sub-delegation is always bounded by the parent's limits. Violations are caught at the PDP.
See also: Delegation Token
Suspension
A temporary governance state in which an agent's operations are halted — active sessions terminated, new sessions blocked — without permanently deactivating the agent's identity. Suspension is reversible; retirement is not.
See also: Agent Lifecycle, Revocation
Trust Anchor
A root entity whose trust is assumed rather than derived — the starting point of a trust chain. In AGF, the Domain Authority serves as the trust anchor for agents within its governance scope. Trust anchors are explicit, documented, and cryptographically bound.
See also: Domain Authority
Trust Risk
A risk score component derived from the agent's delegation lineage quality. Direct human delegation (depth 1) carries low trust risk. Deep delegation chains, aged credentials, and recently modified parent principals increase trust risk. Trust risk is combined with inherent and environmental risk to produce the composite risk score.
See also: Agent Trust Score, Delegation Chain
Working Group
The AGF open community of practitioners — IAM professionals, security architects, AI engineers, researchers, and students — who participate in reviewing, improving, and implementing AGF frameworks and specifications.

