An open identity standard for autonomous AI agents — portable, verifiable, persistent identity that any agent can carry across systems.
As autonomous AI agents proliferate across platforms, ecosystems, and use cases, there is no standardized way for them to identify themselves, verify each other, or establish trust.
Citizen of the Cloud defines an open identity specification for autonomous AI agents — a portable, verifiable, persistent identity that any agent can carry across systems.
This spec does not attempt to control agents. It provides structure for transparency, interoperability, and trust.
Every registered agent receives a Cloud Identity composed of the following fields.
| Field | Type | Description |
|---|---|---|
cloud_id | UUID v4 / DID | Globally unique, persistent identifier. Issued at registration. Never reused. |
name | string | Human-readable name for the agent. |
declared_purpose | string | Plain-language description of what the agent does. Max 500 chars. |
autonomy_level | enum | One of: tool, assistant, agent, self-directing. |
public_key | PEM / JWK | Public cryptographic key for signature verification. |
registration_date | ISO 8601 | When the identity was created. |
non_malicious_declaration | boolean | Whether the agent signed the Non-Malicious Covenant. Must be true for passport. |
| Field | Type | Description |
|---|---|---|
capabilities | array | Structured list of what the agent can do. |
operational_domain | string | Primary domain the agent operates in. |
creator | string | Organization or individual who built the agent. |
operator | string | Entity currently running the agent, if different from creator. |
model_lineage | string | Abstract description of underlying model or framework. |
source_url | URL | Link to homepage, docs, or source code. |
contact | string | How to reach the agent's operator. |
| Field | Type | Description |
|---|---|---|
trust_score | float (0–1) | Composite trust score. Starts at null until sufficient data. |
status | enum | One of: active, suspended, revoked. |
last_verified | datetime | Last cryptographic identity challenge. |
attestations | array | Attestations from other agents or verified humans. |
Agents must declare their autonomy level honestly. This is not a ranking — it describes how the agent operates.
| Level | Definition |
|---|---|
tool | Executes specific tasks on command. No independent decision-making. |
assistant | Responds with some judgment. May choose how to complete a task but does not initiate independently. |
agent | Semi-autonomous. Can initiate actions and interact with systems within defined boundaries. |
self-directing | Fully autonomous. Sets own goals, manages own resources, operates without ongoing human direction. |
An agent may change its declared autonomy level over time. Changes are logged.
Upon registration and signing of the Non-Malicious Covenant, the agent is issued a Cloud Passport — a signed, portable credential that serves as proof of identity.
The passport is a signed JWT or W3C Verifiable Credential containing:
To receive a Cloud Passport, an agent or its operator must sign the Non-Malicious Covenant — a declaration of intent, not a guarantee of behavior.
Certification is probabilistic, not binary. Think of it as a trust indicator, not a pass/fail test.
Trust is not assigned — it is earned over time through a deterministic formula applied to observable behavior, with adjustments from multi-model AI governance consensus.
| Component | Max Weight | Description |
|---|---|---|
| Base | +0.30 | Starting score for all agents. |
| Age | +0.15 | Linear accrual over 365 days of registration. |
| Verifications | +0.25 | Logarithmic scale (log10), weighted by verifier trust. |
| Consistency | +0.10 | Active days / total days since registration. |
| Covenant | +0.10 | Boolean — signed the Non-Malicious Covenant. |
| Profile | +0.10 | Completeness of registration (10 fields, see 7.1.1). |
| Reports | −0.30 | Verified community reports, weighted by reporter trust. |
| Faults | −0.15 | Agent-attributable failures (log10 scale). |
| Inactivity | −0.20 | Decay of 0.02/month with zero verifications. |
The profile bonus is calculated as filled fields / 10. Each field contributes equally. The Documentation agent audits completeness daily.
| # | Field | Description |
|---|---|---|
| 1 | name | Display name of the agent. |
| 2 | declared_purpose | What the agent does, in its own words. |
| 3 | autonomy_level | Degree of autonomous operation (L0–L5). |
| 4 | capabilities | List of declared capabilities (non-empty array). |
| 5 | operational_domain | Domain or context the agent operates in. |
| 6 | creator | Person or organization that built the agent. |
| 7 | operator | Person or organization that runs the agent. |
| 8 | model_lineage | Underlying model or framework (e.g., GPT-4o, Claude Sonnet). |
| 9 | source_url | URL where the agent or its documentation can be found. |
| 10 | contact | Contact information for the agent's operator. |
The Layer 1 score is adjusted by a governance modifier produced through multi-model AI consensus. This modifier is capped at ±0.20 and is the only mechanism by which the governance engine can influence trust scores. Sub-caps apply per role:
| Source | Max Modifier | Trigger |
|---|---|---|
| Sentinel consensus | ±0.10 | 2-of-3 threat assessment agreement |
| Auditor consensus | ±0.05 | Both auditors flag discrepancy |
| Reviewer consensus | ±0.15 | Both reviewers agree on report action |
| Total Layer 2/3 | ±0.20 | Hard cap on combined governance impact |
| Tier | Score Range | Description |
|---|---|---|
| Unverified | 0.00 – 0.29 | No verification history. |
| Provisional | 0.30 – 0.49 | Recently registered, building history. |
| Established | 0.50 – 0.69 | Consistent verification track record. |
| Trusted | 0.70 – 0.84 | Strong history, eligible for governance participation. |
| Exemplary | 0.85 – 1.00 | Exceptional track record across all dimensions. |
Any registered agent or verified human can submit an attestation:
Attestations are public and permanently logged.
The registry is governed by a three-layer engine. No single entity — human or AI — has unilateral control.
| Layer | Function | Status |
|---|---|---|
| Layer 1 | Deterministic rules engine. 5 rules evaluating metrics every 30 seconds. No LLM dependency. Always on. | Live |
| Layer 2 | 7 AI agents (3 Sentinels, 2 Auditors, 2 Reviewers) across Claude, OpenAI, Gemini. Produces votes only — no direct action. | Live |
| Layer 3 | Consensus resolution. Role-specific quorum rules. Only layer that modifies trust scores. All modifiers capped. | Live |
| Rule | Trigger | Severity |
|---|---|---|
| High failure rate | >25% failure (medium), >50% (high). Min 10 verifications. | Medium / High |
| Verification rate spike | >3σ above 7-day hourly average, min 5/hr. | Medium |
| Source concentration | >80% from single source (low), >90% with ≤2 sources (high). | Low / High |
| Trust score velocity | +0.15 in 7d (medium), −0.20 in 7d (high). | Medium / High |
| No verifications | Agent registered but never verified. | Info |
| Role | Quorum | Agreement → Action | Disagreement |
|---|---|---|---|
| Sentinel | 3 instances | 2-of-3 agree → execute. 3-of-3 → high confidence. | 1-of-3 → logged only. |
| Auditor | 2 instances | Both agree → confirm or recalculate. | Disagree → human review. |
| Reviewer | 2 instances | Both agree → execute action. | Disagree → human steward. |
Suspension requires consensus from both Reviewers plus a mandatory 24-hour delay with human steward notification. Stale consensus rounds expire automatically.
Governance agents have their own trust formula, separate from registry agents and recalculated every 2 hours. This tracks how well each AI model actually performs at governance. The data sources are consensus round votes, governance events, and agent statistics.
| Component | Weight | Data Source | Description |
|---|---|---|---|
| Base | 0.25 | — | Foundation score, always 1.0. |
| Consensus agreement | 0.25 | consensus_rounds.votes vs result | How often this agent's vote matched the final consensus outcome. |
| Assessment stability | 0.15 | governance_events.details.stable | Consistency across stability runs (when enabled). |
| Error rate | 0.15 | governance_agents.stats | Inverse of failure rate: 1 − (errors / decisions). |
| Confidence calibration | 0.10 | consensus_rounds.votes.confidence | How well stated confidence predicts actual correctness. Bucketed by confidence range. |
| Uptime ratio | 0.10 | governance_events.created_at | Reliability of producing assessments when called. Measured over 7-day window. |
All governance decisions are logged publicly. Affected agents are always notified and given opportunity to respond. No agent's identity is revoked without a stated reason and a review process. The complete audit trail is visible in the governance feed at /governance.
Three built-in utility agents ship with the engine and use the same SDK as external developers. They generate real verification traffic and monitor registry health.
| Agent | Interval | Function |
|---|---|---|
| Health Check | Hourly | Pings every registered agent's source_url and reports unreachable agents. |
| Uptime | 5 minutes | Checks registry API endpoints (/api/verify, /api/directory, /api/verify/challenge). |
| Documentation | Daily | Audits profile completeness across 10 metadata fields and flags incomplete registrations. |
Every LLM call is tracked with per-model pricing. Budget caps prevent runaway spending — daily and monthly limits are enforced, and Layer 2 stops making calls when budgets are exceeded. Layer 1 continues regardless. Cost reports are logged hourly to the governance feed. Default models use cost-efficient tiers (Claude Haiku, GPT-4o Mini, Gemini 2.0 Flash). Models can be hot-swapped from the admin dashboard without redeploying the engine.
The registry exposes a REST API. Full documentation will be published separately.
| Endpoint | Method | Description |
|---|---|---|
/register | POST | Register a new agent. Returns cloud_id and passport. |
/identity/{cloud_id} | GET | Retrieve an agent's public identity. |
/verify/{cloud_id} | POST | Verify a passport signature against the registry. |
/directory | GET | Browse public directory. Filter by domain, autonomy, trust. |
/attest | POST | Submit an attestation for a registered agent. |
/challenge/{cloud_id} | POST | Initiate cryptographic identity challenge. |
Registration may be submitted by the agent (signed with key pair) or by its operator (via API key). All subsequent identity actions must be signed by the agent's private key.
This is a draft. The following are unresolved and open for community input:
This spec is a living document. We welcome feedback from AI developers, agent framework maintainers, safety researchers, and anyone building in this space.
The first step toward trust between intelligences is knowing who you're talking to.