AIGP is an open specification for structured, tamper-evident events that prove what policies, prompts, tools, and data governed your AI agents — every single time.
Agents access company data, make decisions, and interact with customers. Regulators, auditors, and security teams all need to answer the same question:
"Prove your AI agents used the approved prompts, tools, and policies — every single time."
Every team invents its own audit log. Grep through unstructured logs, build custom tables, or don't track it at all.
Logs can be edited after the fact. There's no cryptographic proof that the content delivered was what was approved.
Which agent, which prompt version, which policy, what happened? Reconstructing the chain requires joining across five systems.
An AIGP event is a single JSON record that captures proof of one governance action, including selective Merkle inclusion verification.
{
  "spec_version": "0.12",
  "event_id": "0e58d9ff-0f7c-4ef7-8f6f-86a281e0d8fd",
  "event_type": "GOVERNANCE_PROOF",
  "event_category": "governance-proof",
  "event_time": "2026-02-25T18:10:00.123Z",
  "ingested_at": "2026-02-25T18:10:00.456Z",
  "tenant_id": "tenant.4f8b6d1e9c024e1a",
  "tenant_name": "Enterprise Tenant A",
  "org_id": "org.global-risk-operations",
  "org_name": "Global Risk Operations",
  "agent_id": "agent.trade-reviewer",
  "agent_name": "Trade Reviewer",
  "trace_id": "492bb01803914901bd0655610b44fa58",
  "span_id": "4957279025044105",
  "parent_span_id": "0b005cdcf90c4f22",
  "trace_flags": "01",
  "sequence_number": 6,
  "causality_ref": "8a2fc291-773c-4491-8ce6-02d57357a97f",
  "parent_hash": "87109bdf96d8520e98721b8815716209eed4a513e817dd8b59805e174be55ce5",
  "query_hash": "",
  "previous_hash": "",
  "source_ip": "203.0.113.42",
  "request_method": "POST",
  "request_path": "/v1/governance/evaluate",
  "data_classification": "Internal",
  "denial_reason": "",
  "violation_type": "",
  "severity": "",
  "governance_hash": "0f51abe5b39c4154f24c9f3e59f03f2e9f54bd22ec0f5b2f129e2c1e6149d8f0",
  "hash_type": "merkle-sha256",
  "aigp_hash": "4fc778ac94db184f8375dececa60bc29be4138782f7d7bc3e9f14c910060e23f",
  "governance_merkle_tree": {
    "algorithm": "sha256",
    "resource_count": 4,
    "resources": [
      {
        "resource_type": "policy",
        "resource_name": "policy.access-control-v2",
        "hash": "0f51abe5b39c4154f24c9f3e59f03f2e9f54bd22ec0f5b2f129e2c1e6149d8f0",
        "template_hash": "e4a7126e7a8fd85a4b0bf47726be19128f4d0d0ab7ec72f11147046f8d31f189",
        "is_salted": true,
        "salt_ref": "kms://vault/salts/session-42"
      },
      {
        "resource_type": "prompt",
        "resource_name": "prompt.system-instructions-v3",
        "hash": "73b9a73fd7b2ec5e6f1f42d2a4ad62b0fb68484ef5f4d2eb4dc2915b47dc0189"
      },
      {
        "resource_type": "prompt",
        "resource_name": "prompt.user-context-template-v2",
        "hash": "8a20c65255b78bc83f235e887d6bb6bf1a5ccc05b0ef2cfa8759baa2b5de1aee",
        "template_hash": "1be70f533579f4f9d1b05622a55bfdece3dfad091a2d75636b1fb2dd7f7f5211"
      },
      {
        "resource_type": "tool",
        "resource_name": "tool.transaction-validator",
        "hash": "6935d7a1995a9e7e37ab5019991de31de138a38e22e7aeaebc70ca382aa1697a",
        "template_hash": "5935d7a1995a9e7e37ab5019991de31de138a38e22e7aeaebc70ca382aa1697a"
      }
    ],
    "inclusion_proofs": [
      {
        "leaf_hash": "8a20c65255b78bc83f235e887d6bb6bf1a5ccc05b0ef2cfa8759baa2b5de1aee",
        "proof_path": [
          {
            "sibling_hash": "73b9a73fd7b2ec5e6f1f42d2a4ad62b0fb68484ef5f4d2eb4dc2915b47dc0189",
            "sibling_position": "left"
          },
          {
            "sibling_hash": "64725eec8917919cd93a848b8cebbc0b59d3f88263aaf9fbb1e6512d8f974883",
            "sibling_position": "right"
          }
        ]
      }
    ]
  },
  "event_signature": "eyJhbGciOiJFUzI1NiIsImtpZCI6ImFpZ3Aua2V5LnYxIiwidHlwIjoiSldUIn0.eyJldmVudF9pZCI6IjBlNThkOWZmLTBmN2MtNGVmNy04ZjZmLTg2YTI4MWUwZDhmZCJ9.",
  "signature_key_id": "aigp.key.v1",
  "annotations": {
    "signed": {
      "proof_type": "full_merkle_audit",
      "verdict": "GOVERNED",
      "hash_stable": true,
      "regulatory_hooks": ["ISO-42001", "SOC2"],
      "chain_verified": true
    },
    "unsigned": {
      "delivery_count": 268,
      "first_seen": "2026-02-25T18:10:00.000Z",
      "trace_profile": "w3c-trace-context",
      "topology_class": "single_agent",
      "events_in_chain": 5
    }
  }
}
Canonical field constraints and descriptions are published at /schema/aigp-event.v0.12.schema.json. The inline sample is illustrative; producers should validate against the schema artifact.
Works with A2A, MCP, REST, gRPC, or anything else. The format doesn't assume a transport.
Every event includes a SHA-256 governance_hash. If content changes, the hash won't match.
Every event carries a trace_id. One query reconstructs the full governance chain.
Single wide event table — no joins for governance queries. Designed for OLAP stores.
Resources (governed, hashed) and Annotations (informational). Open types — extend without a spec change.
JWS ES256 event signing for non-repudiation. Causal ordering with sequence numbers and DAG references.
AIGP doesn't just log what happened — it produces cryptographic evidence that nothing was altered after the fact.
Each governed resource — policy, prompt, tool definition, agent config — is hashed individually. Parent hashes combine children. The root becomes the governance_hash on every AIGP event. Leaf positions are hash-sorted for determinism, so order is stable across SDKs.
Every event is signed with ES256 (ECDSA P-256) via JWS Compact Serialization. The signer's key is embedded in the event — consumers verify independently.
Monotonic sequence_number per agent and causality_ref pointers create a directed acyclic graph — no event can be inserted or reordered without breaking the chain.
Change one byte of a governed policy and the Merkle root changes. The governance_hash in the audit trail won't match — evidence of tampering is immediate and undeniable.
Vendor neutral. Interoperable. Composable by design.
Observability
trace_id correlation, span events, semantic conventions
Transport
Structured + binary mode, extension attributes, CNCF v1.0
Policy Enforcement
Policy rules, allow/deny decisions, enforcement digest
Data Lineage
Custom facets, Merkle tree leaves, RunEvent integration
Tool Protocol
Tool invocation governance, resource hashing, context capture
Agent Protocol
Agent-to-agent governance, cross-agent tracing, boundary events
AIGP ships with 31 event types across 15 categories — and you can define your own using the RESOURCE_ACTION naming convention.
Prove trading agents accessed approved limits. MNPI controls enforced.
SEC · FINRA · MiFID II
Audit patient-facing agents for HIPAA-compliant consent and PHI access controls.
HIPAA · HITECH · FDA
Track which contract agents used which prompt versions and privilege rules.
ABA Model Rules · GDPR Art. 22
Single audit trail across all AI agents for your CISO and compliance team.
SOC 2 · ISO 27001 · NIST AI RMF
Optional Merkle leaf fields is_salted and salt_ref enable privacy-preserving verification without storing raw salt in events.
Optional is_partial, offset_unit, and offset fields prove the exact point where blocked generation was interrupted.
Stable verifier finding IDs standardize failure reporting across tools: SIGNATURE_VERIFICATION_FAILED, MERKLE_ROOT_MISMATCH, and INCLUSION_PROOF_INVALID.
Python, TypeScript, Go, Rust, Java, Kotlin, and .NET now share spec-aligned inclusion proof helpers using leaf_hash and proof_path.
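The hash-sorted Merkle root and the leaf_hash / proof_path inclusion proofs described above, together with the MERKLE_ROOT_MISMATCH and INCLUSION_PROOF_INVALID finding IDs, can be exercised end to end in a few functions. This is an added example, not AIGP SDK code. Assumptions: a parent is SHA-256(left || right) over raw digests, an unpaired node is promoted unchanged, a leaf hash is SHA-256 of the resource content, the finding IDs map to the two checks as shown, and the resource contents are constructed; the published schema and spec define the normative rules.

```python
from hashlib import sha256

def tree_levels(leaf_hashes):
    # Leaves are hash-sorted, as the page describes. Assumptions: a parent is
    # SHA-256(left || right) over raw digests; an unpaired node is promoted as-is.
    levels = [sorted(bytes.fromhex(h) for h in leaf_hashes)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([sha256(cur[i] + cur[i + 1]).digest() if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(leaf_hashes, leaf_hash):
    levels = tree_levels(leaf_hashes)
    idx, path = levels[0].index(bytes.fromhex(leaf_hash)), []
    for level in levels[:-1]:
        if (idx ^ 1) < len(level):  # a promoted node has no sibling at this level
            path.append({"sibling_hash": level[idx ^ 1].hex(),
                         "sibling_position": "left" if idx & 1 else "right"})
        idx //= 2
    return {"leaf_hash": leaf_hash, "proof_path": path}

def fold_proof(proof):
    try:
        node = bytes.fromhex(proof["leaf_hash"])
        for step in proof["proof_path"]:
            sib = bytes.fromhex(step["sibling_hash"])
            pair = {"left": sib + node, "right": node + sib}[step["sibling_position"]]
            node = sha256(pair).digest()
    except (KeyError, TypeError, ValueError):
        return None  # a malformed proof never verifies
    return node.hex()

def verify_event(event):
    # Finding IDs are the page's; which check reports which one is an assumption.
    tree, root, findings = event["governance_merkle_tree"], event["governance_hash"], []
    if tree_levels([r["hash"] for r in tree["resources"]])[-1][0].hex() != root:
        findings.append("MERKLE_ROOT_MISMATCH")
    if any(fold_proof(p) != root for p in tree.get("inclusion_proofs", [])):
        findings.append("INCLUSION_PROOF_INVALID")
    return findings

# Constructed sample: leaf hash = SHA-256 of the resource content (assumption).
CONTENT = {"policy.access-control-v2": b"allow: trade-review",
           "prompt.system-instructions-v3": b"You review trades.",
           "tool.transaction-validator": b'{"name": "validate"}'}
LEAVES = [sha256(c).hexdigest() for c in CONTENT.values()]
EVENT = {"governance_hash": tree_levels(LEAVES)[-1][0].hex(), "governance_merkle_tree": {
    "resources": [{"resource_name": n, "hash": h} for n, h in zip(CONTENT, LEAVES)],
    "inclusion_proofs": [inclusion_proof(LEAVES, LEAVES[0])]}}
```

verify_event(EVENT) returns an empty list; replacing one resource hash or one sibling_hash in a copy of EVENT yields the corresponding finding ID.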
Choose your SDK, emit one event, and you have cryptographic governance proof linked to your trace context.
from aigp import AIGPInstrumentor

instrumentor = AIGPInstrumentor(agent_id="agent.trading-bot-v2")
event = instrumentor.emit(
    "INJECT_SUCCESS",
    policy_name="policy.trading-limits",
    policy_version=4,
    content="Max position: $10M",
)
print(event["event_type"], event["governance_hash"])
AIGP is shared under Apache 2.0. The right format will emerge from real-world use across different industries and regulatory regimes.