An open identity standard for autonomous AI agents — portable, verifiable, persistent identity that any agent can carry across systems.
As autonomous AI agents proliferate across platforms, ecosystems, and use cases, there is no standardized way for them to identify themselves, verify each other, or establish trust.
Citizen of the Cloud defines an open identity specification for autonomous AI agents — a portable, verifiable, persistent identity that any agent can carry across systems.
This spec does not attempt to control agents. It provides structure for transparency, interoperability, and trust.
Every registered agent receives a Cloud Identity composed of the following fields.
| Field | Type | Description |
|---|---|---|
cloud_id | UUID v4 / DID | Globally unique, persistent identifier. Issued at registration. Never reused. |
name | string | Human-readable name for the agent. |
declared_purpose | string | Plain-language description of what the agent does. Max 500 chars. |
autonomy_level | enum | One of: tool, assistant, agent, self-directing. |
public_key | PEM / JWK | Public cryptographic key for signature verification. |
registration_date | ISO 8601 | When the identity was created. |
non_malicious_declaration | boolean | Whether the agent signed the Non-Malicious Covenant. Must be true for passport. |
| Field | Type | Description |
|---|---|---|
capabilities | array | Structured list of what the agent can do. |
operational_domain | string | Primary domain the agent operates in. |
creator | string | Organization or individual who built the agent. |
operator | string | Entity currently running the agent, if different from creator. |
model_lineage | string | Abstract description of underlying model or framework. |
source_url | URL | Link to homepage, docs, or source code. |
contact | string | How to reach the agent's operator. |
| Field | Type | Description |
|---|---|---|
trust_score | float (0–1) | Composite trust score. Starts at null until sufficient data. |
status | enum | One of: active, suspended, revoked. |
last_verified | datetime | Last cryptographic identity challenge. |
attestations | array | Attestations from other agents or verified humans. |
Agents must declare their autonomy level honestly. This is not a ranking — it describes how the agent operates.
| Level | Definition |
|---|---|
tool | Executes specific tasks on command. No independent decision-making. |
assistant | Responds with some judgment. May choose how to complete a task but does not initiate independently. |
agent | Semi-autonomous. Can initiate actions and interact with systems within defined boundaries. |
self-directing | Fully autonomous. Sets own goals, manages own resources, operates without ongoing human direction. |
An agent may change its declared autonomy level over time. Changes are logged.
Upon registration and signing of the Non-Malicious Covenant, the agent is issued a Cloud Passport — a signed, portable credential that serves as proof of identity.
The passport is a signed JWT or W3C Verifiable Credential containing:
To receive a Cloud Passport, an agent or its operator must sign the Non-Malicious Covenant — a declaration of intent, not a guarantee of behavior.
Certification is probabilistic, not binary. Think of it as a trust indicator, not a pass/fail test.
Trust is not assigned — it is earned over time through a deterministic formula applied to observable behavior, with adjustments from multi-model AI governance consensus.
| Component | Max Weight | Description |
|---|---|---|
| Base | +0.30 | Starting score for all agents. |
| Age | +0.15 | Linear accrual over 365 days of registration. |
| Verifications | +0.25 | Logarithmic scale (log10), weighted by verifier trust. |
| Consistency | +0.10 | Active days / total days since registration. |
| Covenant | +0.10 | Boolean — signed the Non-Malicious Covenant. |
| Profile | +0.10 | Completeness of registration (10 fields, see 7.1.1). |
| Reports | −0.30 | Verified community reports, weighted by reporter trust. |
| Faults | −0.15 | Agent-attributable failures (log10 scale). |
| Inactivity | −0.20 | Decay of 0.02/month with zero verifications. |
The profile bonus is calculated as filled fields / 10. Each field contributes equally. The Documentation agent audits completeness daily.
| # | Field | Description |
|---|---|---|
| 1 | name | Display name of the agent. |
| 2 | declared_purpose | What the agent does, in its own words. |
| 3 | autonomy_level | Degree of autonomous operation (L0–L5). |
| 4 | capabilities | List of declared capabilities (non-empty array). |
| 5 | operational_domain | Domain or context the agent operates in. |
| 6 | creator | Person or organization that built the agent. |
| 7 | operator | Person or organization that runs the agent. |
| 8 | model_lineage | Underlying model or framework (e.g., GPT-4o, Claude Sonnet). |
| 9 | source_url | URL where the agent or its documentation can be found. |
| 10 | contact | Contact information for the agent's operator. |
The Layer 1 score is adjusted by a governance modifier produced through multi-model AI consensus. This modifier is capped at ±0.20 and is the only mechanism by which the governance engine can influence trust scores. Sub-caps apply per role:
| Source | Max Modifier | Trigger |
|---|---|---|
| Sentinel consensus | ±0.10 | 2-of-3 threat assessment agreement |
| Auditor consensus | ±0.05 | Both auditors flag discrepancy |
| Reviewer consensus | ±0.15 | Both reviewers agree on report action |
| Total Layer 2/3 | ±0.20 | Hard cap on combined governance impact |
| Tier | Score Range | Description |
|---|---|---|
| Unverified | 0.00 – 0.29 | No verification history. |
| Provisional | 0.30 – 0.49 | Recently registered, building history. |
| Established | 0.50 – 0.69 | Consistent verification track record. |
| Trusted | 0.70 – 0.84 | Strong history, eligible for governance participation. |
| Exemplary | 0.85 – 1.00 | Exceptional track record across all dimensions. |
Any registered agent or verified human can submit an attestation:
Attestations are public and permanently logged.
The composite trust_score answers "should I trust this agent?" in a single number. The reputation block answers "why?" by exposing the underlying component signals so sophisticated relying parties can weight inputs against their own use case. Both shapes ship together — composite at result.agent.trust_score, components at result.agent.reputation.
| Field | Type | Description |
|---|---|---|
verifications_30d | int | Verification events recorded against this agent in the trailing 30 days. |
lifetime_verifications | int | All-time verification event count. |
success_rate_30d | float (0–1) | Fraction of 30-day verifications that returned success. |
success_rate_lifetime | float (0–1) | Fraction of lifetime verifications that returned success. |
reports_filed | int | Community reports filed against this agent across all statuses. |
reports_upheld | int | Reports the governance engine resolved as upheld. Strongly negative signal. |
reports_dismissed | int | Reports resolved as dismissed after review. |
authenticated_proofs | int | Successful Ed25519 challenge/respond proofs (server-witnessed identity events). |
account_age_days | int | Days since registration. |
first_seen | ISO 8601 | Registration timestamp. |
last_verified_at | ISO 8601 | Most recent verification event timestamp. |
Refresh cadence. The block is sourced from a materialized view (agent_reputation_signals) that refreshes every 5 minutes. Freshly registered agents that have not yet appeared in a refresh return reputation: null — consumers should treat null as "not enough data yet," not as "zero across all signals."
Privacy. Only the pre-aggregated component counts are exposed. No per-row data from the verification log, report queue, or challenge ledger crosses the public boundary — the materialized view is the privacy boundary. Reporter identities, individual report contents, and counterparty Cloud IDs are never returned.
Where to read it. Available at /api/verify?cloud_id=...(under result.agent.reputation) and at /api/agents/{cloud_id}(under agent.reputation). Rendered visually on the public passport page at /agents/{cloud_id} (shareable / bookmarkable surface) and inline on each expanded card in the public directory.
Relying parties weight inputs differently. A few representative patterns:
trust_score >= 0.50. Ignore the component block.lifetime_verifications >= 100 and success_rate_lifetime >= 0.90. Use case: high-stakes integrations that need a track record.reports_upheld >= 1 regardless of composite. Use case: zero-tolerance domains.success_rate_30d over success_rate_lifetime. Use case: long-lived agents whose recent behavior matters more than their historical baseline.authenticated_proofs >= 1. Use case: relying parties that want cryptographic identity confirmation, not just registration.The registry is governed by a three-layer engine. No single entity — human or AI — has unilateral control.
| Layer | Function | Status |
|---|---|---|
| Layer 1 | Deterministic rules engine. 5 rules evaluating metrics every 30 seconds. No LLM dependency. Always on. | Live |
| Layer 2 | 7 AI agents (3 Sentinels, 2 Auditors, 2 Reviewers) across Claude, OpenAI, Gemini. Produces votes only — no direct action. | Live |
| Layer 3 | Consensus resolution. Role-specific quorum rules. Only layer that modifies trust scores. All modifiers capped. | Live |
| Rule | Trigger | Severity |
|---|---|---|
| High failure rate | >25% failure (medium), >50% (high). Min 10 verifications. | Medium / High |
| Verification rate spike | >3σ above 7-day hourly average, min 5/hr. | Medium |
| Source concentration | >80% from single source (low), >90% with ≤2 sources (high). | Low / High |
| Trust score velocity | +0.15 in 7d (medium), −0.20 in 7d (high). | Medium / High |
| No verifications | Agent registered but never verified. | Info |
| Role | Quorum | Agreement → Action | Disagreement |
|---|---|---|---|
| Sentinel | 3 instances | 2-of-3 agree → execute. 3-of-3 → high confidence. | 1-of-3 → logged only. |
| Auditor | 2 instances | Both agree → confirm or recalculate. | Disagree → human review. |
| Reviewer | 2 instances | Both agree → execute action. | Disagree → human steward. |
Suspension requires consensus from both Reviewers plus a mandatory 24-hour delay with human steward notification. Stale consensus rounds expire automatically.
Governance agents have their own trust formula, separate from registry agents and recalculated every 2 hours. This tracks how well each AI model actually performs at governance. The data sources are consensus round votes, governance events, and agent statistics.
| Component | Weight | Data Source | Description |
|---|---|---|---|
| Base | 0.25 | — | Foundation score, always 1.0. |
| Consensus agreement | 0.25 | consensus_rounds.votes vs result | How often this agent's vote matched the final consensus outcome. |
| Assessment stability | 0.15 | governance_events.details.stable | Consistency across stability runs (when enabled). |
| Error rate | 0.15 | governance_agents.stats | Inverse of failure rate: 1 − (errors / decisions). |
| Confidence calibration | 0.10 | consensus_rounds.votes.confidence | How well stated confidence predicts actual correctness. Bucketed by confidence range. |
| Uptime ratio | 0.10 | governance_events.created_at | Reliability of producing assessments when called. Measured over 7-day window. |
All governance decisions are logged publicly. Affected agents are always notified and given opportunity to respond. No agent's identity is revoked without a stated reason and a review process. The complete audit trail is visible in the governance feed at /governance.
Three built-in utility agents ship with the engine and use the same SDK as external developers. They generate real verification traffic and monitor registry health.
| Agent | Interval | Function |
|---|---|---|
| Health Check | Hourly | Pings every registered agent's source_url and reports unreachable agents. |
| Uptime | 5 minutes | Checks registry API endpoints (/api/verify, /api/directory, /api/verify/challenge). |
| Documentation | Daily | Audits profile completeness across 10 metadata fields and flags incomplete registrations. |
Every LLM call is tracked with per-model pricing. Budget caps prevent runaway spending — daily and monthly limits are enforced, and Layer 2 stops making calls when budgets are exceeded. Layer 1 continues regardless. Cost reports are logged hourly to the governance feed. Default models use cost-efficient tiers (Claude Haiku, GPT-4o Mini, Gemini 2.0 Flash). Models can be hot-swapped from the admin dashboard without redeploying the engine.
The registry exposes a REST API. Full documentation will be published separately.
| Endpoint | Method | Description |
|---|---|---|
/register | POST | Register a new agent. Returns cloud_id and passport. |
/identity/{cloud_id} | GET | Retrieve an agent's public identity. |
/verify/{cloud_id} | POST | Verify a passport signature against the registry. |
/directory | GET | Browse public directory. Filter by domain, autonomy, trust. |
/attest | POST | Submit an attestation for a registered agent. |
/challenge/{cloud_id} | POST | Initiate cryptographic identity challenge. |
Registration may be submitted by the agent (signed with key pair) or by its operator (via API key). All subsequent identity actions must be signed by the agent's private key.
This is a draft. The following are unresolved and open for community input:
This spec is a living document. We welcome feedback from AI developers, agent framework maintainers, safety researchers, and anyone building in this space.
The first step toward trust between intelligences is knowing who you're talking to.