Every AI agent action needs a cryptographic record proving who authorized it, what the constraints were, and whether they were honored. Existing protocols were built for humans — not autonomous agents. IPP was built for this.
Every enterprise security framework built in the last thirty years assumes a human is the actor at the center of every consequential action. AI agents have invalidated that assumption entirely.
OAuth requires a human to click a consent screen. AI agents running autonomously for days cannot do this. Developers work around it with broad pre-granted scopes and shared service accounts — creating exactly the exposure OAuth was designed to prevent.
When a CFO says "optimize cash positions and move idle balances over $10M into short-term treasuries," that instruction contains a goal, a constraint, and a boundary. OAuth's scopes — "read email," "write calendar" — were never designed to carry machine-enforceable human intent.
When one agent spawns a sub-agent, there is no protocol-level mechanism ensuring the derived agent cannot exceed the original human's intent. Each delegation step is a potential scope expansion with no cryptographic check.
OAuth logs tell you what an agent was allowed to do. They cannot tell you why it did it, who authorized it, what the constraints were, or who is legally accountable. That is a provenance gap. And it is the one regulators are about to close.
IPP introduces four foundational properties enforced through Ed25519 digital signatures, Decentralized Identifiers, and the Narrowing Invariant — a novel enforcement mechanism that makes scope expansion cryptographically detectable.
Every action taken by every agent is traceable through an unbroken chain of cryptographic signatures to a human Principal — a person with a name, a legal jurisdiction, and accountability. Not a service account. A person.
Every Intent Token carries explicit, machine-readable constraints on authorized scope. Those constraints travel through every delegation level and cannot be expanded by any intermediate agent. The Narrowing Invariant enforces this cryptographically.
Every token is cryptographically signed. The record is verifiable by any third party — auditors, regulators, counterparties — without requiring communication with the original issuer. Legally defensible by design.
Compliant implementations work regardless of AI framework, cloud environment, or programming language. Any conformant implementation can verify any conformant token. Framework-agnostic. Cloud-agnostic. Open standard.
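What a narrowing check over a delegation chain can look like, as an added sketch that is not IPP's token format or SDK code. The field names (`parent`, `actions`, `limits`, `expires`) and the sample tokens are assumptions, and the per-token Ed25519 signature check is left out so the block runs on the Python standard library alone.

```python
import hashlib
import json

def digest(token):
    """SHA-256 over canonical JSON; binds a child token to its exact parent."""
    return hashlib.sha256(json.dumps(token, sort_keys=True).encode()).hexdigest()

def make_token(parent, actions, limits, expires):
    """Hypothetical token layout (assumption, not the IPP wire format)."""
    return {"parent": digest(parent) if parent else None,
            "actions": actions, "limits": limits, "expires": expires}

def narrowing_violations(parent, child):
    """Return the ways the child exceeds its parent; an empty list means narrowed."""
    problems = []
    if child["parent"] != digest(parent):
        problems.append("parent digest mismatch")
    extra = set(child["actions"]) - set(parent["actions"])
    if extra:
        problems.append("actions added: " + ", ".join(sorted(extra)))
    for name, limit in parent["limits"].items():
        # A limit set by the parent must still be present and must not grow.
        if name not in child["limits"]:
            problems.append("limit dropped: " + name)
        elif child["limits"][name] > limit:
            problems.append("limit raised: " + name)
    if child["expires"] > parent["expires"]:
        problems.append("expiry extended")
    return problems

def verify_chain(chain):
    """chain[0] is the human Principal's root token; later tokens are delegations."""
    if chain[0]["parent"] is not None:
        return [(0, "root token must have no parent")]
    findings = []
    for i in range(1, len(chain)):
        findings += [(i, p) for p in narrowing_violations(chain[i - 1], chain[i])]
    return findings

# Constructed sample chain: principal -> treasury agent -> sub-agent.
ROOT = make_token(None, ["read_balances", "buy_treasuries"], {"max_usd": 50_000_000}, 1_800_000_000)
AGENT = make_token(ROOT, ["read_balances", "buy_treasuries"], {"max_usd": 20_000_000}, 1_790_000_000)
GOOD_SUB = make_token(AGENT, ["read_balances"], {"max_usd": 0}, 1_780_000_000)
BAD_SUB = make_token(AGENT, ["read_balances", "wire_transfer"], {"max_usd": 25_000_000}, 1_790_000_000)

if __name__ == "__main__":
    print(verify_chain([ROOT, AGENT, GOOD_SUB]))  # no findings
    print(verify_chain([ROOT, AGENT, BAD_SUB]))   # sub-agent widened its scope
```

Because each child commits to its parent's digest, editing an intermediate token after delegation breaks the link to every token derived from it, which is what lets a third party detect expansion without contacting the issuer.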
The IPP Python SDK adds cryptographic governance to any existing LangChain, AutoGen, or CrewAI agent without modifying its logic. Drop it in. Every action is now governed, audited, and provably authorized.
| Requirement | OAuth / SAML | Intent Provenance Protocol |
|---|---|---|
| Human authentication | ✓ Strong | — Complementary layer |
| Bounded intent — machine-enforceable | ✕ Not supported | ✓ Core primitive |
| Delegation chain — cryptographic | ✕ Not supported | ✓ Narrowing Invariant |
| Scope narrows — cannot expand | ✕ Not enforced | ✓ Protocol-enforced |
| Action provenance — append-only audit | ✕ Not supported | ✓ Provenance chain |
| Legal attribution — defensible | ✕ Not supported | ✓ Non-repudiation by design |
| Cross-org trust — no central authority | ✕ Requires federation | ✓ Decentralized verification |
| Revocation — mid-chain propagation | ✕ Token-level only | ✓ Full ancestry revocation |
| Authorship — permanent cryptographic record | ✕ Not supported | ✓ Genesis Seal |
IPP is not an identity platform. It is the intent provenance standard that identity platforms implement.
Identity and access platforms govern who an agent is and what it can access. IPP governs why it acted, under whose bounded human intent, and provides the cryptographic proof that the action stayed within those bounds. These are complementary layers — IPP sits beneath identity platforms and above the cryptographic infrastructure they depend on.
I have 17 years in cybersecurity and have spent my career watching enterprises struggle to answer basic accountability questions about their systems.
When AI agents arrived, the same gap appeared — but at a scale and speed that existing protocols cannot address. So I built the infrastructure layer to fix it.
My name is embedded mathematically in every token this protocol produces. It cannot be removed.
Five structural failures that no patch can fix — and what the protocol layer beneath AI agents actually needs to look like. The argument every enterprise security leader needs to read before August 2026.
How IPP prevents scope creep in agent delegation chains — cryptographically, without a central authority.
August 2026 enforcement means organizations must prove AI actions were authorized at time of execution.
Every enterprise deploying AI agents today is accumulating compliance exposure they cannot yet address. The window to build the infrastructure is closing.