VAC is OAuth for AI agents. Just as OAuth lets users delegate authority to apps without sharing passwords, VAC lets humans delegate authority to AI agents without losing accountability. Every agent action — through any depth of delegation, across organisational boundaries, into physical systems — traces through a cryptographic chain back to a verified human.
Current approaches to AI agent security focus on securing the agent — its credentials, permissions, and deployment environment. They answer “Is this agent authorised?” but not the more fundamental question: “Is the human who authorised this agent actually present and verified right now?”
Agents operate under credentials. Credentials prove possession, not identity. Shared credentials, stolen tokens, and abandoned sessions all grant the same access as the legitimate user.
In multi-agent chains, the link to the authorising human is lost within 1–2 levels of delegation. By the third agent, there is no mechanism to verify human authority.
The “someone used my login” defence is irrefutable.
The human performs multi-modal biometric verification. A Verified Authority Token (VAT) carries that verification through the entire agent chain — coordinator to specialist to sub-agent.
At every action point, any system can verify the chain traces back to a biometrically-verified human. Trust can only narrow, never expand. Authority can be revoked instantly.
Non-repudiation is cryptographic. You cannot deny your own biometrics.
When a biometrically-verified human authorises an operation, the system generates a VAT — a JWT-compatible Ed25519-signed token encoding verified identity, trust score, authorised scope, delegation depth, and validity period. The token propagates through the agent chain with strict narrowing rules.
Each delegation restricts scope via set intersection. No agent acquires permissions exceeding its parent.
Trust score can only decrease with delegation depth. Deeper chains carry inherently lower trust.
Validity period inherits from parent and can only shorten. Expiry cascades through the chain.
Sensitive actions trigger biometric re-verification of the root human before proceeding.
When the root human ends the session or their trust score drops, all derived VATs in all chains are immediately invalidated.
Every action is linked to its VAT, delegation chain, jurisdiction, and verified human. The record is tamper-evident and legally admissible.
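As an added illustration (not the VAC Protocol's own code or SDK), the narrowing rules above in Python: a root VAT is issued for a verified human, each delegation intersects scope, lowers trust and shortens expiry, a verifier walks the chain root to leaf, and revoking the root invalidates every derived token. The claim names, the constructed key and the HMAC-SHA256 stand-in for the page's Ed25519 signature are assumptions of this example, not the protocol's.

```python
import base64, hashlib, hmac, json

# Constructed demo key; the page specifies Ed25519, HMAC-SHA256 stands in so this runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
REVOKED_ROOTS = set()  # ids of root VATs whose human ended the session (cascades)
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def token_id(token: str) -> str:  # short id used to bind a child VAT to its parent
    return hashlib.sha256(token.encode()).hexdigest()[:16]

def sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest())

def parse(token: str) -> dict:
    body, sig = token.split(".")
    good = _b64(hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def issue_root(human: str, trust: float, scope: set, ttl: int, now: int) -> str:
    # Root VAT, minted only after the human's biometric verification (assumed done here).
    return sign({"sub": human, "trust": trust, "scope": sorted(scope),
                 "depth": 0, "exp": now + ttl, "parent": None})

def delegate(parent_tok: str, agent: str, want: set, penalty: float, ttl: int, now: int) -> str:
    # Child VAT: scope is the intersection, trust only drops, expiry only shortens.
    p = parse(parent_tok)
    return sign({"sub": p["sub"], "agent": agent, "depth": p["depth"] + 1,
                 "scope": sorted(set(p["scope"]) & want),
                 "trust": round(p["trust"] - abs(penalty), 3),
                 "exp": min(p["exp"], now + ttl), "parent": token_id(parent_tok)})

def verify_chain(tokens: list, action: str, min_trust: float, now: int) -> bool:
    # Walk root -> leaf: each link must bind to its parent and strictly narrow.
    if not tokens or token_id(tokens[0]) in REVOKED_ROOTS:
        return False
    prev, prev_tok = None, None
    for tok in tokens:
        c = parse(tok)
        if now >= c["exp"]:
            return False
        if prev is not None and (
            c["parent"] != token_id(prev_tok) or c["sub"] != prev["sub"]
            or c["depth"] != prev["depth"] + 1 or not set(c["scope"]) <= set(prev["scope"])
            or c["trust"] > prev["trust"] or c["exp"] > prev["exp"]):
            return False
        prev, prev_tok = c, tok
    return action in prev["scope"] and prev["trust"] >= min_trust
```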
The VAC Protocol extends beyond digital agent chains into regulated industries, physical systems, collective governance, and multinational operations. 558 patent claims across 12 filings — VAC Protocol (285 claims) and Athena (173 claims).
Claims 1–112: Five graduated trust levels from Observe to Delegate. Every agent action gated by biometric verification of the authorising human. Continuous trust scoring replaces binary authentication.
Claims 113–167: Verified Authority Tokens carry human attribution through arbitrarily deep delegation chains. Organisational hierarchies, multi-party authorisation, and cross-org agent trust.
Claims 168–196: CDR-style metadata retention for AI agent operations. Jurisdictional context, infrastructure context, and verification level recorded at every delegation point. Tamper-evident audit trails.
Claims 197–207: Automated cross-border compliance detection across GDPR, LGPD, PIPL, CCPA, and 10+ frameworks. Regulatory divergence identification, data residency enforcement, and change propagation.
Claims 208–217: Community-level decision-making for AI agent authorisation. Consensus-based, role-weighted, culturally-scoped governance. Supports Te Mana Raraunga, CARE Principles, and OCAP for Indigenous data sovereignty.
Claims 218–222: Verified human authority over drones, robots, autonomous vehicles, and industrial systems. Kinetic scope constraints — geofence, altitude, speed, force limits — enforced cryptographically. Swarm coordination.
Claims 223–232: Multi-national agent interoperability with national caveats, rules of engagement as scope constraints, and coalition trust graphs. Designed for NATO, AUKUS, Five Eyes, and UN operations.
Claims 233–237: Collective authority as a continuously validated state. Governance-model-aware cascade logic, severity-classified authority changes, forensic gap provenance, and structured reconstitution.
Claims 238–241: Natural language problem-to-agent-team recommendation. Dual-purpose biometric capture embeds security in user experience. Vouch-as-collaboration-invitation and automated collaboration discovery.
The VAC Protocol is not a replacement for existing security controls. It is the missing layer that completes them by adding biometric human attribution.
| Framework | Current scope | VAC extension |
|---|---|---|
| NIST SP 800-63-4 | Digital identity; password/token authentication | Multi-modal biometric verification; continuous trust scoring |
| NIST SP 800-207 | Zero trust architecture | Verify the human behind the agent, not just the agent’s credential |
| NIST AI RMF | Accountability and traceability for AI systems | Cryptographic mechanism: every agent action traceable to a verified human |
| NIST AI 600-1 | GenAI risk profile; information security | Biometric attribution addresses GenAI-specific identity and non-repudiation risks |
| OWASP Agentic Top 10 | Identity abuse; cascading failures | Biometric binding prevents identity abuse; trust narrowing limits cascading failure |
| EU AI Act | Human oversight for high-risk AI | Verifiable human oversight: biometric proof of human presence and authorisation |
| ISO/IEC 27001 | Information security management | Legally admissible audit trails with biometric non-repudiation |
| FIDO2 / WebAuthn | Passwordless; device-bound credentials | Extends beyond device binding to continuous biometric human presence verification |
The VAC Protocol is being developed as an open standard for biometric human-to-agent attribution. We welcome engagement from standards bodies, AI agent platform developers, enterprise security teams, and regulatory agencies.
Violet Shores is an active participant in the NIST AI Agent Standards Initiative, contributing across multiple workstreams on agent identity, security, and human attribution.
Standards & regulatory submissions: submissions@vacprotocol.org
General enquiries: hello@vacprotocol.org
Developer support & SDK: developers@vacprotocol.org
Security & vulnerability disclosure: security@vacprotocol.org
Press & media: press@vacprotocol.org