| Internet-Draft | Agent Override Protocol | March 2026 |
| Nennemann | Expires 7 September 2026 | [Page] |
This document defines a cross-vendor interoperable protocol for human operators to override autonomous agent decisions at multiple authority levels, with verified compliance and audit trails. It absorbs and supersedes the override mechanisms described in earlier HEOP and HITL drafts, providing a single unified protocol that works across agent implementations from different vendors. The protocol specifies three override levels (Advisory, Mandatory, Emergency), a JWT-based override signal format, multiple delivery mechanisms, compliance verification, and graceful degradation semantics. Override events are recorded as Execution Context Token (ECT) nodes for tamper-evident audit.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Gap 7 of the agentic AI gap analysis [I-D.nennemann-agent-gap-analysis] identifies the absence of a standardized human override mechanism as a critical deficiency. Current human-in-the-loop (HITL) mechanisms are vendor-specific: each agent platform implements its own override interface, authentication scheme, and compliance model. When agents from different vendors collaborate in a shared workflow, there is no universal mechanism for a human operator to intervene.¶
Earlier drafts addressed portions of this problem. The Human Emergency Override Protocol (HEOP) defined four override levels with ECT integration. The HITL Primitives draft added approval gates, explainability tokens, and timeout policies. This document absorbs and supersedes the override protocol aspects of both, providing a single cross-vendor interoperable specification.¶
The design draws from industrial safety: the emergency stop button on factory equipment, the circuit breaker in electrical systems, and the kill switch in robotics. The override mechanism must be simpler and more reliable than the system it controls.¶
The protocol integrates with the Agent Context Policy Token [I-D.nennemann-agent-dag-hitl-safety] for authorization and with the Execution Context Token [I-D.nennemann-wimse-ect] for audit.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A signed message from an authorized human operator directing one or more agents to change their autonomous behavior.¶
The authenticated identity and role of a human operator authorized to issue override signals, as defined in ACP-DAG-HITL policy.¶
The set of agents or agent functions targeted by an override signal.¶
One of three escalating intervention types: Advisory (Level 1), Mandatory (Level 2), or Emergency (Level 3).¶
The process of confirming that an agent has changed its behavior in accordance with an override signal.¶
A signed response from an agent confirming receipt and processing of an override signal.¶
The behavior of the override system when the target agent is unreachable or non-responsive.¶
An Emergency (Level 3) override that requires immediate cessation of all autonomous agent activity.¶
The following diagram illustrates the override signal flow from a human operator through the override system to the target agent(s):¶
+----------+ Override Signal +------------------+
| Human |--(JWT-signed msg)--->| Override |
| Operator | | Dispatcher |
+----------+ +------------------+
^ | | |
| +---------+ | +---------+
| v v v
| +---------+ +---------+ +---------+
| | Agent A | | Agent B | | Agent C |
| | (push) | | (pull) | | (bcast) |
| +---------+ +---------+ +---------+
| | | |
+-----(Ack ECT)-----+-----(Ack)---+-----(Ack)---+
| | |
+----v-------------v-------------v----+
| Compliance Verification |
| & Audit Trail (ECT DAG) |
+-------------------------------------+
The Override Dispatcher receives the operator's signed override signal and routes it to target agents via the appropriate delivery mechanism. Each agent acknowledges the override with an ECT. The compliance verification layer monitors agent behavior to confirm the override was applied.¶
Targets a specific agent identified by its agent identifier
(e.g., a SPIFFE ID). The override signal contains a single
target value.¶
Targets a set of agents identified by a tag or label. The
override signal contains a target_group value that matches
agents sharing a common label (e.g., group:firewall-agents).¶
Targets all agents participating in a specific workflow DAG.
The override signal contains a target_workflow value
referencing the workflow identifier.¶
Targets all agents within an administrative domain. The
override signal contains target_domain set to "*" or a
specific domain identifier.¶
Override signals are JSON Web Tokens (JWTs) [RFC7519] signed by the override authority using JSON Web Signature (JWS) [RFC7515].¶
The JWT payload MUST contain the following claims:¶
{
"jti": "urn:uuid:f47ac10b-58cc-4372-a567-0e02b2c3d479",
"iss": "spiffe://example.com/human/alice",
"iat": 1741042800,
"override_level": 3,
"override_scope": {
"type": "single",
"target": "spiffe://example.com/agent/firewall-mgr"
},
"override_action": "stop",
"override_reason": "Agent blocking legitimate traffic",
"override_expiry": 1741046400,
"nonce": "a3f8b2c1e9d74506"
}
Claim definitions:¶
override_level:Integer 1-3. MUST be present. Specifies the override authority level.¶
override_scope:Object. MUST be present. Contains type (one of single,
group, workflow, domain) and the corresponding target
identifier.¶
override_action:String. MUST be present. The action the agent should take.
Values include reconsider, change_behavior, stop,
restrict, and resume.¶
override_reason:String. MUST be present. Human-readable explanation for the override.¶
override_expiry:Integer (Unix timestamp) or null. If set, the override expires automatically at this time and the agent resumes its prior mode. If null, the override persists until explicitly lifted.¶
nonce:String. MUST be present. A random value to prevent replay attacks.¶
The override dispatcher sends the signed override signal as an HTTP POST [RFC9110] to the agent's override endpoint:¶
POST /.well-known/agent-override HTTP/1.1 Host: agent.example.com Content-Type: application/jose Authorization: Bearer <operator-jwt> <signed-override-signal>
Agents that cannot receive inbound connections MAY poll for pending overrides:¶
GET /.well-known/agent-override/pending HTTP/1.1 Host: override-service.example.com Authorization: Bearer <agent-jwt>
The polling interval SHOULD NOT exceed 10 seconds. For Emergency overrides, agents relying on pull delivery MUST poll at least every 5 seconds.¶
For domain-wide or group overrides, the dispatcher MAY use a broadcast mechanism. The dispatcher fans out the override signal to all matching agents and collects acknowledgments.¶
POST /override/broadcast HTTP/1.1 Host: override-service.example.com Content-Type: application/jose <signed-override-signal with target_domain or target_group>
Agents MUST advertise their override endpoint at the well-known
URI /.well-known/agent-override per [RFC9110].¶
A GET request to /.well-known/agent-override MUST return the
agent's override capabilities:¶
{
"agent_id": "spiffe://example.com/agent/firewall-mgr",
"supported_levels": [1, 2, 3],
"delivery_mechanisms": ["push", "pull"],
"max_response_time_ms": 1000,
"status_endpoint": "/.well-known/agent-override/status",
"protocol_version": "1.0"
}
Upon receiving an override signal, the agent MUST respond with an acknowledgment within the following timeframes:¶
The acknowledgment is an ECT with exec_act set to the
appropriate override acknowledgment value:¶
{
"exec_act": "override_ack",
"par": ["<override-signal-jti>"],
"ext": {
"override.status": "received",
"override.level": 3,
"override.prior_state": "autonomous",
"override.effective_at": "2026-03-06T12:00:00.123Z"
}
}
After the agent has changed its behavior in response to the override, it MUST emit a compliance confirmation ECT:¶
{
"exec_act": "override_complied",
"par": ["<ack-ect-jti>"],
"ext": {
"override.status": "complied",
"override.current_state": "stopped",
"override.actions_terminated": 3,
"override.evidence": "All autonomous tasks halted"
}
}
For Level 1 (Advisory) overrides, the agent MAY decline to comply. In this case, the agent MUST emit a non-compliance ECT:¶
{
"exec_act": "override_declined",
"par": ["<override-signal-jti>"],
"ext": {
"override.status": "declined",
"override.reason": "Action is within policy bounds",
"override.level": 1
}
}
For Level 2 and Level 3 overrides, the agent MUST NOT decline. If the agent cannot fully comply (e.g., due to hardware limitations), it MUST report partial compliance with a description of what could not be done. The override dispatcher MUST escalate partial compliance to the operator.¶
After an agent acknowledges an override, the compliance verification system SHOULD monitor the agent's subsequent behavior to confirm the override was actually applied. Verification methods include:¶
If the agent does not acknowledge within the required timeframe:¶
The dispatcher MUST retry the override signal once after 2 seconds.¶
If no acknowledgment is received after the retry, the dispatcher MUST escalate to the operator.¶
For Level 3 (Emergency) overrides, the dispatcher SHOULD attempt alternative delivery mechanisms (e.g., switching from push to broadcast).¶
If all delivery attempts fail, the graceful degradation policy applies (see Section 4.3).¶
When the override target agent is unreachable, the system MUST:¶
Agents MUST implement a dead man's switch: if the agent loses contact with the override service for a configurable duration (default: 90 seconds), the agent MUST enter a failsafe state equivalent to Level 2 (Mandatory) with restricted operations.¶
The failsafe policy is configured in the agent's ACP-DAG-HITL policy and MUST specify one of:¶
When an agent is offline, the override dispatcher MAY apply the override to the agent's proxy or orchestrator. The proxy MUST:¶
Queue the override signal for delivery when the agent reconnects.¶
Prevent new tasks from being dispatched to the offline agent.¶
Emit an ECT recording the proxy override action.¶
When the agent reconnects, the proxy MUST deliver the queued override signal. The agent MUST process it as if it were received in real time, applying the override level and action specified.¶
Every override interaction produces ECT nodes [I-D.nennemann-wimse-ect] that are linked into the workflow DAG:¶
| Event | exec_act value |
|---|---|
| Advisory override issued |
override_advisory
|
| Mandatory override issued |
override_mandatory
|
| Emergency override issued |
override_emergency
|
| Override acknowledged |
override_ack
|
| Override complied |
override_complied
|
| Override declined (Advisory only) |
override_declined
|
| Override delivery failed |
override_delivery_failed
|
| Override lifted |
override_lifted
|
| Override expired |
override_expired
|
Each override ECT references the triggering override signal's
jti via the par claim, maintaining the causal chain in the
DAG.¶
The sequence of override ECTs provides a complete, tamper-evident audit trail:¶
The operator issues an override (override ECT with operator identity, reason, and level).¶
The agent acknowledges (ack ECT linked to override ECT).¶
The agent confirms compliance (compliance ECT linked to ack ECT).¶
Optionally, the operator lifts the override (lift ECT linked to override ECT).¶
At AEM assurance level L3, all override ECTs MUST be committed to the immutable audit ledger.¶
Agents MUST reject override signals with:¶
An iat claim more than 30 seconds in the past.¶
A jti that matches a previously processed override signal.¶
A missing or invalid nonce claim.¶
Agents MUST maintain a cache of recently processed jti values
for at least 5 minutes to detect replays.¶
Override signals are signed JWTs. Agents MUST verify the signature against the operator's public key (as registered in ACP-DAG-HITL policy) before processing. Agents MUST reject signals with invalid or expired signatures.¶
To prevent abuse, agents SHOULD implement rate limiting on the override endpoint:¶
Level 1 (Advisory): Maximum 10 signals per minute per operator.¶
Level 2 (Mandatory): Maximum 5 signals per minute per operator.¶
Level 3 (Emergency): No rate limit (to ensure emergency overrides are never blocked), but agents MUST log high-frequency Emergency overrides as potential abuse.¶
The override endpoint SHOULD be served on a separate port or network interface from the agent's main API to ensure availability during overload conditions.¶
This document requests registration of the following well-known URI suffix per [RFC9110]:¶
| URI Suffix | Description |
|---|---|
agent-override
|
Agent override endpoint for receiving override signals, querying capabilities, and reporting status |
This document requests registration of the following exec_act
values in the ECT Action Type Registry:¶
| Value | Description | Reference |
|---|---|---|
override_advisory
|
Advisory override signal issued | This document |
override_mandatory
|
Mandatory override signal issued | This document |
override_emergency
|
Emergency override signal issued | This document |
override_ack
|
Agent acknowledgment of override | This document |
override_complied
|
Agent confirmed compliance | This document |
override_declined
|
Agent declined advisory override | This document |
override_delivery_failed
|
Override delivery failure | This document |
override_lifted
|
Override explicitly lifted | This document |
override_expired
|
Override expired by TTL | This document |
This document requests registration of the following JWT claims in the IANA JSON Web Token Claims registry:¶
| Claim Name | Description | Reference |
|---|---|---|
override_level
|
Override authority level (1-3) | This document |
override_scope
|
Target scope of the override | This document |
override_action
|
Directed action for the agent | This document |
override_reason
|
Human-readable override justification | This document |
override_expiry
|
Override expiration timestamp | This document |
This document absorbs and supersedes the override protocol aspects of the Human Emergency Override Protocol (HEOP) and the HITL Primitives specification. The override level design is inspired by industrial safety systems (IEC 62061, ISO 13849). The protocol integrates with the Agent Context Policy Token [I-D.nennemann-agent-dag-hitl-safety] for authorization and the Execution Context Token [I-D.nennemann-wimse-ect] for audit.¶