| Internet-Draft | Agent Problem Statement | March 2026 |
| Nennemann | Expires 7 September 2026 | |
The IETF autonomous agent landscape spans over 260 drafts touching agent communication, identity, safety, and operations, yet critical gaps remain where standardization is absent or insufficient. This document provides a condensed problem statement that identifies eleven protocol gaps, classifies them by severity, and maps them to a suite of companion drafts that form a coherent solution framework. It is intended as an actionable reference for working group chairs, area directors, and protocol designers evaluating where autonomous-agent standardization efforts should focus.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 September 2026.
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Autonomous software agents are moving from research prototypes to production deployments in network management, cloud orchestration, supply-chain logistics, and AI-driven workflows. A survey of IETF work reveals over 260 drafts relevant to agent capabilities, yet no single reference architecture ties them together. Several critical capabilities -- runtime behavioral verification, failure cascade prevention, cross-vendor human override -- lack any standardization at all.
This document distills the findings of a comprehensive gap analysis [ARXIV-GAP] into an actionable problem statement. It identifies eleven gaps, groups them by severity, and presents a solution roadmap of nine companion drafts. The full analysis, including a survey of existing IETF work across WIMSE, RATS, OAuth/GNAP, SCITT, and NMOP, is available in [I-D.nennemann-agent-dag-hitl-safety] and the companion arXiv paper [ARXIV-GAP].
The intended audience is working group chairs, area directors, and protocol designers who need a concise summary of what is missing and what to build next.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
The following terms are used throughout this document:
Autonomous Agent:  A software component that acts on behalf of a principal (human or organizational) to perform tasks autonomously.
Execution Context Token (ECT):  A cryptographically signed token carrying execution context for an agent action. See [I-D.nennemann-wimse-ect].
Agent Context Policy (ACP):  A policy specifying permitted behaviors, resource limits, and escalation rules for an agent. See [I-D.nennemann-agent-dag-hitl-safety].
Human-in-the-Loop (HITL):  A control pattern requiring human approval before an agent action takes effect.
Cascade Failure:  A failure mode where an error in one agent propagates through a multi-agent workflow, causing successive agents to fail.
Override Signal:  A message from a human operator instructing an agent to halt, modify, or roll back its current action.
The autonomous agent ecosystem can be organized into four layers beneath a human operator tier, each with distinct standardization gaps. The following diagram presents this reference architecture:
+-------------------------------------------------------------+
|                       HUMAN OPERATORS                       |
|              [Override & HITL Layer -- GAP 7]               |
+-------------------------------------------------------------+
|                   AGENT INTERACTION LAYER                   |
|  +---------+  +---------+  +---------+  +---------+         |
|  | Agent A |<>| Agent B |<>| Agent C |<>| Agent D |         |
|  +----+----+  +----+----+  +----+----+  +----+----+         |
|       | GAP 3:     | GAP 10:    | GAP 1:     |              |
|       | Consensus  | Cap.Neg.   | Behav.     |              |
|       |            |            | Verif.     |              |
+-------+------------+------------+------------+--------------+
|                    EXECUTION LAYER (ECT)                    |
|  DAG Execution | Checkpoints | Rollback | Circuit Breakers  |
|  [GAP 2: Cascade Prevention]        [GAP 4: Rollback]       |
+-------------------------------------------------------------+
|                  POLICY & GOVERNANCE LAYER                  |
|  ACP-DAG-HITL | Trust Scoring | Assurance Profiles          |
|  [GAP 5: Federated Privacy]  [GAP 6: Cross-Domain Audit]    |
+-------------------------------------------------------------+
|                    INFRASTRUCTURE LAYER                     |
|  Identity | Discovery | Registration | Protocol Bridges     |
|  [GAP 8: Cross-Protocol]  [GAP 9: Resource Accounting]      |
|  [GAP 11: Performance Benchmarking]                         |
+-------------------------------------------------------------+
Override and HITL Layer:  Provides override and human-in-the-loop controls. Gap 7 addresses the absence of a cross-vendor override protocol.
Agent Interaction Layer:  Where agents communicate, negotiate capabilities (Gap 10), reach consensus (Gap 3), and undergo behavioral verification (Gap 1).
Execution Layer:  Manages DAG-based workflows with cascade prevention (Gap 2) and rollback (Gap 4), built on Execution Context Tokens [I-D.nennemann-wimse-ect].
Policy and Governance Layer:  Enforces privacy in federated learning (Gap 5) and cross-domain audit trails (Gap 6).
Infrastructure Layer:  Handles identity, discovery, cross-protocol migration (Gap 8), resource accounting (Gap 9), and performance benchmarking (Gap 11).
Behavioral Verification (Gap 1): No standardized mechanism exists for runtime verification of agent policy compliance. RATS [RFC9334] covers platform attestation but not behavioral conformance. Without this, operators cannot detect drifted, compromised, or out-of-bounds agents -- especially dangerous in multi-agent workflows where one misbehaving agent corrupts downstream results. Addressed by [I-D.nennemann-agent-behavioral-verification].
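To make the missing appraisal step concrete, the sketch below checks an agent's observed actions against a declared behavioral profile. The profile fields (allowed_actions, max_actions_per_window) are illustrative assumptions, not a proposed format; Gap 1 is precisely that no standard format exists.

```python
# Hypothetical runtime behavioral appraisal: compare observed agent
# actions against a declared profile. Field names are illustrative.

def appraise(profile: dict, observed: list[dict]) -> list[str]:
    """Return a list of violations; an empty list means the agent is in bounds."""
    violations = []
    allowed = set(profile["allowed_actions"])
    for event in observed:
        if event["action"] not in allowed:
            violations.append(f"unauthorized action: {event['action']}")
    if len(observed) > profile["max_actions_per_window"]:
        violations.append("action rate exceeds profile limit")
    return violations

profile = {"allowed_actions": ["read", "plan"], "max_actions_per_window": 10}
observed = [{"action": "read"}, {"action": "delete"}]
print(appraise(profile, observed))  # ['unauthorized action: delete']
```

A real verifier would consume signed evidence rather than raw events, but the appraisal logic has the same shape: profile in, violation set out.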
Cascade Prevention (Gap 2): Multi-agent dependency chains lack standardized circuit breakers, failure isolation, or cascade containment. Current ad-hoc timeout and retry logic is neither interoperable nor sufficient for DAG-structured workflows. A single agent failure can cascade through an entire deployment with no automated containment. Addressed by [I-D.nennemann-agent-cascade-prevention].
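The classic circuit-breaker pattern illustrates the containment primitive this gap calls for: after repeated failures, calls to a downstream agent are refused until a cooldown elapses. The thresholds and state model below are illustrative, not taken from any draft.

```python
import time

# Minimal circuit-breaker sketch for containing agent failure cascades.
# States follow the usual pattern: closed (calls allowed), open (calls
# refused), half-open (one probe allowed after the reset timeout).

class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, reset_timeout: float = 30.0):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.failures = 0
        self.opened_at = None  # None means the circuit is closed

    def allow(self) -> bool:
        """May we call the downstream agent right now?"""
        if self.opened_at is None:
            return True
        # Half-open: permit a probe once the reset timeout has elapsed.
        return time.monotonic() - self.opened_at >= self.reset_timeout

    def record(self, success: bool) -> None:
        """Record the outcome of a call and open/close the circuit."""
        if success:
            self.failures = 0
            self.opened_at = None
        else:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = time.monotonic()

breaker = CircuitBreaker(failure_threshold=2, reset_timeout=60.0)
breaker.record(False)
breaker.record(False)
print(breaker.allow())  # False: circuit opened after two failures
```

Standardizing this behavior across vendors would mean agreeing on thresholds, state signaling, and how open circuits propagate through a DAG.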
Consensus (Gap 3): No standardized consensus protocol exists for heterogeneous agents with different capabilities, trust levels, and policy constraints. Distributed-systems consensus protocols (Raft, Paxos) do not address agent-specific semantics such as weighted voting and capability-based participation. Multi-vendor coordination remains impossible without proprietary mechanisms. Addressed by [I-D.nennemann-agent-consensus].
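A sketch of the agent-specific semantics mentioned above: votes are weighted, and agents lacking the required capability or falling below a trust threshold do not participate. The weights, the 0.5 trust threshold, and the quorum rule are illustrative assumptions.

```python
# Weighted, capability-gated voting among heterogeneous agents (sketch).
# Agents without the required capability, or below the trust threshold,
# are excluded from the vote entirely.

def decide(agents: list[dict], required_capability: str, quorum: float = 0.5) -> bool:
    eligible = [a for a in agents
                if required_capability in a["capabilities"] and a["trust"] >= 0.5]
    total = sum(a["weight"] for a in eligible)
    yes = sum(a["weight"] for a in eligible if a["vote"])
    return total > 0 and yes / total > quorum

agents = [
    {"weight": 3, "trust": 0.9, "capabilities": ["route"], "vote": True},
    {"weight": 1, "trust": 0.8, "capabilities": ["route"], "vote": False},
    {"weight": 5, "trust": 0.2, "capabilities": ["route"], "vote": False},  # excluded: low trust
]
print(decide(agents, "route"))  # True: 3 of 4 eligible weight votes yes
```

Note how the low-trust agent's large weight is irrelevant; this is exactly the semantics Raft and Paxos do not model.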
Rollback (Gap 4): No generalized rollback mechanism exists for autonomous agent actions. Protocol-specific approaches (e.g., NETCONF confirmed-commit) do not extend to arbitrary agent actions or coordinated multi-agent rollbacks. Operators cannot safely deploy agents for critical operations without manual intervention for every action. Addressed by [I-D.nennemann-agent-cascade-prevention].
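The checkpoint-then-confirm shape of such a mechanism, loosely analogous to NETCONF confirmed-commit but generalized to arbitrary state, can be sketched as follows. The state model here is an assumption for illustration only.

```python
import copy

# Checkpoint/rollback sketch for agent actions: snapshot state before an
# action takes effect, restore the snapshot if the action is not confirmed.

class CheckpointedState:
    def __init__(self, state: dict):
        self.state = state
        self._checkpoints: list[dict] = []

    def checkpoint(self) -> int:
        """Snapshot current state; return a checkpoint id."""
        self._checkpoints.append(copy.deepcopy(self.state))
        return len(self._checkpoints) - 1

    def rollback(self, checkpoint_id: int) -> None:
        """Restore the snapshot and discard it plus any later checkpoints."""
        self.state = self._checkpoints[checkpoint_id]
        del self._checkpoints[checkpoint_id:]

s = CheckpointedState({"routes": 10})
cp = s.checkpoint()
s.state["routes"] = 0        # the agent action goes wrong
s.rollback(cp)
print(s.state)               # {'routes': 10}
```

The hard, unstandardized part is coordinating such rollbacks across several agents whose actions have interleaved side effects.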
Federated Privacy (Gap 5): Agents sharing operational data across domains need privacy guarantees beyond transport encryption: differential privacy parameters, data minimization for shared telemetry, and consent management. Without these, organizations face unacceptable privacy risks in federated agent ecosystems. Addressed by [I-D.nennemann-agent-federation-privacy].
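As an example of the differential-privacy parameters mentioned above, the sketch below adds Laplace noise scaled to sensitivity/epsilon before a numeric metric leaves a domain. The function and parameter names are illustrative; real deployments also need privacy-budget accounting, which this omits.

```python
import math
import random

# Differentially private telemetry release (sketch): add Laplace noise
# with scale = sensitivity / epsilon before sharing a numeric metric.

def dp_release(value: float, sensitivity: float, epsilon: float) -> float:
    """Release value with Laplace(0, sensitivity/epsilon) noise added."""
    scale = sensitivity / epsilon
    u = random.random() - 0.5          # uniform in [-0.5, 0.5)
    # Inverse-CDF sampling of the Laplace distribution.
    noise = -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
    return value + noise

noisy = dp_release(100.0, sensitivity=1.0, epsilon=1.0)  # near 100.0 with high probability
```

Standardization would cover how epsilon, sensitivity, and the consumed privacy budget are negotiated and signaled between domains, not the noise mechanism itself.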
Cross-Domain Audit (Gap 6): No standardized format exists for cross-domain audit trails that preserve causal ordering and provide tamper-evident logging. Execution Audit Tokens [I-D.nennemann-exec-audit] provide per-action records, but aggregation and correlation across domains remain undefined. Compliance requirements for automated decision-making make this urgent. Addressed by [I-D.nennemann-agent-cross-domain-audit].
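A hash-chained log illustrates both properties this gap names: a sequence number preserves causal order, and each record commits to its predecessor's hash, making tampering detectable. The record fields are assumptions for illustration, not the Execution Audit Token format.

```python
import hashlib
import json

# Tamper-evident, hash-chained audit log sketch. Each record includes the
# previous record's hash, so modifying any entry breaks verification.

def append(log: list[dict], action: str, domain: str) -> None:
    prev = log[-1]["hash"] if log else "0" * 64
    record = {"seq": len(log), "domain": domain, "action": action, "prev": prev}
    payload = json.dumps(record, sort_keys=True).encode()
    record["hash"] = hashlib.sha256(payload).hexdigest()
    log.append(record)

def verify(log: list[dict]) -> bool:
    prev = "0" * 64
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

trail: list[dict] = []
append(trail, "commit-config", "domain-a")
append(trail, "notify-peer", "domain-b")
print(verify(trail))  # True
```

The unstandardized part is correlating such chains across domains: agreeing on record schemas, clock semantics, and how chains from different operators are stitched together.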
Human Override (Gap 7): No cross-vendor protocol exists for sending override signals (emergency stop, graceful pause, forced rollback) to running agents. ACP-DAG-HITL [I-D.nennemann-agent-dag-hitl-safety] defines when human approval is required but not how to deliver override signals. This is a fundamental safety gap. Addressed by [I-D.nennemann-agent-override-protocol].
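The signal vocabulary named above can be sketched as a small message constructor. The wire format, field names, and signal set here are assumptions for illustration, not the companion draft's actual encoding.

```python
# Illustrative override-signal message. Signal names follow the gap
# description; the message structure is a hypothetical sketch.

OVERRIDE_SIGNALS = {"emergency_stop", "graceful_pause", "forced_rollback"}

def make_override(agent_id: str, signal: str, operator: str, reason: str) -> dict:
    """Build an override message; reject signals outside the known set."""
    if signal not in OVERRIDE_SIGNALS:
        raise ValueError(f"unknown override signal: {signal}")
    return {
        "agent_id": agent_id,
        "signal": signal,
        "operator": operator,   # would be an authenticated identity in practice
        "reason": reason,
    }

msg = make_override("agent-42", "emergency_stop", "ops@example.net", "policy breach")
print(msg["signal"])  # emergency_stop
```

A real protocol must additionally define delivery guarantees, authentication of the operator, and acknowledgement semantics, which is exactly what is missing today.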
Cross-Protocol Migration (Gap 8): Agents migrating between protocol environments (e.g., A2A to MCP) have no standard for preserving execution context, identity, and state across protocol boundaries. ECT [I-D.nennemann-wimse-ect] provides a protocol-neutral token but not migration procedures. Addressed by [I-D.nennemann-agent-federation-privacy].
Resource Accounting (Gap 9): No mechanism exists for tracking and reconciling agent resource consumption across administrative domains. This is a prerequisite for sustainable multi-domain agent ecosystems with cost attribution. Addressed by [I-D.nennemann-agent-cross-domain-audit].
Capability Negotiation (Gap 10): Agents lack a standardized protocol to dynamically advertise functions, agree on interaction protocols, and establish compatible parameters. HTTP content negotiation [RFC9110] provides basic discovery but not agent-specific capability semantics. Addressed by [I-D.nennemann-agent-consensus].
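A minimal sketch of pairwise capability negotiation: each agent advertises capabilities with supported versions, and the pair agrees on the intersection at the highest common version. The data model is an assumption; Gap 10 is exactly that no standard defines one.

```python
# Pairwise capability negotiation sketch: intersect advertised capability
# sets and pick the highest version both agents support.

def negotiate(offer_a: dict, offer_b: dict) -> dict:
    """Return the capabilities both agents support, at the highest common version."""
    agreed = {}
    for cap, versions_a in offer_a.items():
        if cap in offer_b:
            common = set(versions_a) & set(offer_b[cap])
            if common:
                agreed[cap] = max(common)
    return agreed

a = {"plan": [1, 2], "route": [1]}
b = {"plan": [2, 3], "audit": [1]}
print(negotiate(a, b))  # {'plan': 2}
```

Beyond this intersection step, a standard would need to cover multi-party negotiation and how disagreements (no common version) are signaled.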
Performance Benchmarking (Gap 11): No standardized metrics or methodology exists for evaluating agent performance across dimensions of accuracy, latency, resource efficiency, safety compliance, and behavioral consistency. Addressed by [I-D.nennemann-agent-behavioral-verification].
The following table maps each companion draft to the gaps it addresses:
| Companion Draft | Gaps Addressed | Priority |
|---|---|---|
| [I-D.nennemann-wimse-ect] | Foundation | CRITICAL |
| [I-D.nennemann-agent-dag-hitl-safety] | Foundation | CRITICAL |
| [I-D.nennemann-exec-audit] | Foundation | HIGH |
| [I-D.nennemann-agent-behavioral-verification] | 1, 11 | CRITICAL |
| [I-D.nennemann-agent-cascade-prevention] | 2, 4 | CRITICAL |
| [I-D.nennemann-agent-consensus] | 3, 10 | HIGH |
| [I-D.nennemann-agent-cross-domain-audit] | 6, 9 | HIGH |
| [I-D.nennemann-agent-override-protocol] | 7 | HIGH |
| [I-D.nennemann-agent-federation-privacy] | 5, 8 | HIGH |
[I-D.nennemann-wimse-ect]:  Defines Execution Context Tokens that carry task identity, delegated authority, and constraints across agent boundaries. Foundational for all other drafts.
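To illustrate what such a token might carry, the sketch below mints a claims set with a task identity, delegating principal, and constraints, integrity-protected with an HMAC for brevity. All claim names and the MAC construction are assumptions for illustration; the companion draft defines the real token format and cryptography.

```python
import hashlib
import hmac
import json

# Illustrative Execution Context Token: claims plus an integrity tag.
# Claim names are hypothetical; a shared-secret HMAC stands in for the
# real signature scheme purely to keep the sketch self-contained.

def mint_ect(key: bytes, claims: dict) -> dict:
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify_ect(key: bytes, token: dict) -> bool:
    payload = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])

token = mint_ect(b"shared-secret", {
    "task": "rollout-7",               # task identity
    "principal": "ops@example.net",    # delegating principal
    "constraints": {"max_hosts": 5},   # execution constraints
})
print(verify_ect(b"shared-secret", token))  # True
```

Any modification to the claims after minting causes verification to fail, which is the property downstream drafts rely on when tokens cross agent boundaries.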
[I-D.nennemann-agent-dag-hitl-safety]:  Specifies Agent Context Policy tokens for DAG-based delegation with human-in-the-loop safety gates. Foundational for policy enforcement across all gaps.
[I-D.nennemann-exec-audit]:  Defines per-action audit tokens for tamper-evident recording of agent actions. Foundation for cross-domain audit trails.
[I-D.nennemann-agent-behavioral-verification]:  Defines behavioral profiles, verification evidence formats, and appraisal procedures for runtime agent compliance. Addresses Gaps 1 and 11.
[I-D.nennemann-agent-cascade-prevention]:  Specifies circuit breakers, failure isolation, checkpointing, and rollback mechanisms for multi-agent workflows. Addresses Gaps 2 and 4.
[I-D.nennemann-agent-consensus]:  Defines protocols for multi-agent agreement with weighted voting, capability negotiation, and policy-constrained proposals. Addresses Gaps 3 and 10.
[I-D.nennemann-agent-cross-domain-audit]:  Specifies audit trail aggregation, correlation, and query across administrative domains, plus resource accounting. Addresses Gaps 6 and 9.
[I-D.nennemann-agent-override-protocol]:  Defines a cross-vendor protocol for emergency stop, graceful pause, parameter modification, and forced rollback signals. Addresses Gap 7.
[I-D.nennemann-agent-federation-privacy]:  Specifies privacy-preserving mechanisms for federated agent learning and cross-protocol migration procedures. Addresses Gaps 5 and 8.
The companion drafts have the following dependency structure:

behavioral-verification ---+
        |                  |
        v                  |
cascade-prevention         |
        |                  |
        v                  v
override-protocol    cross-domain-audit
        |                  |
        v                  v
    consensus        federation-privacy
Behavioral verification is foundational: its attestation format is consumed by cascade prevention and cross-domain audit. Cascade prevention defines the failure containment that the override protocol builds upon. Consensus extends behavioral verification with multi-agent agreement. Cross-domain audit provides the infrastructure to which federation privacy adds its privacy controls.
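The ordering implied by this dependency structure can be checked mechanically. The sketch below encodes the diagram's edges (our reading of it, not normative) and derives a valid publication order with the standard-library topological sorter.

```python
from graphlib import TopologicalSorter

# Edges follow the dependency diagram: each draft maps to the set of
# drafts it depends on. The edge set is our interpretation of the figure.
deps = {
    "cascade-prevention": {"behavioral-verification"},
    "cross-domain-audit": {"behavioral-verification"},
    "override-protocol": {"cascade-prevention"},
    "consensus": {"override-protocol"},
    "federation-privacy": {"cross-domain-audit"},
}

order = list(TopologicalSorter(deps).static_order())
print(order[0])  # behavioral-verification
```

Since behavioral-verification is the only node without predecessors, any topological order starts with it, matching the phasing rationale below.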
Work should proceed in three phases:
Phase 1: Behavioral Verification (Gaps 1, 11) and Cascade Prevention (Gaps 2, 4). These are CRITICAL severity gaps with direct safety implications. Without runtime verification and failure containment, no autonomous agent deployment can be considered safe.
Phase 2: Human Override (Gap 7) and Cross-Domain Audit (Gaps 6, 9). Override capability is a prerequisite for any production deployment. Audit trails are required for regulatory compliance in enterprise environments.
Phase 3: Consensus (Gaps 3, 10) and Federation Privacy (Gaps 5, 8). These enable multi-vendor and multi-domain agent ecosystems but depend on the safety and accountability foundations laid in Phases 1 and 2.
The gaps identified in this document have cross-cutting security implications:
Behavioral Verification (Gap 1): Without runtime verification, compromised agents exploit trusted identities to perform unauthorized actions undetected.
Cascade Prevention (Gap 2): Absence of containment creates a denial-of-service vector where compromising a single agent disrupts entire multi-agent workflows.
Human Override (Gap 7): Without a standard override protocol, safety-critical agent actions may not be stoppable in emergency situations.
Cross-Domain Audit (Gap 6): Audit trail gaps across domain boundaries enable agents to evade detection and accountability.
Federated Privacy (Gap 5): Sharing agent data across domains without privacy controls exposes network topology, operational patterns, and business logic.
Implementers of autonomous agent systems SHOULD treat the CRITICAL and HIGH severity gaps as security requirements and prioritize their resolution. The companion drafts each contain detailed security considerations specific to their scope.
This document has no IANA actions.
The author thanks the participants of the WIMSE, RATS, and NMOP working groups for discussions that informed this analysis. The full gap analysis is available as [ARXIV-GAP].