Agent Control Protocol (ACP) is a formal technical specification for governance of autonomous agents in B2B institutional environments. ACP acts as an admission control layer between agent intent and system state mutation: before execution, every agent action must pass a cryptographic admission check that validates identity, capability scope, delegation chain, and policy compliance. ACP defines mechanisms for cryptographic identity, capability-based authorization, deterministic risk evaluation, verifiable chained delegation, transitive revocation, and immutable auditing, enabling autonomous agents to operate under explicit institutional control. ACP operates as an additional layer on top of RBAC and Zero Trust, without replacing them. It addresses a gap these models do not solve: governing what autonomous agents can do, under what conditions, with what limits, and with full traceability for external auditing, including across organizational boundaries. The specification includes a multi-organization interoperability model in which independently governed systems validate cross-organizational execution requests through a shared verification pipeline. Divergence between policy evaluations is detected and reported, but not resolved by the protocol, preserving institutional sovereignty. All cryptographic operations use Ed25519 with JCS canonicalization. The specification is language-agnostic, with a reference implementation in Go.

翻译：Agent控制协议（ACP）是一套用于B2B机构环境中自治主体治理的正式技术规范。ACP作为连接Agent意图与系统状态变更的准入控制层：在执行之前，每个Agent动作必须通过一个加密准入检查，该检查验证身份、能力范围、委托链及策略合规性。ACP定义了加密身份、基于能力的授权、确定性风险评估、可验证链式委托、可传递撤销及不可变审计等机制，使自治主体能够在明确的机构控制下运行。ACP作为RBAC和零信任架构的补充层运行，而非取代它们。它解决了这些模型未解决的关键缺口：在何种条件下、以何种限制、如何全面追溯跨组织边界的自治主体行为进行治理与外部审计。该规范包含一个跨组织互操作模型，其中独立治理的系统通过共享验证流水线验证跨组织的执行请求。协议检测并报告策略评估间的分歧，但不解决分歧，从而维护各机构的自主权。所有加密操作使用Ed25519与JCS规范化。该规范是语言无关的，并附带Go语言参考实现。