Context
The ARD spec's trustManifest.attestations array is designed for extensible attestation types. The current examples cover compliance certifications (SOC2-Type2, HIPAA-Audit) and identity proofs (SPIFFE-X509). This issue proposes adding runtime governance attestations as a recognized category, with TRACE-v0.2 as the first defined type.
The gap
Compliance certifications prove what an organization claims about its practices. Runtime governance attestations prove what an agent actually did during execution — the session evidence, not the audit. These are complementary, not competing.
Today there is no recognized attestation type in ARD that captures:
- Which Cedar/OPA policy was in force (and its exact hash)
- Whether the agent ran inside a verifiable hardware environment (TEE measurement)
- A signed tool-call transcript that an auditor can verify offline
- A SCITT-anchored record for append-only audit history
TRACE-v0.2 covers all of these.
TRACE overview
TRACE (Trust Runtime Attestation and Compliance Evidence) is an open EAT-profile (RFC 9711) standard for AI agent governance records (see docs/adr/0032).
Proposed changes (see PR #6)
- §5.2 — add TRACE-v0.2 to the attestation type field description
- §5.2.1 Runtime Governance Attestations (new section) — TRACE-v0.2 spec, example entry, discovery filter
- examples/agentrust-io-catalog.json — reference ai-catalog.json for a governed-agent registry
agentrust.io as a governed-agent federated registry
Beyond the spec change, we're proposing that agentrust.io operate as a specialized ARD federated registry indexed under:
urn:ai:agentrust.io:registry:governed-agents
This registry returns only TRACE-attested, policy-governed agents. ARD registries can route queries with trustManifest.attestations.type: ["TRACE-v0.2"] to agentrust.io via federation referrals, without embedding trust logic in the originating registry.
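As an added illustration (not code from the ARD spec, the TRACE project or agentrust.io) of the discovery filter, the federation referral, and the offline policy-hash check from the list above: the script below builds a constructed catalog of three agents, selects the ones carrying a `trustManifest.attestations[].type` of `TRACE-v0.2`, routes a query for that type to the governed-agent registry URN, and verifies that an attestation's policy hash is the SHA-256 of the policy the verifier holds. Only the attestation path, the type string and the registry URN come from the proposal; the `policyHash` and `tee.measurement` field names, the agent ids and the Cedar policy text are assumptions made for this example.

```python
"""Added example: discovery filter, federation referral and offline policy-hash
check over a constructed ARD catalog. Field names other than "type" are assumed."""
import hashlib
import hmac
from typing import List, Optional

TRACE_TYPE = "TRACE-v0.2"
# Registry URN taken from the proposal.
GOVERNED_REGISTRY = "urn:ai:agentrust.io:registry:governed-agents"

# Constructed sample Cedar policy; the attestation is expected to carry the
# SHA-256 of exactly this text.
POLICY_TEXT = 'permit(principal == Agent::"beta", action == Action::"read", resource);\n'


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def trace_attestation(policy_text: str, measurement: str) -> dict:
    """Build a TRACE-v0.2 entry; "policyHash" and "tee" are assumed field names."""
    return {
        "type": TRACE_TYPE,
        "policyHash": sha256_hex(policy_text),
        "tee": {"measurement": measurement},
    }


# Constructed catalog: alpha holds only a compliance certification, beta is
# TRACE-attested under the current policy, delta is TRACE-attested but under an
# older policy text (so its hash no longer matches).
SAMPLE_CATALOG = {
    "agents": [
        {"id": "urn:ai:example:agent:alpha",
         "trustManifest": {"attestations": [{"type": "SOC2-Type2"}]}},
        {"id": "urn:ai:example:agent:beta",
         "trustManifest": {"attestations": [
             {"type": "SPIFFE-X509"},
             trace_attestation(POLICY_TEXT, "mrenclave-placeholder")]}},
        {"id": "urn:ai:example:agent:delta",
         "trustManifest": {"attestations": [
             trace_attestation(POLICY_TEXT + "forbid(principal, action, resource);\n",
                               "mrenclave-placeholder")]}},
    ]
}


def attestations_of(agent: dict, wanted_type: str) -> List[dict]:
    """All entries of the given type under trustManifest.attestations."""
    manifest = agent.get("trustManifest") or {}
    return [a for a in manifest.get("attestations", []) if a.get("type") == wanted_type]


def filter_by_attestation_type(catalog: dict, wanted_type: str) -> List[str]:
    """Discovery filter: ids of agents with at least one attestation of wanted_type."""
    return [a["id"] for a in catalog.get("agents", []) if attestations_of(a, wanted_type)]


def referral_target(requested_types: List[str]) -> Optional[str]:
    """Federation referral: a query asking for TRACE-v0.2 is routed to the
    governed-agent registry; anything else stays with the originating registry."""
    return GOVERNED_REGISTRY if TRACE_TYPE in requested_types else None


def policy_hash_matches(attestation: dict, policy_text: str) -> bool:
    """Offline check: the attested hash equals the hash of the policy the verifier holds.
    compare_digest avoids leaking where the two hex strings first differ."""
    attested = attestation.get("policyHash", "")
    return hmac.compare_digest(attested, sha256_hex(policy_text))


def governed_agents_with_current_policy(catalog: dict, policy_text: str) -> List[str]:
    """Agents that are TRACE-attested AND whose attested policy is the current one."""
    return [
        agent["id"]
        for agent in catalog.get("agents", [])
        if any(policy_hash_matches(a, policy_text)
               for a in attestations_of(agent, TRACE_TYPE))
    ]


if __name__ == "__main__":
    print("TRACE-attested:", filter_by_attestation_type(SAMPLE_CATALOG, TRACE_TYPE))
    print("current policy:", governed_agents_with_current_policy(SAMPLE_CATALOG, POLICY_TEXT))
    print("referral:", referral_target([TRACE_TYPE]))
```

The two-stage result is the point: the type filter alone returns both beta and delta, but only beta survives the hash check, which is what distinguishes "claims to be governed" from "governed by the policy you expect". A real verifier would additionally validate the EAT signature and compare the TEE measurement against a known-good value before trusting either field.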
Connection to ARDS authors
R.V.Guha (co-author) and the AGT team both have Microsoft ties. Happy to discuss through any channel — this is a genuine architectural complement, not a competing proposal.
Feedback welcome
- Should runtime governance attestations be a separate subsection from compliance certifications? Or a note inline?
- Is there a preferred way to register new attestation types formally?
- Interested in agentrust.io contributing a reference ARD registry implementation?