An Agent Security Gateway sits between an AI agent and everything it touches: MCP servers, APIs, databases, and other agents. Before any agent action reaches a destination, the gateway governs it. AGS-1 specifies what "governs" means, so the model is something any party can recognize, require, and verify, not a single vendor's feature.
- Read the spec: SPEC.md (RFC 2119), also at axiorank.com/spec.
- The proof artifact: SEAL.md (the Agent Action Seal).
- Reference verifier:
@axiorank/audit-verify(zero dependencies, MIT).
AI Agent
|
v
+-------------------+
| Agent Security |
| Gateway |
+-------------------+
|
+------+------+
v v v
MCP APIs Databases
A conforming gateway intercepts every in-scope agent action and applies these gates before the action reaches its destination.
| Gate | Name | Requirement (summary) |
|---|---|---|
| AGS-1.1 | Identity | A short-lived, attributable identity with the full delegation chain. No ambient or shared credentials. |
| AGS-1.2 | Policy | An explicit policy that defaults to deny. The decision is allow, deny, or hold. |
| AGS-1.3 | Inspection | Content scored for secrets, sensitive data, destructive operations, and injection, 0 to 100, on the hot path. |
| AGS-1.4 | Audit | A tamper-evident, append-only log that should be independently verifiable, even against the operator. |
| AGS-1.5 | Proof | An offline-verifiable proof an action was governed, checkable against a pinned key with no trust in the operator. |
- AGS-1 Core: satisfies gates AGS-1.1 through AGS-1.4 for every in-scope action.
- AGS-1 Provable: additionally satisfies AGS-1.5, and the audit log is independently verifiable.
Coverage is part of the claim. State the scope of actions you intercept, for example "AGS-1 Provable for outbound MCP and HTTP tool calls". A bare "AGS-1 Provable" with no scope is not a conformance statement.
Publish a machine-readable descriptor at /.well-known/agent-security-gateway
so a counterparty can discover and check the claim. AxioRank serves the reference
example at axiorank.com/.well-known/agent-security-gateway.
The full convention, a gate-by-gate implementation map, and the badge are in the
conformance guide.
[](https://axiorank.com/spec)The badge is neutral. Any implementation that meets the spec for its stated scope can show it.
AGS-1 is a living draft, maintained by AxioRank (Crawlog LLC). AxioRank implements AGS-1 Provable; the specification is meant to outlive any single implementation. Feedback and implementations are welcome: open an issue or a pull request.
The spec text and this repository are MIT licensed. See LICENSE. Implement it freely.