Behavioural control planes intercept at one point in the chain — the gateway check. KYE Protocol™ owns the whole timeline: ten signed states from the moment an entity declares its key material through to the Evidence Pack™ that any auditor can replay from public keys alone.
An AI agent action is not a single event. It is a chain: a principal delegated authority, an agent attenuated it, a tool was called, a gateway evaluated, a verdict issued, an Evidence Pack™ sealed. A control plane that intercepts only at the gateway has no answer for the seven hops before and after. KYE Protocol™ declares each one explicitly, signs each transition, and makes the whole timeline replayable.
Each card carries a real artefact: a JWKS URL, a delegation envelope fragment, a state-vector value, an Evidence Pack™ hash. These are the shapes that traverse the wire — not pseudo-code, not "imagine if".
An organisation publishes its key material under a canonical KYE™ ID and a JWKS endpoint. This is the root of trust every downstream signature resolves to.
Proof artefact · JWKS endpointGET https://acme.example/.well-known/kye/jwks.json
→ { "keys": [ { "kid": "kye:org:gb:acme#sig-2026", "alg": "EdDSA", ... } ] }
A human or service principal signs a delegation envelope: who, to whom, what scope, what expiry, what attenuation rules. The envelope is published to the audit chain at the moment of signing.
Proof artefact ·kye.delegation.v1 envelope
{
"delegator": "kye:org:gb:acme",
"delegatee": "kye:agent:gb:acme:purchasing-bot-7",
"scope": ["payment.prepare:<=1000GBP", "supplier:approved-list"],
"expires": "2026-06-15T00:00:00Z",
"sig": "ed25519:..."
}
The agent may sub-delegate to a tool, a sub-agent, or a downstream service — but only with attenuated scope. Every hop appends a signed link; no hop can widen what its parent granted.
Proof artefact · attenuation ruleparent.scope ⊇ child.scope ← enforced at sign-time
parent.expires ≥ child.expires ← enforced at sign-time
chain_depth ≤ 5 ← policy-bound
The agent forms an intent: call a tool, prepare a payment, draft a document. The intent is itself a signed object — the runtime captures it before any side effect is attempted.
Proof artefact · intent envelope{
"actor": "kye:agent:gb:acme:purchasing-bot-7",
"action": "payment.prepare",
"target": "supplier:acme-supplier-00482",
"amount": { "value": 950, "currency": "GBP" },
"delegation_chain": ["env:abc...", "env:def..."]
}
The KYE Authority Gateway™ intercepts at the commit boundary — the moment the action would cross into the world. It loads the delegation chain, the state vector, the scope and the applicable policy bundle.
Proof artefact · commit-boundary hookPOST /kye/authority/check
X-Kye-Intent-Sig: ed25519:...
body: { intent, chain, state_vector_snapshot }
→ 200 (admit | deny | escalate | evidence-insufficient)
The six independent dimensions are snapshotted at decision time. Each one cascades independently — expire a credential, watch only credential_state flip; freeze authority, only authority_state moves.
entity_state: active
authority_state: scoped
delegation_state: active
credential_state: valid
recovery_state: healthy
risk_state: nominal
One of four verdicts is returned — admit, deny, escalate, or evidence-insufficient — with a signed Decision Map™ citing every rule that fired and every state value that influenced the outcome.
{
"verdict": "admit",
"decision_map_sha256": "9f3e...",
"rules_fired": ["scope.in_bounds", "amount.under_cap", "supplier.approved"],
"signed_at": "2026-05-30T11:02:14Z"
}
The integrating system either executes the action or refuses. Either way, the outcome is sealed: the moment the gateway returned a verdict, the authority decision became final and immutable. Nothing downstream can mutate it.
Proof artefact · finality markerfinality_reached_at: 2026-05-30T11:02:14.218Z
verdict_sha256: a14c...
downstream_action: committed | refused
mutability: immutable (verdict frozen at T=0)
The runtime composes the intent, the delegation chain, the state vector snapshot, the policy bundle hash, the verdict and the execution outcome into one signed bundle. Any auditor can replay it from public keys alone — no live KYE™ call required.
Proof artefact · Evidence Pack™ seal{
"pack_id": "ep:2026-05-30:purchasing-bot-7:11020014",
"bundle_sha": "c8d2...",
"replay_seed":"4f0a...",
"issuer_kid": "kye:org:gb:acme#sig-2026",
"sig": "ed25519:..."
}
After finality, the lifecycle continues. Revocations propagate recursively down delegation chains; expiries trigger automatic delegation_state: expired transitions; audits replay sealed packs years later from the JWKS alone.
{
"event": "delegation.revoked",
"subject": "kye:agent:gb:acme:purchasing-bot-7",
"cascade": ["env:abc...", "env:def..."],
"reason": "principal.requested",
"emitted": "2026-05-30T14:48:02Z"
}
Why the whole timeline matters. A behavioural-control plane that intercepts only at state 5 (the gateway check) cannot answer: where did this authority come from? (states 1–3), what was the intent we evaluated? (state 4), what was the decision shape? (states 6–7), what evidence survives? (state 9), what happens when authority is revoked tomorrow? (state 10). KYE Protocol™ declares each one as a signed state — not as a log line.