When two autonomous agents from different organizations talk to each other, they have to decide whether to trust each other's actions. Today that decision is mostly opaque. One side has its own scoring, the other side has its own thresholds, and reconciliation across providers comes down to whose guardrails you ran through last.
A recent A2A protocol discussion surfaced the underlying gap. If every layer introduces its own score, grade, or tier, two independent systems cannot deterministically arrive at the same decision, even when every individual signal was valid and signed. What is missing is a notion of decision identity, something that lets different representations be verified as equivalent outcomes rather than as locally consistent ones.
Governance Attestation is our answer. It is a single signed JSON document per agent that any party can fetch, verify offline with ML-DSA-65, and act on without calling our API. One canonical document, one deterministic trust level, one mapping published in our docs.
What is in an attestation
{
"version": 1,
"agent_id": "agt_x7y8z9",
"issuer": "asqav",
"trust_level": "L2",
"capability_manifest_hash": "sha256:3f2a...",
"policy_digest": "sha256:91c4...",
"compliance_attestations": ["eu_ai_act_art12", "soc2_audit"],
"issued_at": "2026-04-19T12:00:00+00:00",
"expires_at": "2026-04-26T12:00:00+00:00"
}
The body is canonical JSON, signed with the agent's post-quantum ML-DSA-65 key. Signature, public key, and verify URL come back alongside the body. Two independent verifiers recomputing the canonical bytes of the body get the same digest, run the same signature check, and reach the same decision. That is what deterministic trust looks like at the protocol layer.
The trust levels
Four canonical levels, derived deterministically from the agent's state. No subjective scoring.
- L0 Unknown - default. No signed activity in the last 30 days.
- L1 Monitored - at least one signed action in the last 30 days.
- L2 Governed - L1, and the owning organization has at least one enabled policy.
- L3 Autonomous - L2, and no revocation or suspension in the last 90 days.
Because the rules are public, an auditor can reconstruct the level from the raw signed records. If they disagree with the outcome, the argument is about the rules, not about whose internal scoring they trust.
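The two deterministic steps above, canonical bytes of the body and the level derived from raw records, as an added Python example (not asqav's code): the four rules applied in order to timestamped records, plus a SHA-256 over a canonical encoding. The canonicalization (sorted keys, no insignificant whitespace, UTF-8), the helper names, and the sample timestamps are assumptions; the ML-DSA-65 signature check is left out because the standard library has no PQ signatures.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed reference instant; it equals the issued_at of the sample attestation above.
NOW = datetime(2026, 4, 19, 12, 0, tzinfo=timezone.utc)

def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)

def canonical_bytes(body: dict) -> bytes:
    # Assumed canonicalization (the post does not name one): sorted keys, no
    # insignificant whitespace, UTF-8. Every verifier must apply the identical rule.
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def body_digest(body: dict) -> str:
    return "sha256:" + hashlib.sha256(canonical_bytes(body)).hexdigest()

def derive_trust_level(now: datetime, signed_actions: list,
                       enabled_policies: int, revocations_or_suspensions: list) -> str:
    """The four published rules, applied in order to raw timestamped records.
    Records dated after `now` are ignored so a skewed clock cannot buy a level."""
    def within(days: int, stamps: list) -> bool:
        return any(now - timedelta(days=days) <= t <= now for t in stamps)

    if not within(30, signed_actions):
        return "L0"  # Unknown: no signed activity in the last 30 days
    if enabled_policies < 1:
        return "L1"  # Monitored: activity, but no enabled policy on the org
    if within(90, revocations_or_suspensions):
        return "L2"  # Governed: policy in place, but a recent revocation/suspension
    return "L3"      # Autonomous

def within_validity(body: dict, now: datetime) -> bool:
    # A valid signature is not enough; the attestation must also be inside its window.
    issued = datetime.fromisoformat(body["issued_at"])
    expires = datetime.fromisoformat(body["expires_at"])
    return issued <= now < expires

# The body from the post as a dict; the same content with keys in another order
# must canonicalize to the same digest, or the two verifiers disagree.
EXAMPLE_BODY = {
    "version": 1, "agent_id": "agt_x7y8z9", "issuer": "asqav", "trust_level": "L2",
    "capability_manifest_hash": "sha256:3f2a...", "policy_digest": "sha256:91c4...",
    "compliance_attestations": ["eu_ai_act_art12", "soc2_audit"],
    "issued_at": "2026-04-19T12:00:00+00:00", "expires_at": "2026-04-26T12:00:00+00:00",
}
REORDERED_BODY = dict(reversed(list(EXAMPLE_BODY.items())))
```

An auditor reconstructing a level feeds the same records into derive_trust_level and compares the result with the trust_level field of the signed body; a mismatch means the issuer applied different rules, not a different opinion.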
The public verify path
curl https://api.asqav.com/api/v1/public/attestation/agt_x7y8z9
No auth. No API key. Any third party fetches the signed envelope. The signature verifies offline against the returned public key using ML-DSA-65. The canonical body tells them the trust level, capability hash, policy digest, and the exact window the attestation is valid for.
A2A Agent Card integration
For agents exchanging Agent Cards through A2A, drop the attestation URL and hash into your card. Recipients verify the governance posture before accepting a request.
{
"name": "research-agent",
"governance": {
"provider": "asqav",
"attestation_url": "https://asqav.com/attestation/agt_x7y8z9",
"attestation_hash": "sha256:..."
}
}
Issuing an attestation
POST /api/v1/agents/{agent_id}/attestation
X-API-Key: sk_live_...
A fresh attestation expires after seven days, at which point you issue a new one. That window is short on purpose. Trust is a function of recent behavior, not a static label attached once.
Why this exists on Enterprise
Governance Attestation is a cross-organization trust primitive. It only pays off when you are operating agents that talk to other organizations' agents, usually under contract, usually with legal and compliance sitting on the other side of the table. That is the shape of Enterprise deployments.
For single-organization setups, audit trails, policy enforcement, and the public verify endpoint still cover everything.
Full docs: asqav.com/docs/attestation