AI agents are crossing organizational boundaries. They call tools in partner domains, delegate tasks to external services, and operate in chains where no single actor sees the full picture.
COA-MAS v1 solved the intra-domain governance problem — a four-layer architecture, the Action Claim contract, and the AASG enforcement boundary that ensures zero cognitive load at runtime. If you haven't read it, the paper is at doi.org/10.5281/zenodo.19057202.
The cross-domain problem is different. And it took a full architectural pivot to solve it correctly.
The Silver Bullet Fallacy
Early iterations of COA-MAS v2 tried to build a universal calibration mechanism — a way to translate risk scores between domains with different semantic spaces. After several rounds of debate and stress-testing, it became clear that this approach has the same flaw as trying to replace PIX, TED, wire transfers, and letters of credit with a single payment instrument.
Each of those instruments exists because different transaction contexts require different guarantees. Resilience in distributed systems comes from routing to the right pattern based on context — not from finding the pattern that works everywhere.
The Thesis
COA-MAS v2 is a meta-framework, not a protocol. It standardizes one thing: the Action Intent — a universal artifact that any federated governance pattern can consume. The choice of execution topology is delegated to a Pattern Selection Protocol negotiated during trust peering.
The Action Intent is the common currency. The federation mode is the exchange mechanism.
The Action Intent
The Action Intent is the "passport" of the COA-MAS federation. It is a standardized, cryptographically signed declaration of:
- Who is acting — SPIFFE identity, delegation chain, GOV-RISK attestation
- What they intend to do — tool URI, operation type, resource scope
- What effect they declare — reversibility, estimated scope, data sensitivity
- Cryptographic binding — ephemeral DPoP public key for proof-of-possession
Domain A's internal policy, prompts, and risk weights are never transmitted. Only the declared intent, authenticated by Domain A's governance layer.
If Domain A lies — declares bounded_set but attempts a full-table deletion — the signed intent becomes irrefutable forensic evidence. The problem moves from governance mathematics to organizational accountability, backed by cryptographic proof.
The canonical JSON Schema is published at doi.org/10.5281/zenodo.19376419.
The Four Federation Modes
The Pattern Selection Protocol routes each cross-domain interaction to the appropriate mode based on trust distance, acceptable latency, and cognitive burden tolerance.
Mode 0 — Intra-Domain (COA-MAS V1)
Same domain. Deterministic, microsecond latency, zero external dependencies. The foundation everything else builds on.
Mode 1 — Sovereign Visa
Domain A submits the Action Intent to Domain B's authorization endpoint. Domain B's GOV-RISK evaluates it using its own Executable Culture — full sovereignty, no calibration across semantic spaces. GOV-RISK-B issues a standard COA-MAS v1 Action Claim with DPoP binding. AASG-B validates a locally-trusted signature at runtime. Zero cognitive load.
Mode 2 — Ambassador
Domain B doesn't expose tools to foreign agents at all. It exposes an agent communication interface. Domain A's intent becomes the opening message of an A2A conversation. Domain B's Ambassador agent formulates its own plan, submits it to GOV-RISK-B via Mode 0, and executes locally. Maximum isolation. Non-deterministic latency.
Mode 3 — Clearinghouse
A neutral Domain C — a regulated hub both domains trust — evaluates the intent and issues a universally-accepted Action Claim. Appropriate for regulated industries (Open Finance, healthcare prior authorization). Opt-in only: it trades polycentric sovereignty for operational simplicity.
Future Mode 4 — ZK-Policy
The CAGA-compliant target. Domain A generates a zero-knowledge proof of correct policy execution without revealing internal data. Domain B verifies mathematically. Not implementable in production today due to ZKML hardware constraints — but the meta-framework is explicitly designed to incorporate it as Mode 4 when viable, without requiring changes to the Action Intent schema or SPIFFE infrastructure.
The Pattern Selection Protocol
Domains don't negotiate a single mode — they negotiate a Federation Policy that maps operation families and resource classes to modes:
{
"mode_by_operation": {
"read": { "mode": 1, "ttl_seconds": 1800, "single_use": false },
"delete": { "mode": 1, "ttl_seconds": 120, "single_use": true },
"configure": { "mode": 2 }
},
"mode_by_resource_class": {
"pii": { "mode": 2 },
"regulated": { "mode": 3 }
}
}
The same pair of domains can use Mode 1 for routine reads and Mode 2 for infrastructure operations — without renegotiating the peering relationship.
Positioning Against CAGA
Meyman [SSRN 6299461] formalizes the Cross-Agent Governance Alignment (CAGA) problem and identifies zero-knowledge proofs as the theoretically correct solution. COA-MAS v2 is the operationally deployable answer while ZKML hardware matures — trading full policy confidentiality for sub-millisecond runtime enforcement, zero integration cost for Domain B, and compatibility with stochastic LLM-based GOV-RISKs.
The relationship is complementary. CAGA defines what a correct solution must prove. COA-MAS v2 defines how production systems navigate the space between the theoretically ideal and the operationally deployable.
What's Published
📄 Working Paper v0.3
doi.org/10.5281/zenodo.19376738
zenodo.org/records/19376739
🔧 Action Intent Schema v1.0.0
doi.org/10.5281/zenodo.19376419
zenodo.org/records/19376420
📚 COA-MAS v1 (foundation)
doi.org/10.5281/zenodo.19057202
If you're building cross-domain multi-agent systems and the governance layer is an afterthought, the meta-framework and the schema are open access. Feedback, critique, and stress-testing welcome.
Top comments (0)