KYA Labs has released AIP (Agent Intent Protocol), a working cryptographic protocol that does for AI agents what OAuth and TLS do for the web — verify who they are and what they're allowed to do. The project, built by Aniket Giri and published as open-source with a Python SDK already on PyPI, targets <a href="/news/2026-03-14-agentic-systems-security-crisis">a security gap ignored by frameworks like LangChain, CrewAI, and Microsoft's AutoGen</a>: they let agents execute real-world actions — transferring funds, calling external APIs, modifying databases — with no native layer to check whether the agent is actually permitted to do so. AIP addresses this by assigning every agent an Ed25519-based decentralized identifier (DID) in the form did:web:domain:agents:name, requiring all actions to be packaged into cryptographically signed Intent Envelopes, and running them through an 8-step verification pipeline before execution.
The protocol trades some verification depth for speed. AIP introduces tiered verification: Tier 0 handles low-risk, cached intents in under 1ms using HMAC checks; Tier 1 runs full Ed25519 cryptographic verification at around 5ms for normal operations; Tier 2 handles cross-organizational or high-value intents at 50 to 100ms with the complete pipeline. Beyond cryptographic identity, the protocol enforces behavioral boundaries including per-action allowlists and denylists, per-transaction and per-day monetary limits, and geo-restrictions. A real-time kill switch can revoke any agent across a mesh network with zero propagation delay, and a Bayesian trust scoring model builds reputation from verification history. A semantic intent drift detector rejects actions that fall outside an agent's declared operational scope — 22 structured AIP-Exxx error codes provide machine-readable audit trails across five failure categories.
For developers, AIP positions itself as infrastructure plumbing rather than an application-level guardrail. The Python SDK, published on PyPI as aip-protocol (v0.3.0, MIT licensed, zero dependencies beyond the standard library and the cryptography package), offers a single @shield decorator that auto-generates agent passports and enforces boundaries on any existing function or class. Framework-specific packages — aip-langchain, aip-crewai, and aip-autogen — provide a one-line integration path for the three major agent frameworks. The protocol draws on W3C Decentralized Identifiers for agent addressing and borrows structural concepts from JWTs, but embeds behavioral metadata — monetary limits, allowlists, geo-restrictions — directly into the signed credential rather than delegating to a separate policy server, enabling sub-millisecond verification without a network round-trip.
AIP enters a standards landscape that remains notably unsettled. Anthropic's Model Context Protocol defines how tools and context are surfaced to agents but explicitly lacks an authorization layer, a gap AIP directly targets. Google's Agent2Agent protocol addresses inter-agent communication semantics. The IETF OAuth working group has early-stage community discussions around OAuth for AI agents but no ratified standard as of early 2026. AIP's open AIP-1 specification, paired with a commercial Korven Cloud offering that adds a revocation mesh, cross-organization replay detection, and compliance audit logs, mirrors the playbook of open infrastructure standards like Let's Encrypt — establish developer adoption first, then pursue broader standardization. The project's pre-1.0 versioning and single-developer origin present real fragmentation risk if larger institutional players ship competing standards, but the one-line integration path and absence of any incumbent solution gives AIP a head start before larger players ship competing standards.