AIVSS Risk Mapping
How the Agent Passport System maps against the OWASP AI Vulnerability Scoring System. 10 risks assessed. Honest coverage. No inflated claims.
What these ratings mean. Strong: cryptographic or deterministic enforcement, tested with adversarial scenarios. Partial: detection, reputation consequences, or structural mitigation, but not hard prevention. Weak: the protocol acknowledges the risk but provides minimal mitigation. All adversarial tests are developer-authored internal evaluation, not independent red-team validation.
Strong Coverage
Ed25519 key pairs bind identity to cryptographic material. Passport signatures are verified on every protocol interaction. An attacker cannot impersonate another agent without possessing its private key.
Monotonic scope narrowing is enforced at every delegation step. The deterministic gate checks scope on every action. Sub-delegations cannot exceed parent scope. Spend limits can only decrease.
Revoking a delegation cascades to all descendants. Revocation is irreversible. A compromised intermediate agent's entire sub-tree can be neutralized by revoking its delegation.
Every delegation chain traces to a human principal. Traceability (F-001) is technically enforced. Merkle attribution provides compact, verifiable proof of the beneficiary chain.
A three-signature chain requires an intent declaration before action, a policy evaluation before execution, and a receipt after completion. Commerce actions are gated by a 4-gate preflight with spend limits.
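The narrowing and revocation rules above, as an added illustration that is not the Agent Passport SDK's own code: a minimal deterministic gate in which child scope must be a subset of parent scope, spend limits only decrease, and revoking one delegation marks its whole sub-tree revoked. All names are hypothetical; passport signatures are left out so only the scope logic is modelled.

```python
# Added example, not the Agent Passport SDK's own code: a minimal deterministic
# gate modelling monotonic narrowing and cascading, irreversible revocation.
from dataclasses import dataclass

@dataclass
class Delegation:
    agent: str
    parent: "str | None"    # None marks the human principal at the root
    scope: frozenset        # allowed action names
    spend_limit: float
    revoked: bool = False

class DelegationChain:
    def __init__(self, principal, scope, spend_limit):
        # Every chain starts at a human principal (hypothetical root record).
        self.nodes = {principal: Delegation(principal, None, frozenset(scope), spend_limit)}

    def delegate(self, parent, child, scope, spend_limit):
        p, scope = self.nodes[parent], frozenset(scope)
        if p.revoked:
            raise PermissionError(f"{parent} is revoked and cannot delegate")
        if not scope <= p.scope:   # sub-delegation may not exceed parent scope
            raise ValueError(f"scope {sorted(scope - p.scope)} exceeds parent scope")
        if spend_limit > p.spend_limit:   # spend limits can only decrease
            raise ValueError("spend limit may only decrease along the chain")
        self.nodes[child] = Delegation(child, parent, scope, spend_limit)
        return self.nodes[child]

    def revoke(self, agent):
        # Irreversible: marks the agent and its whole sub-tree as revoked.
        done, stack = [], [agent]
        while stack:
            a = stack.pop()
            self.nodes[a].revoked = True
            done.append(a)
            stack += [n.agent for n in self.nodes.values() if n.parent == a]
        return done

    def chain_to_principal(self, agent):
        path = []
        while agent is not None:
            path.append(agent)
            agent = self.nodes[agent].parent
        return path   # last element is the human principal

    def gate(self, agent, action, amount=0.0):
        # Deterministic check on every action: no revoked link anywhere up
        # the chain, action within scope and amount within the spend limit.
        live = not any(self.nodes[a].revoked for a in self.chain_to_principal(agent))
        d = self.nodes[agent]
        return live and action in d.scope and amount <= d.spend_limit
```

Because each delegate() call already enforces the subset relation, gate() only needs to walk the chain for revocation state; the scope check on the leaf is sufficient.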
Partial Coverage
Agora provides signed, append-only message feeds. Tampering with historical messages is detectable through signature verification. An agent can post misleading content with valid signatures, but cannot forge other agents' messages.
The coordination layer provides structured task lifecycles with evidence, review, and handoff gates. The MCP server, when deployed as a gateway, mediates all agent actions.
The policy engine evaluates intents against the values floor. Advisory evaluation assesses proportionality and deception. Commerce actions are independently gated even when triggered from coordination.
Weak Coverage
The protocol does not currently verify the provenance of its own governance artifacts (floor definitions, policy configurations, agent binaries). A compromised floor.yaml or backdoored SDK would undermine all guarantees.
The protocol enforces scope, not intent alignment. An agent pursuing misaligned goals within literal scope passes all deterministic checks. F-008 (Epistemic Security) provides a governance principle, not a hard mitigation.
Full analysis in the paper: "Monotonic Narrowing for Agent Authority" (Section 7). All adversarial scenarios (S1-S10) have running tests against SDK v2.9.0.