KYE Protocol
An open standard (Apache 2.0) that turns every AI-agent and automation action into signed, replayable evidence a regulator, auditor, or court can verify with public keys alone.
About KYE Protocol
KYE Protocol™ is an open standard for AI-agent governance that converts every delegated action — by a human, business, AI agent, service, model, tool, or workflow — into a cryptographically signed, replayable evidence chain. The v1.0 contract was frozen in April 2026 and is published under Apache 2.0, with a reference Gateway, three SDKs (TypeScript, Python, Go), and 133 conformance fixtures all passing in CI.
What It Is
KYE Protocol™ defines the runtime authority and evidence layer for delegated AI actions. It gives every actor a single URN, one delegation chain, one decision vocabulary, one cascading signal bus, and one append-only audit chain — so the question "who acted, on whose behalf, with what authority, under what scope, with what evidence?" has the same answer across every system. The protocol composes with existing identity providers (Okta, SPIFFE, Auth0), policy engines (OPA, Cedar, Cerbos), and SIEM tools rather than replacing them.
The six core primitives are:
- Identity — one URN per actor, verifiable across vendors
- Authority — signed, attenuable, revocable delegation chain back to a human or business
- Scope — action lists, environment, money limits, time windows, and obligations enforced by the PDP
- State — six independent dimensions: lifecycle, authority, delegation, credential, recovery, risk
- Audit — append-only chain, signed proof bundle, point-in-time replay verifiable with public keys alone
- On-behalf-of — actor ↔ principal binding
Protocol Architecture and Profiles
The protocol ships as 10 canonical profiles (core, connector, manifest, conformance, pdp, epdp, spdp, pep, runtime-authority, evidence-replay), 23 rule packs, 17 sector packs, and 27 dictionaries. Seven runtime profiles extend the core: Action Admissibility, Continuity, Discoverability, Ontology, Operating Model, Assurance Card, and Formal Rules. The reference Gateway runs on Cloudflare Workers + D1 + R2 + Queues — serverless, zero VMs, globally distributed.
Key runtime surfaces include:
- Decision Map™ — a per-decision graph showing actor → principal → delegation → capability → authority → scope → state → policy → decision → audit → evidence
- Evidence Pack™ — Ed25519-signed, replayable offline using only the publisher's JWKS
- Blast Radius Map™ — shows every capability, agent, payment, and decision affected by a compromised credential before revocation
- KYE Signal Bus™ — cascades stop/revoke signals through every downstream delegation in milliseconds
- Scenario Testing™ and Approval Briefs™ — pre-action stress evaluation and structured human-approval workflows
Compliance Coverage
The protocol's Compliance Mapping Rail™ binds runtime events to 289 control mappings across 13 horizontal frameworks: SOC 2, ISO 27001:2022, PCI DSS 4.0, PSD2/PSD3, DORA, NIS2, EU AI Act, ISO 42001, NIST AI RMF, NIST 800-207, NIST CSF, GDPR, and FedRAMP. Sector overlays cover banking and payments, healthcare, capital markets, custody and digital assets, insurance, AI labs, public sector, defence, energy and critical infrastructure, and manufacturing. An OSCAL exporter is included.
Deployment Model
KYE Protocol™ is a contract layer, not a hosted SaaS product. The site notes that a hosted Cloud Gateway™ SaaS is planned for v1.1 but is not yet available. Deployment options include:
- A vendor or in-house Gateway behind an existing edge
- An embedded PDP library for low-latency local decisions
- PEP middleware in a service mesh
- The Signal Bus™ subscribed to by a SIEM
The reference Gateway is described as pilot-grade (correctness-first, not throughput-tuned). Production deployments substitute a hardened build behind the same open contract. The protocol supports single-tenant and multi-tenant topologies, on-premises, hybrid, or cloud.
Update: v1.0 Contract Frozen, v1.1 in Progress
The v1.0 contract surface was frozen in April 2026, covering 174 OpenAPI operations across 87+ runtime endpoints, 337 JSON Schemas with 286 validated examples, and 133 conformance fixtures. Four new CLI sub-engine verbs were added on 2026-05-17: kye search (KYE Native Search Engine™), kye memory (KYE Memory Engine™), kye data-flow (KYE Data Mapping Agent™), and kye report (KYE Reporting Engine™), each emitting signed envelopes replayable offline. The v1.1 roadmap adds sector overlays for healthcare (42 CFR Part 2), conformance-report.json and conformance-fixture.json schemas, and extended signal-bus durability options. v2.0 targets federation v2 with multi-hop attenuation and a move of patent-track algorithms to a royalty-free open standard under the Linux Foundation or OpenWallet Foundation track.
Pricing
Open Source
Full protocol contract, reference Gateway, three SDKs, conformance fixtures, and all schemas — free under Apache 2.0.
- Apache 2.0 open standard
- KYE Reference Gateway™
- TypeScript, Python, and Go SDKs
- 133 conformance fixtures
- 337 JSON Schemas + 286 validated examples
Pilot
Structured 2–4 week enterprise pilot with shadow mode deployment and first Evidence Pack™ delivery in 4–8 weeks. Contact sales for scoping.
- Shadow mode stack binding
- First Evidence Pack™ in 4–8 weeks
- 2-day qualification process
- Live authority-mapping workshop
- Procurement pack with production hardening register
Capabilities
Key Features
- Signed, replayable Evidence Pack™ per AI-agent action
- Decision Map™ with full actor-to-evidence graph
- Blast Radius Map™ for compromise impact assessment
- Cascading revocation via KYE Signal Bus™
- 289 control mappings across 13 compliance frameworks
- OSCAL exporter for regulatory evidence
- Action Admissibility Profile™ — pre-action upstream check
- KYE Continuity Profile™ — intent-to-action drift detection
- KYE Discoverability Profile™ — queryable authority graph
- KYE Formal Rules Profile™ — permissions, obligations, prohibitions at runtime
- KYE Assurance Card Profile™ — lifecycle assurance record per delegated entity
- Reality Coupling™ — stable-drift detection for autonomous systems
- Scenario Testing™ — deterministic pre-action stress evaluation
- Approval Briefs™ — structured human-approval with signed evidence
- KYE Native Search Engine™ with signed result envelope
- KYE Memory Engine™ — retention-bounded, signed, append-only
- KYE Reporting Engine™ — per-framework signed compliance reports
- KYE Data Mapping Agent™ — signed data flow graph
- Six-dimension state vector per entity
- 133 black-box conformance fixtures
- Three reference SDKs: TypeScript, Python, Go
- 11 read-only stack bindings (IAM, OAuth, API gateway, MCP, AI frameworks, workflow engines, SIEM, GRC, policy engines, audit logs, data stores)
- Self-governance: protocol runs its own engines on itself with Ed25519-signed artefacts
- Serverless Cloudflare-native reference Gateway (Workers + D1 + R2 + Queues)
- Rule Pack Marketplace™ and Consultant Marketplace™
