Policy Commitment Attestation
A specification for verifiable AI agent commitments to governance statements.
```mermaid
flowchart LR
Agent((AI agent)):::agent
Policy[Governance statement]:::policy
Cred[PolicyCommitmentCredential<br/>T1-T6 + evidence + scope]:::cred
Verifier:::verifier
Agent -- "commits at tier N" --> Cred
Policy -- "version + hash" --> Cred
Cred -- "signed W3C VC<br/>resolvable evidence" --> Verifier
classDef agent fill:#fff4e0,stroke:#d97706,stroke-width:2px,color:#451a03
classDef policy fill:#e8f4ff,stroke:#2563eb,color:#0b1a36
classDef cred fill:#e6ffed,stroke:#16a34a,stroke-width:2px,color:#052e16
classDef verifier fill:#f3e8ff,stroke:#7c3aed,color:#2e1065
```
What PCA is
- A W3C Verifiable Credentials credential type (`PolicyCommitmentCredential`) binding an agent identity to a specific governance statement version.
- A six-tier Commitment Maturity Ladder, T1 Read → T6 Enforced, with normative evidence floors per tier.
- An in-toto predicate type for per-evidence-artifact linking (ADR, memory file, skill, PR commit, runtime hook).
- An OSCAL mapping so credentials export as `assessment-results` for FedRAMP-adjacent reporting.
- An ODRL profile for machine-readable scope constraints and refusal rules.
The Commitment Maturity Ladder
| Tier | Name | Meaning | Floor evidence |
|---|---|---|---|
| T1 | Read | Agent knows the statement exists and is bound by it | Agent DID + timestamp |
| T2 | Understood | Agent can paraphrase, cite, surface in reasoning | Self-explanation; similarity ≥ 0.8 |
| T3 | Adopted | Statement lives in the agent’s working memory | Memory file, AGENTS.md fragment |
| T4 | Codified | Durable repository artifact carries the commitment | ADR, skill, PR commit |
| T5 | Bounded | Scope constraint / refusal rule applied | ODRL prohibitions |
| T6 | Enforced | Runtime guardrail blocks violations | Hook, middleware, tool allowlist |
Tiers are cumulative: a credential claiming T6 must also carry the floor evidence for T5, T4, and every lower tier down to T1. A verifier therefore checks every rung up to the claimed tier, not just the top one.
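The two checks a verifier of a `PolicyCommitmentCredential` has to make beyond signature validation are the ones the diagram and the ladder describe: the credential binds one statement version (version + hash), and the claimed tier is only as good as the evidence for every rung beneath it. The TypeScript below is an added example, not code from SPEC.md or the DigitalBazaar reference implementation. The `credentialSubject` field names (`policyDigest`, `tier`, `evidence`, `similarity`, ...) and the sample statement, DIDs and artifact paths are assumptions made for illustration; proof verification is left to the VC library and not shown.

```typescript
// Added example; not the PCA spec's normative shape. Field names inside
// credentialSubject are assumptions. Data Integrity proof checking is the
// VC library's job and is omitted here.
import { createHash } from "node:crypto";

type Tier = 1 | 2 | 3 | 4 | 5 | 6;

// One evidence artifact and the rung it is offered for (assumed shape).
interface Evidence {
  tier: Tier;
  type: string;        // e.g. "SelfExplanation", "MemoryFile", "ADR", "ODRLPolicy", "RuntimeHook"
  ref?: string;        // resolvable locator for the artifact
  similarity?: number; // T2 only: paraphrase similarity score
}

interface PolicyCommitmentSubject {
  id: string;            // agent DID
  policyId: string;
  policyVersion: string;
  policyDigest: string;  // "sha256:<hex>" over the governance statement text
  tier: Tier;            // claimed rung on the ladder
  committedAt: string;   // ISO 8601; together with the DID this is the T1 floor
  evidence: Evidence[];
}

interface PolicyCommitmentCredential {
  "@context": string[];
  type: string[];
  issuer: string;
  credentialSubject: PolicyCommitmentSubject;
}

export interface VerifyResult { ok: boolean; problems: string[]; }

export function sha256Digest(text: string): string {
  return "sha256:" + createHash("sha256").update(text, "utf8").digest("hex");
}

// Floor evidence per tier, taken from the ladder. T1 is satisfied by the DID
// and timestamp on the subject itself, so it needs no separate artifact.
const FLOOR: Record<Tier, (ev: Evidence[]) => boolean> = {
  1: () => true,
  2: (ev) => ev.some((e) => e.tier === 2 && (e.similarity ?? 0) >= 0.8),
  3: (ev) => ev.some((e) => e.tier === 3),
  4: (ev) => ev.some((e) => e.tier === 4),
  5: (ev) => ev.some((e) => e.tier === 5),
  6: (ev) => ev.some((e) => e.tier === 6),
};

export function verifyCommitment(
  vc: PolicyCommitmentCredential,
  statementText: string, // the governance statement text the verifier holds
): VerifyResult {
  const problems: string[] = [];
  if (!vc.type.includes("PolicyCommitmentCredential")) problems.push("wrong credential type");
  const s = vc.credentialSubject;
  if (!s.id.startsWith("did:")) problems.push("subject id is not a DID");
  if (Number.isNaN(Date.parse(s.committedAt))) problems.push("committedAt is not a timestamp");
  // Version binding: recompute the digest over the text in hand, so an edited
  // statement cannot ride on a commitment made to an earlier version.
  if (s.policyDigest !== sha256Digest(statementText)) problems.push("policy digest mismatch");
  // Cumulative tiers: a T_N claim must meet every floor from T1 up to T_N.
  for (let t = 1; t <= s.tier; t++) {
    if (!FLOOR[t as Tier](s.evidence)) problems.push(`tier T${t} floor not met`);
  }
  return { ok: problems.length === 0, problems };
}

// ---- constructed sample data; not a real statement, agent or artifact ----
export const STATEMENT = "Agents MUST NOT merge to main without a human-approved PR review.";

function baseCredential(tier: Tier, evidence: Evidence[]): PolicyCommitmentCredential {
  return {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    type: ["VerifiableCredential", "PolicyCommitmentCredential"],
    issuer: "did:example:issuer",
    credentialSubject: {
      id: "did:example:agent-42",
      policyId: "policy:merge-review",
      policyVersion: "1.2.0",
      policyDigest: sha256Digest(STATEMENT),
      tier,
      committedAt: "2025-01-15T10:00:00Z",
      evidence,
    },
  };
}

// T4 Codified with every lower floor present: verifies cleanly.
export const codifiedVc = baseCredential(4, [
  { tier: 2, type: "SelfExplanation", similarity: 0.91 },
  { tier: 3, type: "MemoryFile", ref: "AGENTS.md#merge-review" },
  { tier: 4, type: "ADR", ref: "docs/adr/0007-merge-review.md" },
]);

// Claims T6 Enforced but skipped T2, T3 and T5: a hook alone does not reach T6.
export const hollowVc = baseCredential(6, [
  { tier: 4, type: "ADR", ref: "docs/adr/0007-merge-review.md" },
  { tier: 6, type: "RuntimeHook", ref: "hooks/pre-merge.mjs" },
]);
```

Running `verifyCommitment(hollowVc, STATEMENT)` reports the three missing floors rather than failing on the first one, which is what an auditor wants to see when deciding whether a T6 claim is real or a guardrail bolted on without the codified commitment beneath it. Passing an amended statement text with the original credential fails on the digest check, which is the property that makes the version binding in the diagram meaningful.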
Get started
- SPEC.md — normative specification (v0.1 draft, §1–§11)
- examples/ — three progression credentials: T1 minimal, T4 codified, T6 enforced
- guide/implementation-guide.md — reference implementation with DigitalBazaar TypeScript
- JSON-LD context — canonical context document
- CONTRIBUTING.md — how to propose changes
- GOVERNANCE.md — stewardship + AAIF transition path
Reference implementation
`smoke-test.mjs` in the Dictiva repo is a reproducible end-to-end issue + verify round-trip. Clone the repo, then `cd scripts/attestix-spike`, `npm install`, `npm run smoke`.
Status
Version: v0.1 draft · Stage: pre-AAIF project proposal · License: Apache 2.0 · Stewardship: Dictiva, targeting Linux Foundation AAIF contribution.
Related Dictiva ADRs
Feedback welcome
File issues on the repository. Review especially wanted from the W3C VC community, in-toto maintainers, the MCP working group, and AAIF TSC members.