Agent Control Protocol: Admission Control for Agent Actions

Autonomous agents can produce harmful behavioral patterns from individually valid requests. This class of threat cannot be addressed by per-request policy evaluation, because stateless engines evaluate each request in isolation and cannot enforce properties that depend on execution history. We present ACP, a temporal admission control protocol that enforces behavioral properties over execution traces by combining static risk scoring with stateful signals (anomaly accumulation, cooldown) through a LedgerQuerier abstraction that separates decision logic from state management. Under a 500-request workload where every request is individually valid (RS=35), a stateless engine approves all 500 requests. In contrast, ACP limits autonomous execution to 2 out of 500 (0.4 percent), escalating risk after 3 actions and enforcing denial after 11. We identify a bounded state-mixing vulnerability where agent-level anomaly aggregation can inadvertently elevate risk across unrelated contexts. We resolve this in ACP-RISK-3.0 by scoping temporal signals to the tuple (agentID, capability, resource), preserving deterministic enforcement within each context. Performance evaluation demonstrates decision latencies of 767 to 921 ns (p50) and throughput up to 920000 req/s. The protocol's safety and liveness are model-checked via TLA+ (9 invariants, 4 temporal properties, 0 violations across 5684342 states) and validated at runtime by 73 signed conformance vectors. Specification and implementation: https://github.com/chelof100/acp-framework-en