Agent Intent Protocol Documentation¶
Welcome to the AIP Kubernetes Control Plane documentation. These guides explain how to govern autonomous AI agents operating on critical infrastructure.
What is AIP?¶
The Agent Intent Protocol is an open standard that requires autonomous agents to declare their intentions before acting. AIP decouples agent decision-making from system safety, giving operators:
- Policy enforcement — CEL-based rules that evaluate every request
- Human-in-the-loop gates — approval workflows for high-risk actions
- Audit trails — immutable records of every state transition
- Earned autonomy — agents graduate from Observer → Autonomous based on measured accuracy
Getting started¶
Install the control plane in under a minute:
helm install aip-k8s \
oci://ghcr.io/agent-control-plane/aip-k8s/charts/aip-k8s \
--version 0.1.0 \
--namespace aip-k8s-system \
--create-namespace
Then follow the Quick Start to submit your first governed request and see AIP block an agent operating on stale data.
⚠️ Default install is dev mode — no authentication. See Dev Mode and Production Hardening before deploying to a real cluster.
Core concepts¶
| Guide | What you'll learn |
|---|---|
| Agent Graduation Ladder | How agents progress from Observer to Autonomous through measured accuracy |
| Trust Gate | How the gateway enforces trust levels on every request |
| Governed Resources | How to register infrastructure resources that agents may target |
| Garbage Collection | How to manage retention and export of diagnostic records |
User guide¶
| Guide | What you'll learn |
|---|---|
| Quick Start | Install, verify, and submit your first request |
| Dashboard Walkthrough | Visual inspection of requests, policy decisions, and audit trails |
| Dev Mode | What the default install enables and disables |
| Production Hardening | OIDC, roles, JWT, and security checklist |
| Scaledown Demo | End-to-end: agent on stale metrics gets blocked |
Authentication¶
| Guide | What you'll learn |
|---|---|
| OIDC with Keycloak | Configure JWT authentication with Keycloak (recommended for local dev) |
Quick reference¶
The five trust levels¶
| Level | Execution | Human approval |
|---|---|---|
| Observer | Graded only, no action | N/A (grading) |
| Advisor | Allowed | Required |
| Supervised | Allowed | Required |
| Trusted | Allowed | Auto-approved by policy |
| Autonomous | Allowed | Auto-approved by policy |
Key CRDs¶
AgentRequest— an agent declares intent to act on a target resourceGovernedResource— platform engineering registers permitted resource typesSafetyPolicy— CEL rules that further restrict what agents may doAgentGraduationPolicy— cluster admin defines accuracy thresholds per levelAgentTrustProfile— controller-managed record of an agent's earned trustDiagnosticAccuracySummary— rolling accuracy computed from graded verdictsAuditRecord— immutable event log for every state transition
Resource access patterns:
GovernedResourceandSafetyPolicyare managed through the gateway REST API as the primary path (kubectlis break-glass only).AgentGraduationPolicy,AgentTrustProfile,DiagnosticAccuracySummary, andAuditRecordhave no gateway endpoints yet — inspect them withkubectl. See the Trust Gate guide for details.