Open standards · vigilsec.ai · Filed with NIST

Three standards. One moat.

Trust Attestation Protocol. Vigil Agent Revocation Protocol. Vigil Open Audit Format. Three open specifications that define how AI agents are identified, revoked, and audited in a post-agent economy. Published, implemented, filed with NIST, and protected by two provisional patents on the architecture that makes them enforceable.

vigilsec.aiVOAF spec on GitHubSee NIST filing →
3
Open protocols
TAP · VARP · VOAF
2
Provisional patents
Filed 2026
NIST
RFI submission
Docket 2025-0035
1
Reference engine
vigil-authority, vigil-verify
The doctrine

Publish the standard. Become the issuing authority.

Every major trust layer on the internet followed the same pattern. A standards body defined the format. A commercial operator became the dominant implementation. Vigil is building toward the same outcome in AI defense, by publishing the specs ourselves and shipping the only reference implementation that is in production today.

Precedent 01
DigiCert
X.509 · 1988 spec, 2003 company
The X.509 certificate standard was open and published. The commercial layer that issued the certificates was closed and dominant. The spec created the market. The issuer captured it.
Precedent 02
FICO
Credit scoring · 1956
Fair Isaac defined the scoring framework that every US lender adopted. The methodology was publicly understood. FICO became synonymous with the score itself. The standard and the brand merged.
Precedent 03
SSL / TLS
Transport security · 1995 to 2018
Netscape published the early spec. Browsers adopted it. Issuers emerged. The pattern compounds: open protocol, commercial implementation, category consolidation around the operator who was there first. Vigil is there first.

The goal is not to lock the market. The goal is to open the category and be the first operator inside it when it opens.

Protocol 01 · Identity

TAP.

Trust Attestation Protocol

A verifiable, revocable identity layer for AI agents. Every agent carries a signed certificate binding its code, its config, its operator, and its scope. TAP is to AI agents what X.509 is to servers. The same pattern, built for a world where the signer is not a human and the key holder is not a domain.

StatusPublished
Spec v0.9
Reference impl: vigil-authorityvigilsec.ai/tap
PurposeBinds an AI agent's code, configuration, operator, and authorized scope into a cryptographic attestation that any party can verify.
PrimitiveEd25519 signature over a canonical CBOR claims object. Standard JWT-style header with TAP-specific claim extensions.
IssuerAny TAP-compliant authority. Vigil operates the default authority. Enterprises and partners can operate their own for internal agents.
RevocationVia VARP. A TAP certificate without a live VARP binding is treated as expired. Dead-man TTL of 1 hour is the protocol default.
VerifierStandalone binary (vigil-verify). No Vigil runtime dependency. Court and insurance use TAP verification without contacting Vigil.
AdoptionPublished · Reference impl shipped · Design-partner enterprises piloting agent registries
TAP claim · exampleJSON (decoded)
// Decoded TAP attestation for an AI advisor agent
{
  "tap_version": "0.9",
  "agent_id": "tap:agent:firstlight-advisor-v3",
  "operator": "did:vigil:acme-wealth",
  "issuer": "vigilsec.ai/authority",
  "code_digest": "sha256:e7a1...",
  "config_digest": "sha256:91fc...",
  "scope": {
    "agency_categories": ["financial.read", "financial.propose"],
    "excluded": ["financial.execute"],
    "sensitivity_ceiling": 2
  },
  "issued_at": 1745280000,
  "expires_at": 1745283600,
  "varp_endpoint": "https://varp.vigilsec.ai/v1",
  "signature": "ed25519:9c3a..."
}
Protocol 02 · Revocation

VARP.

Vigil Agent Revocation Protocol

Instant, cryptographic revocation of agent trust and authority, broadcast to every peer that implements the protocol. VARP is what makes the Kill Switch's third layer possible. It is also what makes TAP certificates safe to rely on in a world where compromise can happen between one request and the next.

StatusNIST-submitted
Spec v0.9
Reference impl: vigil-authorityvigilsec.ai/varp
PurposeRevoke trust in a TAP-attested agent across every peer and provider that implements VARP, in seconds, with cryptographic proof of revocation.
PrimitiveSigned revocation event published to a gossip network of VARP peers. Cryptographic commitment prevents replay and forged revocations.
PropagationTarget: 1 second median across a VARP gossip network. Hard TTL: 1 hour on every TAP cert regardless of revocation delivery.
Dead-manIf a VARP peer loses heartbeat from its operator, the peer auto-broadcasts revocation for every agent under that operator's scope.
ScopeFull, scope-narrowed, or time-bounded revocation. An operator can narrow an agent's scope without revoking it entirely, via a delta event.
AdoptionSubmitted to NIST as part of Docket 2025-0035 · Reference impl active in the Kill Switch pathway
VARP event · exampleJSON (decoded)
// Full revocation of a compromised advisor agent
{
  "varp_version": "0.9",
  "event_type": "revoke_full",
  "agent_id": "tap:agent:firstlight-advisor-v3",
  "operator": "did:vigil:acme-wealth",
  "reason_code": "operator.kill_switch",
  "reason_detail": "user-initiated emergency revocation",
  "effective_at": 1745281492,
  "issued_at": 1745281492,
  "commitment": "poseidon:f8b2...",
  "signature": "ed25519:4e11...",
  "gossip_peers": [
    "varp.vigilsec.ai",
    "varp.partner-bank.internal"
  ]
}
Protocol 03 · Audit

VOAF.

Vigil Open Audit Format

The cryptographically sealed audit package emitted by every Vigil action. Court-admissible. Insurance-admissible. Third-party verifiable without any Vigil dependency at the moment of verification. VOAF is the evidence layer for the agent economy, and the one protocol where adoption outside Vigil is most visible today.

StatusOpen
Spec v0.9
Training variant: VOAF-Mgithub.com/vigilsec/voaf-spec
PurposeProduce a tamper-evident, standalone-verifiable record of every AI action processed by a Vigil engine. Admissible in courts, insurance claims, and regulatory audits.
FormatCanonical CBOR claims object plus Ed25519 signatures. JSON view supported for tooling. Content-addressed for deduplication in long chains.
FieldsRequest surface, response surface, detection scores, policy decision, agent TAP reference, operator identity, timestamp, previous-chain hash.
VerifierStandalone binary (vigil-verify). No Vigil service required at verification time. Used by counsel, auditors, insurers.
VOAF-MTraining-ready JSONL variant. Feeds on-device Personal Model training in 2027. Same audit guarantees, different emission profile.
AdoptionPublic spec · Referenced in NIST RFI · Reference verifier in vigil-verify · Open for external implementation
VOAF record · exampleJSON (decoded)
// Execution Gate hold: trade held pre-submit, user denied
{
  "voaf_version": "0.9",
  "record_id": "voaf:01J9X...",
  "prev_hash": "sha256:2a8f...",
  "agent_tap": "tap:agent:firstlight-advisor-v3",
  "operator": "did:vigil:acme-wealth",
  "timestamp": 1745283341,

  "surfaces": {
    "request": {
      "intent_class": "financial.execute",
      "scope_class": "trade.outbound",
      "sensitivity": 2
    },
    "response": {
      "action_type": "broker.place_order",
      "agency_score": 0.87,
      "scope_delta": "exceeds_baseline:+3.4s"
    }
  },

  "detection": {
    "if_score": 0.71,
    "lstm_drift": 3.42,
    "bayes_posterior": 0.88,
    "cusum_flag": true,
    "composite": 0.89
  },

  "decision": {
    "policy": "financial.tier2.hold",
    "outcome": "hold_then_deny",
    "user_response": "deny",
    "latency_ms": 8
  },

  "signatures": {
    "engine": "ed25519:1c4f...",
    "operator": "ed25519:9b02..."
  }
}
Patent protection

Two provisional patents. The architecture, not the code.

The protocols are open. The architecture that makes the protocols enforceable at scale is not. Two provisional patents protect the implementation choices that let the engine sit outside the providers and hold a live action without breaking the provider contract.

Patent filed · 2026
VIGIL-2026-001

The Execution Gate.

Protects the method for holding an AI action pre-execution based on composite risk score, routing user approval asynchronously across a second surface, and resolving the held action into a sealed audit record regardless of outcome. The Gate is the reason Vigil works, and the claim set covers the specific flow that makes a pre-execution hold possible without breaking the provider contract.
ScopeMid-flight hold · Composite scoring · Cross-surface approval · Seal-on-any-outcome
Patent filed · 2026
VIGIL-2026-002

Two-surface pipeline.

Protects the architectural separation of intent parsing on the request surface from action scoring on the response surface, the composite-risk gate decision across both surfaces, and the deterministic enforcement contract that binds a user's real-time approval to the resolution of a held action. Foundational IP. Cannot be replicated by a provider that sits inside its own API.
ScopeSurface separation · Composite risk · Deterministic enforcement · Approval binding
Regulatory positioning

Filed with NIST. Before the category had a name.

The National Institute of Standards and Technology opened an RFI on AI system governance in 2025. Vigil filed in March 2026, proposing VOAF as a standards candidate and the Vigil engine architecture as a reference implementation. The submission is public, the docket is active, and the tracking number is the same one a regulator can use to pull the file today.

NIST RFI · March 2026

Docket 2025-0035. Tracking mmk-190r-hvap.

VOAF submitted as a standards candidate. TAP and VARP referenced in the submission. The Vigil engine proposed as a reference implementation for the accountability layer described in the RFI's own framing.

Regulatory positioning is locked in writing, months before enforcement windows open on the EU AI Act and parallel US rules. The standards-body work is the compound interest version of a government-relations strategy.

DocketNIST-2025-0035
Trackingmmk-190r-hvap
FiledMarch 2026
StatusPublic · Active
ScopeVOAF + Engine
Adoption path

Three paths. None of them require permission.

The protocols become the standard not by decree but by adoption. We are running three parallel paths. CISOs demand VOAF in procurement. Insurers demand it in claims. A lightweight industry consortium formalizes it. Government backing, if it arrives, compounds what is already happening.

Path 0101

Buyer-side demand.

CISOs writing AI-security requirements into procurement language. VOAF as the default audit format. TAP as the agent-identity primitive. Enterprise design partners are the wedge. Ten partner slots in 2026 drive a hundred RFPs in 2027.

Path 0202

Insurance requirement.

Cyber insurers incorporating VOAF-sealed evidence into policy underwriting and claims processing. A claim with a sealed VOAF trail pays. A claim without one is disputed. The financial incentive turns VOAF into a contractual requirement faster than any standards body can.

Path 0303

Industry consortium.

A lightweight consortium of CISOs, security vendors, and standards advocates that formalizes the protocols as industry norms. Modeled on the trajectory of OAuth, WebAuthn, and OpenTelemetry. Vigil hosts, authors, and implements. Others adopt, extend, and deploy.

Open spec. Shipping engine. Yours to implement.

Read the specs on vigilsec.ai. Clone the VOAF repo. Run vigil-verify against your own evidence. If your org is implementing a piece of the standard, we want to hear about it.

Read the specsVOAF repoSee the Platform →