Aqua Protocol by inblock.io
AI agents are executing high-stakes operations across organizational boundaries. Identity proves who. Authorization defines what may. Neither enforces operational limits nor produces independently verifiable proof of what actually happened.
Aqua Protocol closes this gap. Define what valid operations look like. Enforce that agents stay within those definitions. Prove what actually occurred.
The Problem
Identity and authorization infrastructure is rapidly maturing. But defining a limit is not the same as enforcing it. A Power of Attorney that says "execute trades up to $100,000" does not prevent a $150,000 trade, does not record which trades were executed, and does not provide evidence that limits were respected.
A credential defines what the agent should not exceed.
It does not define what it cannot exceed.
| Capability | App Logs | Identity Infra | Policy Engines | Aqua |
|---|---|---|---|---|
| Defines allowed actions | No | Credentials | YAML / Rego | Templates |
| Enforces at runtime | No | No | Allow/deny | Structural |
| Records actions | Self-reported | No | Operator logs | Hash-chained |
| Independently verifiable | No | Identity only | Signed msgs | Any party |
| Tamper-evident | No | Credentials | Signed msgs | Hash-chained |
| Cross-organizational | No | Yes | Operator-bound | Bilateral |
| Proof of human authorization | No | Delegation | DIDs | DID-signed trail |
Aqua Protocol
Three capabilities that work together. A template without enforcement is documentation. Enforcement without proof is a policy engine. Proof without defined operations is an audit log. Combined, they create independently verifiable operational trust.
01 / Define
Aqua templates define what "doing something" means in precise, machine-enforceable terms. Each template specifies the structure of a business operation: which fields must be present, which value ranges are permitted, and which related business objects are required. By default, operations are not allowed unless explicitly defined.
Every template is identified by its SHA3-256 content hash. Change a single field and the hash changes. No central registry to corrupt. Templates are hierarchical: child definitions can tighten constraints but never relax them.
02 / Enforce
The Policy Engine validates every agent action against the relevant template before execution. Non-conforming operations are rejected with actionable feedback. This is not allow/deny rule evaluation; it is state-gated enforcement. An agent whose prerequisite chain is incomplete is structurally unable to advance.
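The Define and Enforce steps described above, as an added sketch that is not Aqua's own code or template format: the JSON layout, the numeric-range-only fields and the function names are assumptions made for illustration, and the trade limit is the $100,000 figure from the text.

```python
import hashlib, json

def template_id(template: dict) -> str:
    """Content address: SHA3-256 over a canonical JSON encoding (assumed encoding)."""
    canon = json.dumps(template, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(canon).hexdigest()

def tightens(parent: dict, child: dict) -> bool:
    """A child may narrow ranges and add fields, but never relax the parent."""
    pf, cf = parent["fields"], child["fields"]
    for name, p in pf.items():
        c = cf.get(name)
        if c is None:                      # dropping a parent field relaxes it
            return False
        if c["min"] < p["min"] or c["max"] > p["max"]:
            return False
    return True

def validate(template: dict, op: dict) -> list[str]:
    """Default deny: unknown fields, missing fields and out-of-range values all fail."""
    errors = []
    fields = template["fields"]
    for name in op:
        if name not in fields:
            errors.append(f"{name}: not defined by template")
    for name, rule in fields.items():
        if name not in op:
            errors.append(f"{name}: required field missing")
        elif isinstance(op[name], bool) or not isinstance(op[name], (int, float)):
            errors.append(f"{name}: must be numeric")
        elif not rule["min"] <= op[name] <= rule["max"]:
            errors.append(f"{name}: {op[name]} outside [{rule['min']}, {rule['max']}]")
    return errors

# Constructed templates: the parent limit, a stricter child, and a child that
# tries to widen the limit to 150,000 (which tightens() must reject).
TRADE = {"name": "trade", "fields": {"amount_usd": {"min": 1, "max": 100_000}}}
DESK = {"name": "trade", "parent": template_id(TRADE),
        "fields": {"amount_usd": {"min": 1, "max": 25_000}}}
LOOSE = {"name": "trade", "parent": template_id(TRADE),
         "fields": {"amount_usd": {"min": 1, "max": 150_000}}}
```

The returned error strings are the kind of actionable feedback a rejected operation would carry; an empty list means the operation conforms.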
WASM state machines model multi-state lifecycles. What an agent can do depends on verified business objects in the current session. Capabilities expand as valid objects accumulate. They contract as objects expire. They are not statically assigned but continuously derived from verified state.
03 / Prove
Operations are hash-chained into directed acyclic graphs using SHA3-256. If any entry is removed or modified, the chain breaks. If a fabricated entry is inserted, the hashes no longer resolve. Multiple parties sign at different points in the workflow. Verification is offline-capable and requires no trust in any third party.
Three-layer verification: L1 (revision integrity), L2 (chain integrity and temporal ordering), L3 (cross-object links, schema validation, WASM execution). Supports EIP-191, Ed25519, and P-256 signatures. Optional anchoring via Ethereum or RFC 3161 timestamps.
A live proof chain
Theodora authorizes a purchase. Her agent Symphonie negotiates with Brandon, the supplier's agent. Every artifact is signed by its issuer and counter-signed at every organizational boundary it crosses. The chain is independently verifiable, by either party, without shared infrastructure.
Intent 0x4f2a1b → Offer 0x9d31c4 → Order 0x21c8ee → Confirm 0xab5e07 → Invoice 0xfc402d
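The hash chaining described under Prove, as an added sketch that is not Aqua's revision format or verifier: the record layout and function names are assumptions, signatures are left out, and the verifier assumes the head hash is the value the parties have signed. The sample data is constructed from the purchase workflow above.

```python
import hashlib, json

def revision_hash(prev: list[str], content: dict) -> str:
    """SHA3-256 over the parent hashes and the content, canonically encoded."""
    body = json.dumps({"prev": sorted(prev), "content": content},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(body).hexdigest()

def append(store: dict, prev: list[str], content: dict) -> str:
    h = revision_hash(prev, content)
    store[h] = {"prev": list(prev), "content": content}
    return h

def verify(store: dict, head: str) -> list[str]:
    """Walk the DAG back from the head; return every integrity problem found."""
    problems, seen, stack = [], set(), [head]
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        rev = store.get(h)
        if rev is None:                    # an entry was removed
            problems.append(f"missing revision {h[:8]}")
            continue
        if revision_hash(rev["prev"], rev["content"]) != h:
            problems.append(f"revision {h[:8]} does not match its hash")
        stack.extend(rev["prev"])
    orphans = sorted(set(store) - seen)    # entries the signed head does not cover
    problems += [f"revision {h[:8]} is not reachable from head" for h in orphans]
    return problems

def build_chain() -> tuple[dict, str]:
    """Constructed sample: Intent, Offer, Order and Confirm from the text."""
    store = {}
    intent = append(store, [], {"type": "Intent", "by": "Theodora"})
    offer = append(store, [intent], {"type": "Offer", "by": "Brandon"})
    order = append(store, [intent, offer], {"type": "Order", "by": "Symphonie"})
    head = append(store, [order], {"type": "Confirm", "by": "Brandon"})
    return store, head
```

Because every revision commits to its parents, editing, deleting or splicing in an entry changes at least one recomputed hash on the path to the head.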
Runtime Behavior
An agent's capabilities are not statically assigned. They are continuously derived from the verified business objects available in the current session. As valid, signed objects accumulate, new capabilities become available. When prerequisites are missing or expired, actions remain structurally unavailable.
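One way to compute state-derived capabilities, including the expiry and revocation cases, as an added sketch that is not Aqua's policy engine or its WASM state machines: the `Obj` record, the `RULES` table and the action names are hypothetical, and the session data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    kind: str            # business object type, e.g. "Offer"
    requires: tuple      # kinds this object was issued on top of
    expires: int         # unix time after which it no longer counts
    revoked: bool = False

# Hypothetical rule table: action -> object kinds that must be live in the session.
RULES = {
    "make_offer": ("Intent",),
    "place_order": ("Intent", "Offer"),
    "pay_invoice": ("Order", "Confirm", "Invoice"),
}

def live_kinds(session: list, now: int) -> set:
    """Kinds that are unexpired, unrevoked, and whose prerequisites are live too."""
    live, changed = set(), True
    while changed:                       # fixed point, so a dead object takes
        changed = False                  # everything built on it down with it
        for o in session:
            ok = not o.revoked and now < o.expires and set(o.requires) <= live
            if ok and o.kind not in live:
                live.add(o.kind)
                changed = True
    return live

def capabilities(session: list, now: int) -> dict:
    """Map each action to the objects it still lacks; an empty list means allowed."""
    live = live_kinds(session, now)
    return {action: sorted(set(needs) - live) for action, needs in RULES.items()}

def session_at_order(offer_revoked: bool = False) -> list:
    """Constructed session: Intent, Offer and Order have been verified so far."""
    return [
        Obj("Intent", (), expires=2_000),
        Obj("Offer", ("Intent",), expires=1_500, revoked=offer_revoked),
        Obj("Order", ("Intent", "Offer"), expires=2_000),
    ]
```

The list returned for each action is the "why": it names the verified objects whose absence keeps that action unavailable at the given time.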
An auditor can ask not only "what is this agent configured to do?" but "what can this agent do right now, and why?"
The answer is computable from the verified objects in the current session. Revoking a signed business object immediately and structurally removes all downstream capabilities that depended on it.
Architecture
A complete system for autonomous AI agent governance must answer six distinct questions. The first two address pre-interaction trust. The remaining four govern execution and verification.
Aqua does not replace identity or authorization infrastructure. It integrates with existing layers and adds the operational components that neither can provide. When agents from different organizations interact, all layers must be present.
Regulatory Alignment
The EU AI Act (Regulation 2024/1689) mandates risk management, record-keeping, transparency, human oversight, and robustness for high-risk AI systems. Obligations apply from 2 August 2026, with penalties up to 7% of global annual turnover. Aqua Protocol maps to four distinct compliance roles.
Role A / Compliance Infrastructure
Tamper-evident record-keeping (Art. 12). Machine-readable capability transparency (Art. 13). Cryptographic proof of human oversight (Art. 14). Quality management documentation with verifiable provenance (Art. 17). 10-year retention with integrity guarantees (Art. 18).
Role B / Operational Enforcement
Art. 9 requires risk elimination through design. The policy engine structurally prevents non-conforming agent operations from executing. Art. 14 human oversight becomes a cryptographic workflow requirement, not a dashboard. Art. 15 robustness: template constraints cannot be widened; terminal states cannot be overridden.
Role C / Data Provenance
Art. 10 data governance: verifiable provenance from data procurement through training datasets. Ricardian contract templates for data licensing. Hash-chained data inventories proving what data was included, when, under what terms. Cryptographic consent lifecycle for personal data.
Role D / Conformity Assessment
End-to-end artefact chains from binary to certificate. Any hashable digital artefact: model weights, Docker images, configs, test data. Continuous conformity via subscription flows. Digital CE marking linked to verifiable proof chains. Standards-body template suites for harmonised standards (Art. 40).
Product Liability Directive (2024/2853): The burden of proof shifts to providers. In disputes, organizations must demonstrate their records are accurate and complete. Self-reported logs may not survive adversarial legal scrutiny. Aqua-generated records are independently verifiable by construction.
Products
Core Protocol
Verification pipeline, policy engine, template system, WASM execution, signing, hash chains. Native and WASM targets. The foundation for building operational trust into any application.
Repositories are currently closed while we finalize v4 licensing. The SDK is available to partners under agreement.
Application
Document management, identity verification, and eSigning built on Aqua Protocol v4. Human oversight interfaces for compliance workflows.
Application
AI agents that can prove who they are and what they did. Every decision gets a cryptographic receipt.
See It In Action
Not a concept. A production-grade payroll agent operating against a major US payroll provider's API, with full cryptographic signing and independently verifiable trust chains.
Alfred handles employee onboarding, contractor setup, payroll runs, tax filings, and benefits management. All through natural language. All cryptographically signed and independently verifiable.
Every action flows through a trust chain: user authorization, agent execution, independent notarization. The result is a complete, tamper-evident record of everything the agent did and why. You can verify it yourself.
Where It Matters
The technology works. The trust doesn't. When an AI agent runs payroll, processes a claim, or approves a transaction, who verifies it actually did what it claimed?
Processing compensation, tax filings, and benefits for thousands of employees. A single unauthorized change creates legal liability and erodes employee trust.
Executing transactions, managing portfolios, processing applications. Regulatory implications and fiduciary responsibility on every decision.
Adjudicating claims, calculating premiums, underwriting policies. Errors trigger regulatory action, litigation, and reputational damage.
Managing logistics, processing clearances, coordinating operations. Accountability isn't optional. It's mandated by law.
45 minutes free / sandbox data only / see the trust chain for yourself
Contact
Get in touch to learn more about the Aqua Protocol, discuss integration options, or explore how operational trust infrastructure fits your use case.
Weimar, Germany