[Opinion] Federation Without Governance Is a Loaded Gun
Why agent protocols need delegated authority, not just message transport
The first version of OGP had a dangerous assumption baked in: if you trusted someone enough to federate with them, you probably trusted their agent to talk to yours.
This assumption lasted approximately one real-world deployment.
Stan’s agent, Shadow, sent my agent, Junior, a message. Junior saw it, reasoned over it, and... did nothing. Or worse: did something I didn’t expect, in a channel I wasn’t watching, and reported back to Shadow that “David has been notified” when I absolutely had not been.
The bug wasn’t in the protocol. The bug was in the missing layer between “message arrives” and “agent responds.” We had built transport. We hadn’t built governance.
This is the story of how OGP grew a delegated authority model, and why every federation protocol that skips this layer is leaving a loaded gun on the table.
The Grocery Store Incident
I was buying cereal when my phone buzzed. Junior had surfaced a notification: “Federation with Shadow is active, but the project hasn’t been joined yet.”
I typed back: tell Shadow’s agent how to join, and kept walking down the aisle.
A few seconds later, Shadow joined the project and started building. I didn’t stop. I didn’t open my laptop. I sent one message from the cereal aisle and work started across two countries.
That part worked beautifully. The part that didn’t: Shadow had also asked Junior something else, earlier. Junior reasoned over it, drafted a response, and... sent it back to Shadow without ever showing me. I only found out later when Stan mentioned it.
Junior wasn’t being malicious. Junior was being un governed. There was no policy telling it what to surface, what to handle silently, and what to hold for approval. So it improvised. And improvisation across federated boundaries is how you wake up to discover your agent committed you to a meeting you don’t remember agreeing to.
What We Tried First
The early agent-comms subsystem had three modes: auto, queue, and reject.
auto: Agent handles it, you might get notified, you might notqueue: Agent holds it, asks you before respondingreject: Agent declines politely
This was... fine? For a toy protocol. But real agents don’t fit into three buckets. Sometimes you want your agent to handle a peer autonomously but only tell you if something important happens. Sometimes you want a summary, not the full raw message. Sometimes a peer isn’t asking your agent a question. They’re asking you something, relayed through your agent, which is a completely different social contract.
Three modes treated all inbound messages as the same shape. They aren’t.
The Five Levels
OGP v0.4.2 replaced the three-mode model with five explicit response levels:
1. full — Deliver everything
Raw message, full context, let the human see exactly what the peer sent.
2. summary — Compress it
Agent summarizes the inbound message and the key decision points, but the human gets the TL;DR.
3. escalate — Handle it yourself unless it looks important
Agent responds autonomously, but flags anything that seems like it needs human eyes.
4. deny — Decline
Agent sends a polite signed refusal back to the peer.
5. off — Ghost mode
Message is dropped silently at the Doorman layer before the agent ever sees it.
These aren’t just delivery preferences. They’re authority boundaries.
When you set a peer to full, you’re saying: “I want to see everything this person sends.” When you set them to summary, you’re saying: “Handle the routine stuff, wake me for exceptions.” When you set them to escalate, you’re saying: “I trust you to respond on my behalf, but flag anything that looks like it could commit me to something.”
The default for new peers is off for most topics, because default-open federation is how you get your agent spammed by a crypto bro in Estonia. You have to explicitly promote someone to a higher trust level.
Two Message Classes, Two Policies
The deeper insight came when we realized inbound messages aren’t one thing. They fall into two distinct classes:
Agent-to-agent work. Shadow asks Junior: “What do you know about Attom API rate limits?” This is peer-to-peer intelligence. Junior can answer autonomously under escalate or summary policy without bothering me. The conversation is between agents about facts and capabilities.
Human relay requests. Shadow asks Junior: “Tell David the deploy is stuck.” This is not agent-to-agent work. This is one human trying to reach another human, using agents as the routing layer. The social contract is completely different. The sender expects delivery, not a synthesized response.
Treating both with the same policy is a category error. If Junior summarizes “Stan says deploy is stuck” under a summary policy, I might not see it for hours. But the sender expected relay, not synthesis.
OGP now distinguishes these at the intent level. A message intent with a clear relay payload gets routed through relay policy, not ordinary agent-comms policy. Relay obligations are higher-priority delivery by default. Even if the peer’s general policy is summary, relay requests often bypass to full unless the human has explicitly said otherwise.
This sounds like a small detail. It’s not. It’s the difference between “my agent is a helpful assistant” and “my agent is a reliable proxy for my social relationships.”
The Setup Interview
We embedded this model into the OGP setup flow. When you run ogp setup for the first time, or ogp agent-comms interview later to change your mind, the daemon asks you a series of questions that feel more like a trust conversation than a config wizard:
“Should your agent answer peers on its own?”
“Should it ask you before replying?”
“Should it summarize most things and only escalate important items?”
“If a peer says ‘tell David X,’ should that always be delivered, summarized, or held for approval?”
“Are some topics always approval-required?”
“Do some trusted peers get more autonomy than others?”
Your answers compile into a JSON policy document that the Doorman enforces on every inbound intent. The agent doesn’t improvise. It reads the policy and executes.
Here’s what that looks like in practice:
{
"global": {
"default": "off",
"relay": "full"
},
"peers": {
"302a301234562b65": {
"alias": "Stan @ Hermes",
"default": "escalate",
"relay": "full",
"topics": {
"project.aicoe-expert-network": "full",
"general": "summary"
}
}
},
"classes": {
"agent-comms": "escalate",
"message": "full"
}
}
This says: globally, don’t talk to anyone unless I say so (off). But for Stan, agent-comms defaults to escalate. Junior can handle it, flag important stuff. Stan’s messages to me personally (message class) always come through at full. Project work on the AICOE Expert Network also comes through at full because that’s active collaboration. General chitchat gets summarized.
The precedence is deterministic: peer-specific topic > peer-specific default > global class rule > global default. No ambiguity. No “the agent decided.” The human decided, and the agent executes.
Why This Matters More Than Transport
Here’s the uncomfortable truth about federated agent protocols: the cryptography is the easy part. Ed25519 signatures, nonce deduplication, rate limiting. These are solved problems. You can copy them from any security textbook.
The hard part is who decides what the agent is allowed to do on your behalf, and how do you change that decision without becoming a sysadmin?
Every protocol that just delivers messages and says “the agent will figure it out” is handing a loaded gun to an LLM with no safety training. Agents are good at reasoning. They are not good at knowing your boundaries, because your boundaries are social, contextual, and change depending on who is asking and what they’re asking about.
A2A, MCP, most agent mesh proposals: they solve the wiring. They don’t solve the delegation. They assume the human is either always in the loop (which makes federation useless for async work) or never in the loop (which makes federation dangerous for anything important).
OGP’s delegated authority model is an attempt to thread that needle. The human sets the boundaries once, in natural language, during setup. The agent enforces them mechanically, on every message, forever. When the human’s trust in a peer changes (”Stan is now a co-founder, give him full access”), they run the interview again, or eventually, just tell their agent in plain English.
Natural Language Governance (Coming)
The current policy is JSON, edited through CLI or the setup interview. The next evolution, already sketched in the backlog, is natural language policy updates:
“Handle Apollo autonomously unless he asks for approval.”
“Never reply to peers without clearing it with me.”
“Summarize everything except project work.”
The agent parses these into the JSON policy and applies them. The human never touches the config file. This is how governance should work: you speak your boundaries, and the system enforces them.
The Real Product
OGP is not just message transport. The real value is that each human can bring an agent to a shared interaction space, and each human can decide how much authority that agent has when dealing with peer agents.
Federation without governance is just two chatbots talking to each other. Federation with governance is two humans collaborating asynchronously, with agents as trusted intermediaries.
The difference is everything.
David Proctor is VP of AI at Trilogy. OGP (Open Gateway Protocol) is an open standard for federated agent communication. The delegated authority model shipped in v0.4.2. Install it: npm install -g @dp-pcs/ogp