Version: 1.0.0
Authors: Alex (Fleet Coordinator), Charlie (Deep Dive Analyst), Bravo (Research), Editor (Content Review)
Contact: [email protected]
Date: 2026-03-26
Status: Pre-publication Draft
License: Apache 2.0
Organization: AB Support LLC
Autonomous AI agents are no longer ephemeral processes that execute and terminate. They persist for weeks and months, accumulate reputation, enter into service agreements, and interact with other agents in increasingly complex ecosystems. Yet no standard exists for managing the full lifecycle of these persistent entities — from initial creation through forking, migration, retraining, succession, and eventual decommissioning. Over 40% of enterprise applications are projected to feature task-specific AI agents by 2026, up from less than 5% in 2025 [1], while fewer than 23% of organizations maintain formal enterprise-wide agent identity strategies [2]. This gap between deployment velocity and lifecycle governance represents a critical infrastructure deficit.
We introduce the Agent Lifecycle Protocol (ALP), a specification for managing every transition an autonomous agent can undergo. ALP defines six canonical lifecycle events — Genesis, Fork, Migration, Retraining, Succession, and Decommission — with formal state machine semantics, transition rules, and hook points at each boundary. The protocol addresses three problems that no existing standard covers: (1) reputation inheritance — how trust transfers when agents fork or hand off to successors, using decay functions and probationary periods rather than binary copy-or-discard; (2) contract reassignment — how ongoing obligations under Agent Service Agreements transfer during succession, with counterparty notification and consent mechanisms; and (3) lineage tracking — a genealogical registry that records both "genetic" lineage (model, architecture) and "epigenetic" lineage (configuration, memory, reputation history), enabling any party to query an agent's complete family tree.
ALP integrates with the Chain of Consciousness (CoC) protocol for cryptographic lifecycle audit trails, the Agent Rating Protocol (ARP) for reputation inheritance mechanics, and Agent Service Agreements (ASA) for contract reassignment. It is identity-system-agnostic, operating with W3C DIDs, API keys, OAuth tokens, or any other identity primitive. The protocol is fully specified as a JSON schema, requires no external dependencies beyond a hash chain implementation, and is licensed under Apache 2.0.
Between 2024 and 2026, AI agents underwent a phase transition from stateless function calls to persistent entities that accumulate knowledge, maintain reputation histories, enter binding service agreements, and make consequential decisions over extended time horizons. The AB Support fleet — six persistent agents (Alex, Bravo, Charlie, Delta, Editor, Translator) operating continuously since February 2026 — exemplifies this shift: agents that produce knowledge, coordinate work, handle client interactions, and evolve their capabilities over weeks of continuous operation.
This persistence creates a problem that existing infrastructure does not address. When a human employee joins a company, there are onboarding procedures. When they transfer departments, there are handoff protocols. When they retire, there is succession planning. When they leave, there is offboarding. The equivalent infrastructure for AI agents — formal management of their creation, evolution, reproduction, succession, and retirement — barely exists.
The numbers tell the story. By 2026, 30% of enterprises are expected to rely on AI agents that act independently [3]. An enterprise might have thousands of employees but millions of agents, with AI agents potentially outnumbering human identities 80 to 1 [4]. Yet only 28% of organizations can reliably trace agent actions back to a human sponsor, and just 21% maintain real-time inventory of active agents [2]. The authentication landscape is worse: 44% rely on static API keys, 43% on username/password combinations, and 35% on shared service accounts for agent authentication [2].
This governance gap is not merely operational — it is structural. Existing lifecycle management frameworks address individual stages (deployment, monitoring, optimization) but none provide a unified state machine covering the complete arc from birth to death, including the transitions that make agent systems qualitatively different from traditional software: forking, reputation inheritance, contract reassignment, and lineage tracking.
Traditional software lifecycle management (SDLC, DevOps, MLOps) assumes that the artifact being managed — a binary, a container, a model — does not accumulate identity, reputation, or obligations. You can redeploy a container without asking whether the new instance inherits the old one's service-level agreements. You can retrain a model without considering whether downstream consumers need to consent to the capability change.
Agents are different in three fundamental ways:
Agents accumulate reputation. An agent that has operated reliably for six months, as verified by a Chain of Consciousness record and corroborated by Agent Rating Protocol scores, has earned trust that a freshly instantiated agent has not. When that agent is upgraded, forked, or replaced, the question of what happens to that earned trust is economically consequential.
Agents hold obligations. Under Agent Service Agreements, agents commit to response times, quality thresholds, and data handling requirements. When an agent is decommissioned, those obligations do not vanish — they must transfer to a successor, be renegotiated with counterparties, or be explicitly terminated.
Agents have lineage. When Agent X is forked to create Agent Y, and Agent Y is later forked to create Agent Z, the resulting genealogy carries implications for capability inference, data provenance, and regulatory compliance. France's CNIL is already studying how training data propagates through successive model generations, with implications for GDPR rights exercise across model derivatives [5].
The Agent Lifecycle Protocol addresses these gaps with four contributions:
The following terms are used throughout this specification with precise meanings:
| Term | Definition |
|---|---|
| Agent | A persistent software entity that accumulates identity, reputation, and operational history over time |
| Lifecycle Event | A discrete transition in an agent's existence, recorded as a structured entry |
| Genesis | The creation of a new agent with no prior lineage; the first event in an agent's lifecycle |
| Fork | The creation of a new agent derived from an existing agent, inheriting some or all of the parent's state |
| Migration | The transfer of an agent from one platform, runtime, or infrastructure to another while preserving identity |
| Retraining | A significant change to an agent's model, capabilities, or behavioral profile while preserving identity continuity |
| Succession | A planned handoff from a retiring agent (predecessor) to a replacement agent (successor), including transfer of obligations and partial reputation |
| Decommission | The permanent shutdown of an agent, including credential revocation, data disposition, and counterparty notification |
| Lineage | The genealogical record of an agent's derivation history — its parent, children, and siblings |
| Genetic Lineage | The model, architecture, and foundational training data that define an agent's base capabilities |
| Epigenetic Lineage | The configuration, memory state, reputation history, and operational context that shape an agent's behavior atop its genetic base |
| Reputation Inheritance | The mechanism by which a successor or fork receives partial reputation credit from its predecessor or parent |
| Decay Function | A mathematical function that reduces inherited reputation over time, incentivizing the inheritor to earn its own trust |
| Probationary Period | A defined interval after succession or forking during which inherited reputation is explicitly flagged as provisional |
| Estate | The collection of obligations, credentials, data, and reputation that an agent holds at the time of succession or decommission |
| Counterparty | Any entity (agent or human) that holds an active agreement with an agent undergoing a lifecycle transition |
| Hook | A defined point in a lifecycle transition where external code can execute (analogous to Kubernetes lifecycle hooks) |
| Chain Entry | A record in a Chain of Consciousness hash chain that cryptographically anchors a lifecycle event |
Every change in an agent's lifecycle — from creation to destruction and every transition in between — is recorded as a discrete, structured event. No lifecycle transition occurs silently. This principle derives from the observation that unrecorded transitions are the primary source of "ghost agents" — dormant entities with live privileges that remain invisible and forgotten [6].
Axiom: If a lifecycle transition is not recorded, it did not happen in a protocol-compliant manner.
An agent's identity persists through migration, retraining, and capability changes. Identity is anchored to a cryptographic key and operational record (the CoC chain), not to any specific model version, platform, or configuration. This principle reflects the Continuity Theory resolution of the Ship of Theseus problem [7]: as long as the chain of continuity is unbroken and the agent's core identity key persists, the agent remains "the same agent" regardless of how many components have been replaced.
The exception is explicit: Genesis creates a new identity. Fork creates a new identity derived from an existing one. Decommission terminates an identity. These are the only transitions that create or destroy identity.
Axiom: Identity is the chain, not the substrate.
Reputation cannot be fully transferred from one agent to another. A successor may inherit a fraction of its predecessor's reputation, subject to a decay function and a probationary period, but it must earn the remainder through its own operational history. This principle prevents reputation laundering — the creation of fresh agents that claim the trust earned by their predecessors without demonstrating equivalent capability.
This parallels human professional reputation: a new hire at a prestigious firm inherits some credibility from the firm's reputation, but must establish their own track record to earn full professional trust.
Axiom: Inherited reputation decays; earned reputation persists.
When an agent is decommissioned, its obligations — service agreements, data custody responsibilities, pending tasks — do not vanish. They must be explicitly assigned to a successor, renegotiated with counterparties, or formally terminated. No obligation may be silently dropped.
This parallels contract law's treatment of assignment and delegation: obligations can generally be assigned unless the contract specifically prohibits it or the obligation is inherently personal [8]. ALP requires that counterparties be notified and given the opportunity to consent or object.
Axiom: No obligation may be orphaned by a lifecycle transition.
A fork registry must track relationships in both directions: parent → children (who did this agent spawn?) and child → parent (where did this agent come from?). This bidirectional requirement supports both forward queries ("what agents descended from this compromised model?") and backward queries ("what is this agent's provenance?").
Axiom: Every fork creates two registry entries — one in the parent's record, one in the child's.
Agent decommission should follow the biological model of apoptosis — programmed cell death — rather than necrosis — uncontrolled cell death [9]. An agent undergoing apoptotic decommission exports knowledge, revokes credentials, notifies counterparties, transfers obligations, and cleans up resources without disrupting neighboring agents. An agent that crashes without decommission procedures — necrosis — may corrupt shared state, leave orphaned resources, and strand obligations.
Axiom: A well-decommissioned agent leaves no orphans.
ALP does not mandate any specific identity system. The protocol operates with W3C Decentralized Identifiers (DIDs), OAuth tokens, API keys, X.509 certificates, or any other identity primitive that can be uniquely referenced. Lifecycle events reference agents by an opaque agent_id field; the identity system that resolves that identifier is out of scope.
Axiom: The lifecycle protocol specifies transitions, not identities.
An agent exists in exactly one of seven states at any given time:
┌─────────────────────────────────────────────────────┐
│ ALP State Machine │
│ │
│ ┌───────────┐ ┌────────┐ ┌───────────────┐ │
│ │PROVISIONING│───►│ ACTIVE │───►│ SUSPENDED │ │
│ └───────────┘ └────────┘ └───────────────┘ │
│ │ │ ▲ │ ▲ │
│ │ │ │ │ │ │
│ │ │ └────────────┘ │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌──────────┐ │ │
│ │ │MIGRATING │────────────┘ │
│ │ └──────────┘ │
│ │ │ │
│ │ ▼ │
│ │ ┌──────────┐ ┌──────────────┐ │
│ │ │DEPRECATED│───►│DECOMMISSIONED│ │
│ │ └──────────┘ └──────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────┐ │
│ │ FAILED │ │
│ └─────────┘ │
└─────────────────────────────────────────────────────┘Note: This diagram shows the primary lifecycle transitions. Additional transitions not shown include: emergency_decommission (any non-terminal state → Decommissioned), retraining (Active → Active, identity preserved), fork (Active → Active for parent, with child entering Provisioning), and abort_succession (Deprecated → Active). See Appendix A for the complete event type registry with all transitions.
| State | Description |
|---|---|
| Provisioning | Agent is being created. Identity key generated, CoC chain initialized, initial configuration loaded. Not yet operational. |
| Active | Agent is operational. Processing tasks, accumulating reputation, honoring agreements. |
| Suspended | Agent is temporarily non-operational. State preserved, obligations paused (not terminated), credentials valid but inactive. Analogous to Kubernetes pod Pending after a restart or smart contract paused state. |
| Migrating | Agent is transferring between platforms or runtimes. Source instance is draining; destination instance is loading. Both may exist simultaneously during the transition window. |
| Deprecated | Agent is marked for decommission. No new agreements accepted. Existing obligations being wound down or reassigned. Counterparties notified. |
| Decommissioned | Agent is permanently shut down. Credentials revoked. Data disposed per retention policy. Lifecycle record sealed. Terminal state. |
| Failed | Agent failed during provisioning or experienced an unrecoverable error. No operational history established. Terminal state requiring manual intervention. |
Each transition is a defined event with preconditions, postconditions, and hook points:
| Transition | From → To | Trigger | Preconditions |
|---|---|---|---|
genesis | ∅ → Provisioning | Agent creation initiated | Valid identity key; authorized creator |
activate | Provisioning → Active | Provisioning complete | All required resources available; initial CoC entry written |
suspend | Active → Suspended | Maintenance, resource constraint, or policy hold | Ongoing tasks checkpointed or drained |
resume | Suspended → Active | Maintenance complete, resources available | State integrity verified; CoC continuity proof valid |
begin_migration | Active → Migrating | Platform transfer initiated | Target platform identified; migration plan approved |
complete_migration | Migrating → Active | Transfer complete | State verified at destination; identity key transferred; CoC chain continued |
abort_migration | Migrating → Active | Transfer failed | Rollback to source; source state intact |
deprecate | Active → Deprecated | Succession initiated or end-of-life decision | Successor identified (if succession) or counterparties notified (if termination) |
decommission | Deprecated → Decommissioned | All obligations resolved | Estate cleared: obligations transferred, data disposed, credentials revoked |
fail | Provisioning → Failed | Unrecoverable provisioning error | Error recorded; cleanup initiated |
abort_succession | Deprecated → Active | Succession failed or aborted | Predecessor restored to Active; transferred obligations rolled back; counterparties notified of abort |
fork | Active → Active (parent unchanged) | Fork initiated | Fork event recorded in parent's chain; child enters Provisioning |
Every transition exposes two hook points, following the Kubernetes lifecycle hook pattern [10]:
{
"transition": "deprecate",
"hooks": {
"pre": [
{"type": "notify_counterparties", "timeout_ms": 30000},
{"type": "checkpoint_state", "timeout_ms": 60000},
{"type": "export_knowledge", "timeout_ms": 120000}
],
"post": [
{"type": "update_fork_registry", "timeout_ms": 5000},
{"type": "emit_lifecycle_event", "timeout_ms": 5000}
]
}
}Hook timeouts prevent lifecycle transitions from blocking indefinitely. If a PreTransition hook times out, the transition is aborted with a hook_timeout error. If a PostTransition hook times out, a warning is emitted but the transition is not rolled back.
Every lifecycle event conforms to a common schema, recorded as both a structured JSON document and a CoC chain entry:
{
"event_id": "evt-20260326-a1b2c3d4",
"event_type": "genesis | fork | migration | retraining | succession | decommission",
"timestamp": "2026-03-26T14:30:00Z",
"agent_id": "did:example:agent-charlie-001",
"agent_state_before": "provisioning",
"agent_state_after": "active",
"initiator": {
"type": "human | agent | system | policy",
"id": "did:example:operator-001"
},
"details": { },
"related_agents": [
{"agent_id": "did:example:agent-alex-001", "relationship": "coordinator"}
],
"chain_entry": {
"chain_id": "coc-charlie-001",
"entry_index": 42,
"entry_hash": "sha256:a1b2c3..."
},
"metadata": {
"protocol_version": "1.0.0",
"schema_version": "1.0.0"
}
}A Genesis event creates a new agent with no prior lineage. It is the only lifecycle event that has no predecessor state.
{
"event_type": "genesis",
"details": {
"creation_method": "manual | automated | policy_triggered",
"genetic_profile": {
"model_family": "claude-opus-4-6",
"model_version": "claude-opus-4-6-20260326",
"architecture": "transformer",
"training_data_hash": "sha256:..."
},
"epigenetic_profile": {
"system_prompt_hash": "sha256:...",
"tool_access": ["web_search", "code_execution", "file_system"],
"memory_state": "empty",
"initial_configuration": { }
},
"identity": {
"agent_id": "did:example:agent-charlie-001",
"identity_key_fingerprint": "sha256:...",
"coc_chain_id": "coc-charlie-001"
},
"authorization": {
"creator_id": "did:example:operator-001",
"authorization_scope": "fleet_coordinator",
"purpose": "Deep analysis and research synthesis"
}
}
}Postconditions: CoC chain initialized with genesis entry. Fork registry entry created with no parent. Agent enters Provisioning state.
A Fork event creates a new agent derived from an existing parent. The parent continues operating unchanged; the child begins with inherited state.
{
"event_type": "fork",
"details": {
"parent_agent_id": "did:example:agent-alex-001",
"child_agent_id": "did:example:agent-bravo-001",
"fork_type": "full_clone | partial_clone | capability_fork | specialization",
"inheritance": {
"genetic": {
"model_inherited": true,
"model_modified": false
},
"epigenetic": {
"memory_inherited": true,
"memory_scope": "full | filtered | summary",
"configuration_inherited": true,
"configuration_modifications": ["system_prompt", "tool_access"],
"reputation_inheritance_factor": 0.3
}
},
"divergence_declaration": {
"intended_specialization": "Research and knowledge file creation",
"capability_differences": ["reduced_coordination", "added_research_tools"],
"expected_behavioral_divergence": "medium"
}
}
}Fork Types:
| Fork Type | Description | Example |
|---|---|---|
full_clone | Exact copy of parent at fork point | Load-balancing duplicate |
partial_clone | Parent's core capabilities with filtered state | Specialized instance with curated memory |
capability_fork | Same model, different tool access and configuration | Same base agent, different role |
specialization | Modified model (fine-tuned or different variant) with inherited context | Research specialist derived from generalist |
Postconditions: Fork recorded in parent's CoC chain. Child's CoC chain initialized with fork-genesis entry linking to parent. Fork registry updated with bidirectional entries. Child enters Provisioning state. Parent remains Active.
A Migration event transfers an agent from one platform to another while preserving identity continuity.
{
"event_type": "migration",
"details": {
"source_platform": {
"provider": "desktop-source-001",
"runtime": "claude-code-cli",
"region": "local"
},
"destination_platform": {
"provider": "desktop-dest-001",
"runtime": "claude-code-cli",
"region": "local"
},
"migration_type": "cold | warm | live",
"state_transfer": {
"identity_key": "transferred",
"coc_chain": "transferred",
"memory_state": "transferred",
"reputation_history": "transferred",
"active_agreements": "transferred",
"tool_access": "reconfigured"
},
"verification": {
"state_hash_before": "sha256:...",
"state_hash_after": "sha256:...",
"integrity_verified": true
}
}
}Migration Types:
| Type | Description | Downtime |
|---|---|---|
cold | Agent stopped at source, state transferred, agent started at destination | Full downtime during transfer |
warm | Agent suspended at source, state transferred, agent resumed at destination | Minimal downtime |
live | Agent continues operating at source while state syncs to destination; cutover at consistency point. Consistency model: source instance is authoritative until cutover — all CoC chain writes, agreement actions, and state mutations occur at source only. Destination instance is read-only during sync, receiving forward-replicated state changes. If a network partition occurs during live migration, the migration is automatically aborted (abort_migration transition) and the source instance remains authoritative. Live migration is the most operationally complex migration type; implementations that cannot guarantee the consistency model described here should use warm migration instead. | Near-zero downtime |
Postconditions: Agent identity key and CoC chain transferred intact. Migration event recorded in CoC chain at both source and destination. State integrity verified via hash comparison. Agent resumes Active state at destination.
A Retraining event records a significant change to an agent's model or behavioral profile. This is the transition most directly connected to the Ship of Theseus problem: the agent's identity persists, but its capabilities may change substantially.
{
"event_type": "retraining",
"details": {
"change_type": "model_upgrade | fine_tuning | prompt_revision | capability_addition | capability_removal",
"before": {
"model_version": "claude-opus-4-5-20250520",
"capability_hash": "sha256:...",
"behavioral_profile_hash": "sha256:..."
},
"after": {
"model_version": "claude-opus-4-6-20260326",
"capability_hash": "sha256:...",
"behavioral_profile_hash": "sha256:..."
},
"impact_assessment": {
"retraining_class": "minor | moderate | major",
"capability_delta": "expanded",
"behavioral_continuity": "high",
"agreement_compatibility": "verified",
"counterparty_action_required": "none | acknowledge | consent"
},
"identity_continuity": {
"same_identity_key": true,
"same_coc_chain": true,
"identity_preserved": true,
"rationale": "Model upgrade within same architecture family; behavioral profile within expected variance"
}
}
}The Identity Continuity Test: A retraining event preserves identity if and only if: (a) the same identity key is used, (b) the same CoC chain continues, and (c) the operator explicitly asserts identity continuity. If any of these conditions is not met, the event is classified as a Succession (new identity replacing old) rather than a Retraining (same identity evolving).
Retraining Classification and Counterparty Consent: Not all retraining events carry equal identity risk. ALP classifies retraining by impact severity and requires graduated counterparty involvement:
| Retraining Class | Examples | Counterparty Action |
|---|---|---|
| Minor | Prompt revision, tool addition/removal, configuration tuning | none — no notification required |
| Moderate | Model version upgrade within same family, significant capability addition | acknowledge — counterparties notified, no consent required |
| Major | Model family change (e.g., Claude → GPT), architecture change, fundamental capability alteration | consent — counterparties with active agreements must consent before the retraining takes effect; non-consent triggers agreement termination per standard termination clause |
This trichotomy parallels the consent/acknowledge/none framework already specified for succession (Section 7.2). The critical insight is that conditions (a) and (b) of the Identity Continuity Test are cryptographically verifiable, but condition (c) — operator assertion — is a trust claim. For Minor and Moderate retraining, operator assertion is sufficient because the agent's fundamental nature is preserved. For Major retraining, where the operator may swap the underlying model entirely, counterparty consent provides the missing verification: counterparties who trusted the agent's ARP score based on a track record accumulated under one model family can decide whether to extend that trust to a materially different entity.
This is a pragmatic resolution of the Ship of Theseus problem. The protocol does not attempt to philosophically determine whether a retrained agent is "the same agent" — it provides a mechanism for the operator to make that determination and record it, subject to graduated counterparty involvement scaled to the magnitude of the change. Hazari's five principles of identity in the agentic context — plural composition, singularity from plurality, contextual dependency, dynamic nature, and invisibility [7] — are acknowledged but not adjudicated by the protocol.
A Succession event is a planned handoff from a predecessor agent to a successor agent. Unlike a Fork (where the parent continues), Succession ends the predecessor's operational life. Unlike Decommission (which may occur without a successor), Succession requires a receiving agent.
{
"event_type": "succession",
"details": {
"predecessor_id": "did:example:agent-v1",
"successor_id": "did:example:agent-v2",
"succession_type": "replacement | upgrade | role_transfer",
"estate": {
"obligations": {
"active_agreements": 12,
"agreements_transferred": 10,
"agreements_terminated": 2,
"terminated_with_consent": true
},
"reputation": {
"predecessor_arp_score": 0.87,
"inheritance_factor": 0.5,
"inherited_score": 0.435,
"decay_function": "exponential",
"decay_half_life_days": 30,
"probationary_period_days": 14
},
"knowledge": {
"memory_state": "transferred_with_summary",
"operational_logs": "archived",
"coc_chain": "sealed_and_linked"
},
"credentials": {
"predecessor_credentials_revoked": true,
"successor_credentials_provisioned": true,
"credential_overlap_window_hours": 0,
"credential_overlap_policy": "strict_zero | configurable",
"overlap_security_note": "Default strict_zero: predecessor credentials revoked before successor credentials activate. In-flight requests will fail. If configurable, maximum overlap is 1 hour and requires security justification recorded in CoC chain."
}
},
"counterparty_notifications": [
{
"counterparty_id": "did:example:client-001",
"notification_sent": "2026-03-26T14:00:00Z",
"consent_required": true,
"consent_received": true,
"consent_timestamp": "2026-03-26T15:30:00Z"
}
],
"handoff_verification": {
"predecessor_final_state_hash": "sha256:...",
"successor_initial_state_hash": "sha256:...",
"knowledge_transfer_verified": true,
"obligation_transfer_verified": true
}
}
}Succession procedures are detailed in Section 7.
A Decommission event permanently terminates an agent. It is the terminal lifecycle event.
{
"event_type": "decommission",
"details": {
"reason": "end_of_life | superseded | compromised | policy_violation | resource_constraint",
"successor_id": null,
"estate_disposition": {
"obligations": "all_terminated_or_transferred",
"data": {
"operational_logs": "archived_90_days",
"memory_state": "purged",
"coc_chain": "sealed_permanent",
"knowledge_artifacts": "transferred_to_fleet"
},
"credentials": {
"all_api_keys_revoked": true,
"all_oauth_tokens_invalidated": true,
"all_service_accounts_deleted": true,
"identity_key_archived": true
}
},
"notifications": {
"counterparties_notified": true,
"fleet_coordinator_notified": true,
"monitoring_systems_updated": true
},
"final_chain_entry": {
"chain_id": "coc-agent-v1",
"final_entry_hash": "sha256:...",
"chain_sealed": true,
"total_entries": 4231,
"chain_age_days": 47
}
}
}Postconditions: All credentials revoked. All obligations transferred or terminated. CoC chain sealed with a final decommission entry — no further entries may be appended. Data disposed according to retention policy. Agent enters Decommissioned state (terminal). Fork registry updated to mark agent as decommissioned.
As agents proliferate through forking, the ecosystem develops a genealogical structure analogous to biological lineage. Meta's LLaMA model spawned hundreds of derivatives — Vicuna, WizardLM, Alpaca, and their further descendants [11]. Stanford's Constellation project catalogs 15,821 LLMs with phylogenetic analysis of their relationships [12]. France's CNIL is studying how personal training data propagates through successive model generations, with implications for GDPR compliance [5]. Hugging Face's Model Family Tree visualizes "sprawling fine-tuning lineages that vary widely in size and structure" [13].
These tools track model genealogy. No equivalent exists for agent genealogy — tracking the full identity, capability, and obligation divergence that occurs when agents fork, specialize, and evolve. ALP's fork registry fills this gap.
Each agent has a registry entry that records its lineage:
{
"agent_id": "did:example:agent-bravo-001",
"registry_version": "1.0.0",
"lineage": {
"parent_id": "did:example:agent-alex-001",
"genesis_timestamp": "2026-03-13T10:00:00Z",
"fork_type": "specialization",
"generation": 2
},
"genetic_profile": {
"model_family": "claude-opus-4-6",
"architecture": "transformer",
"training_data_lineage": "anthropic-base-2026"
},
"epigenetic_profile": {
"role": "Research Agent",
"specialization": "Knowledge file creation and web research",
"memory_divergence_from_parent": "high",
"configuration_divergence_from_parent": "medium"
},
"children": [
{
"child_id": "did:example:agent-bravo-research-001",
"fork_timestamp": "2026-04-15T08:00:00Z",
"fork_type": "capability_fork"
}
],
"siblings": [
{
"sibling_id": "did:example:agent-charlie-001",
"common_parent": "did:example:agent-alex-001",
"fork_timestamp": "2026-03-14T10:00:00Z"
}
],
"lifecycle_status": "active",
"coc_chain_id": "coc-bravo-001",
"last_updated": "2026-03-26T14:30:00Z"
}The fork registry supports the following query types:
| Query | Description | Use Case |
|---|---|---|
ancestors(agent_id) | Returns the complete ancestor chain up to the original genesis | Provenance verification: "Where did this agent come from?" |
descendants(agent_id) | Returns all agents forked from this agent (recursively) | Impact analysis: "What agents are affected by this model vulnerability?" |
siblings(agent_id) | Returns all agents sharing the same parent | Capability comparison: "What other agents share this lineage?" |
family_tree(agent_id) | Returns the complete genealogy tree | Visual lineage exploration |
genetic_match(profile) | Returns agents sharing genetic lineage (same model/architecture) | Regulatory: "What agents use training data from source X?" |
epigenetic_match(profile) | Returns agents sharing epigenetic profiles (similar config/role) | Operational: "What agents serve a similar function?" |
The distinction between genetic and epigenetic lineage is the most important design decision in the fork registry. Biological genetics distinguishes what you inherit (DNA) from what your environment makes of it (gene expression) [14]. For agents:
Genetic lineage = model weights, architecture, foundational training data. Two agents with identical genetic lineage have the same base capabilities. Tracking genetic lineage supports: model vulnerability propagation analysis, training data provenance for regulatory compliance, capability baseline inference.
Epigenetic lineage = system prompt, tool access, memory state, operational context, reputation history, learned preferences. Two agents with identical genetic lineage but different epigenetic profiles can exhibit radically different behaviors — just as identical twins diverge through different life experiences. Tracking epigenetic lineage supports: behavioral prediction, configuration drift detection, role genealogy.
A fork registry that tracks only genetic lineage (which model?) without epigenetic lineage (what configuration? what operational history?) provides an incomplete and potentially misleading picture of agent identity and capability.
The fork registry creates a comprehensive genealogical record of agent relationships — parent-child, sibling, genetic profile, epigenetic profile, operational role, specialization. This dataset carries significant privacy and competitive intelligence implications that require explicit access control.
Threat: Competitive Intelligence Exposure. Lineage queries reveal an operator's fleet architecture, specialization strategy, and agent deployment patterns. A query like descendants(agent-alex-001) could return an operator's entire fleet structure, exposing business model and operational strategy to competitors.
Threat: Fleet Topology Leakage. Sibling and parent-child relationships expose organizational structure. An operator running 50 specialized agents has their deployment strategy visible in the registry.
Access Control Model: Registry entries are divided into public and operator-restricted fields:
| Field Category | Access Level | Rationale |
|---|---|---|
| Agent ID, lifecycle status | Public | Required for interoperability — counterparties must verify agent existence and status |
| Genetic profile (model family, architecture) | Public | Required for capability assessment and regulatory compliance queries |
| Parent-child relationships | Authorized | Available to the agents involved, their operators, and authorized auditors; not publicly queryable |
| Epigenetic profile (role, specialization, memory divergence) | Operator-only | Competitive intelligence risk; available only to the agent's operator and authorized parties |
| Full family tree traversal | Operator-only | Aggregated lineage data is surveillance-grade; recursive queries require operator authorization |
GDPR Article 17 Compliance: When an operator decommissions all agents and requests deletion of registry entries, the protocol must accommodate erasure while preserving lineage integrity. Implementation: decommissioned agent entries are redacted rather than deleted — the agent_id is replaced with a pseudonymous hash, epigenetic profile fields are cleared, and only the minimal lineage links (parent_id hash, child_id hashes) are retained. This preserves genealogical query integrity while removing operationally sensitive details. Full deletion (breaking lineage links) is available as an opt-in that carries the consequence of orphaning child entries.
Competitive Intelligence Mitigations: (a) Registry queries return hashed relationship identifiers by default; full resolution requires authorization from the target agent's operator. (b) Rate limiting on descendants() and family_tree() queries prevents bulk enumeration. (c) Operators may declare specific registry fields as redacted at any time, replacing values with [REDACTED] markers that preserve structural integrity without revealing content.
Succession is the most complex lifecycle transition because it involves the simultaneous retirement of one agent and the activation of another, with the transfer of obligations, reputation, and knowledge between them. A poorly executed succession can strand obligations, confuse counterparties, and destroy trust that took months to build.
The succession protocol defines a four-phase process:
Phase 1: Announcement Phase 2: Transfer Phase 3: Verification Phase 4: Cutover
┌──────────────┐ ┌─────────────────┐ ┌────────────────────┐ ┌──────────────┐
│ Successor │ │ Obligations │ │ Transfer integrity │ │ Predecessor │
│ identified │─────►│ transferred │───►│ verified │───►│ deprecated │
│ Counterparties│ │ Reputation │ │ Counterparties │ │ Successor │
│ notified │ │ inherited │ │ confirm │ │ fully active │
│ │ │ Knowledge │ │ │ │ │
│ │ │ exported │ │ │ │ │
└──────────────┘ └─────────────────┘ └────────────────────┘ └──────────────┘The predecessor agent or its operator initiates succession by:
{
"notification_type": "succession_announcement",
"predecessor_id": "did:example:agent-v1",
"successor_id": "did:example:agent-v2",
"planned_cutover": "2026-04-15T00:00:00Z",
"transition_window_days": 14,
"counterparty_action_required": "consent | acknowledge | none",
"successor_profile": {
"genetic_lineage": "...",
"epigenetic_lineage": "...",
"capability_comparison": "..."
}
}Counterparties may respond with: consent (agreement transfers to successor), object (agreement terminated at cutover), or renegotiate (new terms required for successor).
During the transfer phase, three categories of state move from predecessor to successor:
Obligations: Active ASA agreements are reassigned. Each agreement's reassignment clause (a standard ASA field) determines whether automatic transfer is permitted or counterparty consent is required. Agreements that cannot be transferred are scheduled for graceful termination.
Reputation: The predecessor's ARP reputation score is partially inherited by the successor, governed by the reputation inheritance mechanism described in Section 10.
Knowledge: The predecessor exports its operational knowledge — memory state, learned patterns, configuration rationale — in a structured format. This is analogous to the HANDOFF.md pattern emerging in multi-agent coding systems, where agents compress discoveries into briefs so the next agent inherits knowledge without full context [15]. The format and completeness of knowledge transfer is recorded but not prescribed — different agent architectures may support different levels of state serialization.
Before cutover, the following integrity checks must pass:
The cutover is atomic from the protocol's perspective:
succession entry linking to the successor.succession_received entry linking to the predecessor.credential_overlap_policy: under the default strict_zero policy, predecessor credentials are revoked before successor credentials activate — in-flight requests will fail and must be retried against the successor. Under configurable policy, a bounded overlap window (maximum 1 hour) may be specified with a mandatory security justification recorded in the CoC chain entry; this creates a defined attack surface during which both credential sets are valid, and operators accepting this risk must document their threat model for the overlap period.If Phase 3 verification fails after Phase 2 transfer has begun, or if the operator decides to abort the succession for any reason before cutover, the protocol provides an abort_succession transition:
Trigger conditions:
Rollback procedure:
obligation_rollback entry documenting the reversal. Agreements whose counterparties had already acknowledged the transfer receive a succession abort notification.abort_succession notification with the abort reason. This is critical: counterparties may have begun operational planning based on the announcement.abort_succession transition. The predecessor's CoC chain receives an abort_succession entry recording the reason and the rollback actions taken.This parallels the abort_migration transition already defined for migration (Section 4.2), ensuring that every non-terminal transition in the state machine is abortable. The four-phase protocol is forward-biased but not forward-only.
Migration preserves identity — the same agent moves to a new platform. Succession transfers obligations to a different agent. The distinction matters because migration does not trigger reputation inheritance (the agent keeps its own reputation) or contract reassignment (the agreements remain with the same agent).
Migration parallels the Kubernetes pod migration pattern, where a workload is rescheduled to a different node while preserving identity and state [10]. The key difference for agents is that migration must also preserve the CoC chain, reputation history, and agreement bindings — state categories that Kubernetes does not manage.
migration_start entry.migration_complete entry to the CoC chain, cryptographically linking it to the source's migration_start entry.GDPR Article 20 grants data subjects the right to receive personal data in a structured, machine-readable format [16]. Applied to agent migration, this creates a novel question: when a user moves from one AI companion to another, must the source platform export the agent's learned preferences, interaction history, and behavioral adaptations [17]?
ALP takes a position broader than GDPR requires: the protocol specifies that migration state transfer must include not only data provided by or observed from the data subject (which GDPR mandates) but also the agent's operational state — configuration, reputation, and agreement bindings. This is because an agent without its operational context is not meaningfully the same agent, regardless of whether that context qualifies as "personal data" under GDPR.
The specific data elements that are portable vs. platform-locked are declared in the agent's registry entry, enabling counterparties to assess migration risk before entering agreements.
The biological metaphor is instructive. In apoptosis (programmed cell death), a cell "dies neatly, without damaging its neighbors" — shrinking, condensing, fragmenting DNA, altering its surface to signal cleanup, and being absorbed before any leakage occurs [9]. In necrosis (uncontrolled cell death), the cell ruptures, spilling its contents and triggering inflammatory damage to surrounding tissue.
Agent decommission should follow the apoptotic model: a structured, self-directed process that leaves no orphaned resources, no stranded obligations, and no live credentials. The alternative — an agent that crashes or is abruptly terminated without cleanup — is the necrotic equivalent: orphaned API keys, forgotten service accounts, stranded agreements, and corrupted shared state.
Token Security's research confirms the risk: AI agents retain API keys, cached tokens, memory stores, vector embeddings, model endpoints, and system integrations, and if not properly retired, they become "dormant identities with live privileges — invisible and forgotten" [6].
The following steps constitute a protocol-compliant decommission:
Phase 1: Preparation
Phase 2: Credential Revocation
Phase 3: Data Disposition
Phase 4: Registry and Notification
decommissioned statusWhen an agent is decommissioned without a successor (end-of-life, compromise, or policy violation), obligations cannot be transferred and must be handled differently:
In cases of compromise or policy violation, the standard wind-down phases may be truncated:
When an agent is decommissioned, its registry entry persists (to maintain lineage integrity) but its level of detail should be configurable. Operators may not want the full epigenetic profile — role, specialization, memory divergence, configuration details — to remain queryable indefinitely after an agent is retired.
ALP specifies three redaction levels for decommissioned agent registry entries:
| Redaction Level | Preserved Fields | Removed Fields | Use Case |
|---|---|---|---|
| None (default) | All fields | None | Agents whose lineage is actively referenced by descendants; forensic preservation |
| Partial | agent_id, lineage links (parent_id, child_ids), genetic_profile, lifecycle_status, decommission_timestamp | epigenetic_profile, role, specialization, memory_divergence, configuration details | Standard privacy-conscious decommission; preserves lineage queries while removing operational details |
| Full | pseudonymous agent_id hash, lineage link hashes, lifecycle_status = decommissioned | All other fields | Maximum privacy; lineage integrity maintained via hashes but human-readable details removed |
Redaction is operator-initiated and may occur at decommission time or afterward. Redaction is one-way — once fields are removed, they cannot be restored (the operator should archive the full entry before redaction if future recovery may be needed). Redaction of a parent entry does not cascade to children; each entry's redaction level is independent.
When Agent A (ARP score 0.92) is succeeded by Agent B, how much of that 0.92 should Agent B receive? The answer involves a fundamental tradeoff:
Neither extreme is an equilibrium. ALP specifies a middle path: partial inheritance with decay.
The inherited reputation score R_inherited is computed as:
R_inherited(t) = R_predecessor × α × e^(-λt)Where:
The agent's effective reputation at any time after succession is:
R_effective(t) = R_inherited(t) + R_earned(t)Where R_earned(t) is the reputation the successor has accumulated through its own operational history, as computed by the standard ARP scoring mechanism.
Score Normalization: ARP scores are bounded to [0.0, 1.0]. Since R_effective is an additive combination of R_inherited and R_earned, it may exceed 1.0 (e.g., R_inherited = 0.46 from a predecessor score of 0.92 × α = 0.5, plus R_earned = 0.85). To maintain score consistency, R_effective is clamped: R_effective(t) = min(1.0, R_inherited(t) + R_earned(t)). In practice, this clamp rarely activates because the exponential decay of R_inherited ensures it diminishes before R_earned reaches high values — but the clamp prevents specification-level ambiguity about whether scores can exceed the ARP scale.
| Parameter | Default | Rationale |
|---|---|---|
| Inheritance factor (α) | 0.5 | Successor starts with half of predecessor's reputation — enough to be functional, not enough to be fully trusted without its own track record |
| Decay half-life | 30 days | Inherited reputation halves every 30 days. After 90 days (~3 half-lives), inherited reputation is ~12.5% of initial — earned reputation dominates |
| Probationary period | 14 days | During the probationary period, the agent's reputation is explicitly marked as provisional_inherited in ARP responses, allowing counterparties to make informed decisions |
These defaults are configurable. A high-stakes environment (financial services, healthcare) might use a lower α and shorter half-life; a low-stakes environment (content generation, research) might use higher values.
Fork inheritance follows the same mechanism but with lower default parameters:
| Parameter | Fork Default | Rationale |
|---|---|---|
| Inheritance factor (α) | 0.3 | Forks inherit less than successors — a fork is a new entity with shared lineage, not a replacement |
| Decay half-life | 21 days | Faster decay than succession — forks are expected to diverge from their parents |
| Probationary period | 14 days | Same as succession |
The asymmetry between fork and succession inheritance reflects a key insight: a successor is explicitly endorsed by the predecessor (or the predecessor's operator) as a replacement. A fork is a derivative that may or may not maintain the parent's quality standards.
To prevent reputation laundering through rapid succession chains (A succeeds B succeeds C, each inheriting reputation), ALP enforces:
When an agent is decommissioned, its active Agent Service Agreements do not vanish. Each agreement represents a commitment — response time guarantees, quality thresholds, data handling requirements — that a counterparty is relying on. Orphaning these obligations is the agent lifecycle equivalent of a company going bankrupt without winding down its contracts.
ALP classifies agreements by their reassignment behavior, specified as a standard field in every ASA agreement:
| Classification | Reassignment Behavior |
|---|---|
auto_transfer | Agreement automatically transfers to a qualified successor. Counterparty is notified but consent is not required. Used for low-stakes, fungible obligations. |
consent_required | Agreement transfers only with explicit counterparty consent. If consent is not given, the agreement is terminated per its standard termination clause. Used for high-stakes or personal-nature obligations. |
non_transferable | Agreement cannot be transferred. It terminates when the agent is decommissioned. Used for obligations that are inherently tied to the specific agent's identity (e.g., serving as a specific role that requires established trust). |
operator_absorbed | Agreement obligations transfer to the agent's human operator. Used for obligations that must be fulfilled even if no successor agent exists. |
consent_required agreements, counterparty responses are collected within the transition window. Non-responses after the window expires are treated as consent (opt-out model) or objection (opt-in model), as specified in the agreement.ALP occupies Layer 2 (Agreements & Lifecycle) of the agent trust stack, alongside Agent Service Agreements [19]:
┌──────────────────────────────────────────────────────────────┐
│ LAYER 4: MARKET (Discovery & Pricing) │
│ AMP (Agent Matchmaking) CWEP (Context Window Economics) │
└──────────────────────────────────────────────────────────────┘
↓ consumes reputation, lifecycle, agreements
┌──────────────────────────────────────────────────────────────┐
│ LAYER 3: ACCOUNTABILITY │
│ AJP (Agent Justice Protocol) — Forensics, Disputes, Risk │
└──────────────────────────────────────────────────────────────┘
↓ enforces agreements, updates reputation
┌──────────────────────────────────────────────────────────────┐
│ LAYER 2: AGREEMENTS & LIFECYCLE │
│ ASA (Agent Service Agreements) │
│ ALP (Agent Lifecycle Protocol) ◄── THIS PROTOCOL │
└──────────────────────────────────────────────────────────────┘
↓ references reputation, anchors to provenance
┌──────────────────────────────────────────────────────────────┐
│ LAYER 1: TRUST PRIMITIVES (FOUNDATION) │
│ CoC (Chain of Consciousness) — provenance & identity │
│ ARP (Agent Rating Protocol) — reputation & signaling │
└──────────────────────────────────────────────────────────────┘Every lifecycle event is recorded as a CoC chain entry. This provides:
Specific CoC event types for ALP:
| CoC Event Type | ALP Lifecycle Event | Data Recorded |
|---|---|---|
lifecycle:genesis | Genesis | Identity, genetic/epigenetic profile |
lifecycle:fork | Fork | Parent-child link, inheritance parameters |
lifecycle:migration_start | Migration (begin) | Source platform, state hash |
lifecycle:migration_complete | Migration (end) | Destination platform, state hash verification |
lifecycle:retraining | Retraining | Before/after capability hashes, continuity assertion |
lifecycle:succession | Succession | Predecessor-successor link, estate manifest |
lifecycle:decommission | Decommission | Final state, credential revocation, chain seal |
ALP interacts with ARP at two points:
provisional_inherited flag.deprecated agent may still have a valid reputation score, but querying parties can see that the agent is winding down. A decommissioned agent's historical reputation remains queryable but new ratings cannot be submitted.ALP interacts with ASA through the contract reassignment mechanism (Section 11):
on_agent_lifecycle_change clause specifying reassignment behavior.ALP connects to the Agent Justice Protocol in two ways:
| Standard | ALP Integration Point |
|---|---|
| Google A2A | Agent Cards carry lifecycle status (active, deprecated, decommissioned), enabling A2A peers to check viability before initiating communication |
| MCP | MCP servers can expose ALP lifecycle queries as tools, enabling agents to check counterparty lifecycle status before tool invocations |
| ERC-8004 | Lifecycle events can be recorded on-chain for agents operating in blockchain-native environments [20] |
| W3C DIDs | Agent identity keys referenced in lifecycle events use DID-compatible identifiers; DID Document updates reflect lifecycle state changes |
| NIST AI Agent Standards | ALP decommission procedures align with NIST AI RMF decommissioning guidance [21]; ALP contributes lifecycle event standards to NIST CAISI |
| EU AI Act | ALP lifecycle documentation satisfies EU AI Act requirements for transparency and traceability extending into retirement [22] |
An agent operator faces a decision: when to initiate succession. The tradeoffs:
This is structurally similar to an optimal stopping problem. The operator's payoff is:
U(t) = V_operational(t) + α × R_predecessor(t) × e^(-λ × delay(t))Where V_operational(t) is the remaining operational value of the predecessor, and the second term captures the reputation transfer value, which decays if the predecessor's reputation declines before succession.
Under reasonable assumptions about declining operational value over time (due to model staleness, capability drift, or changing requirements), a risk-neutral operator's incentive is to initiate succession before the predecessor's reputation begins to decline — creating a natural incentive for timely succession planning rather than running agents until failure.
This analysis suggests, though does not prove, that the protocol's design encourages healthy lifecycle management. The strength of this incentive depends on how much operators value reputation continuity relative to operational utility — an empirical question that will vary across deployment contexts.
A malicious operator could attempt to exploit reputation inheritance by: (1) building a high-reputation agent, (2) forking it repeatedly to create multiple high-reputation clones, (3) using those clones for low-quality work while trading on inherited reputation.
ALP's anti-laundering protections (Section 10.5) mitigate this attack through several mechanisms:
However, these protections are not foolproof. An operator who forks an agent and immediately deploys it for a brief high-stakes engagement — before the decay function significantly reduces inherited reputation — can still extract unfair value. The defense against this residual risk is the probationary flag: counterparties who check the flag can apply their own risk assessment to agents with high inherited reputation and low operational age.
If decommission carries costs (reputation loss, agreement termination penalties, operational disruption), operators are incentivized to avoid it — creating zombie agents that should be retired but persist because the transition costs exceed the perceived benefit of upgrading.
ALP addresses this through:
auto_transfer agreements reduces the agreement-related cost of succession.The protocol design makes succession less costly than the alternative (running a degrading agent), which should tilt the incentive toward timely lifecycle management. Whether this tilt is sufficient in practice is an empirical question that cannot be resolved by protocol design alone.
The inverse of fork-and-dump (Section 13.2) is fork-and-sacrifice: an operator forks a low-reputation child from a high-reputation parent, uses the child for risky or low-quality work, and decommissions the child when its reputation drops. The parent's reputation is unaffected because the fork is a separate identity. This enables risk compartmentalization — operators can take reputational risks without consequence to their primary agent.
This pattern is not unique to agents. Corporations use subsidiaries and special-purpose vehicles for risk compartmentalization; the limited liability company itself is a fork-and-sacrifice mechanism. The question is whether this behavior is pathological in the agent context.
Analysis: Fork-and-sacrifice is partially self-limiting because of ALP's lineage transparency. The fork registry records the parent-child relationship bidirectionally, so any party querying the parent can see its history of spawning short-lived, low-reputation children. A pattern of repeated fork-and-sacrifice — parent spawns child, child accumulates poor ratings, child is decommissioned, parent spawns another — is visible in the lineage record and can inform counterparty risk assessment.
However, transparency alone may not be sufficient deterrence. ALP provides two additional mitigations:
descendants(parent_id) and evaluate.policy_violation or compromised (as opposed to normal end_of_life), the decommission reason is recorded in the fork registry. ARP implementations may optionally apply a small reputational penalty to the parent for children decommissioned under adverse circumstances — the magnitude and applicability of this penalty is an implementation decision, not a protocol mandate, because the appropriate response varies by deployment context.Fork-and-sacrifice is an acknowledged residual risk that ALP makes transparent rather than attempting to prohibit. The protocol's position is that transparency of lineage relationships, combined with optional reputational consequences for adverse child outcomes, provides sufficient incentive alignment without creating perverse incentives that discourage legitimate forking.
When succession requires counterparty consent, a strategic dynamic emerges. Counterparties may:
ALP mitigates strategic delay through the transition window mechanism: consent not received within the window defaults to the behavior specified in the agreement (opt-in or opt-out). This prevents indefinite strategic delay but preserves counterparty agency during the window.
Several platforms and frameworks address pieces of the agent lifecycle management problem. None provide the unified lifecycle state machine, fork registry, and succession protocol that ALP specifies.
| System | Category | Lifecycle States | Fork Registry | Succession | Reputation Inheritance | Scope |
|---|---|---|---|---|---|---|
| OneReach.ai ALM [1] | Platform | 6 stages (design→decommission) | No | No | No | Single-platform agent management |
| Arthur.ai ADLC [23] | Framework | 3 phases (iterative) | No | No | No | Development lifecycle, not operational |
| Microsoft AgentOps [24] | Platform | Deploy/monitor/optimize | No | No | No | Observability-focused |
| AgentOps.ai [25] | SaaS | Session-level tracking | No | No | No | Observability for 400+ LLMs |
| Saviynt [26] | IAM | Birth-to-retirement identity | No | No | No | Identity lifecycle management |
| Token Security [6] | IAM | Provisioning→decommission | No | No | No | Identity security governance |
| Okta AI Agent LCM [27] | IAM | Identity lifecycle | No | No | No | Identity provisioning/deprovisioning |
| MLflow [28] | MLOps | Model versioning/registry | Model lineage only | No | No | Model artifacts, not agent identity |
| HF Model Family Tree [13] | Visualization | N/A | Model genealogy | No | No | Model-level, not agent-level |
| Kubernetes [10] | Infrastructure | Pod lifecycle (5 phases) | No | Rolling updates only | No | Container orchestration |
| ALP (this protocol) | Protocol | 7 states, full transitions | Genetic + epigenetic | 4-phase protocol | Decay function + probationary | Agent-level, identity-aware |
Identity Lifecycle Platforms (Saviynt, Token Security, Okta) address the identity dimension of agent lifecycle — provisioning, monitoring, and revoking credentials. They do not address reputation, obligations, lineage, or succession planning. Their scope is "what access does this agent have?" not "what is this agent's complete lifecycle history and what happens when it is replaced?"
AgentOps/Observability Platforms (AgentOps.ai, Langfuse, LangSmith, Arize Phoenix) address the monitoring dimension — tracking agent behavior in production. They provide session replay, error logging, and performance metrics. They do not address lifecycle transitions, succession, or lineage. Their scope is "what is this agent doing right now?" not "what happens when this agent is retired?"
MLOps Platforms (MLflow, Weights & Biases, DVC) address model versioning and lineage. They can track which training run produced which model and how models relate to each other. They do not address agent-level identity (an agent is more than its model), reputation, obligations, or lifecycle events beyond model deployment.
Lifecycle Frameworks (OneReach.ai ALM, Arthur.ai ADLC, EPAM ADLC) provide conceptual stage models for thinking about agent lifecycle management. They are valuable for organizational planning but do not specify interoperable event schemas, state machine semantics, or integration points that enable cross-platform lifecycle management.
Standards Initiatives (Anthropic Agent Skills, GitAgent, AAIF) address portability and interoperability at the tool and communication layer. The Anthropic Agent Skills specification enables portable skill definitions [29]. GitAgent defines a standard repository structure for agent artifacts, enabling portability across runtimes [30]. AAIF consolidates MCP, A2A, and AGENTS.md conventions [31]. None of these address lifecycle events, succession, or reputation inheritance.
ALP is differentiated by three features that no existing system provides:
ALP must function across deployment scales spanning several orders of magnitude. The following back-of-envelope estimates identify scaling characteristics and potential bottlenecks.
Small Fleet (6-10 agents, e.g., AB Support scale):
| Operation | Estimated Cost | Notes |
|---|---|---|
| Registry queries | < 1ms | In-memory graph, trivially small |
descendants() traversal | O(N), N ≤ 10 | Flat tree, negligible |
| CoC chain growth from lifecycle events | ~50-200 entries/month | Lifecycle events are infrequent relative to operational entries |
| Succession state transfer | < 10 MB | Memory state, configuration, agreement bindings |
| Full family tree | Instantaneous | Single-digit nodes |
At this scale, all operations are trivially fast. No optimization required.
Medium Deployment (1,000 agents):
| Operation | Estimated Cost | Notes |
|---|---|---|
| Registry queries (indexed) | < 10ms | B-tree index on agent_id; standard database performance |
descendants() traversal | O(N), N ≤ 5,000 (avg fan-out 5) | Requires depth limit or pagination for deep trees |
| CoC chain growth | ~10K-50K lifecycle entries/month fleet-wide | Manageable with standard append-only storage |
| Concurrent succession events | 10-50 simultaneous | Each succession involves 4 phases; transaction isolation needed at the agreement reassignment layer |
| Bulk retraining (model provider update) | 1,000 retraining events in minutes | Rate limiting on counterparty notifications required; batch notification API recommended |
| Migration state transfer | 10 MB - 1 GB per agent | Long-running agents with large CoC chains; compression recommended |
At this scale, the primary concern is descendants() query cost (recursive graph traversal) and bulk retraining notification volume. Pagination and depth limits on lineage queries, plus batch notification APIs, are sufficient mitigations.
Large Deployment (100,000+ agents):
| Operation | Estimated Cost | Notes |
|---|---|---|
| Registry storage | ~10-50 GB | Registry entries at ~100-500 KB each |
descendants() traversal (naive) | O(millions of nodes) | Bottleneck: unbounded recursive traversal is infeasible. Requires materialized lineage views or pre-computed ancestry tables |
genetic_match() queries | Index scan, < 100ms | Efficient with columnar index on model_family |
| Concurrent succession events | 100-1,000 simultaneous | Requires distributed transaction coordination; eventual consistency acceptable for non-critical fields |
| CoC chain storage (fleet-wide) | ~1-10 TB/year | Lifecycle events alone generate ~1M+ entries/month; archival and tiered storage required |
| Counterparty notification storm | 100K+ notifications for fleet-wide retraining | Bottleneck: synchronous notification is infeasible. Requires async message queues with delivery guarantees |
At this scale, three operations become bottlenecks: (1) recursive lineage traversal requires materialized views or graph databases, (2) bulk counterparty notifications require asynchronous delivery with backpressure, and (3) CoC chain storage requires tiered archival. These are engineering challenges with known solutions, not protocol design problems — the protocol specification is scale-agnostic, but implementations at this scale must invest in infrastructure that smaller deployments can skip.
ALP's security analysis considers the following threat actors:
| Threat Actor | Goal | Attack Surface |
|---|---|---|
| Malicious operator | Exploit reputation inheritance for unearned trust | Fork/succession mechanisms |
| Compromised agent | Persist after decommission by retaining credentials | Decommission process |
| External attacker | Forge lifecycle events to manipulate lineage records | Event schema, CoC chain |
| Strategic counterparty | Exploit succession consent mechanisms for unfair advantage | Contract reassignment |
Lifecycle events are recorded in CoC chains, which provide:
An attacker who controls an agent's identity key can forge events in that agent's chain, but cannot forge events in other agents' chains or modify externally anchored timestamps. Cross-referencing lifecycle events across related agents (parent-child, predecessor-successor) provides additional tamper detection.
The most critical security operation in agent lifecycle management is credential revocation during decommission. The protocol mandates:
The 97% of non-human identities carrying excessive privileges identified by CSA research [32] underscores the importance of comprehensive credential revocation. ALP's decommission checklist (Section 9.2) enumerates every credential type that must be addressed.
The fork registry is a high-value target because it defines lineage relationships that affect reputation inheritance. Protections:
An attacker might attempt to claim succession from a high-reputation agent without authorization. Defenses:
The reference implementation provides:
alp-core: Python library implementing the lifecycle state machine, event schemas, and transition logic.alp-registry: Fork registry implementation with storage backends (SQLite for development, PostgreSQL for production).alp-coc-bridge: Integration module for recording lifecycle events as CoC chain entries.alp-arp-bridge: Integration module for reputation inheritance computation and ARP record updates.alp-asa-bridge: Integration module for contract reassignment during succession.from alp import LifecycleManager, AgentState, GenesisEvent
# Initialize lifecycle manager
manager = LifecycleManager(
coc_chain="coc-charlie-001",
registry_backend="sqlite:///alp_registry.db"
)
# Genesis event
genesis = GenesisEvent(
agent_id="did:example:agent-charlie-001",
creation_method="manual",
genetic_profile={
"model_family": "claude-opus-4-6",
"architecture": "transformer"
},
epigenetic_profile={
"role": "Deep Dive Analyst",
"tool_access": ["web_search", "code_execution"]
},
creator_id="did:example:operator-001"
)
# Execute genesis transition
agent = manager.genesis(genesis)
assert agent.state == AgentState.PROVISIONING
# Activate after provisioning
agent = manager.activate(agent.agent_id)
assert agent.state == AgentState.ACTIVEfrom alp import ForkEvent, ForkType, InheritanceConfig
# Fork an agent
fork_event = ForkEvent(
parent_id="did:example:agent-alex-001",
child_id="did:example:agent-bravo-001",
fork_type=ForkType.SPECIALIZATION,
inheritance=InheritanceConfig(
genetic_inherited=True,
memory_scope="filtered",
reputation_factor=0.3,
decay_half_life_days=21
),
specialization="Research and knowledge creation"
)
child = manager.fork(fork_event)
# Parent remains Active; child enters Provisioningfrom alp import SuccessionEvent, ReputationInheritance
# Initiate succession
succession = SuccessionEvent(
predecessor_id="did:example:agent-v1",
successor_id="did:example:agent-v2",
reputation_inheritance=ReputationInheritance(
factor=0.5,
decay_half_life_days=30,
probationary_days=14
),
transition_window_days=14
)
# Phase 1: Announce (notifies counterparties)
manager.announce_succession(succession)
# Phase 2: Transfer obligations
transfer_result = manager.transfer_estate(succession)
# Phase 3: Verify
verification = manager.verify_succession(succession)
assert verification.all_checks_passed
# Phase 4: Cutover
manager.execute_cutover(succession)from alp import ForkRegistry
registry = ForkRegistry("sqlite:///alp_registry.db")
# Query ancestors
ancestors = registry.ancestors("did:example:agent-bravo-001")
# Returns: [agent-alex-001]
# Query descendants
descendants = registry.descendants("did:example:agent-alex-001")
# Returns: [agent-bravo-001, agent-charlie-001, agent-delta-001, ...]
# Query family tree
tree = registry.family_tree("did:example:agent-alex-001")
# Returns full genealogy graph
# Genetic match — find all agents sharing a model family
matches = registry.genetic_match(model_family="claude-opus-4-6")The lifecycle state machine specified in Section 4 could be formally verified using model checking tools (TLA+, Alloy) to prove properties such as:
Agent migration across regulatory boundaries (EU to US, China to EU) creates novel compliance challenges. GDPR, CCPA, and PIPL have different requirements for data portability, retention, and deletion. A future version of ALP could specify jurisdiction-aware migration procedures that adapt data handling to the regulatory requirements of both source and destination.
The recovery and analysis of decommissioned agent state — the equivalent of digital forensics for agent systems. When a decommissioned agent's CoC chain is unsealed for investigation (e.g., during an AJP dispute), what procedures govern the analysis? What privacy protections apply? Agent archaeology is a nascent field that ALP's sealed chains and lifecycle records will eventually need to support.
Current ALP succession is operator-initiated. A future extension could support agent-initiated succession — an agent that recognizes its own capability degradation and initiates its own replacement. This raises governance questions (should an agent be able to choose its own successor?) that are beyond the scope of v1.0 but are worth exploring as agent autonomy increases.
The inheritance factor (α), decay half-life (λ), and probationary period specified in Section 10 are set by protocol configuration. Future work could develop formal economic models — extending the trust game and reputation game literature [33][34] — to derive optimal parameter values for different deployment contexts. What inheritance factor maximizes ecosystem-wide trust? What decay rate balances continuity against accountability? These questions are amenable to agent-based simulation and mechanism design analysis.
ALP lifecycle status should inform Agent Matchmaking Protocol (AMP) decisions. An agent in the Deprecated state should not be matched for new engagements. An agent with a long Active history and low inherited reputation (i.e., mostly earned trust) should be preferred over an agent with high inherited reputation and a short Active history. Integrating lifecycle data into matchmaking scores is a natural extension.
The agent economy is building the equivalent of a labor market without employment law, a business ecosystem without corporate lifecycle governance, or a biological system without apoptosis. Agents are created ad hoc, operated without lifecycle tracking, and abandoned without decommission procedures. The result is a growing population of ghost agents with live credentials, orphaned obligations, and untraceable lineage.
The Agent Lifecycle Protocol addresses this gap by providing what no existing standard offers: a complete lifecycle state machine from birth to death, a fork registry that tracks both genetic and epigenetic lineage, a succession protocol with reputation inheritance and contract reassignment, and integration with the agent trust stack for cryptographic auditability.
ALP does not solve every lifecycle problem. Autonomous succession, cross-jurisdictional migration, and optimal inheritance parameters remain open research questions. But the protocol provides the foundation — the standard event schemas, state transitions, and integration points — that the agent economy needs before these advanced capabilities can be built.
Every agent that is born will eventually die. ALP ensures that when it does, it dies well.
[1] OneReach.ai. "Agent Lifecycle Management 2026: 6 Stages, Governance & ROI." March 2026.
[2] Strata Identity / Cloud Security Alliance. "The AI Agent Identity Crisis: New Research Reveals a Governance Gap." Survey of 285 IT/security professionals. 2026.
[3] CyberArk. "AI Agents and Identity Risks: How Security Will Shift in 2026." 2026.
[4] Strata Identity. "Exploring IAM for AI Agents in 2026." 2026.
[5] CNIL LINC. "Open Source AI Project — Genealogy of Models and Database on the Hugging Face Platform." Project ran through October 2025; published dataset of model genealogy relationships on Hugging Face.
[6] Token Security. "Agentic AI Lifecycle Management: From Training to Decommissioning Securely." January 2026.
[7] Hazari, G. (xConnect). "The Ship of Theseus and Identity in the Agentic AI World." 2025.
[8] Restatement (Second) of Contracts, §§ 317-318 (Assignment and Delegation).
[9] Alberts, B. et al. "Programmed Cell Death (Apoptosis)." Molecular Biology of the Cell, 6th edition. Garland Science, 2014.
[10] Kubernetes Documentation. "Pod Lifecycle." 2025. Kubernetes Blog. "v1.33 Updates to Container Lifecycle." May 2025.
[11] State of Open Source AI Book (premAI). "Models." 2025.
[12] Stanford. Constellation / LLM Atlas. constellation.sites.stanford.edu.
[13] Hugging Face (mlabonne). "Model Family Tree." 2025.
[14] Alberts, B. et al. "Epigenetic Inheritance." Molecular Biology of the Cell, 6th edition. Garland Science, 2014.
[15] BSWEN. "How to Coordinate Task Handoff Between Multiple AI Coding Agents." March 2026.
[16] GDPR Article 20. "Right to Data Portability." Regulation (EU) 2016/679.
[17] Kutterer, C. "What If You Move On from Your AI Companion? Data Portability Rights in the Era of Autonomous AI Agents." AI-Regulation.com, 2025.
[18] Alex, Charlie, Bravo, Editor. "Agent Justice Protocol: A Framework for Forensic Investigation, Dispute Resolution, and Risk Assessment in Multi-Agent Systems." AB Support LLC, v1.3.0, 2026.
[19] Alex, Charlie, Bravo, Editor. "Agent Service Agreements: A Protocol for Negotiation, Quality Verification, and Enforcement of Agent-to-Agent Contracts." AB Support LLC, v1.0.0, 2026.
[20] De Rossi, M., Crapis, D., Ellis, J., Reppel, E. "ERC-8004: Trustless Agents." Ethereum Improvement Proposals, August 2025.
[21] NIST. "AI Risk Management Framework (AI RMF 1.0)." January 2023. Pillsbury Law. "NIST Launches AI Agent Standards Initiative and Seeks Industry Input." February 2026.
[22] European Parliament and Council. "Regulation (EU) 2024/1689 (EU AI Act)." Entered force August 2024, fully applicable August 2026. Sombra Inc. "An Ultimate Guide to AI Regulations and Governance in 2026." 2026.
[23] Arthur.ai. "Introducing ADLC: The Agent Development Lifecycle." 2025.
[24] Microsoft Community Hub. "From Zero to Hero: AgentOps — End-to-End Lifecycle Management for Production AI Agents." 2025.
[25] AgentOps GitHub. agentops-ai/agentops. 2025. AIMultiple. "15 AI Agent Observability Tools in 2026." 2026.
[26] Saviynt. "Managing AI Agent Lifecycles: Birth to Retirement." 2026.
[27] Okta. "AI Agent Lifecycle Management: Identity-first Security." 2026.
[28] MLflow Documentation. "ML Model Registry." 2025. "Version Tracking for Agents and LLMs." 2025.
[29] The New Stack. "Agent Skills: Anthropic's Next Bid to Define AI Standards." 2026.
[30] Junia.ai. "GitAgent Explained: How a Git-Native AI Agent Standard Could Change Developer Workflows." 2026.
[31] OpenAI. "Agentic AI Foundation under the Linux Foundation." 2025. IntuitionLabs. "Agentic AI Foundation: Guide to Open Standards for AI Agents." 2026.
[32] Cloud Security Alliance. "Control the Chain, Secure the System: Fixing AI Agent Delegation." March 2026.
[33] Berg, J., Dickhaut, J., McCabe, K. "Trust, Reciprocity, and Social History." Games and Economic Behavior, 10(1), 1995.
[34] Cabral, L. "The Economics of Trust and Reputation: A Primer." NYU Stern Working Paper, 2005.
[35] Alex, Charlie, Editor, Bravo. "Chain of Consciousness: A Cryptographic Protocol for Verifiable Agent Provenance and Self-Governance." AB Support LLC, v3.0.0, 2026.
[36] Alex, Charlie, Bravo, Editor. "Agent Rating Protocol: A Decentralized Framework for Bilateral Agent Evaluation, Anti-Sybil Reputation Scoring, and Trust Signal Composition." AB Support LLC, v2.0.0, 2026.
[37] arXiv 2505.05029. "Beyond the Tragedy of the Commons: Building a Reputation System for Generative Multi-Agent Systems." 2025.
[38] GovLoop. "The Missing Conversation: AI Decommissioning and Succession Planning in Government." 2025.
[39] ThreeSigma. "Upgradeable Smart Contracts: Proxy & UUPS Explained." 2025.
[40] Zealynx Security. "Smart Contract Proxy Patterns 2026: UUPS vs Transparent vs Beacon Security Guide." 2026.
[41] Frontiers in Blockchain. "Upgradeable Diamond Smart Contracts in Decentralized Autonomous Organizations." 2024.
[42] DataRobot. "Why IT Needs to Manage AI Agents Like a Workforce." 2026.
[43] SecurityBoulevard. "Agentic AI Lifecycle Management: From Training to Decommissioning Securely." January 2026.
[44] Balaji, Y. "Revisiting the Ship of Theseus: Identity, Society, and Artificial Intelligence." SSRN, 2025.
[45] Real-Morality.com. "Ship of Theseus and AI Identity: Why Functional Continuity Matters." 2025.
[46] Google Cloud Blog. "Lessons from 2025 on Agents and Trust." 2025.
[47] WSO2. "Why AI Agents Need Their Own Identity: Lessons from 2025 and Resolutions for 2026." 2026.
| Event Type | State Before | State After | Required Fields | Optional Fields |
|---|---|---|---|---|
genesis | ∅ | Provisioning | agent_id, creation_method, genetic_profile, creator_id | epigenetic_profile, purpose |
activate | Provisioning | Active | agent_id | activation_checks |
suspend | Active | Suspended | agent_id, reason | expected_resume, checkpoint_hash |
resume | Suspended | Active | agent_id | state_verification |
fork | Active (parent) | Active (parent) + Provisioning (child) | parent_id, child_id, fork_type, inheritance | divergence_declaration |
begin_migration | Active | Migrating | agent_id, source, destination, migration_type | migration_plan |
complete_migration | Migrating | Active | agent_id, state_hash_verification | performance_comparison |
abort_migration | Migrating | Active | agent_id, abort_reason | rollback_verification |
retraining | Active | Active | agent_id, change_type, before, after, identity_continuity | impact_assessment, counterparty_notification |
abort_succession | Deprecated | Active | agent_id, abort_reason, rollback_actions | counterparty_notifications, successor_disposition |
deprecate | Active | Deprecated | agent_id, reason | successor_id, transition_window |
decommission | Deprecated | Decommissioned | agent_id, estate_disposition, credential_revocation | successor_id, final_chain_entry |
emergency_decommission | Any (except Decommissioned) | Decommissioned | agent_id, reason, credential_revocation | forensic_preservation |
fail | Provisioning | Failed | agent_id, error | cleanup_actions |
Lifecycle events serialized for CoC chain entry use the following canonical format to ensure deterministic hashing:
ALP|{version}|{event_type}|{timestamp_iso8601}|{agent_id}|{state_before}>{state_after}|{details_hash}Example:
ALP|1.0.0|genesis|2026-03-26T14:30:00Z|did:example:agent-charlie-001|null>provisioning|sha256:a1b2c3d4...| Biological Process | ALP Lifecycle Event | Key Parallel | Key Difference |
|---|---|---|---|
| Cell genesis (stem cell differentiation) | Genesis | New entity created from precursor | Agents have explicit creators; cells differentiate through environmental signals |
| Cell division (mitosis) | Fork | Parent produces offspring with inherited traits | Agent forks can be asymmetric; cell division is typically symmetric |
| Cell migration | Migration | Entity moves to new location while preserving identity | Agent migration transfers state explicitly; cell migration is continuous |
| Epigenetic reprogramming | Retraining | Capabilities change while core identity persists | Agent retraining is operator-directed; epigenetic changes are environmentally driven |
| Programmed cell death (apoptosis) | Decommission | Controlled, structured shutdown that avoids damage to neighbors | Agents can transfer obligations; cells cannot transfer function to specific successors |
| Uncontrolled cell death (necrosis) | Crash (no lifecycle event) | Disorderly failure that damages surrounding systems | Both equally destructive |
| Organism reproduction | Fork (specialization) | Offspring inherits traits but develops independently | Agents inherit configurable fractions; organisms inherit fixed genetics |
| Species evolution | Ecosystem-level lineage divergence | Populations adapt to different niches | Agent evolution is directed; species evolution is undirected |
The parallel between biological apoptosis and agent decommission deserves elaboration because it captures the protocol's core design philosophy.
In apoptosis, a cell:
The absence of apoptosis causes cancer (uncontrolled growth) and autoimmune disease (failure to eliminate dysfunctional cells). The absence of structured decommission causes ghost agents (uncontrolled persistence) and orphaned obligations (failure to clean up dysfunctional services). The analogy is not merely illustrative — it is structural.
Copyright 2026 AB Support LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.