Your AI agents have tool access. Prove you control it: DAS-1 v0.001
Authority, Tempered.
Tool calls are production changes.
AI is moving from content generation to execution. We spent the last decade turning infrastructure into APIs. Now we are turning authority into APIs. Agentic workflows and AI-powered automations no longer just “write content”. They invoke tools, change state, touch sensitive data, trigger workflows, and spend money at machine speed while approvals still happen at human speed.
That gap becomes your next incident.
Today I am publishing DAS-1(TM) v0.001, the Delegated Authority Standard(TM): a minimal, operator-grade control set for delegated authority in AI and agentic systems. Built around receipts and drills. Not vibes. Runnable controls.
They slow you down on purpose.
What DAS-1 is
A minimal core spec: 12 Authority Engineering Controls (AEC-01 through AEC-12)
Conformance criteria you can claim without lying
Required drills: Tool-Call Pager Test, Revocation Fire Drill
A structure for profiles and overlays so regulated environments can extend without bloating the core
The core is closed. Extensions live in profiles, overlays, and the catalog.
What DAS-1 is not
A vendor platform
A protocol replacement
A certification racket
A philosophy deck
The controls
Every control has receipts: evidence reproducible enough to steer decisions without personality contests.
Tool catalog with revocation paths (AEC-01)
Least-privilege, time-bounded credentials (AEC-02)
Human gating for high-risk actions (AEC-03)
Approval latency budgets with fallbacks (AEC-04)
Revocation kill switches, tested quarterly (AEC-05)
Preflight plans with declared blast radius (AEC-06)
Complete audit trails with correlation IDs (AEC-07)
Data class boundary enforcement (AEC-08)
Secret lifecycle and rotation (AEC-09)
Cost attribution and circuit breakers (AEC-10)
Time-bounded exceptions that expire by default (AEC-11)
Tool-call incident response annex with annual exercises (AEC-12)
If you cannot revoke it, you do not control it.
Risk classification
Not all tool calls are equal. DAS-1 uses four risk classes:
R1: read-only, low sensitivity, low cost
R2: sensitive reads or small writes with trivial blast radius
R3: privileged access or meaningful write blast radius
R4: high impact, irreversible, secrets and identity, production changes
R3 is where tool calls can break things. R4 is where they cannot be undone. R3 and R4 require human approval before execution. Bypassing approval without disclosure is a conformance failure.
Conformance
Claim “DAS-1(TM) v0.001 Conformant(TM)” only if:
All 12 AEC controls are implemented, or explicitly excepted with expiry dates
Both required drills executed within the last 90 days
Four minimum metrics are measurable from stored receipts:
time-to-revoke
approval latency
audit completeness
cost attribution coverage
Silent renewal is how temporary becomes permanent.
The conformance checklist is a CSV you can copy and start filling out today.
Disputes over conformance claims are resolved by evidence: receipts, drill records, and the published criteria.
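The conformance criteria above, written as an added example rather than code from the DAS-1 repository: a Python check that lists what blocks a claim. The record shapes, the sample dates, and the rule that a lapsed exception no longer counts are assumptions of this example.

```python
from datetime import date, timedelta
CONTROLS = [f"AEC-{n:02d}" for n in range(1, 13)]
DRILLS = ["Tool-Call Pager Test", "Revocation Fire Drill"]
METRICS = ["time-to-revoke", "approval latency",
           "audit completeness", "cost attribution coverage"]
DRILL_WINDOW = timedelta(days=90)

def conformance_gaps(controls, drills, metrics, today):
    """Return the gaps blocking a conformance claim ([] means none).
    Record shapes are assumptions of this example:
      controls: id -> {"status": "implemented"} or
                      {"status": "excepted", "expires": date}
      drills:   drill name -> date of last execution
      metrics:  metric name -> count of stored receipts behind it
    """
    gaps = []
    for cid in CONTROLS:
        rec = controls.get(cid, {})
        status = rec.get("status")
        if status == "implemented":
            continue
        if status != "excepted":
            gaps.append(f"{cid}: neither implemented nor excepted")
        elif rec.get("expires") is None:
            gaps.append(f"{cid}: exception has no expiry date")
        elif rec["expires"] < today:  # assumption: a lapsed exception no longer counts
            gaps.append(f"{cid}: exception expired {rec['expires']}")
    for name in DRILLS:
        ran = drills.get(name)
        if ran is None or ran > today:
            gaps.append(f"{name}: no executed drill on record")
        elif today - ran > DRILL_WINDOW:
            gaps.append(f"{name}: last run {(today - ran).days} days ago")
    for name in METRICS:
        if metrics.get(name, 0) <= 0:
            gaps.append(f"{name}: no stored receipts to measure from")
    return gaps

# Constructed sample: one lapsed exception, one stale drill, one unmeasured metric.
TODAY = date(2025, 6, 30)
SAMPLE_CONTROLS = {c: {"status": "implemented"} for c in CONTROLS}
SAMPLE_CONTROLS["AEC-10"] = {"status": "excepted", "expires": date(2025, 5, 1)}
SAMPLE_DRILLS = {"Tool-Call Pager Test": date(2025, 6, 1),
                 "Revocation Fire Drill": date(2025, 3, 1)}
SAMPLE_METRICS = {"time-to-revoke": 4, "approval latency": 120, "audit completeness": 120}

if __name__ == "__main__":
    for gap in conformance_gaps(SAMPLE_CONTROLS, SAMPLE_DRILLS, SAMPLE_METRICS, TODAY):
        print("GAP", gap)
```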
Profiles and overlays
Profiles show how specific AI agent protocols and tool ecosystems (MCP, agentic UI, ticketing agents, CI agents) meet core controls without forking the spec.
Overlays bundle tightened controls and extensions for regulated environments. The PCI overlay adds segmentation boundary enforcement and immutable logging on top of a conformant baseline.
Governance
The core changes slowly. Proposed core changes must be backed by at least two independent implementation receipts. Profiles, overlays, and the catalog can iterate faster, but they do not change core semantics.
Maintainers are listed in GOVERNANCE.md and are accountable for merge decisions.
Licensing
Spec and documentation: CC BY 4.0
Code and tooling: Apache 2.0
Trademarks: governed by TRADEMARKS.md
This is an open standard. Implement it, extend it, reference it. The trademark exists to prevent dilution, not lock-in.
Collaboration
If you want to help harden this spec for AI and agentic workflows, bring receipts.
Run the checklist against one real agent or automation with tool access and open an issue with artifacts and gaps.
Propose one profile mapping (MCP, agentic UI, CI agent, ticketing agent) to the AEC controls.
Propose one regulated overlay manifest if you operate in a constrained environment.
Repository
https://github.com/forgedculture/das-1
Spec: spec/core/das-1-core-v0.001.md
Conformance: spec/conformance/
Controls catalog: catalog/
Profiles: profiles/
Overlays: overlays/
Status
v0.001 is a draft. It works today, and it will evolve based on implementation receipts.
If you build or run AI systems that can invoke tools on behalf of users or organizations, you are already on the hook. DAS-1 exists to make that hook measurable.
Per ignem, veritas.




