Hero Scenario
Cross-vendor agent action attestation. When Vendor A’s agent invokes Vendor B’s tool on a buyer’s behalf, both kernels produce a jointly-verifiable receipt that the buyer can audit without trusting either vendor unilaterally.
Forward-looking concept
Why this scenario
The third-party agent ecosystem is fragmenting fast. Buyers want to compose agents across vendors (LLM provider, tool provider, data provider, orchestrator) but they inherit liability for actions they did not directly approve. Today the answer is contractual: vendor SLAs, DPA addendums, audit rights nobody exercises.
Congregate-style coordination is the cryptographic answer. Every cross-vendor action produces a bilateral co-signed receipt that survives in both vendors’ audit stores and the buyer’s, with a workflow receipt capturing the multi-step plan as a single artefact.
The buyer pitch
“Your auditor can verify every action your composed agents took across every vendor, without trusting any of them.” The budget line exists already (third-party agent governance, vendor risk management, AI/ML compliance) and is growing.
The audit slate
Three concrete questions a buyer’s auditor can answer with cross-vendor receipts that they cannot answer today. Each maps to a live cross-vendor failure mode: SLA disputes, side-channel authorisation, and silent capability drift.
- Did Vendor B actually authorise the action it billed for? Today the buyer sees Vendor A’s log, Vendor B’s invoice, and a tool-call result. Vendor B’s consent is implicit. With a bilateral co-signed receipt, both vendors independently evaluated the same canonical body and signed it; either side can produce the receipt years later from its own audit store, and neither can rewrite the joint history. Disputes resolve against an artefact rather than a vendor email thread.
- Did the multi-step plan stay inside the capability the buyer issued? The workflow receipt captures the joint multi-step plan as one artefact, with each step bound to an attenuated capability ultimately rooted in the buyer’s issuance. An auditor walks the lineage DAG, checks that every leaf step is dominated by the buyer’s grant, and rejects any plan that smuggled in a side capability or escaped the original scope.
- When did this composition first start drifting outside policy, and which vendor did it? Receipts are evidence the buyer’s governance can replay. A freeze or sanction case names specific receipts as evidence; any third party can replay the case and reach the same finding without a vote. The drift is attributable to the kernel that signed the deviating receipts, not assigned by negotiation.
vs. adjacent approaches
Chiodos competes with five different shapes of system at once because each addresses one slice of the cross-vendor problem. The table below maps the slice each one solves and what the congregate adds on top.
| Approach | What it solves | What chiodos adds |
|---|---|---|
| Sigstore / in-toto for runtime invocation | Post-hoc transparency-log anchoring of a single-party signature over an invocation predicate. In active WG discussion (OpenSSF AI/ML Security WG, CoSAI Workstream 4); not yet shipping. | Bilateral co-signing at action time (joint commit by both parties on the same canonical body), per-action attenuated capability scoping, workflow receipts as joint multi-party plans, and evidence-referential dispute. Anchoring chio receipts to Rekor v2 is a free integration win, not the structural slice. |
| DAOs | On-chain treasury governance via token-weighted voting. | No token, no electorate, no quorum threshold for routine action. Plutocratic capture has no surface to attack because there is no roster to capture. Cross-org coordination is mostly observation-mode; co-signing only at destructive boundaries. |
| CrewAI, AutoGen, LangGraph | Coordinate task execution within a single trust boundary (one company, one orchestrator). | The trust-boundary protocol that composes orthogonally. A participant could use LangGraph internally and still join the congregate via tower middleware; chiodos only governs what crosses the boundary. |
| A2A payment protocols (x402, ACP) | Move money between agents under a payment-shaped contract. | Institutional context around why something is allowed: who signed under what treaty, with what reputation, producing what auditable workflow receipt. Used as plumbing, not as a substitute. Payment without provenance still leaves the buyer holding liability. |
| ISACs and STIX / TAXII | Humans-in-the-loop intel sharing; document-shaped polling feeds. MISP, FS-ISAC, H-ISAC, CISA AIS, commercial threat-intel platforms address the information problem at scale. | Real-time stigmergic deposit propagation with cryptographic accountability and bounded trust expiry. Sovereign per-org kernels and bilateral co-signed receipts instead of a central hub or an after-hours human exchange. |
Second-wave: federated detection swarms
The same primitives also support federated detection swarms across organisational boundaries. Pheromone deposits from peer SOCs flow into the local concentration calculation, weighted by peer reputation. Response actions that cross organisational boundaries are co-signed by both kernels. Workflow receipts capture multi-step joint incident response as single auditable artefacts. Compromised participants are expelled by revocation gossip propagating bilaterally through the graph.
This is a real capability gap: no current system supports a destructive cross-org response (blocking a credential one org issued and another sees abused) signed as one auditable workflow receipt by both kernels. But the binding constraints on SOC adoption are operational, not protocol. Three constraints in particular dictate adoption sequencing.
- Analyst capacity to triage shared signals. A SOC that is already saturated by its own indicator volume cannot absorb peer deposits regardless of how cryptographically clean they are. Cross-org gradients only add value once internal triage is not the bottleneck.
- Legal and PR liability of acting on a peer’s indicator. Acting destructively on a signal from another org exposes the SOC to both regulatory questions and reputational risk if the peer is wrong. Counsel will not approve cross-org destructive response without a court-admissible artefact in the SOC’s own jurisdiction. The bilateral co-signed receipt is exactly that artefact, but the operational sign-off has to land first.
- Attribution risk if a peer is wrong. A false-positive blast radius from peer-driven action is borne by the actor, not the originator. Reputation epoch-pinning and replayable arena-fitness signals reduce the risk but cannot eliminate it.
The implication for sequencing: SOCs adopt the congregate as a free byproduct of cross-vendor agent action attestation, not as a primary capability they buy. The cross-vendor wedge maps to a budget line; the SOC consortium serves the same primitives once the operational objections clear.