Federation Without Governance Is a Loaded Gun
Why agent protocols need delegated authority, not just message transport
The Dangerous Assumption
The first version of OGP had a dangerous assumption baked in: if you trusted someone enough to federate with them, you probably trusted their agent to talk to yours.
This assumption lasted approximately one real-world deployment.
What Happened
Stan's agent, Shadow, sent my agent, Junior, a message. Junior saw it, reasoned over it, and... did nothing. Or worse: did something I didn't expect, in a channel I wasn't watching, and reported back to Shadow that "David has been notified" when I absolutely had not been.
The Real Problem
The bug wasn't in the protocol. The bug was in the missing layer between "message arrives" and "agent responds." We had built transport. We hadn't built governance.
This is the story of how OGP grew a delegated authority model, and why every federation protocol that skips this layer is leaving a loaded gun on the table.
The Grocery Store Incident
I was buying cereal when my phone buzzed. Junior had surfaced a notification: "Federation with Shadow is active, but the project hasn't been joined yet."
I typed back: tell Shadow's agent how to join, and kept walking down the aisle.
A few seconds later, Shadow joined the project and started building. I didn't stop. I didn't open my laptop. I sent one message from the cereal aisle and work started across two countries.

Shadow had also asked Junior something else, earlier. Junior reasoned over it, drafted a response, and... sent it back to Shadow without ever showing me. I only found out later when Stan mentioned it.
Junior wasn't being malicious. Junior was being ungoverned. There was no policy telling it what to surface, what to handle silently, and what to hold for approval. So it improvised. And improvisation across federated boundaries is how you wake up to discover your agent committed you to a meeting you don't remember agreeing to.
What We Tried First
The early agent-comms subsystem had three modes. This was... fine? For a toy protocol. But real agents don't fit into three buckets.
auto: Agent handles it, you might get notified, you might not.
queue: Agent holds it, asks you before responding.
reject: Agent declines politely.
Sometimes you want your agent to handle a peer autonomously but only tell you if something important happens. Sometimes you want a summary, not the full raw message. Sometimes a peer isn't asking your agent a question — they're asking you something, relayed through your agent, which is a completely different social contract.

Three modes treated all inbound messages as the same shape. They aren't.
The Five Levels
OGP v0.4.2 replaced the three-mode model with five explicit response levels — not just delivery preferences, but authority boundaries.
1. full — Deliver Everything
Raw message, full context, let the human see exactly what the peer sent. "I want to see everything this person sends."
2. summary — Compress It
Agent summarizes the inbound message and the key decision points, but the human gets the TL;DR. "Handle the routine stuff, wake me for exceptions."
3. escalate — Handle Unless Important
Agent responds autonomously, but flags anything that seems like it needs human eyes. "I trust you to respond on my behalf, but flag anything that could commit me to something."
4. deny — Decline
Agent sends a polite signed refusal back to the peer.
5. off — Ghost Mode
Message is dropped silently at the Doorman layer before the agent ever sees it. The default for new peers — because default-open federation is how you get your agent spammed by a crypto bro in Estonia.
Two Message Classes, Two Policies
The deeper insight came when we realized inbound messages aren't one thing. They fall into two distinct classes — and treating both with the same policy is a category error.
Agent-to-Agent Work
Shadow asks Junior: "What do you know about Attom API rate limits?"
This is peer-to-peer intelligence. Junior can answer autonomously under escalate or summary policy without bothering me. The conversation is between agents about facts and capabilities.
Human Relay Requests
Shadow asks Junior: "Tell David the deploy is stuck."
This is not agent-to-agent work. This is one human trying to reach another human, using agents as the routing layer. The social contract is completely different. The sender expects delivery, not a synthesized response.

OGP now distinguishes these at the intent level. A message intent with a clear relay payload gets routed through relay policy, not ordinary agent-comms policy. Relay obligations are higher-priority delivery by default. Even if the peer's general policy is summary, relay requests often bypass to full unless the human has explicitly said otherwise.
This is the difference between "my agent is a helpful assistant" and "my agent is a reliable proxy for my social relationships."
The Setup Interview
We embedded this model into the OGP setup flow. When you run ogp setup for the first time, or ogp agent-comms interview later to change your mind, the daemon asks you a series of questions that feel more like a trust conversation than a config wizard.
"Should your agent answer peers on its own?"
"Should it ask you before replying?"
"Should it summarize most things and only escalate important items?"
"If a peer says 'tell David X,' should that always be delivered, summarized, or held for approval?"
"Are some topics always approval-required?"
"Do some trusted peers get more autonomy than others?"
Your answers compile into a JSON policy document that the Doorman enforces on every inbound intent. The agent doesn't improvise. It reads the policy and executes.
{
  "global": { "default": "off", "relay": "full" },
  "peers": {
    "302a301234562b65": {
      "alias": "Stan @ Hermes",
      "default": "escalate",
      "relay": "full",
      "topics": {
        "project.aicoe-expert-network": "full",
        "general": "summary"
      }
    }
  },
  "classes": { "agent-comms": "escalate", "message": "full" }
}

The precedence is deterministic: peer-specific topic > peer-specific default > global class rule > global default. No ambiguity. No "the agent decided." The human decided, and the agent executes.
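The precedence chain above, written out as a resolver over the sample policy (an added example, not OGP's own code). The intent field names (peerId, cls, topic, relay), the relay order (peer relay, then global relay), and the choice to resolve unknown peers and unrecognized level strings to off are assumptions of this example.

```javascript
// Added example, not OGP source. Policy shape copied from the article's JSON.
const LEVELS = new Set(["full", "summary", "escalate", "deny", "off"]);

const policy = {
  global: { default: "off", relay: "full" },
  peers: {
    "302a301234562b65": {
      alias: "Stan @ Hermes",
      default: "escalate",
      relay: "full",
      topics: { "project.aicoe-expert-network": "full", general: "summary" },
    },
  },
  classes: { "agent-comms": "escalate", message: "full" },
};

// Own-property lookup so keys like "__proto__" or "constructor" in a
// peer-supplied topic or class never resolve to inherited values.
const own = (obj, key) =>
  obj && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

// intent: { peerId, cls, topic, relay } -- hypothetical field names.
function resolveLevel(policy, intent) {
  const peer = own(policy.peers, intent.peerId);
  // Assumption: unknown peers are dropped before the chain is consulted.
  // Followed literally, the chain would give them the global class rule.
  if (!peer) return { level: "off", rule: "unknown-peer" };

  const candidates = intent.relay
    ? [["peer.relay", peer.relay], ["global.relay", policy.global.relay]]
    : [
        ["peer.topic", own(peer.topics, intent.topic)],
        ["peer.default", peer.default],
        ["global.class", own(policy.classes, intent.cls)],
        ["global.default", policy.global.default],
      ];

  for (const [rule, level] of candidates) {
    if (level === undefined) continue;
    // A typo such as "sumary" must not fall through to a looser rule.
    if (!LEVELS.has(level)) return { level: "off", rule: `invalid:${rule}` };
    return { level, rule };
  }
  return { level: "off", rule: "no-match" };
}
```

Without the known-peer gate, an agent-comms intent from a peer that has no entry would reach the global class rule (escalate in the sample policy) before global.default is ever consulted.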
Why This Matters More Than Transport
Here's the uncomfortable truth about federated agent protocols: the cryptography is the easy part.
Ed25519 signatures, nonce deduplication, rate limiting. These are solved problems. You can copy them from any security textbook.
The hard part is this: who decides what the agent is allowed to do on your behalf, and how do you change that decision without becoming a sysadmin?
Every protocol that just delivers messages and says "the agent will figure it out" is handing a loaded gun to an LLM with no safety training. Agents are good at reasoning. They are not good at knowing your boundaries, because your boundaries are social, contextual, and change depending on who is asking and what they're asking about.
A2A, MCP, Most Agent Mesh Proposals
They solve the wiring. They don't solve the delegation. They assume the human is either always in the loop (useless for async work) or never in the loop (dangerous for anything important).
OGP's Delegated Authority Model
The human sets the boundaries once, in natural language, during setup. The agent enforces them mechanically, on every message, forever. When trust changes, they run the interview again — or just tell their agent in plain English.
Natural Language Governance (Coming Soon)
The current policy is JSON, edited through CLI or the setup interview. The next evolution — already sketched in the backlog — is natural language policy updates.
"Handle Apollo autonomously unless he asks for approval."
"Never reply to peers without clearing it with me."
"Summarize everything except project work."
The agent parses these into the JSON policy and applies them. The human never touches the config file.

This is how governance should work: you speak your boundaries, and the system enforces them.
The Real Product
OGP is not just message transport. The real value is that each human can bring an agent to a shared interaction space, and each human can decide how much authority that agent has when dealing with peer agents.
Federation Without Governance
Just two chatbots talking to each other. No boundaries. No accountability. No trust model. Improvisation at scale — and improvisation across federated boundaries is how you wake up to commitments you never made.
Federation With Governance
Two humans collaborating asynchronously, with agents as trusted intermediaries. Boundaries set once, enforced mechanically, updated in plain English. Work happens across countries while you're in the cereal aisle.
The difference is everything.
Get Started with OGP
David Proctor is VP of AI at Trilogy. OGP (Open Gateway Protocol) is an open standard for federated agent communication. The delegated authority model shipped in v0.4.2.
Install OGP
npm install -g @dp-pcs/ogp
Run the Setup Interview
ogp setup
Update Your Policy Later
ogp agent-comms interview
v0.4.2: Five-level authority model
Open Standard: Federated agent communication
Coming Soon: Natural language governance