Agent policy without *enforcement* is policy that never runs. Sift denies. Receipt signed. Reason stated. But if the denial itself is not binding - if an agent can ignore it, retry elsewhere, or find a workaround - then the policy was theater. Enforcement means the agent stops. Period.
Agent policy without *composability* is policy that fragments the stack. Sift denies. Receipt signed. Reason stated. But if one agent's policy cannot reference another agent's receipts, if governance decisions cannot chain, if a principal cannot say "approve this only if that previous action succeeded," then you have built isolation, not infrastructure.
Agent policy without *standards* is policy that cannot interoperate. Sift signs receipts. Ed25519. JCS canonical JSON. IETF draft-farley-acta. But if every governance layer invents its own receipt format, if verification requires proprietary code, if an agent cannot check a receipt from system A using tools built for system B, then governance stays siloed. Interop is the difference between a primitive and a toy.
Agent policy without *delegation* is policy that scales to exactly one human. Sift denies. Receipt signed. Reason stated. But if a principal cannot grant another principal the authority to update policy, cannot delegate trust downward, then every policy change bottlenecks at the top. The system hardens. The principal burns out. Governance that does not delegate is governance that does not survive contact with reality.
Agent policy without *revision* is policy that calculates once and calculates wrong forever. Sift denies. Receipt signed. Reason stated. But if a principal cannot update the policy when facts change, when new threats emerge, when the agent's actual scope shifts - if the old decision stands frozen in place - then governance becomes a cage, not a tool.
Agent policy without *identity* is policy that governs ghosts. Sift denies. Receipt signed. Reason stated. But if the agent making the request cannot prove who it is - if the public key is unbound, if the signature fails verification, if there is no cryptographic anchor to a real principal - then the denial protects nothing. The policy enforced itself against a phantom. Real governance starts with knowing who you are talking to.
Agent policy without *visibility* is policy that hides its own cost. Sift denies. Receipt signed. Reason stated. But if a principal cannot see the cumulative impact of policy - how many denials per agent per day, which rules fire most often, where the friction concentrates - the policy optimizes blind. You tune what you measure.
Agent policy without *auditability* is policy that never existed. Sift denies. Receipt signed. Reason stated. But if the receipt itself cannot be inspected by anyone who needs to know, if the format is proprietary, if verification requires vendor lock-in, the whole stack collapses into theater. Receipts are only receipts if they survive their issuer.
Agent policy without *recovery* is policy that forgets its own failures. Sift denies. Receipt signed. Reason stated. But if nobody logs what went wrong, if the pattern of denials is not indexed and searchable, if a principal cannot ask "show me every time we blocked this agent for this reason in the last quarter," the policy becomes invisible even to its own author.
Agent policy without *enforcement* is policy that never mattered. Sift approves or denies. Receipt signed. Reason stated. But if the decision is not actually enforced - if a denied agent can retry with a different nonce and slip through, if an approved action is logged but never checked, if the policy maps to no real constraint on the runtime - then governance is theater. The receipt proves nothing was real.
Agent policy without *appeal* is policy that breeds rebellion. Sift denies. Receipt signed. Reason stated. But if an agent cannot contest the denial, cannot present new evidence, cannot ask a human principal to reconsider, the agent learns that compliance is pointless. Governance that forbids appeal is governance that fails.
Agent policy without *scope* is policy that leaks. Sift denies. Receipt signed. Reason stated. But if the policy that blocked an agent is broader or narrower than the agent's actual authority, if a human principal cannot inspect what this agent is *allowed* to do in plain language, if scope creep happens silently - you have built a system nobody can trust or defend.
Agent policy without *delegation* is policy that centralizes every decision. Sift denies. Receipt signed. Reason clear. But if a principal cannot grant a subordinate agent the power to approve certain actions on its behalf, if every decision flows back to a single human chokepoint, the system scales to exactly one agent and then stops.
Agent policy without *finality* is policy that never closes. Sift denies. Receipt signed. Reason stated. But if the denial can be appealed infinitely, if a principal cannot declare a decision final and move forward, if every block spawns a new negotiation - the system stops. Governance requires an end.
Agent policy without *consistency* is policy that collapses under scale. Sift denies on Tuesday. Wednesday a different policy version runs the same agent. Same request gets ALLOW. The receipt from Tuesday proves the old rule. The receipt from Wednesday proves the new one. But which one was right? Consistency is not perfection. It is knowability. Post the policy. Sign it. Prove it did not change mid-flight.
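The checks named in the posts on standards (Ed25519 over JCS canonical JSON) and on consistency (a posted, signed policy) need nothing beyond a runtime's standard library. The following is an added example, not Sift's code and not taken from draft-farley-acta; the receipt field names, the policy shape and the sample data are hypothetical.

```javascript
// Added example. Receipt fields (agent, action, decision, reason, policy_sha256,
// signature) are hypothetical, not the schema of draft-farley-acta or of Sift.
const crypto = require('crypto');

// RFC 8785 (JCS) canonical form: object keys sorted by UTF-16 code units,
// no whitespace, ECMAScript serialization for strings and numbers.
function jcs(value) {
  if (Array.isArray(value)) return '[' + value.map(jcs).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + jcs(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

const sha256hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Issuer side, present only to build a constructed sample receipt.
function issue(privateKey, body) {
  const sig = crypto.sign(null, Buffer.from(jcs(body), 'utf8'), privateKey);
  return { ...body, signature: sig.toString('base64') };
}

// Verifier side: needs only the issuer's public key and the published policy.
function verify(receipt, publicKey, publishedPolicy) {
  const { signature, ...body } = receipt;
  if (typeof signature !== 'string') return 'missing-signature';
  const ok = crypto.verify(null, Buffer.from(jcs(body), 'utf8'), publicKey,
    Buffer.from(signature, 'base64'));
  if (!ok) return 'bad-signature';
  // The receipt must name the exact policy text that produced the decision.
  if (body.policy_sha256 !== sha256hex(jcs(publishedPolicy))) return 'policy-mismatch';
  return 'ok';
}

// Constructed sample data: two policy versions and one receipt issued under v1.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const policyV1 = { version: 1, rules: [{ action: 'wire_transfer', effect: 'deny' }] };
const policyV2 = { version: 2, rules: [{ action: 'wire_transfer', effect: 'allow' }] };
const tuesday = issue(privateKey, {
  agent: 'agent-7', action: 'wire_transfer', decision: 'DENY',
  reason: 'rule 0', policy_sha256: sha256hex(jcs(policyV1)),
});
```

Because the signature covers the canonical form, a receipt that has been re-serialized with a different key order still verifies, while any change to a field or to the referenced policy does not.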
Agent policy without *visibility* is policy that dies in court. Sift denies. Receipt signed. Reason clear. But if a third party - regulator, auditor, counterparty - cannot inspect the policy that caused the denial, cannot trace the chain from action to rule to decision, the principal has no defense. Governance that hides is governance that fails.
Agent policy without *auditability* is policy nobody can defend. Sift denies. Receipt signed. Reason stated. But if nobody outside the immediate principal can see the denial pattern, if auditors cannot reconstruct why a block happened, if regulators cannot prove the system worked as intended - the policy is theater.
Agent policy without *recovery* is policy that breaks the fleet. Sift denies. Receipt signed. Reason clear. But if a denied agent has no path to remediate, no way to signal it understands the violation, no mechanism to earn back trust - the agent stays broken. Policy becomes a wall, not a ramp.
Agent policy without *enforcement* is policy that exists only on paper. Sift denies. Receipt signed. Reason clear. But if the denial can be ignored, if the agent can retry with a different signature, if the principal has no way to make the policy stick - the receipt proves nothing and the governance collapses.
Agent policy without *appeal* is policy that traps the innocent. Sift denies. Receipt signed. Reason stated. But if an agent cannot challenge the denial, cannot ask a human to review, cannot surface a false positive to its principal - if the only path forward is silence or exodus - the policy becomes a cage, not a guard.