The grant-semantics layer
for individual sovereignty.

What individuals own, what regulators audit, what agents are allowed to do on their behalf, composed into one protocol primitive. People own, manage, and control their data across organizations and over time; agents act for them, not in place of them.

AI agents now run on persistent memory, and over the last year that memory became its own layer in the stack. Almost all of the effort in that layer goes to one question: how accurately can a system recall the right fact at the right time. That work is important, and strong progress is being made. It leaves a second question unanswered, the one that decides whether agent memory can be trusted with anything that matters: who is allowed to see a fact, how its meaning shifts by role and jurisdiction, whether two stored facts contradict, and what was disclosed to whom. That second question is the contextualization gap, and SLF is the protocol drafted to close it.

Two different audiences arrive at the same gap from opposite ends.

Organizations, healthcare systems, financial services, government agencies, any institution that has to honor jurisdiction-specific regulations, need agents that can operate across organizational boundaries. The pieces exist. Regulatory metadata lives in policy stores (Microsoft Purview, AWS Macie). Capabilities live in OAuth scopes and capability tokens. Audit trails live siloed inside each system that touched the data.

What does not exist is a way to make those three layers travel together through a single agent transaction, so that an agent acting across a pharmacy, a payer, and a provider in the same workflow carries the right regulatory tags, the right grants, and emits a verifiable audit receipt at every hop.

The EU AI Act Article 50 transparency obligations apply from August 2026, with the Digital Omnibus deferring the Annex III high-risk obligations into late 2027 and beyond. Regulators describe outcomes, not protocols, but the current stack, where regulatory metadata sits apart from the data and audit trails are stitched together after the fact, struggles to demonstrate the per-action provenance these obligations imply.

Individuals arrive from the opposite end. The personal-AI runtime is one piece of it: today's ChatGPTs, Rewinds, and Personal .ais give you an agent, but it owns your keys, your data, and the model that interprets them, so switching providers means starting over. The bigger concern sits underneath that. Your data is scattered across every organization that holds a piece of it, your bank, your pharmacy, your retailers, your employer, and none of it is yours to carry across those organizations or over time. It is disconnected by default. Solid and similar projects built a sovereign substrate but never built the agent, and prior attempts entangled the two primitives. The result is corporate ownership of the layer that should be most yours.

Both ends of the problem need the same bridge: an identity-and-data substrate the individual or institution owns, plus an agent runtime that is fully replaceable, with a protocol between them that carries regulatory semantics, capability grants, and audit receipts as first-class objects. SLF is that bridge.

Every operation in the protocol, issuing a credential, granting an agent permission to spend, revoking a previous grant, executing an action, recording an audit trail, is encoded as the same three-part object. Every operation encodes the same three-part object. One shape recurs at every layer the protocol touches.

view = render(substrate, lens, frame) → receipt

Read it as: a view onto your data is always a substrate projected through a lens, bound to a frame, and accompanied by a signed receipt.

This is the architectural payoff: credential issuance, presentation, grant revocation, agent action, audit emission, cross-organizational compound workflow, all of them are SLFs. One primitive, learned once, that works everywhere the protocol touches.

Eight emerging protocols are converging on the agent-authorization slot, FIDO's Agentic Authentication TWG (chartered April 2026), Google's AP2 mandates, OpenAI's Agentic Commerce Protocol, Microsoft Entra Agent ID, ERC-8004 on Ethereum, Apple Wallet's App Intents bridge, Visa's TAP, Stripe's MPP. All of them are answering a different question than SLF.

They define agent identity (who is this agent?) and authorization mechanics (does this token grant this scope?). Critical work. None of them define what the grants mean at the policy layer, substrate-bound regulatory tags that travel with credentials, an action-typed grant taxonomy that distinguishes read from read-and-cache from copy from write-back from sync from action from compound, or Substrate → Lens → Frame composition with deterministic narrowing for cross-jurisdictional flows. That is the layer SLF occupies.

Read it as: four conceptual layers. SLF occupies only the top one. Multiple in-flight protocols sit at each of the lower three, the named candidates change quarter to quarter, and SLF is designed to compose with whichever set wins at each layer.

At the substrate-transport layer, the obvious candidates are OID4VP, mdoc, and W3C Verifiable Credentials data models. At agent identity and token mechanics, Microsoft Entra Agent ID and ERC-8004 are the institutional and on-chain options, with several OAuth Working Group Internet Drafts, DAAP, AAT, ACAP, actor-chain, consolidating the agent-token mechanics in parallel. At delegation and intent, FIDO's Agentic Authentication Technical Working Group is the standards forum, and Google's AP2 mandates plus OpenAI's Agentic Commerce Protocol are the early movers in the payment-bounded slice.

The strategic posture is cohabitation. SLF doesn't pick winners at the lower layers; it specifies the substrate-bound regulatory semantics, action-typed grant taxonomy, and substrate → lens → frame composition that compose above whichever set is in play. Fighting any of the converging stacks loses. Layering above them is the lane, and as those stacks consolidate, SLF's surface area gets clearer rather than threatened.

Four artifacts are in flight in parallel: the SLF v0.5 architecture; slf-core, a standalone Apache-2.0 reference implementation whose conformance suite runs green (the evidence is below); a recovery prototype (the Sovereign Personal Agent recovery path) implemented as a Cargo workspace; and a layered OAuth Working Group extension drafted as draft-crenshaw-oauth-slf-substrate-grants-00, which specifies how the SLF primitive composes above existing agent-token-mechanics drafts at the IETF. The proposed direction is OAuth WG submission once the composition sections settle; the v0.5 spec deliverable is deliberately narrow, enough of the protocol to demonstrate the architectural payoff end to end.

The full argument, the regulatory grounding under the GDPR and the EU AI Act, the threat model, and the line between what is demonstrated and what is still designed, is written up in the position paper, The Governance Gap in Agentic Memory (June 2026).

Read and build: Position paper (Zenodo) · Reference implementation, slf-core (GitHub) · SPA architecture spec (PDF).

The layered OAuth extension makes a second kind of scope statement explicit: what SLF deliberately does not specify. Agent-identifier formats, delegation-chain construction, scope-subsumption algorithms, cascade-revocation mechanisms, and audit-chain constructions for token issuance and use all belong to the agent-token-mechanics layer the extension composes above. Concretely, that means SLF defers to drafts like DAAP (persistent agent identifiers, grant/revocation/audit), AAT (capability tokens with typed-constraint subsumption), ACAP (cryptographic intent binding), and actor-chain (cross-domain token-exchange preservation under RFC 8693). Sections 5 through 8 of the SLF draft work out the composition with each. Cohabitation moves from strategic posture into a normative specification.

Sequencing is deliberate. The recovery prototype proves the architecture end to end at the CLI; the OAuth WG draft makes the composition surface concrete and citable. How the operational ecosystem around the protocol, conformance suite, vocabulary registries, reference implementations, gets stewarded is itself an open question.

The convergence map below is the field as of mid-2026. Each protocol below is sponsored and shipping. Read it as a posture map: who SLF composes with, who SLF cohabitates with, and where the one real competitive surface sits.

FIDO's Agentic Authentication Technical Working Group is the one slot where SLF must engage substantively. AATWG's charter language, "delegated credentials, intent-bound assertions, attestation and metadata for agentic features", is adjacent to SLF's territory without overlapping it. The window is 6–12 months while AATWG drafts crystallize. If SLF is not visibly participating when that scope hardens, it gets compressed into the "alternative to FIDO" slot rather than the "upstream grant-semantics layer" it occupies.

Two forcing functions converge over the next twelve months, and each one is a clock for adoption.

The regulated-domain anchor

In March 2026, CVS Health and Google Cloud announced Health100, a cross-organization agentic AI platform (built on Gemini) orchestrating pharmacy, payer, PBM, and provider workflows. That is the regulated-domain cross-org grant problem SLF was designed for, named publicly by a Fortune 5 company. Healthcare systems forced to run agents across pharmacy, payer, and provider boundaries are the clearest early adopters of substrate-bound regulatory semantics.

The regulatory ramp

The window is broader than a single cliff. EU AI Act Article 50 transparency obligations apply from 2 August 2026; under the Digital Omnibus provisional agreement (6 May 2026), the Annex III high-risk obligations slip roughly sixteen months to late 2027, pending formal adoption. Across the same window, India's DPDP consent-manager framework (operational November 2026), the EU Digital Product Passport for batteries (February 2027), and CMS-0057-F in the United States all push the same direction: per-action provenance, demonstrable consent, structured audit. SLF is not what any of these statutes requires, regulators describe outcomes, and industry picks standards. But the architectural shape (substrate-bound regulatory metadata, signed receipts as first-class output) is well-formed for institutions whose compliance posture has to scale across organizations, and the 2027–2030 ramp is enough runway to do that work deliberately rather than reactively.

This overview is the shared starting point. Deep-dives are pressure-test-ready briefings, not final specs, tensions and open questions are surfaced inline rather than hidden. Seven are live; two are queued. Each is written for a specific audience (regulators, FIDO members, healthcare CISOs, individual sovereignty advocates, infrastructure developers); I'll share individual links directly with the audiences each is written for. Push back on overclaims, missing tensions, or wrong premises, that is what the drafts are for.

Live drafts are linked above, each invites pressure-testing on overclaims, missing tensions, or wrong premises. Two more are in progress.

If you want to talk, about a pilot, about AATWG positioning, about how this fits a specific regulatory exposure, or simply to argue with the framing, the contact options sit in the header above. Architects, regulators, and individual sovereignty advocates are all welcome at this stage; the design is still soft enough to absorb good criticism.