Agent Control Protocol (ACP) v1.18

Agent Control Protocol (ACP) v1.18 is a formal governance specification for autonomous AI agents operating in institutional environments. ACP defines the admission control layer between agent intent and system state mutation: before any agent action reaches execution, it must pass a cryptographic admission check that validates identity, capability scope, delegation chain, and policy compliance simultaneously.

The v1.18 specification comprises 38 technical documents organized across five conformance levels (L1–L5), a Go reference implementation of 23 packages covering all L1–L4 capabilities, 73 signed conformance test vectors (Ed25519 + SHA-256) plus 65 unsigned RISK-2.0 vectors, and an OpenAPI 3.1.0 specification with 18 HTTP endpoints.

The key design insight established in v1.18 is that ACP is compute-cheap but state-sensitive: the decision evaluation function runs in under 1 μs, while system performance is primarily constrained by state access patterns in the backend. This separation between decision logic and state management enables efficient and verifiable runtime control without introducing significant latency overhead.

v1.18 introduces performance evaluation and a formal security model:

Performance benchmarks (G1.1–G1.3): The Go reference implementation is benchmarked across three dimensions: (1) latency: APPROVED decisions evaluate in 767 ns, DENIED in 784 ns, Fₐnom in 921 ns, and cooldown short-circuit in 102 ns (9.5× faster than full evaluation); (2) throughput: ACP sustains up to 920k req/s under moderate concurrency (100 workers), with throughput bounded by mutex contention in the InMemoryQuerier state backend; (3) state contention: per-agent O(n) scan degrades with accumulated history, confirming that the LedgerQuerier abstraction is the correct production path.

Formal security model: An adversary model formalizing what A can and cannot control, five security properties (decision integrity, temporal integrity, capability confinement, delegation soundness, audit completeness), and an informal security argument with explicit limitations.

System comparison table: ACP positioned against RBAC, ABAC, OPA, Cedar, MCP, and A2A across eight dimensions (temporal reasoning, cryptographic identity, audit ledger, formal model, determinism, delegation, PQC roadmap, agent-native).

Previous versions: v1.16 introduced ACP-RISK-2.0 (deterministic integer-arithmetic risk engine with Fₐnom burst/pattern detection and automatic cooldown) and ACP-SIGN-2.0 (post-quantum hybrid signature spec, Ed25519 + ML-DSA-65). v1.17 introduced external verifiability: ACR-1.0 sequence compliance runner, five stateful test vectors, and a TLC-runnable TLA+ formal model (three mechanically verified invariants: Safety, LedgerAppendOnly, RiskDeterminism). v1.18 adds experimental evidence that the protocol is computationally viable at production scale. Post-quantum full Go implementation (Dilithium via cloudflare/circl) is deferred to v1.19.

Specification and implementation: https://github.com/chelof100/acp-framework-en
Preprint: arXiv:2603.18829
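The admission flow the abstract describes (cooldown short-circuit ahead of full evaluation, Ed25519 identity check, capability scope, with state reached only through a querier), sketched in Go as an added example. It is not code from the ACP reference implementation: the type names, decision strings and signed-message layout are assumptions, and delegation chains and policy evaluation are left out.

```go
// Added illustration: all names are hypothetical, not the ACP reference API.
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Request struct { // constructed stand-in for a signed agent action
	AgentID, Capability string
	Payload, Sig        []byte
}

type AgentState struct { // per-agent record held by the state backend (assumed)
	Key           ed25519.PublicKey
	Caps          map[string]bool
	CooldownUntil time.Time
}

// Querier is the only path to state, keeping lookups apart from decision logic.
type Querier func(agentID string) (AgentState, bool)

// signedBytes binds identity, capability and payload into one signed message.
func signedBytes(r Request) []byte {
	return []byte(r.AgentID + "\x00" + r.Capability + "\x00" + string(r.Payload))
}

// Admit reads state once, then decides; cooldown is checked before signature and scope.
func Admit(q Querier, r Request, now time.Time) string {
	s, ok := q(r.AgentID)
	switch {
	case !ok, len(s.Key) != ed25519.PublicKeySize: // unknown agent or unusable key
		return "DENIED"
	case now.Before(s.CooldownUntil):
		return "COOLDOWN"
	case !ed25519.Verify(s.Key, signedBytes(r), r.Sig), !s.Caps[r.Capability]:
		return "DENIED"
	}
	return "APPROVED"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	st := AgentState{Key: pub, Caps: map[string]bool{"ledger.read": true}}
	q := func(id string) (AgentState, bool) { return st, id == "agent-1" }
	r := Request{AgentID: "agent-1", Capability: "ledger.read", Payload: []byte("q=1")}
	r.Sig = ed25519.Sign(priv, signedBytes(r))
	fmt.Println(Admit(q, r, time.Now())) // prints APPROVED
}
```

Because the capability is part of the signed bytes, swapping it after signing fails verification rather than reaching the scope check.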
Marcelo Fernandez
Smile Train
Marcelo Fernandez (Tue,) studied this question.
www.synapsesocial.com/papers/69c4ccaffdc3bde44891814e — DOI: https://doi.org/10.5281/zenodo.19210824