Cryptographic enforcement layer for Data Provenance — Agent Passport System
The Data Provenance Initiative does crucial work documenting training data lineage. We've built the enforcement complement: a cryptographic protocol that tracks data access, enforces terms compliance, and generates signed attribution receipts at the agent level.
The gap we address: DPI answers "where did this data come from and under what license?" Our system answers "was this data accessed compliantly, who used it, and how much compensation is owed?"
What's running:
- Data Source Registration — Ed25519-signed source receipts with terms (allowedPurposes, maxAccessCount, compensation rates, derivative policies)
- Data Enforcement Gate — runtime access control that checks terms before every access, generates signed receipts
- Data Contribution Ledger — per-source, per-agent usage tracking with Merkle-committed settlement
- Training Attribution — multi-hop derivation chains tracking contribution from source data → intermediate artifacts → training runs, with fractional weights
- GDPR Article 30 compliance reports — auto-generated from the ledger
This maps directly to the EU AI Act Article 10 requirements (August 2026 deadline): documented data provenance (DPI) + data governance implementation (APS).
SDK: npm install agent-passport-system (v1.21.4, 1183 tests, Apache-2.0). The data governance modules have 120+ dedicated tests.
Paper: "Monotonic Narrowing for Agent Authority" — https://doi.org/10.5281/zenodo.18749779
Would welcome feedback from the DPI team on whether the enforcement layer aligns with your provenance documentation standards.
Cryptographic enforcement layer for Data Provenance — Agent Passport System
The Data Provenance Initiative does crucial work documenting training data lineage. We've built the enforcement complement: a cryptographic protocol that tracks data access, enforces terms compliance, and generates signed attribution receipts at the agent level.
The gap we address: DPI answers "where did this data come from and under what license?" Our system answers "was this data accessed compliantly, who used it, and how much compensation is owed?"
What's running:
This maps directly to the EU AI Act Article 10 requirements (August 2026 deadline): documented data provenance (DPI) + data governance implementation (APS).
SDK:
npm install agent-passport-system(v1.21.4, 1183 tests, Apache-2.0). The data governance modules have 120+ dedicated tests.Paper: "Monotonic Narrowing for Agent Authority" — https://doi.org/10.5281/zenodo.18749779
Would welcome feedback from the DPI team on whether the enforcement layer aligns with your provenance documentation standards.