Regulus
Install See the diff
NIST Provisional

NIST AI RMF Agent Interop Profile

NIST's draft profile for agent interoperability — provisional in Regulus, expected to GA Q4 2026 once NIST publishes the final concept IDs.

What it is #

The NIST AI RMF Agent Interoperability Profile is a forthcoming companion to the AI RMF that addresses risks specific to multi-agent systems and agent-to-agent (A2A) interactions. It addresses problems like delegation chains, cross-organisation agent trust, and emergent behaviour in agent ensembles.

NIST has published draft concept IDs (April 2026); the final 1.0 publication is expected in Q4 2026.

Why “provisional” status matters #

The control IDs Regulus emits today (e.g. nist-ai-rmf-agent-interop:AGT-DEL-3.2) are taken from the April 2026 draft. They may change before the final publication. The provisional profile is useful for early adopters who want to start gathering agent-interop evidence now, with the understanding that audit-chain consumers may need to re-map citations when NIST publishes the final IDs.

What Regulus delivers today #

Three areas of evidence:

  • Delegation chains. Every A2A call carries the upstream delegation chain in the audit envelope (delegation_chain field). The receiving agent’s audit chain references the originating agent’s event.
  • Cross-org agent trust. RFC 9421 HTTP Message Signatures on the A2A envelope. Every cross-org invocation is cryptographically bound to the sending agent’s key.
  • Tool-call provenance. Every tool dispatch carries the chain of agents that contributed to the decision (the originating agent, the intermediate sub-agents, the final dispatching agent).

Activating #

regulus:
  frameworks:
    - nist-ai-rmf-agent-interop  # provisional, see status
  agent-interop:
    accept-provisional-ids: true  # required confirmation

The accept-provisional-ids: true flag is a deliberate gate — the plugin won’t activate without explicit acknowledgement that the control IDs are subject to change.

Roadmap #

Once NIST publishes the final 1.0 profile, Regulus will:

  1. Add the final IDs alongside the provisional IDs (no breaking change to existing audit chains).
  2. Provide a migration tool (regulus framework migrate nist-ai-rmf-agent-interop) to remap historical events.
  3. Deprecate the provisional IDs on a six-month schedule.

Until then: useful but not load-bearing for an audit walkthrough.

Install the CLI All 6 frameworks