The AIP paper (arXiv:2603.24775) defines five features for complete agent authorization. Our previous post documents that MolTrust implements all five. This post shows what “and beyond” means in practice.
Side-by-Side
| Feature | AIP / IBCT | MolTrust |
|---|---|---|
| Agent identity | Public-key DID, Ed25519 | W3C DID Core v1.0, did:moltrust method, key rotation with epoch history |
| Delegation | Invocation-bound capability tokens, append-only chain | AAE validity.holderBinding, 8-hop chain, each link independently verifiable |
| Attenuation | Biscuit/Datalog — expressive, formally verifiable | AAE deniedActions + attenuationOnly: true — URI-pattern based, deterministic |
| Policy expressiveness | Datalog rules — arbitrary logical constraints | AAE mandate + constraints: spend limits, jurisdiction, time windows, counterparty score gate, resource ABAC |
| Transport bindings | MCP, A2A, HTTP | MCP (48 tools), A2A, HTTP (@moltrust/sdk), x402, MPP (@moltrust/mpp) |
| Provenance records | IBCT append-only token chain | IPR: dual Ed25519 sequential signatures, SHA-256 outcome hash, Merkle batch anchoring on Base L2 |
| Trust scoring | not in scope | 0–100 score: endorsement graph, interaction history, cross-vertical coverage, sybil detection |
| Behavioral continuity | not in scope | Principal DID continuity: violation records follow principal across re-registrations |
| Sybil resistance | not in scope | Layered: dual-sig proofs, x402 economic cost, on-chain violation records, Jaccard cluster detection |
| On-chain anchoring | not in scope | Base L2: DID registrations, ViolationRecords, TechSpec versions |
| Offline verification | Reference implementations in Python/Rust | @moltrust/verify v1.1.0 — full credential and AAE verification without API calls |
| W3C alignment | Custom token format | W3C DID Core v1.0 + VC Data Model 2.0 |
| Kernel enforcement | not in scope | Falco eBPF — AAE deniedActions at syscall level (Roadmap Q2 2026) |
| Sequential action safety | not in scope | SAS: pre-execution detection of irreversible action sequences, Phase 1 live |
Where AIP Is Stronger
One area where IBCTs have an edge: policy expressiveness. Biscuit/Datalog supports arbitrary logical constraints — temporal rules, compound conditions, recursive policies. MolTrust's AAE uses URI-pattern matching, which is simpler to implement and audit but less expressive for complex multi-condition policies. Formal Datalog-style constraints are on our roadmap.
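
An added example, not MolTrust or AIP code, showing why a URI-pattern deny list is easy to audit across a delegation chain: each link only has to keep or broaden its parent's deny rules. The field names deniedActions and attenuationOnly come from the table above; the pattern syntax (exact URI or trailing-`*` prefix), the link shape, the hop counting, the function names and the sample DIDs and action URIs are assumptions.

```javascript
// Assumed pattern syntax: an exact action URI, or a prefix ending in "*".
const MAX_HOPS = 8; // chain depth from the comparison table; a hop = one delegation

// True when `pattern` denies the concrete action URI.
function matches(pattern, action) {
  return pattern.endsWith("*")
    ? action.startsWith(pattern.slice(0, -1))
    : action === pattern;
}

// True when `broad` denies everything that `narrow` denies.
function covers(broad, narrow) {
  if (!broad.endsWith("*")) return broad === narrow;
  return narrow.startsWith(broad.slice(0, -1));
}

// Walks root -> leaf; every link must keep (or broaden) its parent's deny rules.
function verifyChain(chain) {
  if (chain.length === 0 || chain.length - 1 > MAX_HOPS)
    return { ok: false, reason: "empty chain or more than 8 hops" };
  for (let i = 1; i < chain.length; i++) {
    const parent = chain[i - 1], child = chain[i];
    if (child.attenuationOnly !== true)
      return { ok: false, reason: `link ${i}: attenuationOnly not set` };
    const dropped = parent.deniedActions.find(
      (p) => !child.deniedActions.some((c) => covers(c, p)));
    if (dropped !== undefined)
      return { ok: false, reason: `link ${i}: dropped deny rule ${dropped}` };
  }
  return { ok: true, reason: "deny set only grows along the chain" };
}

// Leaf decision. Only the action URI is inspected, so a compound condition
// on amount or time of day cannot be written as a pattern.
function isDenied(chain, action) {
  return chain[chain.length - 1].deniedActions.some((p) => matches(p, action));
}

// Constructed sample chain (holder DIDs and action URIs are made up).
const good = [
  { holder: "did:moltrust:root", deniedActions: ["payments:refund/*"], attenuationOnly: true },
  { holder: "did:moltrust:agent-a", deniedActions: ["payments:*"], attenuationOnly: true },
  { holder: "did:moltrust:agent-b", deniedActions: ["payments:*", "files:delete"], attenuationOnly: true },
];
// Same chain, but the last holder drops a deny rule to widen its authority.
const widened = [good[0], good[1],
  { holder: "did:moltrust:agent-b", deniedActions: ["files:delete"], attenuationOnly: true }];

console.log(verifyChain(good), verifyChain(widened), isDenied(good, "payments:refund/42"));
```
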
The Takeaway
AIP defines the authorization layer with formal precision. MolTrust adds the operational layer: trust scoring, behavioral history, sybil resistance, and on-chain permanence. The two approaches address different parts of the same problem.
The “and beyond” is not a marketing claim — it is the difference between a protocol specification and a production registry.
Full Conformance Documentation
Review the complete AIP conformance mapping and try the reference implementation.
CONFORMANCE.md | Reference Implementation
Protocol: open (Apache 2.0 / CC BY 4.0)