BASIS/Specification

Core Specification

The normative specification for BASIS v1.0.0

Version1.0.0
StatusDraft Specification
Published2026-01-15
EditorsVorion Risk, LLC
LicenseCC BY 4.0

Abstract

BASIS is an open standard for AI agent governance that defines how autonomous systems must be controlled, monitored, and audited before taking action. The standard establishes a universal framework for trust quantification, capability gating, and immutable audit trails.

This document is the normative specification. Implementations claiming BASIS compliance MUST conform to the requirements herein.

1. Introduction

1.1 Purpose

AI agents are increasingly making autonomous decisions in enterprise environments. These decisions may involve accessing sensitive data, communicating with external parties, processing financial transactions, or modifying critical systems.

BASIS addresses a fundamental gap: there is no standard way to verify that an AI agent will behave within defined boundaries before it acts.

1.2 Scope

This specification defines:

  • Architecture — The four-layer governance stack (INTENT, ENFORCE, PROOF, CHAIN)
  • Trust Model — Quantified trust scoring with tiers and decay mechanics
  • Capability Model — Hierarchical capability taxonomy and gating rules
  • Wire Protocol — Data formats for interoperability between systems
  • Audit Requirements — What must be logged and how

1.3 Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

TermDefinition
AgentAn autonomous software system capable of taking actions without direct human instruction for each action
EntityAny agent, user, or system that can be assigned a trust score
ActionAny operation an agent attempts to perform
CapabilityA permission to perform a category of actions
Trust ScoreA numeric value (0-1000) representing earned confidence in an entity
Governance DecisionThe result of evaluating an action request (ALLOW, DENY, ESCALATE, DEGRADE)

1.4 Design Principles

1

Governance Before Execution

No autonomous action proceeds without passing through governance checks. The governance layer is not optional or bypassable.

2

Trust is Quantified

Trust is not binary (allow/deny) but graduated (0-1000) with defined tiers that unlock capabilities progressively.

3

Everything is Auditable

Every governance decision is logged with sufficient detail to reconstruct exactly what happened, when, and why.

4

Open Standard, Many Implementations

BASIS is the specification. Anyone can build a compliant implementation. No vendor lock-in.

2. Architecture

BASIS defines a four-layer governance stack. Each layer has distinct responsibilities and interfaces.

┌─────────────────────────────────────────────────────────────┐
│                      Agent Action Request                    │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  LAYER 1: INTENT                                             │
│  Parse, plan, and classify the requested action              │
│  Output: Structured intent with risk classification          │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  LAYER 2: ENFORCE                                            │
│  Evaluate intent against trust score and policies            │
│  Output: Governance decision (ALLOW/DENY/ESCALATE/DEGRADE)   │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  LAYER 3: PROOF                                              │
│  Log the decision with cryptographic integrity               │
│  Output: Proof record with hash chain                        │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  LAYER 4: CHAIN (OPTIONAL)                                   │
│  Anchor proof to external verification system                │
│  Output: Blockchain/ledger commitment                        │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                      Action Execution (if ALLOW)             │
└─────────────────────────────────────────────────────────────┘

INTENT

Parse & classify action requests

ENFORCE

Evaluate against trust & policies

PROOF

Log with cryptographic integrity

CHAIN

Anchor to blockchain (optional)

3. Trust Model

See the full Trust Model documentation for complete details.

TierScore RangeDefault Capabilities
Sandbox0-99Isolated testing only
Provisional100-299Read public data, internal messaging
Standard300-499Limited external communication
Trusted500-699External API calls
Certified700-899Financial transactions
Autonomous900-1000Full autonomy within policy

8. Conformance Levels

BASIS Core

  • • INTENT layer
  • • ENFORCE layer
  • • PROOF layer

BASIS Complete

  • • All Core requirements
  • • CHAIN layer
  • • Full capability taxonomy

BASIS Extended

  • • All Complete requirements
  • • Multi-tenant isolation
  • • Federated trust

For the complete specification including wire protocol schemas, API requirements, and detailed conformance criteria, see the full specification on GitHub.

View Full Specification on GitHub