selfdriven.computer Principles
Foundation document

The principles of
a verifiable agent OS.

7 principles 12 min read selfdriven Foundation
01
Timing

Clock first. Everything else follows.

A verifiable agent system must start with time. Not wall-clock time — but sequenced, anchored, tamper-evident time that every participant agrees on.

Before an agent can act, decide, or communicate, it needs a shared sense of sequence. In traditional computing, the clock is an implementation detail. In agentic systems operating across distributed networks, the clock is a trust primitive.

The KERI key event log solves this elegantly. Each event in the log carries a sequence number — sn — that establishes strict ordering without relying on a central authority. An agent's entire operational history becomes a totally ordered sequence of verifiable events.

This is the foundation for everything else. Without a shared, verifiable sequence, there is no meaningful audit trail. Without an audit trail, there is no accountability. Without accountability, there is no trust.

Implications
Every action produces a sequenced event No gap in sequence numbers is tolerated. Missing events trigger recovery protocols.
Witnesses anchor events in external time A distributed witness network provides independent confirmation of event timing.
Replay is always possible Any agent's state can be reconstructed by replaying its KEL from inception.
KERI Event — icp (inception)
"v": "KERI10JSON...",
"t": "icp",
"d": "EKE4g_0hDG...",
"i": "EKE4g_0hDG...",
"sn": 0,
"kt": 1,
"wt": 2
Principle in one line
Sequence number zero is the origin. All trust is built on top of it.
02
Instruction design

Reduce the set. Complexity is the enemy of trust.

The more an agent can do, the harder it is to reason about what it will do. A reduced instruction set trades raw capability for auditability — and in agentic systems, auditability is capability.

RISC processors proved that a small, well-defined instruction set outperforms bloated architectures across almost every metric. The same logic applies to agentic systems. When an agent's behavioural surface is small, every deviation is visible.

selfdriven.computer proposes five core primitives: Perceive, Reason, Decide, Act, and Attest. Every observable agent behaviour is a composition of these five. Higher-order capabilities emerge from composition, not from expanding the primitive set.

This means an auditor reviewing an agent's KEL doesn't need to understand the full complexity of the agent's internal model. They need to understand the semantics of five operations and the sequence in which they were invoked.

Implications
Five primitives: Perceive · Reason · Decide · Act · Attest All agent behaviour is expressed as compositions of these five operations.
Smaller surface = stronger security posture Each additional operation type is a new attack surface for adversarial agents.
Composability replaces complexity Rich agent behaviours emerge from primitive sequences, not custom instruction extensions.
Core primitives
PPerceive
RReason
DDecide
AAct
AAttest
Principle in one line
What an agent cannot do, it cannot be tricked into doing.
03
Verification

Proof, not promise. Trust must be checkable.

Statements about what an agent has done, can do, or is authorised to do must be cryptographically verifiable — not dependent on the agent, its operator, or any third party being honest.

The dominant trust model in software is attestation by authority: a certificate authority says a server is legitimate; a platform says an app is safe; an operator says their AI is aligned. These chains of assertion are only as strong as their weakest link — and the weakest link is always human.

selfdriven.computer inverts this. Every claim is a proof. An ACDC credential asserts what an agent is authorised to do, and that assertion is cryptographically bound to the agent's KERI AID. The verifier needs only the agent's inception event and the credential schema — both of which are public and independently verifiable.

This isn't a subtle improvement. It's an architectural shift. When trust doesn't require trusting anyone, the trust ecosystem scales without introducing new points of failure.

Implications
ACDC credentials bind authority cryptographically Credential schemas are public. Verification requires no privileged access.
No trusted third party required Verification is self-contained. The credential itself carries the proof chain.
Attestations are durable Proofs survive the dissolution of the issuing organisation. The KEL is the record.
ACDC Credential — partial
"type": "AgentScope",
"issuer": "EKE4g...",
"subject": {
  "aid": "EBot7j...",
  "scope": "health",
  "ttl": 86400
}
Principle in one line
If you can't verify it yourself, it isn't trust — it's hope.
04
Identity

Identity is the root. Everything else is built on top of it.

An agent without a verifiable identity isn't an agent — it's a process. Identity is not a feature to be added later. It's the first thing that must exist before any trustworthy action can be taken.

KERI AIDs are self-certifying. The identifier itself — derived from the cryptographic material used to control it — carries its own proof of origin. There is no registration authority. No central directory. No dependency on DNS, PKI, or any infrastructure that can be compromised, abandoned, or politicised.

For AI agents, this is transformative. Every agent gets a persistent, portable, verifiable identity from the moment of its instantiation. Every interaction that agent participates in — with humans, other agents, or services — is cryptographically attributed to that identity. Accountability becomes structural, not contractual.

This also means that when an agent's keys are compromised, rotation is deterministic. The pre-rotation commitment made at inception allows the agent to recover its identity without losing its history.

Implications
Self-certifying AIDs require no issuing authority The AID's validity is proven by the cryptographic material alone.
Pre-rotation enables zero-trust key recovery Next-key commitments at inception allow rotation without losing continuity.
Persistent identity across all ecosystem domains One AID works across health, finance, community, and professional services.
Agent AID (Self-certifying)
EKE4g_0hDGBOqDLKzNBT3kFOPxoP7wXkqt
Key event types
icp rot ixn dip drt
Principle in one line
An agent's first act is to prove it exists. Everything after is built on that proof.
05
Authority

Delegate carefully. Authority is not a binary.

Giving an agent permission to act is not an all-or-nothing decision. Delegation should be scoped, time-limited, revocable, and traceable back to its human origin.

KERI's delegation model uses dip (delegated inception) events to create child AIDs that operate under the authority of a parent AID. This creates a hierarchical trust chain that mirrors how organisations actually work: humans at the top, agents operating under human-granted authority at each level below.

Crucially, delegation in KERI is bilateral. The delegated AID must commit to the delegator in its inception event, and the delegator must confirm the delegation in its own key event log. Neither party can claim delegation without the other's cryptographic commitment.

This prevents the most dangerous failure mode in agentic systems: an agent that accumulates authority beyond what was intended, either through design or through prompt injection. The delegation chain is structural, not conversational.

Implications
dip/drt events create auditable delegation chains Every grant of authority is recorded in both the delegator and delegatee KELs.
Scope and TTL are credential-level constraints ACDC credentials restrict what a delegated agent can do, not just who it is.
Revocation is instant and unilateral The delegator can revoke at any time via rot event, with no agent cooperation required.
Delegation event — dip
"t": "dip",
"di": "EKE4g...",
"sn": 0,
"scope": "health",
"ttl": 86400
Principle in one line
An agent's authority is exactly what was given to it. Not more. Proven, not assumed.
06
Composition

Compose safely. The ecosystem is the product.

The value of a verifiable agent OS isn't in any single agent — it's in the network of agents that can safely interact with each other because they share a common trust substrate.

When two agents interact, neither should need to trust the other's operator. They need only verify each other's AID and the credentials attached to it. This is the same principle that makes HTTPS work across the entire internet — a shared cryptographic standard that lets unknown parties establish trust without prior relationship.

selfdriven.computer extends this to agent-to-agent interaction via SKILL.MD protocols. Each agent advertises its capabilities as a structured, versioned document that other agents can verify. Composition of capabilities follows the same delegation model as authority — explicit, scoped, and auditable.

The result is an ecosystem where composability is a security property, not just an engineering convenience. Safe composition means each participant knows exactly what they agreed to — and that agreement is recorded in the KEL.

Implications
SKILL.MD defines the capability contract Structured, versioned capability definitions that agents can verify before composing.
A2A interactions are KEL-anchored Agent-to-agent agreements are recorded as interaction events in both parties' logs.
Domain isolation by design Health agents cannot compose with finance capabilities unless explicit scope grants exist.
Ecosystem domains
selfdriven.health
selfdriven.money
selfdriven.network
selfdriven.computer ↗
Principle in one line
Interoperability without trust assumptions. The protocol is the guarantee.
07
Human agency

Human in context. Not human in the loop.

The goal is not to replace human judgment — it's to free humans from the tasks that don't require judgment, while ensuring they remain in genuine control of the ones that do.

"Human in the loop" is often a euphemism for a human rubber-stamping agent decisions at high volume. The human sees a stream of requests, approves most of them, and provides a false sense of oversight. This is worse than no oversight — it creates accountability without attention.

The Human Conductor model inverts this. Agents handle volume. Humans handle judgment. Each area of focus — from direction to accountability — has a human conductor who sets strategy, resolves exceptions, and governs the agent ecosystem that operates beneath them. Agents report upward; humans decide downward.

Critically, the conductor's authority is cryptographically anchored. When a human makes a strategic decision that agents must respect, that decision is recorded as a KERI interaction event — signed by the human's passkey-linked AID. Agents cannot deviate from it without creating a verifiable discrepancy in their KEL.

Implications
8 Areas of Focus, each with a human conductor Direction · Engagement · Enablement · Protocols · Sustainability · Processes · Accountability · Organisational
Passkey-linked AIDs anchor human decisions Strategic decisions are signed with FIDO2/WebAuthn and recorded in the KEL.
70/30 conductor focus model Each conductor dedicates 70% to their primary area and 30% across supporting areas.
Human auth event — ixn
"t": "ixn",
"aid": "EKE4g...",
"sn": 7,
"auth": "passkey",
"decision": "approve-scope"
Principle in one line
Agents do the work. Humans set the direction. The KEL shows who decided what.
Synthesis

These principles are a system.
Each one reinforces the others.

The clock makes proofs durable

Without sequenced time, proofs are snapshots. With a verifiable clock, proofs have position in history. You can always ask: when was this signed, and what came before and after it?

Identity makes delegation meaningful

Delegation without identity is just configuration. When the delegator and delegatee each have verifiable identities, delegation becomes a cryptographic contract — not a setting that can be quietly overridden.

Humans anchor the whole stack

Every trust chain in the system terminates at a human AID. Agents operate with delegated authority; humans hold the root. The conductor model ensures that authority and accountability remain co-located.

Ready to explore the architecture?

View architecture Back to overview