There is genuine confusion in the market about what the Agent Transfer Protocol is and what it is for. Some of it comes from the breadth of what AGTP covers. Some of it comes from the natural tendency to conflate infrastructure with the decisions made on top of it. Some of it comes from vendors who have an interest in keeping the distinction blurry.

The SMTP analogy quickly resolves the confusion. And it is worth spending time on because the architectural clarity it provides changes how you think about the entire agent infrastructure stack.

The SMTP Analogy

SMTP is the protocol that carries email. It has been doing this since 1982. It defines how messages are transmitted, how servers communicate, and how messages are routed and relayed. It operates on port 25. It is the dedicated infrastructure for email traffic.

SMTP’s job is to carry email. The decision about what is spam lives elsewhere.

Spam filters, content moderation systems, deliverability policies, and malware detection are all application-layer decisions made by mail providers, organizations, and specialized tools. Gmail, Outlook, and ProtonMail compete on their decision-making quality and user experience, all operating above SMTP. The protocol provides the wire. The applications provide the judgment.

AGTP is the same architecture for agent traffic.

AGTP is the protocol that carries agent traffic. It operates on port 4480. It moves agent communication off HTTP, which was designed for browsers and documents, onto a dedicated lane designed specifically for agents. It carries wire-level facts that decision-makers require: agent identity, authority scope, trust scores, attribution records, intent-aligned methods, audit primitives, and discovery metadata.

AGTP’s job is to carry agent traffic with the necessary information governance decisions. The governance decisions live in the application layer above it.

What AGTP Carries

The breadth of what AGTP covers is worth naming specifically, because it is larger than most people realize, and it is where some of the confusion originates.

The transfer layer itself is the substrate. A dedicated protocol running on port 4480, separate from HTTP, purpose-built for agent traffic. Similar to how SMTP created a dedicated lane for email, allowing the email ecosystem to develop its own infrastructure, AGTP creates a dedicated lane for agents. This has immediate practical value for regulated industries that require agent traffic off HTTP for compliance reasons, and for shadow AI discovery, since traffic on a dedicated agent protocol is structurally distinguishable from other traffic in a way that HTTP agent traffic cannot be.

On top of the transport layer, AGTP carries several categories of wire-level primitives.

Agent identity comprises the canonical Agent ID, the genesis record from which it derives, and the certificate infrastructure that makes it verifiable to any party that receives agent traffic. Discovery and registry primitives allow agents to find each other. Certificates establish cryptographic proof of identity.

Agent security covers authority scope as a wire-level fact, trust scores carried on the wire, authorization structures, and validation mechanisms. The authority scope declaration travels with every request. Any receiving system can see what the agent claims it is authorized to do without having to query a separate authority.

Agent communication covers session management, media types, and translation for agent-to-agent interactions.

Agentic APIs cover the intent-aligned semantic methods: BOOK, QUERY, SUMMARIZE, DELEGATE, PROPOSE. Also included is the Runtime Contract Negotiation Substrate, which allows contracts to be negotiated at runtime rather than being predetermined at design time.

Agent logging covers the attribution records signed on every method invocation, audit log primitives, and transparency log integration. These are the wire-level ingredients that enable an auditable record.

Agent commerce covers merchant identity primitives and purchase flow infrastructure. AGTP carries the identity and structural information required for commerce decisions. The authorization decision itself lives in the application layer.

Agent budgets cover cost center identifiers and budget limit primitives carried at the wire level.

What Sits on Top

Everything listed above is infrastructure. The protocol carries these facts. The application layer uses them to make decisions.

Decision engines determine what to allow, what to deny, and what to escalate based on the wire-level facts AGTP provides. The agent’s identity and authority scope are inputs to those decisions. AGTP provided them. The decision engine acts on them.

Policy frameworks determine what scope to grant and what trust thresholds matter. An organization’s policy requiring agents with trust scores below a certain threshold to undergo human review before high-consequence actions is a policy layer decision. AGTP provided the trust score. The policy framework applied the threshold.

Governance platforms, Nomotic and its competitors, sit at this application layer. They consume the identity, authority, trust, and attribution primitives that AGTP carries and make governance decisions from them. AGTP gave the governance platform the Agent ID. The governance platform determined which behavioral constraints apply to that agent and whether its proposed action falls within them.

MCP sits at the application layer, too. AGTP provides the Agent ID and the Log ID primitives. MCP running on AGTP can provide richer auditing of tool selection and use because the underlying identity and attribution are already present in the protocol envelope.

Commerce platforms consume the merchant identity and budget primitives AGTP carries and make authorization decisions. AGTP provides the merchant identity and the agent’s declared budget limits. The commerce platform decides whether to authorize the transaction.

Why the Distinction Matters

Conflating the protocol with the application layer leads to architectural decisions that are harder to correct later.

An organization that treats its governance platform as its agent protocol is building a fragile stack. The quality of governance decisions depends on the quality of the decision engine. And the inputs to those decisions (agent identity, authority scope, trust score, attribution record) are only as reliable as the system that produced them. When those inputs are asserted by the application layer rather than carried by the protocol, any application with access to the system can assert whatever identity and authority it wants.

When identity, authority, and attribution are wire-level facts carried by the protocol, they are structural. Any application that handles agent traffic automatically gets them. Any governance platform making decisions on that traffic is working from protocol-level evidence rather than application-layer assertions. The evidence is harder to forge, easier to verify, and consistent across all applications that consume it.

This is the same reason email security improved when DKIM and SPF became protocol-adjacent infrastructure rather than optional application add-ons. The authentication evidence moved closer to the wire. The decision layer above it became more reliable because its inputs were more trustworthy.

The Practical Implications

For organizations deploying AI agents:

AGTP gives your governance platform the Agent ID it needs to know which agent it is governing. With protocol-level identity, the governance platform is governing a verified participant whose identity is cryptographically bound to their behavioral history.

AGTP gives your logging infrastructure the audit primitives it needs to produce a complete governance record. The attribution record signed on every method invocation is the raw material for an evidentiary audit trail. The application layer assembles it. The protocol produced it.

AGTP gives your security infrastructure the authority, scope, and trust score it needs to make zero-trust decisions. The input is in the wire. The decision is in the policy.

AGTP gives your commerce infrastructure the merchant identity and budget information it needs to authorize agent-initiated transactions. American Express requires a registered agent identity and authenticated purchase intent for its Agent Purchase Protection. AGTP is the infrastructure that makes registered agent identity a protocol-level fact rather than an application-layer claim.

For organizations building governance platforms:

AGTP is the substrate your platform sits on. It provides the wire-level facts your decision engine needs. Your differentiation is in the quality of your decisions, the sophistication of your behavioral evaluation, the depth of your audit record, and the usefulness of your oversight interfaces. All of that is yours to build. AGTP provides the foundation.

The Simple Version

SMTP carries email. Gmail decides what is spam.

AGTP carries agent traffic. Governance platforms decide what is allowed.

The protocol provides the lane and the facts. The applications provide the judgment.

Building governance infrastructure that depends on application-layer identity assertions rather than protocol-level identity facts produces fragility at the foundation. Strong governance decisions require trustworthy inputs. Trustworthy inputs come from the wire, where they are structural, rather than from the application, where they are asserted.

The protocol is available at agtp.io. The specification is at the IETF. The decision layer is where you build your competitive advantage.

---

If you find this content valuable, please share it with your network.

Follow me for daily insights.

Book me to speak at your next event.

Start managing your agents for free.

Chris Hood is an AI strategist and author of the #1 Amazon Best Seller Infailible and Customer Transformation, and has been recognized as one of the Top 30 Global Gurus for Customer Experience. His latest book, Unmapping Customer Journeys, is available now!