PEAC (Portable Evidence for Agent Compliance) is a new open standard published on GitHub that gives AI agents, APIs, and MCP tool hosts a way to produce cryptographically verifiable proof of what they actually did. Released under the Apache 2.0 license by Originary — a brand of Delaware-incorporated Poem, Inc. — it works through a three-step flow: service providers publish machine-readable terms at a well-known URL, return a signed JWT receipt header alongside governed HTTP responses, and consumers verify those receipts offline using Ed25519 public keys with no callback to the issuer. At v0.12.0, the repository spans 28 packages, more than 5,600 tests, and integrations across TypeScript and Go SDKs.
PEAC is designed to complement rather than replace existing infrastructure. It sits alongside authentication systems, payment rails, and observability tooling like OpenTelemetry, adding a portable evidence layer that can survive organizational handoffs. Key integrations include an MCP server package for Anthropic's Model Context Protocol, carrier mappings for Google's <a href="/news/2026-03-14-agent-format-yaml-standard-portable-ai-agents">Agent-to-Agent (A2A) protocol</a>, Express middleware, and adapters for x402, the HTTP 402-based machine-to-machine payment protocol. For dispute resolution and compliance audits, interactions can be bundled into portable ZIP archives containing receipts, policy snapshots, public keys, and verification reports — a design that targets regulatory contexts such as the EU AI Act and NIST frameworks.
The commercial model follows the open-core stewardship playbook. The full protocol — all packages, CLI, and SDKs — is free with no usage limits or callbacks to Originary's infrastructure. Enterprise revenue comes from guided integration support, KMS-backed hardware-attested signing keys, and compliance-grade evidence bundles, all priced on a custom basis. The KMS key offering is where the money is: while operators can self-generate Ed25519 keypairs, enterprises needing hardware-attested key provenance for regulatory audits have a clear incentive to purchase managed infrastructure. Originary has published an anti-capture governance commitment, with conformance test fixtures rather than the steward's own implementation serving as the normative arbiter, and a broader maintainer structure planned for after the v1.0 milestone.
One notable caveat for prospective enterprise adopters: Originary and its parent Poem, Inc. disclose no named founders, executives, or team members on their public-facing properties — an unusual degree of opacity for a standard seeking adoption in compliance-sensitive environments. The protocol maps to emerging agent interoperability standards including A2A, ACP, and the <a href="/news/2026-03-15-grantex-delegated-authorization-protocol-ai-agents">IETF AIPREF Internet-Draft</a>, and has integrations with Cloudflare edge, Vercel edge functions, and the OpenClaw agent runtime. Whether the broader agent ecosystem coalesces around PEAC or a competing evidence standard will depend heavily on how quickly framework authors and enterprise operators adopt the receipt-issuance pattern — and how credibly Originary executes on its promised governance transition.