| Scope & unit |
Single goal-conditioned loop; tools as subroutines; local policies; no external contracts; optimized for one user context and narrow objectives. |
Team of specialized agents; explicit roles; messages coordinate tasks over a private bus; contracts are social and owner-enforced, not cryptographically formal. |
Open network of agents across orgs; roles fluid; protocol contracts enforceable; ecosystem coordination via registries, markets, and standardized intents. |
| Trust boundary |
One domain; owner trust assumed; attack surface mostly prompt/tool I/O; mitigations are local and procedural. |
Intra-org trust; shared policies; limited adversarial exposure; schemas and supervision curb misuse within a common authority. |
Cross-org, semi-adversarial; zero-trust defaults; verifiable identity and rate-limited principals; disputes handled by protocol processes. |
| World model |
Private world model per task; narrow ontology; brittle to distribution shifts; limited shared ground truth. |
Partially shared models; knowledge graph/blackboard binds roles; schemas negotiated but controlled by one owner. |
Interoperable ontologies; versioned semantics; plural models coexist; alignment via open standards and conformance tests. |
| Memory/state |
Local episodic/semantic memory; vector stores and scratchpads; retention/decay tuned per task. |
Shared private state (CRDT/task graph); merges by team policy; rollback and lineage under owner control. |
Sovereign state with consent & lineage; portable logs/KGs; cross-provider interop with rights-aware retention. |
| Coordination |
Internal loop and planners; critics as functions; minimal negotiation; mostly sequential execution. |
Message-passing protocols; auction/contract-net tasking; debate/critique; orchestration or choreography patterns. |
Federated pub/sub with typed speech acts; price signals; micro-economies form/dissolve to realize intents efficiently. |
| Protocols & I/O |
Ad-hoc tool DSLs; loosely typed I/O; informal versioning; tight coupling to host stack. |
Org-level APIs; schema registries; contracts via tests and SLAs on an internal bus/RPC. |
Open standards; capability descriptors; versioned ontologies; mailbox endpoints; interop test suites ensure fidelity. |
| Identity (AuthN) |
Single principal or API key; coarse identity; manual rotation; weak provenance guarantees. |
Service accounts per role; namespaced audit IDs; internal IAM; limited external verifiability. |
Verifiable IDs with attestations; DID/PKI-style proofs; reputation signals; automated rotation/decay of credentials. |
| Authorization (AuthZ) |
Static scopes; least-privilege ad hoc; approvals manual and context-blind. |
Role-scoped tokens; policy engines enforce access; exceptions via owner override. |
Intent-scoped capability tokens; time-boxed rights; delegations traceable; global, immediate revocation. |
| Governance & policy |
Policies baked into prompts/code; edits local; oversight minimal. |
Polycentric within org: team norms, reviews, change boards; audits periodic and internal. |
Protocol-native governance; on/off-chain policy exchange; attestations & continuous conformance proofs across jurisdictions. |
| Incentives |
Implicit: finish tasks cheaply/quickly; no pricing or staking mechanisms. |
Team KPIs; rewards implicit; little explicit mechanism design beyond throughput/quality. |
Mechanism-designed incentives; prices for compute/data/tools; staking/slashing; reputation-driven routing and access. |
| Discovery/registry |
Hard-coded tools; manual catalogs; brittle to change and version drift. |
Internal registries; typed catalogs; service discovery within one network. |
Open capability registries; compliance tags; price/quality metadata; decentralized search and verification. |
| Asset rights |
Assumes local rights; consent rarely explicit; provenance ad hoc and hard to audit. |
Owner-managed sharing; NDAs/policies; limited data residency and purpose control. |
Consent, provenance, usage terms attached to asset; regional constraints enforced by policy engines end-to-end. |
| State portability |
Exports as files/vectors; migrations manual and lossy. |
Shared formats within org; adapters required across teams/products. |
Portable append-only logs/KGs; CRDT/ledger interop; reversible import/export with lineage preserved. |
| Compute & scheduling |
Single scheduler; best-effort execution; no cross-tenant SLO guarantees. |
Pooled compute; queue-based orchestration; SLOs internal to the owner. |
Multi-provider scheduling; verifiable compute attestations; cross-domain SLO brokering; congestion and rate markets. |
| Reliability/SRE |
Local retries/rollbacks; blast radius limited to one agent and its tools. |
Health checks, backpressure, circuit breakers on the bus; failures contained by org domains. |
End-to-end tracing across providers; isolation per intent; rate markets for throttling abuse and hot spots. |
| Safety & risk |
Prompt filters and static guardrails; manual kill-switch; limited forensics. |
Policy engines; role sandboxes; internal red-team agents; structured playbooks. |
Zero-trust isolation; runtime policy checks; Protocol-native governance; forensics-ready, signed logs. |
| Observability/audit |
Step traces and logs; reproducibility local; sparse metadata standards. |
Centralized tracing; schema’d events; owner-controlled audit trails with periodic reviews. |
Cross-domain provenance graphs; signed events; regulator-grade auditability for counterparties and authorities. |
| Learning/adaptation |
Reflective loops; retrieval tuning; occasional fine-tunes bound to one domain. |
Auto-curricula across roles; self-play, specialization, and diversity maintenance under one owner. |
Ecosystem learning via markets and reputation; policy evolution; emergent standards through selection pressure. |
| Topology |
Single node with star links to tools; minimal network concerns. |
Hub-and-spoke or hierarchical; limited peer-to-peer inside the org. |
Heterogeneous P2P/federated mesh; overlays across clouds/edges; locality-aware, policy-constrained routing. |