A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents
English summary
The paper proposes a reference architecture for runtime governance of production AI agents, addressing the breakdown of traditional data-boundary controls in agentic workflows. The architecture decomposes governance into five planes: a reasoning plane that adjudicates intent and four enforcement planes (network, identity, endpoint, data) that realize decisions. It introduces composite principals with capability attenuation to model authority delegation, stop-anywhere mediation, and a tamper-evident audit substrate. A taxonomy of six interruption primitives generalizes allow/deny. The paper proves four correctness invariants and demonstrates foreclosure of seven production-agent threats across five concrete workflows. A reference implementation validates the design: adjudication runs in single-digit microseconds, attenuation correctness and evidence reconstructability hold on every trial, and the audit substrate exhibits exact tamper-evidence. The scope is restricted to governing delegated action, not model behavior, and a live-agent benchmark evaluation is proposed as the next step.
Key points
Introduces a five-plane reference architecture (reasoning plane + network, identity, endpoint, and data enforcement planes) for governing production AI agents.
Defines composite principals with capability attenuation to model authority delegation and preserve security through agentic tool chains.
Proposes a taxonomy of six interruption primitives that go beyond simple allow/deny, enabling fine-grained runtime mediation.
Proves four correctness invariants and demonstrates foreclosure of seven distinct production-agent threats across five concrete workflows.
Reference implementation shows adjudication in single-digit microseconds, full attenuation correctness, evidence reconstructability, and exact tamper-evidence properties.