A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents

Problem
The paper addresses a significant gap in the governance of production AI agents, which operate within enterprise environments. Traditional security frameworks focus on data boundaries, managing data at rest and in transit, but fail to account for the dynamic and context-aware actions of AI agents. These agents can autonomously read context, invoke tools, and modify systems, leading to risks that are not adequately managed by existing policy engines. The authors highlight that current systems evaluate decisions based on atomic principals, whereas AI agents require stateful evaluations against composite principals, complicating the governance landscape. This work is a preprint and has not undergone peer review.

Method
The authors propose a reference architecture composed of four key primitives: a reasoning plane for intent adjudication and four enforcement planes (network, identity, endpoint, and data) that implement decisions. The architecture incorporates stop-anywhere mediation, allowing for flexible intervention, and introduces composite principals with capability attenuation to manage authority delegation. Additionally, the authors define a taxonomy of six interruption primitives that extend beyond simple allow/deny mechanisms. They argue for four correctness invariants to ensure the reliability of the governance framework. A reference implementation of the policy-engine core is provided, demonstrating that attenuation correctness and evidence reconstructability are maintained across trials, with adjudication times in the single-digit microsecond range.

Results
The proposed architecture successfully mitigates seven identified threats posed by production AI agents across five distinct workflows. The authors report that their implementation meets the correctness invariants, with evidence of tamper-evidence in the audit substrate functioning as intended. The architecture’s performance is quantified, showing that adjudication runs in single-digit microseconds, which is critical for real-time governance in production environments. However, specific baseline comparisons and quantitative metrics against existing policy engines are not detailed, which could provide further context for the effectiveness of the proposed solution.

Limitations
The authors acknowledge that their architecture is limited to governing delegated actions and does not encompass model behavior, which remains an area for future exploration. They also note that a full-system evaluation against a live agent benchmark is necessary to validate the architecture’s effectiveness in real-world scenarios. Additionally, the paper does not address potential scalability issues or the integration of this architecture with existing enterprise systems, which could pose challenges in practical deployments.

Why it matters
This work is significant as it lays the groundwork for a robust governance framework tailored to the complexities introduced by production AI agents, which are increasingly prevalent in enterprise settings. By addressing the limitations of current policy engines, this architecture has the potential to enhance security and compliance in AI-driven workflows. The implications of this research extend to the development of more sophisticated governance mechanisms in AI, as highlighted in related works on AI safety and ethics, as published in arXiv cs.AI.