GraventureReference Architecture
v3  ·  April 2026
Pressure-TestedResearch-Verified

Enterprise AgenticControl Architecture

A full reference model for production agentic systems — mapping mature standards, custom engineering, and the gaps the industry has not yet solved.
NIST AI RMF  ·  OWASP ASI01–10  ·  Singapore MGF  ·  EU AI Act  ·  SLSA v1.2  ·  OpenTelemetry GenAI01 / 35
§0   Scope, Limitations, Regulatory ContextRead First
Reading Posture
This document leads with what it cannot solve.
If a hostile reviewer finds nothing to attack here, they will look harder elsewhere. Give them the ground early.
What this is
A pressure-tested control architecture combining mature standards, custom engineering patterns, and openly unsolved gaps into one diagnostic model for enterprise agentic systems.
How to use it
Technically challengeable by design. Explicit about assumptions. Useful as a diagnostic against real deployments — not as a formal standard or compliance checkbox.
Enterprise Agentic Control Architecture02 / 35
§0.2   Maturity Classification of the FieldScope
The Field, Honestly Assessed
Three maturity tiers. Different defences apply to each.
TierAreasStandards In Force
Mature Software supply chain, workload identity, policy enforcement, durable workflows, runtime isolation, rate limiting, logging and traces. SLSA v1.2 · SPIFFE · OPA/Cedar · Temporal · gVisor/Firecracker · OpenTelemetry · Istio/Envoy
Custom Decision-to-provenance binding, context provenance at decision time, multi-agent dependency graphs, architecture-level versioning, compound risk reclassification. No formal standard; built from mature primitives.
Unsolved Model-weight provenance, semantic validation of model outputs, non-deterministic replay, universal multi-agent lineage, cross-system context attestation. Active work: NIST CAISI · OWASP ASI · OpenTelemetry GenAI SIG. No settled standard.
§0.2 Maturity Classification03 / 35
§0.3   Regulatory LandscapeApril 2026
What You Are Being Measured Against
Six frameworks, different stages of maturity, overlapping obligations.
FrameworkStatus & Relevance
NIST AI RMF + Agentic ProfileAI Agent Standards Initiative launched Feb 2026 via CAISI. Three pillars: security, interoperability, governance. SP 800-53 overlays (COSAiS) in development. Cyber AI Profile (IR 8596) maps CSF 2.0 to AI risks. Full agentic overlays expected Q4 2026.
OWASP Top 10 for Agentic Applications (2026)Released Dec 2025. ASI01–ASI10: Goal Hijack, Tool Misuse, Identity & Privilege Abuse, Supply Chain, Unexpected Code Execution, Memory & Context Poisoning, Inter-Agent Comms, Cascading Failures, Human-Agent Trust Exploitation, Rogue Agents. Introduces least agency.
Singapore MGF for Agentic AIReleased Jan 2026 (Davos). First global governance framework specifically for agentic AI. Four dimensions: risk bounding · human accountability · technical controls · end-user responsibility. Voluntary but influential.
EU AI ActHigh-risk obligations enforceable 2 August 2026. Articles 9 (risk mgmt), 13 (transparency), 14 (human oversight), 16 (provider obligations). Penalties up to €35M or 7% global turnover.
OpenTelemetry GenAI ConventionsStill in Development status. Agent spans, tool execution spans, evaluation events defined but not yet stable.
SLSA v1.2Build track stable. Source track in development. Covers code & artifacts only. No equivalent exists for model weights.
§0.3 Regulatory Landscape04 / 35
§0.4   The Defensible ClaimFraming
The Position
We can make enterprise agentic systems materially more controllable and auditable. We cannot make them perfectly explainable or perfectly reproducible.
What this architecture closes
The gaps most teams leave open — decision-to-provenance binding, context integrity, multi-agent lineage, dynamic governance.
What it explicitly names
The gaps the industry has not yet solved — model-weight provenance, semantic validation, deterministic replay of frontier models.
§0.4 Defensible Claim05 / 35
§1   Core ClaimTwelve Requirements
A defensible system in April 2026 must ensure:
Twelve properties. Each binds to a control plane.
01
System integrity — what is running is trusted and provenance-verified.
07
Bounded aggregate behaviour — rate limits, budgets, circuit breakers, dynamic autonomy downgrades prevent flash-crash scenarios.
02
Model path integrity — exact model version, config, and eval baseline recorded per decision.
08
Context integrity — every piece of context carries provenance, trust classification, tamper-detection hash.
03
Structural validation — every model output validated before policy evaluation.
09
Decision dependency tracking — multi-agent chains recorded as a graph, not isolated events.
04
Policy-gated execution — no side effect without explicit policy authorisation.
10
Containment and recovery — stop, quarantine, rollback; trace downstream impact.
05
Risk-proportionate isolation — execution boundary matches decision risk class.
11
Jurisdictional compliance — residency, inference location, cross-border flows as first-class policy checks.
06
Engineered human oversight — authenticated, time-bounded, audited, escalation-pathed.
12
Architecture versioning — exact control regime at decision time is reconstructable.
§1 Core Claim06 / 35
§2   The Twelve Control PlanesMap of the Architecture
Architecture Map
Each plane closes a specific failure mode.
01
Governance
Classifies decisions into risk tiers with explicit, testable rules.
02
Build Integrity
Signs and attests code, prompts, workflows, policies, tool adapters.
03
Model Integrity
Pins model path, provider, version, config, eval baseline per decision.
04
Deployment Admission
Rejects unsigned, unprovenanced, or incompatible artifacts.
05
Identity & Trust
Scoped workload identity per component; least-privilege enforcement.
06
Workflow & State
Durable, replayable workflow execution for consequential operations.
07
Output Validation
Schema + bounded plausibility checks between model and policy.
08
Policy & Authorisation
Business + system authorisation before any side effect.
09
Tool Execution
Scoped by identity, delegation, context, risk class.
10
Behaviour Bounding
Rate, budget, circuit breakers, autonomy downgrades.
11
Evidence & Dependency
Decision packages with upstream dependency graph.
12
Detection · Response · Recovery
Anomaly, quarantine, rollback, dependency-aware remediation.
§2 Twelve Control Planes07 / 35
§3 · Plane 01   GovernanceClassification Engine
The Most Load-Bearing Plane
Classification engine, not taxonomy. If classification is weak, the entire architecture collapses.
Classification inputs
Financial impact · external system interaction · regulatory exposure (incl. jurisdiction) · data sensitivity · reversibility · blast-radius potential.
Output drives
Isolation tier · approval requirement · tool scope · rate limits · monitoring thresholds · blast-radius controls.
Critical rule
Classification must be deterministic from attributes, not based on human impression.
Decision tiers
D3External / regulated action — max controls. Writes external system · changes legal/financial state · regulated data across jurisdictions · grants privileged access · exceeds aggregate impact threshold.
D2Bounded internal action. Changes internal state or triggers bounded internal effects; cannot independently create external legal, financial, or customer-facing consequences.
D1Read-only recommendations.
D0Informational or observational operations.
§3 Governance08 / 35
§3 · cont.   Compound Risk & Feedback LoopGovernance Is Dynamic
Compound Risk Reclassification
A sequence of D2 decisions whose cumulative financial, operational, or reputational impact exceeds a defined threshold must be governed as D3.
This prevents walking through D3-level outcomes one D2 step at a time. Aggregate exposure is a governance signal, not a monitoring metric.
Runtime Governance Feedback
When runtime behaviour degrades
  • Agent trips circuit breakers repeatedly → class automatically downgraded.
  • Anomaly scores rise → tool scopes shrink, rate limits tighten.
  • Cumulative impact approaches threshold → workflow reclassifies upward, stricter approvals.
Aligns with Singapore MGF dimension 1 (risk bounding by design) and EU AI Act Article 9 (ongoing evidence-based risk management).
§3 Governance — dynamic09 / 35
§4 · Plane 02   Build IntegrityArtifact Provenance
Scope
What enters production must be proven — code, prompts, policies, tools alike.
Artifacts covered
Application code · workflow definitions · prompt templates · policy bundles · tool adapters.
Flow
git commit  →  CI build  →  signed artifact  →
provenance attestation  →  SLSA L3+ for production
Controls
  • No manual builds
  • Signed artifacts only
  • Provenance required
  • Builder identity validated
OWASP ASI04 coverage
Agentic Supply Chain Vulnerabilities specifically calls out compromised tools, MCP servers, and dynamic prompt templates. Build integrity mitigates these by requiring signed manifests and provenance for all deployment artifacts — including tool adapters and prompt packs.
Known limitation
This secures software artifacts. It does not secure upstream model weights — that gap is the Model Integrity plane.
§4 Build Integrity10 / 35
§5 · Plane 03   Model IntegritySLSA-Equivalent Does Not Exist
The Industry Gap
No broadly adopted SLSA-equivalent for model weights as of April 2026.
Minimum requirement — every decision record
  • Model provider
  • Model ID / version
  • Inference configuration (temperature, top-p, max tokens)
  • Tokenizer version
  • Safety-layer version
  • Evaluation baseline score for that exact model path
Higher-trust — self-hosted models
  • Weights digest (SHA-256) recorded and verified
  • Serving-image provenance
  • Quantisation configuration
  • Model-serving stack treated as a build artifact subject to SLSA-equivalent controls
Candid
NIST CAISI has acknowledged the gap and is developing guidance. No standard has been published.
§5 Model Integrity11 / 35
§5 · cont.   Model Endpoint Drift DetectionWeakest Control in Practice
The Threat
A provider silently updates the model behind the same API endpoint.
The architecture must detect this. Three practical approaches; none sufficient alone.
Approach A
Periodic evaluation benchmarks
Run a fixed, version-controlled test set against the endpoint on a schedule. Compare to baseline scores. Alert on material deviation.
Approach B
Output distribution monitoring
Statistical drift detection on token distributions, response latency, and response patterns. Detects silent capability and behavioural shifts.
Approach C
Contractual notification
Legal obligation on the model provider to notify on any change behind a named endpoint. Non-technical control.
Candid
This is the single weakest control in most real deployments. The document acknowledges this openly.
§5 Drift Detection12 / 35
§6 · Plane 04   Deployment AdmissionA Hard Gate
Before Any Runtime Enters Production
Seven verifications must pass — or the artifact is rejected.
01
Image signature
02
Provenance attestation
03
Builder identity
04
Approved repository
05
Policy bundle compatibility
06
Serving-stack compatibility
07
Control bundle version compatibility
↛ Fail
Reject artifact
Critical rule
This is a hard gate, not a warning. Any failed verification rejects the artifact outright.
§6 Deployment Admission13 / 35
§7 · Plane 05   Identity & TrustSPIFFE · mTLS · Zero Trust
Every Component Receives
Unique identity. Short-lived credentials. Scoped access. mTLS everywhere.
Applies to
Agent orchestrator · retriever · tool runners · policy engine · human approval service · model gateway · anomaly detector.
OWASP ASI03 coverage
Identity and Privilege Abuse specifically targets inherited credentials, cached tokens, and delegated permissions. Short-lived, task-scoped credentials are the primary mitigation.
Critical rule
Identity does not equal permission. Identity plus policy equals permission. A valid SPIFFE identity is necessary but not sufficient — it must map to least-privilege capability grants.
§7 Identity & Trust14 / 35
§8 · Plane 06   Workflow & StateDurable · Replayable
The Source of Execution Truth
All consequential work happens inside a durable workflow.
The workflow is responsible for
— Starting execution
— Retrieving & classifying context
— Staging model calls
— Invoking output validation
— Invoking policy evaluation
— Pausing for human approval
— Executing tools in isolation
— Recording evidence
— Retrying safely
— Escalating on timeout
— Compensating on failure
— Rolling back on failure
Critical rule
No consequential side effect may happen in an ad hoc model loop. If it is not in a workflow, it did not happen under control.
§8 Workflow & State15 / 35
§9 · Plane 07   Output ValidationBetween Model and Policy
Why This Plane Exists
Policy engines assume structured, trustworthy input. Models do not reliably produce structured truth.
Layer 1 · Schema
Correct structure · required fields present · valid enum values · parameter bounds · tool name exists in registry · no forbidden argument combinations.
Layer 2 · Semantic plausibility
Is the proposed action plausible in context? Correct counterparty? Sensible amount? Expected destination? Consistent with retrieved facts? Sane timing?
Honest limit
Semantic correctness is only partially solvable. The claim is not "the system proves semantic truth" — it is "the system applies layered plausibility checks and escalates uncertainty to human review for high-consequence decisions."
Backstop when semantic validation fails silently: behaviour bounding detects unusual patterns · human review for all D3 · anomaly detection flags deviations from expected decision distributions.
§9 Output Validation16 / 35
§10 · Plane 08   Policy & AuthorisationOPA · Cedar
Two Layers of Authorisation
Only policy may authorise. Model output never directly triggers a side effect.
Business authorisation
Who can do what, with what, under what conditions. Actor entitlement · target resource entitlement · separation-of-duty · cumulative exposure.
System / environment authorisation
Runtime constraints · infrastructure state · deployment context · data residency and cross-border restrictions.
Checks applied on every proposal
  • Actor entitlement
  • Target resource entitlement
  • Risk class from governance engine
  • Current environment state
  • Approval requirement
  • Cumulative exposure
  • Separation-of-duty rules
  • Contextual restrictions inc. data residency
Critical rule
The model may suggest. The workflow may stage. Only policy may authorise.
§10 Policy & Authorisation17 / 35
§11 · Plane 09   Tool ExecutionA Separate Control Domain
Threat Context
OWASP ASI02 documents real incidents where legitimate tools were weaponised through manipulated inputs.
Every tool must have
  • Explicit identity
  • Explicit owner
  • Explicit action class
  • Parameter schema
  • Least-privilege scope
  • Read/write classification
  • Risk rating
  • Invocation audit trail
Tool access is constrained by
  • Agent identity
  • Decision class
  • User delegation scope
  • Current workflow state
  • Policy result
  • Rate / budget controls
Critical rule
A general-purpose agent identity must not imply broad tool access. Tool access is explicitly granted per-context, never inherited from identity alone.
§11 Tool Execution18 / 35
§12 · Plane 10   Behaviour BoundingFlash-Crash Prevention
OWASP ASI08 — Cascading Failures
Individually valid actions can be collectively catastrophic.
Controls
  • Per-agent rate limits
  • Per-workflow action limits
  • Per-tenant budgets
  • Per-tool quotas
  • Cumulative risk thresholds
  • Max write volume
  • Circuit breakers
  • Kill switches
  • Escalation to human control
Dynamic autonomy downgrade
  • Agent hits limits repeatedly → governance plane automatically reclassifies.
  • Anomaly scores rise → tool scopes shrink.
  • Cumulative impact approaches threshold → workflow reclassifies into higher tier, requiring stricter approvals.
Critical rule
Governance is dynamic, not static.
§12 Behaviour Bounding19 / 35
§13 · Plane 11   Evidence & DependencyDecision Package
What Every Consequential Decision Produces
A structured decision package linking runtime to provenance — and to upstream decisions as a graph.
Decision package — minimum fields
decision_id
workflow_id
timestamp
actor_identity
input_refs
context_refs + trust_class + chunk_hashes
upstream_dependencies
model_path (provider,version,config)
prompt_version
output_validation_result
policy_result + bundle_version
approval_result + expiry
tool_invocation_details
side_effects
runtime_image_digest
provenance_ref
control_bundle_version
Dependency graph — multi-agent fields
  • Parent decision IDs
  • Upstream agent IDs
  • Dependency graph edge list
  • Confidence / trust class on inherited context
  • Delegation scope token reference
Critical rule
Decisions are part of a directed acyclic graph, not isolated events.
Aligns with EU AI Act Art 13 (transparency for high-risk systems) and Singapore MGF dimension 4 (end-user responsibility through transparency).
§13 Evidence & Dependency20 / 35
§14 · Plane 12   Detection · Response · RecoveryBeyond Observability
Observability Is Necessary — Not Sufficient
Detection without response is just observation.
Detection
  • Anomaly detection on live behaviour
  • Pattern deviation detection
  • Context poisoning heuristics ASI06
  • Policy-compliant but contextually abnormal patterns
  • Model output drift monitoring
Response
  • Pause workflow
  • Revoke workload identity
  • Disable tool
  • Quarantine agent
  • Rotate signing materials
  • Quarantine suspect model version
  • Halt downstream workflows
Recovery
  • Replay dependency graph from compromised node
  • Identify all downstream decisions affected
  • Execute compensating actions for irreversible side effects
  • Produce forensic evidence package for regulators
§14 Detect · Respond · Recover21 / 35
§15   Human Approval ArchitectureEngineered, Not A Checkbox
OWASP ASI09 — Human-Agent Trust Exploitation
Humans over-rely on agent recommendations, approving harmful actions. A weak approval path invalidates the entire architecture.
The approval subsystem must define
— Who can approve (role-validated identity)
— What they can approve (scoped by decision class)
— What evidence is shown before approving
— How approval is authenticated (strong identity, not just session)
— How long approval remains valid (explicit expiry)
— What happens on timeout (escalation, not silent approval)
— When escalation occurs
— What is recorded for audit (immutable)
— Whether approval is one-time, bounded, or reusable
Failure mode
Rubber-stamped, time-out-to-auto-approve, or unauthenticated approvals make human oversight illusory — and invalidate every control downstream.
§15 Human Approval22 / 35
§16   Context IntegrityContext Is An Attack Surface
OWASP ASI06 — Memory & Context Poisoning
Minimum viable context provenance on every chunk used in a decision.
FieldRequirementPurpose
Source IDDocument or system identifierTrace origin
Chunk hashSHA-256 of retrieved contentDetect tampering since retrieval
Retrieval timeTimestampReason about freshness
Trust classCanonical · transformed · external · agent-generated · user-suppliedLet policy weight context quality
Transformation refID if content was summarised or translatedInspect derived context
Session scopeWorkflow or case IDPrevent cross-case contamination
Context absence detection. Track not only what context was used, but flag when expected context was not retrieved. This prevents agents proceeding on incomplete context without detection.
Hash verification at decision time. The system must verify that the specific context hashes used by the agent still match the stored content or canonical source reference.
§16 Context Integrity23 / 35
§17   Multi-Agent DelegationScoped Capability Tokens
OWASP ASI07  ·  ASI03
Least privilege is not real until delegation is carried as a scoping token.
Enforcement mechanism
Parent agent receives a scoped capability token tied to workflow, decision class, allowed tools, argument bounds, and expiry. When delegating, the parent can only mint a child token that is equal or narrower in scope. The policy plane verifies the presented capability token before every delegated action.
Revocation propagation
If a parent's token is revoked mid-workflow, all child tokens must be immediately invalidated. In-flight child workflows halt at the next checkpoint, record incomplete state, and trigger compensating actions for any completed side effects. Revocation cascades through the entire delegation chain.
Critical rule
Authority shrinks with delegation. No sub-agent may inherit more authority than its parent was explicitly granted.
§17 Multi-Agent Delegation24 / 35
§18   Key & Trust Material LifecycleSurviving Compromise
Do Not Hide This Under An Assumption
OWASP ASI04 includes compromised credentials as a root cause. Explicit lifecycle controls are required.
Required controls
  • Issuance
  • Scheduled rotation
  • On-demand revocation
  • Compromise detection (anomalous signing pattern monitoring)
  • Emergency break-glass procedures
  • Recovery after compromise (re-signing, re-attestation)
  • Signer trust-store updates
  • Historical verification after rotation
Applies to
  • Signing identities
  • Workload identity roots
  • Approval credentials
  • Tool credentials
  • KMS-backed materials
Critical rule
A secure system is not one with keys. It is one that survives key compromise.
§18 Key & Trust Lifecycle25 / 35
§19   Data Residency & Jurisdictional ControlsFirst-Class Policy
Where Inference Happens Matters
A control architecture is incomplete if it ignores where inference, storage, and retrieval occur.
Regulatory basis
EU AI Act requires high-risk systems meet specific data governance obligations (Article 10). GDPR cross-border transfer rules apply to any AI system processing EU personal data.
What to classify
Every model route and data store by region and jurisdiction. Bind policy to location constraints.
Every decision package records
  • Where inference occurred
  • Where context was retrieved from
  • Where evidence was stored
Critical rule
Cross-border flow is a first-class policy check, not a legal footnote.
§19 Data Residency & Jurisdiction26 / 35
§20   Architecture VersioningControl Bundle
Component Versions Are Not Enough
You need the control regime version.
A control bundle includes
  • Governance rules version
  • Policy packs version
  • Tool schemas version
  • Approval logic version
  • Anomaly thresholds version
  • Circuit-breaker settings version
Store the control bundle version in every decision package. Promote bundles through test, staging, and production the same way you promote code.
Rollback compatibility rule
Decisions made under a subsequently reverted control bundle remain valid as of their execution time. The revert itself is recorded as a governance event. This prevents audit gaps during control-regime changes.
Critical rule
You must be able to answer: which exact control architecture was in force when this decision occurred?
§20 Architecture Versioning27 / 35
§21   Reconstruction, Not Perfect ReplayMost Important Framing Decision
The Framing
Do not claim exact replay of frontier model behaviour. LLMs are inherently non-deterministic. The defensible claim is decision context reconstruction plus policy re-evaluation.
What you can prove
  • Exact inputs provided to the model
  • Exact context references (with hashes) used
  • Exact policy bundle and governance rules in force
  • Exact tool scopes available
  • Exact approval chain and evidence
  • Exact control bundle version active
What regulators need
Proof the decision was made within the correct control boundaries, using verified context, under valid policy, with proper authorisation. Exact reproduction of the model output is neither achievable nor required.
§21 Reconstruction28 / 35
§22   Control Plane AssuranceTested, Not Assumed
An Untested Control Is A Hypothesis
Twelve control planes mean nothing if they are never exercised under adversarial conditions.
Red-team exercises
Adversarial testing against each OWASP ASI01–ASI10 category.
Chaos engineering
Verify circuit breakers fire at correct thresholds, quarantine actually isolates, revocation cascades propagate.
Policy validation
Confirm the policy engine blocks what it should block (test with known-bad proposals).
Approval path testing
Verify timeout escalation, expiry enforcement, audit trail completeness.
Key compromise drills
Simulate signing key compromise and verify recovery procedures.
Context poisoning simulation
Inject known-bad context and verify detection heuristics.
Assurance should run continuously, not as a one-time exercise. Results are versioned alongside the control bundle.
§22 Assurance29 / 35
§23   End-to-End Request PathHow The Planes Interlock
Thirteen Stages
One consequential decision, traced through every plane.
01Admit signed artifact + control bundleBuild · Admission
02Runtime receives workload identityIdentity
03Workflow starts; classify riskGovernance
04Retrieve & classify context; check absenceContext
05Model generates proposal; path recordedModel
06Validate structure + plausibilityValidation
07Evaluate policy + jurisdictionPolicy
08Pause for authenticated approverApproval
09Execute tool in isolation tierTools
10Check rate, budget, cumulative impactBounding
11Write decision package + dep graphEvidence
12Detect anomalies + drift liveDetection
13On breach: quarantine · revoke · replayRecovery
Each step produces evidence, updates the dependency graph, and may trigger dynamic reclassification via the governance feedback loop.
§23 Request Path30 / 35
§24   OWASP Agentic Top 10 MappingCoverage Table
Every ASI Category Maps To At Least One Plane
Coverage is explicit; residual risks are named, not hidden.
OWASP RiskPrimary Control PlanesResidual Risk
ASI01 · Agent Goal HijackContext Integrity · Output Validation · Behaviour BoundingSophisticated indirect injection may evade plausibility checks
ASI02 · Tool MisuseTool Execution · Policy · Output ValidationNovel tool abuse patterns require updated detection rules
ASI03 · Identity & Privilege AbuseIdentity & Trust · Multi-Agent Delegation · Key LifecycleInsider threat with legitimate credentials
ASI04 · Supply Chain VulnerabilitiesBuild Integrity · Model Integrity · Deployment AdmissionNo model-weight provenance standard
ASI05 · Unexpected Code ExecutionTool Execution (sandboxing) · Workflow (no ad hoc)Zero-day escape from isolation boundary
ASI06 · Memory & Context PoisoningContext Integrity · Context Absence DetectionSlow poisoning below detection threshold
ASI07 · Insecure Inter-Agent CommsIdentity (mTLS) · Multi-Agent Delegation (scoped tokens)Token theft via side-channel
ASI08 · Cascading FailuresBehaviour Bounding · Governance Feedback · Circuit BreakersNovel cascade pattern not covered by current thresholds
ASI09 · Human-Agent Trust ExploitationHuman Approval Architecture · Evidence presentationAutomation bias despite controls
ASI10 · Rogue AgentsDetection & Response · Quarantine · Kill SwitchesSophisticated evasion of behavioural monitoring
§24 OWASP Mapping31 / 35
§25   Known GapsApril 2026
Stated Openly
A document that hides its limitations is less defensible than one that leads with them.
GapCurrent State & Mitigation
No standard for model-weight provenanceNIST CAISI developing guidance. Mitigation: record model path per decision, periodic eval benchmarks, contractual notification from providers.
No standard for decision-to-provenance bindingCustom implementation linking runtime decisions to build attestations via decision packages. No formal specification exists.
No standard for multi-agent decision lineageDependency graph tracking is custom engineering. NIST planning multi-agent overlays for SP 800-53 (late 2026).
No deterministic replay for LLMsReframed as decision context reconstruction plus policy re-evaluation. Exact model output reproduction is not claimed.
No universal context integrity attestationMinimum viable provenance model implemented; full cross-system attestation standard does not exist.
Semantic validation is partially solvableLayered plausibility checks reduce but do not eliminate risk. Backstop: human review for high-consequence decisions; anomaly detection.
OpenTelemetry GenAI not yet stableAgent spans, tool execution spans, evaluation events defined but in Development status. Production should use opt-in stability flags.
§25 Known Gaps32 / 35
§27   What This Architecture Does Not Fully SolveResidual Attack Surface
Mitigated But Not Eliminated
The architecture is honest about these. No system eliminates all risk.
·
Compromised CI pipeline (mitigated by SLSA L3; not immune to nation-state)
·
Sophisticated prompt injection through indirect channels ASI01
·
Malicious policy definition by an authorised insider
·
Model hallucination producing plausible but wrong outputs that pass validation
·
Insider threat with legitimate signing privileges
·
External system compromise downstream of tool invocations
·
Slow context poisoning below anomaly detection thresholds ASI06
·
Automation bias causing rubber-stamp approvals ASI09
·
Novel cascade patterns not covered by current circuit-breaker thresholds ASI08
Defensible claim
Failures can be detected, contained, and reconstructed with evidence.
§27 Residual Attack Surface33 / 35
§26   Client DiagnosticSixteen Questions
Use Against Any Enterprise Agentic Deployment
Any "no" is a real control gap.
01
Can you prove what artifact is running?
Build · Admission
02
Can you identify the exact model path used?
Model Integrity
03
Do you detect silent model changes behind an endpoint?
Drift Detection
04
Do you validate model outputs before policy sees them?
Validation
05
Can the model trigger a side effect without policy authorisation?
Policy
06
Is human approval engineered, authenticated, time-bounded, audited?
Approval
07
Are tools scoped by identity, delegation, context, and risk class?
Tool Execution
08
What stops 1,000 individually valid actions from causing aggregate damage?
Bounding
09
Does runtime behaviour feed back into governance classification?
Feedback Loop
10
Can you classify and trace the context used in a decision?
Context
11
Can you prove context was not tampered since retrieval?
Hash Verify
12
Does the system flag when expected context was not retrieved?
Context Absence
13
Can you reconstruct a multi-agent dependency chain?
Evidence · Dep
14
Can you quarantine one agent or tool without halting the platform?
Recovery
15
What happens if signing keys or workload identity roots are compromised?
Key Lifecycle
16
Do you have anomaly detection, not just logs?
Detection
§26 Client Diagnostic34 / 35
§28   Final PositionClose
One-Line Summary
Most systems can tell you what happened.
This architecture proves what caused it, which controls were in force when it happened, and how to stop it when it goes wrong.
Defensible in April 2026 because
  • Maps to NIST AI RMF, OWASP Agentic Top 10, Singapore MGF, EU AI Act obligations
  • Separates static integrity controls from dynamic behavioural controls
  • Explicitly identifies and classifies every gap by maturity level
  • Provides testable diagnostic questions for real deployments
  • Requires ongoing control-plane assurance, not one-time implementation
What matters
Twelve control planes. Some backed by mature standards, some custom engineering, some unsolved. What matters is wiring them together explicitly, admitting the weak points, and proving which controls were in force when a decision happened.
Enterprise Agentic Control Architecture · v3 · April 202635 / 35