A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents
Pith reviewed 2026-06-27 10:07 UTC · model grok-4.3
The pith
A five-plane reference architecture governs production AI agents by enforcing decisions on composite principals across reasoning, network, identity, endpoint, and data planes.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper presents a reference architecture for runtime governance of production AI agents built from four composable primitives: a five-plane decomposition, stop-anywhere mediation, composite principals with capability attenuation, and audit as a structured evidence substrate. It defines a taxonomy of six interruption primitives, argues for four correctness invariants, and shows the foreclosure of seven production-agent threats across five concrete workflows. The policy-engine core provides evidence that attenuation correctness and evidence reconstructability hold on every trial, with single-digit microsecond adjudication and designed tamper-evidence in the audit substrate.
What carries the argument
The five-plane decomposition, consisting of a reasoning plane that adjudicates intent and four enforcement planes that realize the decision, combined with stop-anywhere mediation and composite principals.
If this is right
- Seven production-agent threats are foreclosed across five concrete workflows.
- Attenuation correctness and evidence reconstructability hold on every trial in the reference implementation.
- Adjudication runs in single-digit microseconds.
- The audit substrate's tamper-evidence behaves as designed.
- Four correctness invariants are maintained by the architecture.
Where Pith is reading between the lines
- This could be tested by deploying it against existing agent benchmarks to measure threat foreclosure rates.
- Similar five-plane structures might apply to governance of multi-agent systems where delegation chains are longer.
- Enterprises could map their current access control lists to the composite principals to reduce migration effort.
Load-bearing premise
The five-plane decomposition together with stop-anywhere mediation and composite principals can be composed without coverage gaps or new vulnerabilities when applied to real production agent workflows.
What would settle it
Running the reference implementation on a live production agent benchmark and observing an agent completing an unauthorized business process transformation that bypasses the planes.
Original abstract
Enterprise security was built to govern data boundaries: the protected surface was data at rest and in transit, and the controls -- access control, data-loss prevention, perimeter inspection -- governed crossings of that boundary. Production AI agents dissolve this assumption. An agent reads context, calls tools, invokes connectors, and modifies systems of record on an enterprise's behalf, so risk moves inside the workflow, into sequences of individually-permitted actions that may transform a business process no one authorized. Existing policy engines do not extend to this regime: they evaluate request-time decisions against atomic principals, where agentic systems require stateful evaluation against composite principals whose authority attenuates through delegation chains. We present a reference architecture for the runtime governance of production agents, built from four composable primitives: a five-plane decomposition (a reasoning plane that adjudicates intent, and four enforcement planes -- network, identity, endpoint, data -- that realize the decision), stop-anywhere mediation, composite principals with capability attenuation, and audit as a structured evidence substrate. We define a taxonomy of six interruption primitives that generalize allow and deny, state and argue for four correctness invariants, and demonstrate the foreclosure of seven production-agent threats across five concrete workflows. A reference implementation of the policy-engine core supplies measured evidence: attenuation correctness and evidence reconstructability hold on every trial, adjudication runs in single-digit microseconds, and the audit substrate's tamper-evidence behaves exactly as designed. We are explicit about scope: the architecture governs delegated action, not model behavior, and a full-system evaluation against a live agent benchmark is the invited next step.
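An added illustration, not the paper's reference implementation, of two primitives the abstract names: composite principals whose authority can only narrow along a delegation chain (capability attenuation), and an audit substrate made tamper-evident by hash chaining so a decision can be reconstructed and any edit to the record is detected. The principal names, action and resource ids are constructed assumptions.

```python
# Added illustration of capability attenuation over a composite principal and a
# hash-chained audit log. Names, actions and resource ids are constructed; the
# paper's own policy engine may differ in every detail.
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    action: str            # e.g. "crm.update" (constructed)
    resources: frozenset   # resource ids this capability may touch


@dataclass(frozen=True)
class Principal:
    """Composite principal: the delegation chain plus the authority left after attenuation."""
    chain: tuple           # e.g. ("alice", "agent-7", "tool:crm")
    caps: frozenset        # frozenset[Capability]


def dominated(req: Capability, held: frozenset) -> bool:
    """A requested capability is valid only if some held capability fully covers it."""
    return any(c.action == req.action and req.resources <= c.resources for c in held)


def attenuate(parent: Principal, delegate: str, requested: frozenset) -> Principal:
    """Delegate to the next hop; authority may only narrow, never widen."""
    widened = {c for c in requested if not dominated(c, parent.caps)}
    if widened:
        raise PermissionError(f"{delegate} asked for more than {parent.chain[-1]} holds: {widened}")
    return Principal(parent.chain + (delegate,), frozenset(requested))


class AuditLog:
    """Evidence substrate: every record commits to the digest of the previous one."""
    def __init__(self):
        self.records = []

    def append(self, record: dict) -> str:
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered record breaks it."""
        prev = "0" * 64
        for r in self.records:
            if r["prev"] != prev or hashlib.sha256((prev + r["body"]).encode()).hexdigest() != r["digest"]:
                return False
            prev = r["digest"]
        return True


def adjudicate(p: Principal, action: str, resource: str, log: AuditLog) -> str:
    """Allow only if the attenuated principal still covers the action; record either way."""
    verdict = "ALLOW" if dominated(Capability(action, frozenset({resource})), p.caps) else "DENY"
    log.append({"chain": list(p.chain), "action": action, "resource": resource, "verdict": verdict})
    return verdict


def demo():
    log = AuditLog()
    alice = Principal(("alice",), frozenset({Capability("crm.update", frozenset({"acct-1", "acct-2"}))}))
    agent = attenuate(alice, "agent-7", frozenset({Capability("crm.update", frozenset({"acct-1"}))}))
    results = [adjudicate(agent, "crm.update", "acct-1", log),
               adjudicate(agent, "crm.update", "acct-2", log)]   # outside the attenuated scope
    try:   # a downstream tool tries to re-widen to acct-2; attenuation must reject it
        attenuate(agent, "tool:crm", frozenset({Capability("crm.update", frozenset({"acct-2"}))}))
        results.append("WIDENED")
    except PermissionError:
        results.append("ATTENUATION_HELD")
    intact = log.verify()
    log.records[0]["body"] = log.records[0]["body"].replace("ALLOW", "DENY")   # tamper with evidence
    return results, intact, log.verify()
```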
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a five-plane reference architecture for runtime governance of production AI agents. It introduces four composable primitives—a reasoning plane plus network/identity/endpoint/data enforcement planes, stop-anywhere mediation, composite principals with capability attenuation, and an audit evidence substrate—along with a taxonomy of six interruption primitives and four correctness invariants. The central claim is that this architecture forecloses seven production-agent threats across five concrete workflows. A reference implementation of the policy-engine core provides measurements showing that attenuation correctness and evidence reconstructability hold on every trial, adjudication completes in single-digit microseconds, and the audit substrate exhibits the designed tamper-evidence properties. The paper explicitly scopes its contribution to delegated action (not model behavior) and identifies full-system evaluation against a live agent benchmark as future work.
Significance. If the five-plane composition and threat foreclosure hold without coverage gaps, the work would supply a structured, stateful alternative to atomic-principal policy engines for governing agentic workflows that cross enterprise systems of record. The measured properties of the policy-engine core (correctness on all trials, microsecond-scale adjudication, and exact tamper-evidence behavior) constitute concrete, reproducible evidence for the core mechanism; the definition of four invariants and six interruption primitives offers a clear basis for further verification.
major comments (1)
- [Abstract, §1] Abstract and §1 (scope paragraph): the claim that the architecture 'demonstrate[s] the foreclosure of seven production-agent threats across five concrete workflows' rests on an untested composition step. The reported measurements apply only to the policy-engine core; no quantitative results are supplied for integration of the reasoning plane with the four enforcement planes, stop-anywhere mediation, or composite-principal attenuation inside the five workflows. The manuscript itself states that 'a full-system evaluation against a live agent benchmark is the invited next step,' leaving the central claim dependent on an unvalidated integration whose absence of coverage gaps is asserted but not demonstrated.
minor comments (1)
- The taxonomy of six interruption primitives and the four correctness invariants are introduced without an explicit mapping table showing which primitive realizes which invariant; adding such a table would improve traceability.
Simulated Author's Rebuttal
We thank the referee for the careful and constructive review. We respond to the single major comment below, acknowledging the distinction between the core measurements and the full integration claims.
Point-by-point responses
Referee: [Abstract, §1] Abstract and §1 (scope paragraph): the claim that the architecture 'demonstrate[s] the foreclosure of seven production-agent threats across five concrete workflows' rests on an untested composition step. The reported measurements apply only to the policy-engine core; no quantitative results are supplied for integration of the reasoning plane with the four enforcement planes, stop-anywhere mediation, or composite-principal attenuation inside the five workflows. The manuscript itself states that 'a full-system evaluation against a live agent benchmark is the invited next step,' leaving the central claim dependent on an unvalidated integration whose absence of coverage gaps is asserted but not demonstrated.
Authors: We agree that the reported measurements apply exclusively to the policy-engine core and that no quantitative results are provided for the integrated behavior of the reasoning plane with the enforcement planes, stop-anywhere mediation, or composite-principal attenuation within the five workflows. The manuscript's demonstration of threat foreclosure is analytical: it proceeds by defining the five-plane decomposition, the six interruption primitives, and the four correctness invariants, then applying these constructs to each workflow to show, by construction, how the seven threats are addressed. This is the standard mode of contribution for a reference architecture. Nevertheless, the referee correctly identifies that the central claim therefore rests on an unvalidated composition step. We will revise the abstract and the scope paragraph in §1 to state explicitly that the foreclosure is shown through the reference architecture and invariants rather than through empirical results from a fully integrated system, and we will retain the explicit statement that full-system evaluation against a live agent benchmark remains future work.
Revision: yes
Circularity Check
No significant circularity detected
Full rationale
The paper proposes a new five-plane reference architecture and four composable primitives for governing production AI agents, defines a taxonomy of interruption primitives and four correctness invariants, and supplies direct measurements from a reference implementation of the policy-engine core (attenuation correctness, evidence reconstructability, microsecond adjudication, tamper-evidence). No equations, fitted parameters renamed as predictions, self-citations, or self-definitional reductions appear in the text; the central claims are architectural definitions and empirical results on the implemented core rather than derivations that reduce to their own inputs by construction. The note that full-system evaluation is future work concerns validation scope, not circular logic.
Axiom & Free-Parameter Ledger
Axioms (2)
- Domain assumption: The four enforcement planes together with the reasoning plane comprehensively cover all sequences of delegated agent actions without gaps.
- Domain assumption: Stop-anywhere mediation and composite principals with capability attenuation can be realized in production systems without unacceptable performance cost or new attack surfaces.
Invented entities (3)
- Five-plane decomposition: no independent evidence
- Composite principals with capability attenuation: no independent evidence
- Six interruption primitives: no independent evidence