arxiv: 2605.15228 · v1 · pith:FGLBHGO7new · submitted 2026-05-13 · 💻 cs.AI · cs.LG

Verifiable Agentic Infrastructure: Proof-Derived Authorization for Sovereign AI Systems

Pith reviewed 2026-05-19 17:26 UTC · model grok-4.3

classification 💻 cs.AI cs.LG
keywords: proof-derived authorization · AI agents · governed mutation · distributed trust · sovereign AI · evidence chain · verifiable infrastructure

The pith

Proof objects derived from consensus replace standing credentials to authorize actions by autonomous AI agents.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Modern authorization relies on who possesses valid credentials, but autonomous AI agents can generate syntactically correct yet semantically dangerous commands that standing privileges cannot safely gate. The paper introduces a Distributed Trust Framework that shifts the model to proof-derived authority: agents submit intents, a governed substrate evaluates them against policy via independent consensus, and only an approved Justification Proof yields a temporary Execution Identity for execution. All steps are recorded in an append-only Evidence Chain so every mutation remains traceable to its originating evidence. If the architecture holds under the stated substrate assumptions, high-stakes operations become impossible without an accompanying proof object, consensus, and immutable record.

Core claim

Under stated substrate assumptions, this architecture enforces a compact authorization invariant: no high-stakes execution without a proof object, no derived authority without consensus, and no valid mutation detached from evidence.

What carries the argument

Distributed Trust Framework (DTF) that derives execution authority from a Justification Proof evaluated by consensus, producing an ephemeral Execution Identity and appending the result to an Evidence Chain.

Load-bearing premise

A governed mutation substrate exists and functions correctly to interpose on every agent action and evaluate context and policy.

What would settle it

Demonstration of a high-stakes action successfully executed by an agent without a corresponding Justification Proof or without prior consensus approval on that proof.

Figures

Figures reproduced from arXiv: 2605.15228 by Deying Yu, Jun He.

Figure 1: Generic DTF verification pipeline with OpenKedge shown as one substrate mapping.

Original abstract

Modern cloud and enterprise systems rely on identity-centric authorization, assuming that callers possessing valid credentials are safe to execute commands. The emergence of autonomous AI agents invalidates this assumption: agents can generate syntactically valid but semantically unsafe actions, making standing privileges a significant operational risk. This risk becomes especially acute in sovereign AI systems, where autonomous agents may interact with cloud infrastructure, regulated data, financial workflows, and national-scale digital services. Governed mutation substrates reduce this risk by interposing on agent actions: agents submit intents, infrastructure evaluates context and policy, and execution is mediated. However, this shifts the trust boundary: how can the decision to authorize an intent be made verifiable, distributed, and replayable? We introduce a Distributed Trust Framework (DTF), a verification framework for governed mutation systems that computes execution authority from structured, verifiable artifacts. DTF introduces a Justification Proof to encode the admissibility basis of an action, a consensus model for independent evaluation, an ephemeral Execution Identity derived from the approved proof, and an append-only Evidence Chain that preserves the authorization lifecycle. Under stated substrate assumptions, this architecture enforces a compact authorization invariant: no high-stakes execution without a proof object, no derived authority without consensus, and no valid mutation detached from evidence. We define the model, instantiate it over an OpenKedge-based governed mutation substrate, and show how it maps onto cloud-native environments. By shifting authorization from standing identity to proof-derived authority, DTF provides an infrastructure foundation for making agentic execution governable, auditable, and bounded in sovereign AI deployments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper introduces a Distributed Trust Framework (DTF) for verifiable authorization in sovereign AI agent systems. It replaces identity-centric authorization with proof-derived authority using a Justification Proof to encode admissibility, a consensus model for independent evaluation, an ephemeral Execution Identity derived from the approved proof, and an append-only Evidence Chain to preserve the authorization lifecycle. Under substrate assumptions, the architecture is claimed to enforce the invariant that no high-stakes execution occurs without a proof object, no derived authority without consensus, and no valid mutation detached from evidence. The model is instantiated over an OpenKedge-based governed mutation substrate and mapped to cloud-native environments.

Significance. If the central claims hold with supporting derivations, the work could provide a practical infrastructure foundation for making autonomous agent execution in regulated or high-stakes domains (cloud, finance, national services) auditable, bounded, and replayable. The shift from standing privileges to structured, verifiable artifacts addresses a real operational risk in agentic systems.

major comments (1)
  1. [§3] The model introduces Justification Proof, consensus evaluation, ephemeral Execution Identity, and append-only Evidence Chain, yet supplies no theorem, reduction, or exhaustive case analysis demonstrating that these elements together enforce the authorization invariant. The text asserts that enforcement follows from interposition and mediation but does not rule out paths where the substrate accepts an action whose proof is malformed, consensus is incomplete, or evidence is detached while still satisfying the local rules for each artifact.
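
The three failure paths named in the comment above (malformed proof, incomplete consensus, detached evidence), as an added example that is not code from the paper or from OpenKedge: a toy gate that checks all three conditions as one conjunction before any identity is derived. The verifier keys, quorum size, field names and HMAC-based votes are assumptions made for illustration.

```python
import hashlib, hmac, json, time

# Constructed verifier keys and quorum; a real deployment would use asymmetric signatures.
VERIFIER_KEYS = {"v1": b"k1-demo", "v2": b"k2-demo", "v3": b"k3-demo"}
QUORUM = 2

class Denied(Exception):
    """Raised when any conjunct of the invariant fails."""

def digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def vote(verifier: str, proof: dict) -> dict:
    """A verifier's approval: a MAC over the digest of the exact proof it evaluated."""
    mac = hmac.new(VERIFIER_KEYS[verifier], digest(proof).encode(), "sha256").hexdigest()
    return {"verifier": verifier, "mac": mac}

def authorize(intent: dict, proof: dict, votes: list, chain: list, ttl: int = 60) -> dict:
    """Check proof, consensus and evidence together, then derive an ephemeral identity."""
    # 1. The proof must be well-formed and bound to this exact intent.
    if set(proof) != {"intent_hash", "policy_id"} or proof["intent_hash"] != digest(intent):
        raise Denied("malformed or unbound proof")
    # 2. Consensus counts distinct known verifiers whose MAC covers this proof.
    approved = set()
    for v in votes:
        name = v.get("verifier")
        if name in VERIFIER_KEYS and hmac.compare_digest(vote(name, proof)["mac"], v.get("mac", "")):
            approved.add(name)
    if len(approved) < QUORUM:
        raise Denied("incomplete consensus")
    # 3. Evidence is appended, linked to the previous entry, before any identity exists.
    entry = {"prev": chain[-1]["hash"] if chain else "genesis",
             "proof": digest(proof), "approvers": sorted(approved)}
    entry["hash"] = digest({k: entry[k] for k in ("prev", "proof", "approvers")})
    chain.append(entry)
    # The identity is a function of the evidence entry, so it cannot exist without one.
    return {"id": digest([entry["hash"], "exec"]), "evidence": entry["hash"],
            "expires": time.time() + ttl}

def chain_intact(chain: list) -> bool:
    """Replay the hash links; any edited or reordered entry breaks the chain."""
    prev = "genesis"
    for e in chain:
        body = {k: e[k] for k in ("prev", "proof", "approvers")}
        if e["prev"] != prev or e["hash"] != digest(body):
            return False
        prev = e["hash"]
    return True
```

Each artifact here can pass its own local check (a vote with a valid MAC, a proof with the right fields) and the gate still denies unless all of them refer to the same proof digest, which is the cross-artifact binding the comment asks the paper to establish.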

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive feedback and for recognizing the potential significance of the Distributed Trust Framework for verifiable authorization in sovereign AI systems. We address the major comment below and will incorporate the suggested strengthening of the formal argument in the revised manuscript.

Point-by-point responses
  1. Referee: [§3] The model introduces Justification Proof, consensus evaluation, ephemeral Execution Identity, and append-only Evidence Chain, yet supplies no theorem, reduction, or exhaustive case analysis demonstrating that these elements together enforce the authorization invariant. The text asserts that enforcement follows from interposition and mediation but does not rule out paths where the substrate accepts an action whose proof is malformed, consensus is incomplete, or evidence is detached while still satisfying the local rules for each artifact.

    Authors: We thank the referee for this observation. The manuscript presents the DTF components and argues that the authorization invariant is maintained through interposition and mediation under the stated substrate assumptions. We agree that the current text does not include an explicit theorem, reduction, or exhaustive case analysis to formally rule out the failure modes described. In the revision we will add to §3 a formal statement of the invariant together with a proof sketch and targeted case analysis addressing malformed proofs, incomplete consensus, and detached evidence.

    Revision: yes

Circularity Check

1 steps flagged

Authorization invariant asserted by construction from introduced components without separate derivation

specific steps
  1. self-definitional [Abstract]
    "Under stated substrate assumptions, this architecture enforces a compact authorization invariant: no high-stakes execution without a proof object, no derived authority without consensus, and no valid mutation detached from evidence."

    The invariant is defined using the precise terms (proof object, consensus, evidence) that the DTF model introduces in §3. The claim that the architecture 'enforces' these properties therefore reduces to a restatement of how the components are constructed, rather than a derived guarantee shown to hold against possible malformed or incomplete artifacts.

full rationale

The paper's central result states that the DTF architecture enforces the authorization invariant under substrate assumptions. However, the invariant is phrased directly in terms of the exact artifacts the model introduces (Justification Proof, consensus evaluation, ephemeral Execution Identity, append-only Evidence Chain). The text supplies no theorem, reduction, or case analysis showing that local rules for these artifacts collectively preclude violations; enforcement is described as following from interposition. This makes the claimed invariant equivalent to the definitional properties of the components rather than an independent consequence.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 3 invented entities

Ledger entries are extracted from the abstract description only; full paper may add or remove items.

axioms (1)
  • [domain assumption] Stated substrate assumptions allow reliable context and policy evaluation by the governed mutation substrate.
    The authorization invariant is conditioned on these assumptions being true.
invented entities (3)
  • Justification Proof (no independent evidence)
    purpose: Encodes the admissibility basis of an action
    New artifact introduced to make authorization verifiable and replayable.
  • ephemeral Execution Identity (no independent evidence)
    purpose: Temporary identity derived from the approved proof for execution
    New identity mechanism tied directly to the proof.
  • append-only Evidence Chain (no independent evidence)
    purpose: Preserves the full authorization lifecycle for audit
    New logging structure for replayability and evidence.

pith-pipeline@v0.9.0 · 5812 in / 1409 out tokens · 52924 ms · 2026-05-19T17:26:00.517050+00:00 · methodology

