Sovereign Assurance Boundary: Certificate-Bound Admission for Agentic Infrastructure

Deying Yu; Jun He

arxiv: 2606.11632 · v1 · pith:OSDUNIAFnew · submitted 2026-06-10 · 💻 cs.CR · cs.AI· cs.DC· cs.MA

Sovereign Assurance Boundary: Certificate-Bound Admission for Agentic Infrastructure

Jun He , Deying Yu This is my paper

Pith reviewed 2026-06-27 09:34 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.DCcs.MA

keywords sovereign assurance boundarycertificate-bound admissionagentic infrastructureruntime authorizationexecution contractsrevocation checkssovereign execution broker

0 comments

The pith

A certificate-bound airlock and broker turn agent proposals into scoped, revocable execution contracts before any infrastructure change.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Current mechanisms either grant static permissions or audit actions after they occur, leaving non-deterministic agents free to propose high-stakes resource mutations without runtime oversight. The paper presents the Sovereign Assurance Boundary as an intercepting layer that converts proposals into typed contracts bound to evidence digests and policy versions, then routes them through certification paths. Successful admission produces a signed certificate scoped to an execution identity, revocation epoch, and validity window. A separate broker performs fresh verification and drift checks immediately before invoking APIs. The result converts delegated authority into a cryptographically verifiable, evidence-bound, and revocable artifact rather than direct execution rights.

Core claim

The Sovereign Assurance Boundary intercepts agent proposals at an assurance airlock, compiles them into typed execution contracts bound to cryptographic evidence digests and policy versions, routes the contracts through consequence-aware certification paths, and upon admission emits a signed Sovereign Assurance Certificate strictly scoped to a specific execution identity, revocation epoch, and validity window; a sovereign execution broker then verifies the certificate and performs fresh pre-execution revocation and drift checks before any infrastructure API invocation, thereby preventing autonomous reasoning from directly mutating state.

What carries the argument

The Sovereign Assurance Certificate (Ω), a signed artifact that carries the admission decision and is strictly scoped to execution identity, revocation epoch, and validity window.

If this is right

Autonomous agents lose the ability to mutate production state directly.
Every execution decision becomes a replayable, evidence-bound artifact.
Revocation checks occur immediately before each API call rather than only at policy definition time.
Admission decisions remain traceable to specific cryptographic evidence and policy versions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same airlock-broker pattern could apply to other domains where non-deterministic controllers propose physical or financial actions.
Chaining multiple certificates across cooperating agents would require additional invariants on certificate composition.
The approach separates policy evaluation from execution in a way that may simplify regulatory audit trails.

Load-bearing premise

Consequence-aware certification paths can be implemented in practice without prohibitive latency or new vulnerabilities.

What would settle it

A production deployment in which an agent proposal bypasses the broker verification step and directly mutates infrastructure state, or admission latency measurements from the Go prototype that exceed operational thresholds for the target environment.

Figures

Figures reproduced from arXiv: 2606.11632 by Deying Yu, Jun He.

read the original abstract

Agentic infrastructure introduces a critical control-plane authorization problem: non-deterministic reasoning systems can propose high-stakes mutations to production resources, yet existing security mechanisms -- such as identity and access management (IAM), policy engines, consensus protocols, and audit logs -- either enforce static, context-unaware permissions or merely record actions post-execution. This paper introduces the Sovereign Assurance Boundary (SAB), a certificate-bound runtime admission layer for autonomous execution authority. SAB intercepts agent proposals at an assurance airlock, compiles them into typed execution contracts $C$, and binds these contracts to cryptographic evidence digests $H(E)$ and policy versions. The contracts are then routed through consequence-aware certification paths. Upon successful admission, the system emits a signed Sovereign Assurance Certificate ($\Omega$) that is strictly scoped to a specific execution identity, revocation epoch, and validity window. Finally, a sovereign execution broker verifies $\Omega$ and performs fresh pre-execution revocation and drift checks before invoking infrastructure APIs. We detail the airlock-broker architecture, formalize its admission and revocation invariants, and report preliminary feasibility measurements from a Go prototype evaluated over 2,500 admission attempts. Ultimately, this broker-enforced model prevents autonomous reasoning from directly mutating state, transforming delegated execution authority into a cryptographically verifiable, evidence-bound, revocable, and replayable runtime artifact.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper frames a certificate-bound airlock and broker for agentic infrastructure control but the prototype leaves the key reliability claims on crypto and policy engines untested.

read the letter

The main takeaway is an architectural sketch for stopping non-deterministic agents from directly mutating production state. Proposals hit an assurance airlock that turns them into typed contracts, routes them through consequence-aware paths, and issues a scoped sovereign certificate. A broker then does fresh revocation and drift checks before any API call.

The work does a solid job naming the gap between static IAM and post-execution logs. The combination of revocation epochs, evidence digests, and a broker-enforced boundary is a distinct framing. They formalize admission and revocation invariants and include a Go prototype with 2500 admission runs, which at least shows the basic flow can be implemented.

The soft spots sit in the validation. The prototype reports feasibility but supplies no latency numbers, no breakdown of failure cases, and no adversarial testing of the cryptographic primitives or policy-engine drift. Without those, the claim that the system adds no new vulnerabilities stays an assertion. There is also no comparison to existing certificate or policy work, so it is hard to judge how much is incremental.

This is for readers working on runtime security for autonomous agents or control-plane designs in production infrastructure. The problem is real and the framing is worth discussing.

I would send it to peer review. The ideas are concrete enough to benefit from referee input on the evaluation gaps.

Referee Report

3 major / 2 minor

Summary. The paper proposes the Sovereign Assurance Boundary (SAB), a certificate-bound runtime admission layer for agentic infrastructure. Agent proposals are intercepted at an assurance airlock, compiled into typed execution contracts C bound to cryptographic evidence digests H(E) and policy versions, routed through consequence-aware certification paths, and result in issuance of a signed Sovereign Assurance Certificate (Ω) scoped to execution identity, revocation epoch, and validity window. A sovereign execution broker verifies Ω with fresh pre-execution checks before API invocation. The manuscript details the airlock-broker architecture, formalizes admission/revocation invariants, and reports Go prototype results over 2,500 admission attempts, claiming this model prevents autonomous reasoning from directly mutating state.

Significance. If the formalized invariants hold under the stated cryptographic and policy assumptions and the prototype generalizes, the approach could provide a practical mechanism for making delegated execution authority in non-deterministic agent systems cryptographically verifiable, revocable, and replayable, addressing a gap between static IAM/policy engines and post-hoc audit logs.

major comments (3)

[§4] §4 (Formalization of invariants): The manuscript states that admission and revocation invariants are formalized, yet supplies no equations, proof sketches, or machine-checked artifacts establishing that the consequence-aware certification paths and Ω scoping prevent direct mutations; without these, the central security claim remains an unverified assertion.
[§5] §5 (Prototype evaluation): The report of 2,500 admission attempts is presented as feasibility evidence, but the text provides no breakdown of success/failure rates, latency distributions, adversarial test cases against the cryptographic primitives, or measurements isolating policy-engine drift or revocation failures, leaving the 'no new vulnerabilities' guarantee untested.
[§3.2] §3.2 (Certification paths): The description of consequence-aware certification paths assumes reliable underlying cryptographic primitives and policy engines without any validation or threat model addressing implementation-induced vulnerabilities or latency overheads that could undermine the broker's pre-execution checks.

minor comments (2)

Notation for the certificate Ω and contract C is introduced without an explicit table of symbols or scoping rules, which would aid readability.
The abstract and introduction use the term 'parameter-free' in passing for the architecture; clarify whether any policy-version or epoch parameters are treated as free or fixed.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments identify key opportunities to increase the rigor of the formalization, evaluation, and threat analysis. We respond to each major comment below and indicate the revisions that will be incorporated.

read point-by-point responses

Referee: [§4] §4 (Formalization of invariants): The manuscript states that admission and revocation invariants are formalized, yet supplies no equations, proof sketches, or machine-checked artifacts establishing that the consequence-aware certification paths and Ω scoping prevent direct mutations; without these, the central security claim remains an unverified assertion.

Authors: We agree that while §4 describes the invariants narratively, it does not supply explicit equations or proof sketches. In the revised manuscript we will add a dedicated formalization subsection that states the admission and revocation invariants as equations, defines the scoping properties of Ω, and includes brief proof sketches showing how consequence-aware paths and evidence binding prevent direct mutations under the stated cryptographic and policy assumptions. Machine-checked artifacts are not available at this stage. revision: yes
Referee: [§5] §5 (Prototype evaluation): The report of 2,500 admission attempts is presented as feasibility evidence, but the text provides no breakdown of success/failure rates, latency distributions, adversarial test cases against the cryptographic primitives, or measurements isolating policy-engine drift or revocation failures, leaving the 'no new vulnerabilities' guarantee untested.

Authors: Section §5 presents the 2,500 attempts strictly as preliminary feasibility data rather than a comprehensive security evaluation. We will expand the section to report success/failure rates, latency distributions, and any adversarial testing performed on the cryptographic components. The manuscript does not claim a 'no new vulnerabilities' guarantee; it shows that the broker-enforced model prevents direct state mutation. We will add explicit language clarifying these scope limitations. revision: partial
Referee: [§3.2] §3.2 (Certification paths): The description of consequence-aware certification paths assumes reliable underlying cryptographic primitives and policy engines without any validation or threat model addressing implementation-induced vulnerabilities or latency overheads that could undermine the broker's pre-execution checks.

Authors: We acknowledge that §3.2 relies on standard assumptions without an accompanying threat model. The revised manuscript will add a threat-model subsection that enumerates assumptions on the cryptographic primitives and policy engines, discusses potential implementation vulnerabilities and latency overheads, and explains how the broker's fresh pre-execution checks address these risks within the model. revision: yes

Circularity Check

0 steps flagged

Architectural proposal with no derivations or fitted predictions

full rationale

The paper introduces an architectural system (SAB airlock-broker), formalizes admission/revocation invariants, and reports Go prototype measurements over 2,500 attempts. No equations, parameters, or first-principles derivations are present that could reduce to inputs by construction. No self-citations, uniqueness theorems, or ansatzes are invoked. The work is self-contained as a design proposal with empirical feasibility data; invariants are stated as design properties rather than derived from fitted data.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 1 invented entities

Abstract-only review provides no explicit free parameters, axioms, or independent evidence for new entities; the Sovereign Assurance Certificate is introduced as a core artifact without external validation details.

invented entities (1)

Sovereign Assurance Certificate (Ω) no independent evidence
purpose: Provide strictly scoped, revocable, evidence-bound execution authority
New artifact defined in the admission flow; no independent evidence supplied

pith-pipeline@v0.9.1-grok · 5770 in / 1159 out tokens · 24250 ms · 2026-06-27T09:34:16.859140+00:00 · methodology

discussion (0)

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

Sovereign Execution Broker: Enforcing Certificate-Bound Authority in Agentic Control Planes
cs.CR 2026-06 unverdicted novelty 6.0

The Sovereign Execution Broker (SEB) enforces certificate-bound authority at execution time by verifying mutations against certified contracts, validity windows, and policy epochs before invoking infrastructure APIs.
Governing Actions, Not Agents: Institutional Attestation as a Governance Model for Autonomous AI Systems
cs.AI 2026-06 unverdicted novelty 5.0

The paper formalizes a computational governance model where AI agents retain planning autonomy but require cryptographically bound, independently attested preconditions for executing high-risk actions, supported by ta...

Reference graph

Works this paper leans on

18 extracted references · 4 linked inside Pith · cited by 2 Pith papers

[1]

ReAct: Synergizing reasoning and acting in language models

Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan, and Yuan Cao. ReAct: Synergizing reasoning and acting in language models. arXiv preprint arXiv:2210.03629, 2022

Pith/arXiv arXiv 2022
[2]

Toolformer: Language models can teach themselves to use tools.arXiv preprint arXiv:2302.04761, 2023

Timo Schick, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Luke Zettlemoyer, Nicola Can- cedda, and Thomas Scialom. Toolformer: Language models can teach themselves to use tools.arXiv preprint arXiv:2302.04761, 2023

Pith/arXiv arXiv 2023
[3]

Semantic quorum assurance: Collective certification for non-deterministic ai infras- tructure.arXiv preprint arXiv:2606.08021, 2026

Jun He and Deying Yu. Semantic quorum assurance: Collective certification for non-deterministic ai infras- tructure.arXiv preprint arXiv:2606.08021, 2026

Pith/arXiv arXiv 2026
[4]

Using simplicity to control complexity.IEEE Software, 18(4):20–28, 2001

Lui Sha. Using simplicity to control complexity.IEEE Software, 18(4):20–28, 2001

2001
[5]

Shield synthesis: Runtime enforcement for reactive systems

Roderick Bloem, Bettina Könighofer, Robert Könighofer, and Chao Wang. Shield synthesis: Runtime enforcement for reactive systems. InPro- ceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 533–548, 2015

2015
[6]

Security assurance cases: Motivation and research agenda.System Safety Society, 2001

John Rushby. Security assurance cases: Motivation and research agenda.System Safety Society, 2001

2001
[7]

Zero trust architecture

Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Con- nelly. Zero trust architecture. Technical Report Special Publication 800-207, National Institute of Standards and Technology (NIST), 2020

2020
[8]

Aws identity and access management (iam) user guide

AWS. Aws identity and access management (iam) user guide. InAmazon Web Services Technical Documenta- tion, 2024

2024
[9]

Policy language

Open Policy Agent. Policy language. Open Policy Agent documentation, 2026. Accessed 2026-06-05

2026
[10]

The part-time parliament.ACM Trans- actions on Computer Systems (TOCS), 16(2):133–169, 1998

Leslie Lamport. The part-time parliament.ACM Trans- actions on Computer Systems (TOCS), 16(2):133–169, 1998

1998
[11]

In search of an understandable consensus algorithm

Diego Ongaro and John Ousterhout. In search of an understandable consensus algorithm. InProceedings of the USENIX Annual Technical Conference (ATC), pages 305–320, 2014

2014
[12]

OW ASP top 10 for large language model applications

OW ASP Foundation. OW ASP top 10 for large language model applications. OW ASP project page, 2025

2025
[13]

Smolka, and Scott D

Dzung Phan, Radu Grosu, Nils Jansen, Nicola Paoletti, Scott A. Smolka, and Scott D. Stoller. Neural simplex architecture. InNASA Formal Methods Symposium, pages 97–114, 2020

2020
[14]

Practical byzantine fault tolerance

Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance. InProceedings of the Symposium on Operating Systems Design and Implementation (OSDI), pages 173–186, 1999

1999
[15]

Dynamic admission control

Kubernetes. Dynamic admission control. Kubernetes documentation, 2026. Accessed 2026-06-05

2026
[16]

Llama Guard: LLM-based input-output safeguard for human- AI conversations.arXiv preprint arXiv:2312.06674, 2023

Hakan Inan, Kartikeya Upasani, Jian Zhang, Rashi Rungta, Riza Aktas, Felipe Cruz, Jason Ramapuram, Stephen Hicks, Onur Dilek, Igor Molybog, et al. Llama Guard: LLM-based input-output safeguard for human- AI conversations.arXiv preprint arXiv:2312.06674, 2023

Pith/arXiv arXiv 2023
[17]

PROV-DM: The PROV data model

Luc Moreau and Paolo Missier. PROV-DM: The PROV data model. Technical report, World Wide Web Consor- tium, 2013

2013
[18]

Artifi- cial intelligence risk management framework (AI RMF 1.0)

National Institute of Standards and Technology. Artifi- cial intelligence risk management framework (AI RMF 1.0). Technical Report NIST AI 100-1, National Institute of Standards and Technology, 2023. 12

2023

[1] [1]

ReAct: Synergizing reasoning and acting in language models

Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan, and Yuan Cao. ReAct: Synergizing reasoning and acting in language models. arXiv preprint arXiv:2210.03629, 2022

Pith/arXiv arXiv 2022

[2] [2]

Toolformer: Language models can teach themselves to use tools.arXiv preprint arXiv:2302.04761, 2023

Timo Schick, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Luke Zettlemoyer, Nicola Can- cedda, and Thomas Scialom. Toolformer: Language models can teach themselves to use tools.arXiv preprint arXiv:2302.04761, 2023

Pith/arXiv arXiv 2023

[3] [3]

Semantic quorum assurance: Collective certification for non-deterministic ai infras- tructure.arXiv preprint arXiv:2606.08021, 2026

Jun He and Deying Yu. Semantic quorum assurance: Collective certification for non-deterministic ai infras- tructure.arXiv preprint arXiv:2606.08021, 2026

Pith/arXiv arXiv 2026

[4] [4]

Using simplicity to control complexity.IEEE Software, 18(4):20–28, 2001

Lui Sha. Using simplicity to control complexity.IEEE Software, 18(4):20–28, 2001

2001

[5] [5]

Shield synthesis: Runtime enforcement for reactive systems

Roderick Bloem, Bettina Könighofer, Robert Könighofer, and Chao Wang. Shield synthesis: Runtime enforcement for reactive systems. InPro- ceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 533–548, 2015

2015

[6] [6]

Security assurance cases: Motivation and research agenda.System Safety Society, 2001

John Rushby. Security assurance cases: Motivation and research agenda.System Safety Society, 2001

2001

[7] [7]

Zero trust architecture

Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Con- nelly. Zero trust architecture. Technical Report Special Publication 800-207, National Institute of Standards and Technology (NIST), 2020

2020

[8] [8]

Aws identity and access management (iam) user guide

AWS. Aws identity and access management (iam) user guide. InAmazon Web Services Technical Documenta- tion, 2024

2024

[9] [9]

Policy language

Open Policy Agent. Policy language. Open Policy Agent documentation, 2026. Accessed 2026-06-05

2026

[10] [10]

The part-time parliament.ACM Trans- actions on Computer Systems (TOCS), 16(2):133–169, 1998

Leslie Lamport. The part-time parliament.ACM Trans- actions on Computer Systems (TOCS), 16(2):133–169, 1998

1998

[11] [11]

In search of an understandable consensus algorithm

Diego Ongaro and John Ousterhout. In search of an understandable consensus algorithm. InProceedings of the USENIX Annual Technical Conference (ATC), pages 305–320, 2014

2014

[12] [12]

OW ASP top 10 for large language model applications

OW ASP Foundation. OW ASP top 10 for large language model applications. OW ASP project page, 2025

2025

[13] [13]

Smolka, and Scott D

Dzung Phan, Radu Grosu, Nils Jansen, Nicola Paoletti, Scott A. Smolka, and Scott D. Stoller. Neural simplex architecture. InNASA Formal Methods Symposium, pages 97–114, 2020

2020

[14] [14]

Practical byzantine fault tolerance

Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance. InProceedings of the Symposium on Operating Systems Design and Implementation (OSDI), pages 173–186, 1999

1999

[15] [15]

Dynamic admission control

Kubernetes. Dynamic admission control. Kubernetes documentation, 2026. Accessed 2026-06-05

2026

[16] [16]

Llama Guard: LLM-based input-output safeguard for human- AI conversations.arXiv preprint arXiv:2312.06674, 2023

Hakan Inan, Kartikeya Upasani, Jian Zhang, Rashi Rungta, Riza Aktas, Felipe Cruz, Jason Ramapuram, Stephen Hicks, Onur Dilek, Igor Molybog, et al. Llama Guard: LLM-based input-output safeguard for human- AI conversations.arXiv preprint arXiv:2312.06674, 2023

Pith/arXiv arXiv 2023

[17] [17]

PROV-DM: The PROV data model

Luc Moreau and Paolo Missier. PROV-DM: The PROV data model. Technical report, World Wide Web Consor- tium, 2013

2013

[18] [18]

Artifi- cial intelligence risk management framework (AI RMF 1.0)

National Institute of Standards and Technology. Artifi- cial intelligence risk management framework (AI RMF 1.0). Technical Report NIST AI 100-1, National Institute of Standards and Technology, 2023. 12

2023