
arxiv: 2606.26298 · v1 · pith:3I2MYXRAnew · submitted 2026-06-24 · 💻 cs.AI · cs.CR

Governing Actions, Not Agents: Institutional Attestation as a Governance Model for Autonomous AI Systems

Pith reviewed 2026-06-26 01:39 UTC · model grok-4.3

classification 💻 cs.AI cs.CR
keywords AI governance · autonomous agents · institutional attestation · action preconditions · cryptographic binding · tamper-evident logs · AI safety · high-risk actions

The pith

AI agents retain full planning autonomy but require independent attestations for high-risk action execution.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes governing AI by focusing on actions rather than monitoring the agent's reasoning processes. High-risk actions such as clinical prescribing or software deployment become conditional on preconditions attested by separate authoritative sources, with each attestation cryptographically bound to a declared intent and checked by a deterministic policy. All decisions are recorded in a tamper-evident log that supports independent re-verification. A proof-of-concept implementation illustrates the approach in software deployment and clinical prescribing scenarios. This keeps the agent free to plan while blocking execution until external attestations are satisfied.

Core claim

Under the proposed model, an agent retains full autonomy over planning and reasoning but holds no execution authority over designated high-risk actions. Execution is conditional on preconditions that are each independently attested by a separate authoritative source, cryptographically bound to a declared intent, and evaluated by a deterministic policy. Decisions are recorded in a tamper-evident log amenable to independent re-verification.

What carries the argument

Institutional attestation: independent authoritative sources each attest specific preconditions for high-risk actions, with cryptographic binding to declared intent and deterministic policy evaluation.

If this is right

  • Agents keep unrestricted planning and reasoning while execution of high-risk actions is gated by external attestations.
  • Multiple independent sources for attestations distribute control away from any single party.
  • Tamper-evident logs make every execution decision subject to later independent audit.
  • The model applies to concrete domains including software deployment and clinical prescribing.
  • Execution authority is removed from the agent for designated actions but planning autonomy remains complete.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Existing institutions such as medical boards or software registries could supply the required attestations in their domains.
  • The model could be tested by simulating attestation failures to measure whether execution is reliably blocked.
  • New technical protocols for binding intents to attestations may be needed for practical deployment.
  • This action-focused approach could combine with other safety methods that target agent internals.

Load-bearing premise

Reliable independent authoritative sources exist and can supply attestations without introducing single points of failure or forgery risks.

What would settle it

A test case in which a forged attestation from one source allows an unauthorized high-risk action to execute despite the policy check.

Figures

Figures reproduced from arXiv: 2606.26298 by Jakob Salfeld-Nebgen.

Figure 1. Governed deploy_to_production: the agent collects independently signed attestations from the CI, code-review, and security-scan oracles, each bound to the issued intent identifier, before the hub verifies and authorises. Each oracle returns a signed attestation envelope containing its verified facts and the intent identifier. For example, the CI oracle returns: { "source_id": "ci_pipeline", "intent_id": "…

Figure 2. Governed prescribe_medication: the agent collects independently signed attestations from the EHR, drug-interaction, and DEA-licence oracles, each bound to the issued intent identifier, before the hub verifies and authorises. The hub executes the same verification pipeline as in Section 4.1: signature verification against pre-registered public keys, intent binding confirmation, completeness check, and con…
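The verification pipeline the two captions describe, as an added example in Go. This is not the paper's proof-of-concept code: the envelope layout, the field names other than source_id and intent_id, the "status": "pass" policy, the action and oracle names, and every key and intent identifier are constructed assumptions. Three oracles sign Ed25519 attestations bound to an intent identifier; the hub checks each signature against its pre-registered public key, confirms the intent binding, checks completeness against the oracles the action requires, applies a deterministic policy, and appends every decision to a hash-chained log that VerifyLog re-derives. Demo exercises the two failure cases the review points at: attestations replayed under a different intent, and facts altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attestation is one oracle's signed envelope; the signature covers the canonical JSON of the other fields.
type Attestation struct {
	SourceID  string            `json:"source_id"`
	IntentID  string            `json:"intent_id"`
	Facts     map[string]string `json:"facts"` // assumed field name
	Signature []byte            `json:"signature"`
}

// LogEntry is one record of the hash-chained log: Hash covers the other fields, Prev links back.
type LogEntry struct{ Prev, IntentID, Action, Decision, Reason, Hash string }

// Hub holds pre-registered oracle keys, required oracles per action, and the append-only log.
type Hub struct {
	Keys     map[string]ed25519.PublicKey
	Required map[string][]string
	Log      []LogEntry
	tip      string // hash of the last log record
}

func canon(v any) []byte { b, _ := json.Marshal(v); return b } // struct fields in order, map keys sorted
func signedBytes(a Attestation) []byte { a.Signature = nil; return canon(a) }
func entryHash(e LogEntry) string { e.Hash = ""; s := sha256.Sum256(canon(e)); return hex.EncodeToString(s[:]) }

// Sign is the oracle side (assumed helper): the facts are bound to the intent the oracle was asked about.
func Sign(priv ed25519.PrivateKey, a Attestation) Attestation { a.Signature = ed25519.Sign(priv, signedBytes(a)); return a }

func (h *Hub) record(intent, action, decision, reason string) {
	e := LogEntry{Prev: h.tip, IntentID: intent, Action: action, Decision: decision, Reason: reason}
	e.Hash = entryHash(e)
	h.tip, h.Log = e.Hash, append(h.Log, e)
}

// Authorize runs the pipeline in the order the captions give: signature check against the
// registered key, intent binding, completeness, deterministic policy. Every outcome is logged.
func (h *Hub) Authorize(action, intentID string, atts []Attestation) (bool, string) {
	deny := func(reason string) (bool, string) {
		h.record(intentID, action, "deny", reason)
		return false, reason
	}
	facts := map[string]map[string]string{}
	for _, a := range atts {
		if pub, ok := h.Keys[a.SourceID]; !ok || !ed25519.Verify(pub, signedBytes(a), a.Signature) {
			return deny("no registered key or invalid signature for " + a.SourceID)
		}
		if a.IntentID != intentID {
			return deny(a.SourceID + " attestation is bound to another intent")
		}
		facts[a.SourceID] = a.Facts
	}
	for _, req := range h.Required[action] { // completeness, then policy
		if _, ok := facts[req]; !ok {
			return deny("missing attestation from " + req)
		}
		if facts[req]["status"] != "pass" { // policy: each required oracle must report pass
			return deny(req + " did not attest pass")
		}
	}
	h.record(intentID, action, "allow", "all preconditions attested")
	return true, "allow"
}

// VerifyLog re-derives every hash and back-link so an auditor can detect later edits or removals.
func (h *Hub) VerifyLog() bool {
	for i, e := range h.Log {
		if (i > 0 && e.Prev != h.Log[i-1].Hash) || (i == 0 && e.Prev != "") || entryHash(e) != e.Hash {
			return false
		}
	}
	return true
}

// Demo wires the three Figure 1 roles (constructed keys and values) to a hub and returns the
// decisions for a valid intent, a replay under a new intent, and facts altered after signing.
func Demo() (allowed, replay, tampered, logOK bool) {
	hub := &Hub{Keys: map[string]ed25519.PublicKey{}, Required: map[string][]string{"deploy_to_production": {"ci_pipeline", "code_review", "security_scan"}}}
	intent, pass := "intent-0001", map[string]string{"status": "pass"}
	var atts []Attestation
	for _, id := range hub.Required["deploy_to_production"] {
		pub, key, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
		hub.Keys[id] = pub
		atts = append(atts, Sign(key, Attestation{SourceID: id, IntentID: intent, Facts: pass}))
	}
	allowed, _ = hub.Authorize("deploy_to_production", intent, atts)
	replay, _ = hub.Authorize("deploy_to_production", "intent-0002", atts)
	atts[2].Facts = map[string]string{"status": "fail"} // edited after signing, so the signature fails
	tampered, _ = hub.Authorize("deploy_to_production", intent, atts)
	return allowed, replay, tampered, hub.VerifyLog()
}

func main() { fmt.Println(Demo()) }
```

Two design points worth noting. The agent only carries envelopes between oracles and hub; it holds no signing key and no registered public key, so it cannot mint or alter an attestation, and because each envelope names the intent it was issued for, an attestation gathered for one deployment cannot be reused for the next. Denials are logged with the same chaining as approvals, so an auditor can later see which precondition failed and that nothing was removed from the record.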
Original abstract

Autonomous AI agents may begin to perform consequential, irreversible actions such as clinical prescribing and production software deployment. This paper observes that human institutions have governed powerful autonomous actors not by monitoring their reasoning but by requiring independently attested evidence at the point of consequential action. We formalise this institutional pattern as a computational governance model for AI agent systems. Under the proposed model, an agent retains full autonomy over planning and reasoning but holds no execution authority over designated high-risk actions. Execution is conditional on preconditions that are each independently attested by a separate authoritative source, cryptographically bound to a declared intent, and evaluated by a deterministic policy. Decisions are recorded in a tamper-evident log amenable to independent re-verification. We present a proof-of-concept implementation and illustrate the model with examples from software deployment and clinical prescribing.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims that autonomous AI agents can be governed for consequential actions by requiring independently attested preconditions at execution time rather than controlling their planning or reasoning. Under the model, agents retain full autonomy over reasoning but execution of high-risk actions is conditional on attestations from separate authoritative sources that are cryptographically bound to declared intent and evaluated by a deterministic policy; decisions are recorded in a tamper-evident log. A proof-of-concept implementation is presented and illustrated with examples from software deployment and clinical prescribing.

Significance. If the security and integration properties can be established, the model would offer a constructive governance pattern that separates agent autonomy from execution authority by leveraging existing institutional attestation mechanisms. This could be significant for high-stakes AI deployment domains, providing a falsifiable alternative to internal monitoring approaches and drawing directly from observed human institutional practices.

major comments (2)
  1. Abstract and model formalization: The central claim that execution authority is withheld because each precondition is attested by a separate authoritative source, cryptographically bound, and enforced by a deterministic policy the agent cannot bypass is load-bearing. However, the manuscript provides no analysis of how attestation sources are discovered, authenticated, or integrated without introducing single points of failure, centralization risks, collusion, or forgery vectors. This directly affects whether the claimed security properties hold.
  2. Proof-of-concept implementation: The manuscript states that a proof-of-concept is presented but supplies no details on implementation correctness, how the cryptographic binding or policy evaluation is realized outside agent control, or any evaluation of security properties. Without this, the central claim that the model prevents bypass cannot be assessed.
minor comments (1)
  1. Abstract: The abstract could more explicitly state the assumptions about the existence and reliability of authoritative sources.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments. We address each major point below and indicate planned revisions.

Point-by-point responses
  1. Referee: Abstract and model formalization: The central claim that execution authority is withheld because each precondition is attested by a separate authoritative source, cryptographically bound, and enforced by a deterministic policy the agent cannot bypass is load-bearing. However, the manuscript provides no analysis of how attestation sources are discovered, authenticated, or integrated without introducing single points of failure, centralization risks, collusion, or forgery vectors. This directly affects whether the claimed security properties hold.

    Authors: We agree that the manuscript does not analyze attestation source discovery, authentication, or integration risks. The contribution centers on formalizing the governance model itself, treating reliable attestation sources as an institutional primitive analogous to existing human practices. To strengthen the paper we will add a new subsection on model assumptions and limitations that explicitly discusses these vectors and notes how the model can be composed with existing PKI and identity frameworks. revision: yes

  2. Referee: Proof-of-concept implementation: The manuscript states that a proof-of-concept is presented but supplies no details on implementation correctness, how the cryptographic binding or policy evaluation is realized outside agent control, or any evaluation of security properties. Without this, the central claim that the model prevents bypass cannot be assessed.

    Authors: The proof-of-concept is intentionally high-level to demonstrate applicability rather than to serve as a security evaluation. We acknowledge the absence of low-level implementation details and security analysis. In revision we will expand the implementation section with additional description of the cryptographic binding mechanism and policy evaluation logic, clarifying how enforcement remains outside agent control, while stating that a full security audit lies beyond the scope of the present work. revision: yes

Circularity Check

0 steps flagged

No circularity: constructive formalization of observed institutional pattern

full rationale

The paper observes a human institutional pattern of requiring attested evidence at action points rather than monitoring reasoning, then formalizes this as a governance model for AI with preconditions, cryptographic binding, deterministic policy evaluation, and tamper-evident logs. It presents a POC implementation and domain examples. No equations, fitted parameters, self-citations, or uniqueness theorems appear in the provided text; the central claim is a constructive proposal, not a derivation that reduces to its inputs by construction. The model is self-contained against external benchmarks as an applied analogy rather than a closed mathematical system.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities; the model description relies on standard cryptographic and logging concepts without detailing new postulates.

pith-pipeline@v0.9.1-grok · 5660 in / 1115 out tokens · 19921 ms · 2026-06-26T01:39:33.303037+00:00 · methodology


Reference graph

Works this paper leans on

23 extracted references · 3 linked inside Pith

  1. D. D. Clark and D. R. Wilson, "A Comparison of Commercial and Military Computer Security Policies," IEEE Symposium on Security and Privacy, 1987.
  2. OASIS, "eXtensible Access Control Markup Language (XACML) Version 3.0," OASIS Standard, 2013.
  3. J. Cutler et al., "Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization," Proc. ACM on Programming Languages (OOPSLA), 2024.
  4. The Open Policy Agent Authors, "Rego Policy Language," https://www.openpolicyagent.org/docs/latest/policy-language/
  5. R. C. Merkle, "A Digital Signature Based on a Conventional Encryption Function," Advances in Cryptology (CRYPTO '87), 1988.
  6. B. Laurie, A. Langley, and E. Kasper, "Certificate Transparency," RFC 6962, Internet Engineering Task Force, 2013.
  7. S. Torres-Arias, H. Afzali, T. K. Kuppusamy, R. Curtmola, and J. Cappos, "in-toto: Providing farm-to-table guarantees for bits and bytes," USENIX Security Symposium, 2019.
  8. IETF SCITT Working Group, "An Architecture for Trustworthy and Transparent Digital Supply Chains," Internet-Draft, 2024.
  9. S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero Trust Architecture," NIST Special Publication 800-207, 2020.
  10. J. H. Saltzer and M. D. Schroeder, "The Protection of Information in Computer Systems," Proceedings of the IEEE, vol. 63, no. 9, 1975.
  11. M. S. Miller, "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control," Ph.D. dissertation, Johns Hopkins University, 2006.
  12. L. Lamport, R. Shostak, and M. Pease, "The Byzantine Generals Problem," ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, 1982.
  13. J. P. Anderson, "Computer Security Technology Planning Study," Technical Report ESD-TR-73-51, US Air Force Electronic Systems Division, 1972.
  14. D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, "High-Speed High-Security Signatures," Journal of Cryptographic Engineering, vol. 2, 2012.
  15. E. Engelke and S. Torres-Arias, "Dead Simple Signing Envelope," https://github.com/secure-systems-lab/dsse, 2021.
  16. S. Goldwasser, S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof Systems," SIAM Journal on Computing, vol. 18, no. 1, 1989.
  17. OWASP, "Top 10 for Agentic Applications," OWASP GenAI Security Project, 2025. See ASI10: Rogue Agents.
  18. European Parliament and Council, "Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)," Article 12: Record-keeping, 2024.
  19. U. Uchibeke, "Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents," arXiv preprint arXiv:2603.20953, 2026.
  20. J. He and D. Yu, "Sovereign Execution Broker: Enforcing Certificate-Bound Authority in Agentic Control Planes," arXiv preprint arXiv:2606.20520, 2026.
  21. A. Ruan, "From Logic Monopoly to Social Contract: Separation of Power and the Institutional Foundations for Autonomous Agent Economies," arXiv preprint arXiv:2603.25100, 2026.
  22. W. Qu, M. Xu, P. Wang, S. Zhai, J. Zhang, and D. Song, "Securing LLM Agents Need Intent-to-Execution Integrity," arXiv preprint arXiv:2605.16976, 2026.
  23. J. He and D. Yu, "Sovereign Assurance Boundary: Certificate-Bound Admission for Agentic Infrastructure," arXiv preprint arXiv:2606.11632, 2026.