
arxiv: 2606.12320 · v1 · pith: OCVW7RSE · submitted 2026-06-10 · cs.AI · cs.CC · cs.CR · cs.SE

A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents

Pith reviewed 2026-06-27 10:07 UTC · model grok-4.3

classification: cs.AI · cs.CC · cs.CR · cs.SE
keywords: runtime governance · AI agents · reference architecture · policy engine · composite principals · audit substrate · delegation chains · enforcement planes

The pith

A five-plane reference architecture governs production AI agents by enforcing decisions on composite principals across reasoning, network, identity, endpoint, and data planes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Enterprise security traditionally protects data at rest and in transit, but production AI agents act on behalf of enterprises by calling tools and modifying systems in sequences that can alter business processes without authorization. The paper establishes a reference architecture that decomposes governance into a reasoning plane for intent adjudication and four enforcement planes, using stop-anywhere mediation and composite principals whose authority attenuates through delegations. This approach defines interruption primitives and correctness invariants to address risks that existing policy engines cannot handle. If the architecture works as described, organizations can audit and control agent workflows with measured performance in microseconds and tamper-evident records. The authors demonstrate its application by foreclosing seven threats in five workflows through a reference implementation.

Core claim

The paper presents a reference architecture for runtime governance of production AI agents built from four composable primitives: a five-plane decomposition, stop-anywhere mediation, composite principals with capability attenuation, and audit as a structured evidence substrate. It defines a taxonomy of six interruption primitives, argues for four correctness invariants, and shows the foreclosure of seven production-agent threats across five concrete workflows. The policy-engine core provides evidence that attenuation correctness and evidence reconstructability hold on every trial, with single-digit microsecond adjudication and designed tamper-evidence in the audit substrate.

What carries the argument

The five-plane decomposition consisting of a reasoning plane that adjudicates intent and four enforcement planes that realize the decision, combined with stop-anywhere mediation and composite principals.

If this is right

  • Seven production-agent threats are foreclosed across five concrete workflows.
  • Attenuation correctness and evidence reconstructability hold on every trial in the reference implementation.
  • Adjudication runs in single-digit microseconds.
  • The audit substrate's tamper-evidence behaves as designed.
  • Four correctness invariants are maintained by the architecture.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This could be tested by deploying it against existing agent benchmarks to measure threat foreclosure rates.
  • Similar five-plane structures might apply to governance of multi-agent systems where delegation chains are longer.
  • Enterprises could map their current access control lists to the composite principals to reduce migration effort.

Load-bearing premise

The five-plane decomposition together with stop-anywhere mediation and composite principals can be composed without coverage gaps or new vulnerabilities when applied to real production agent workflows.

What would settle it

Running the reference implementation on a live production agent benchmark and observing an agent completing an unauthorized business process transformation that bypasses the planes.

Figures

Figures reproduced from arXiv: 2606.12320 by Krti Tallam.

Figure 1: The five-plane reference architecture.
Scope exclusions stated in the paper: Side-channel and timing attacks. Attacks that extract information through timing, power, or other side channels are the province of classical systems security and are out of scope for the action-governance threats considered here. Denial of service. Attacks that seek to exhaust the system's resources rather than to exceed authority are out of scope; the architecture's…
Figure 2: The seven mediation points along the agent execution loop.
Figure 3: End-to-end trace of a single agent action through the architecture.
Original abstract

Enterprise security was built to govern data boundaries: the protected surface was data at rest and in transit, and the controls -- access control, data-loss prevention, perimeter inspection -- governed crossings of that boundary. Production AI agents dissolve this assumption. An agent reads context, calls tools, invokes connectors, and modifies systems of record on an enterprise's behalf, so risk moves inside the workflow, into sequences of individually-permitted actions that may transform a business process no one authorized. Existing policy engines do not extend to this regime: they evaluate request-time decisions against atomic principals, where agentic systems require stateful evaluation against composite principals whose authority attenuates through delegation chains. We present a reference architecture for the runtime governance of production agents, built from four composable primitives: a five-plane decomposition (a reasoning plane that adjudicates intent, and four enforcement planes -- network, identity, endpoint, data -- that realize the decision), stop-anywhere mediation, composite principals with capability attenuation, and audit as a structured evidence substrate. We define a taxonomy of six interruption primitives that generalize allow and deny, state and argue for four correctness invariants, and demonstrate the foreclosure of seven production-agent threats across five concrete workflows. A reference implementation of the policy-engine core supplies measured evidence: attenuation correctness and evidence reconstructability hold on every trial, adjudication runs in single-digit microseconds, and the audit substrate's tamper-evidence behaves exactly as designed. We are explicit about scope: the architecture governs delegated action, not model behavior, and a full-system evaluation against a live agent benchmark is the invited next step.
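Two of the primitives the abstract names, composite principals with capability attenuation and audit as a tamper-evident evidence substrate, as an added illustration in Python that is not the paper's reference implementation: a delegation chain whose authority can only narrow (a delegate cannot be granted a capability its delegator does not hold), an allow/deny adjudication over the chain's effective authority, and a hash-chained audit log whose verification fails once any record is altered. The principal names, capability strings and record format are constructed for this example; the paper's six interruption primitives and four invariants are not reproduced here.

```python
"""Added illustration, not the paper's code: attenuating delegation chains
and a hash-chained audit log. Names and capabilities are constructed."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """One link in a delegation chain: `delegate` acts with `capabilities`."""
    delegate: str
    capabilities: frozenset


class AttenuationError(Exception):
    """Raised when a delegation would widen authority instead of narrowing it."""


class CompositePrincipal:
    """The root principal plus every delegation made on its behalf.

    Invariant: each link may only narrow the link before it, so the
    effective authority is the intersection of all links in the chain.
    """

    def __init__(self, root: str, capabilities):
        self.chain = [Delegation(root, frozenset(capabilities))]

    def delegate(self, delegate: str, capabilities) -> "CompositePrincipal":
        requested = frozenset(capabilities)
        parent = self.chain[-1].capabilities
        escalated = requested - parent
        if escalated:  # the delegator does not hold these, so it cannot grant them
            raise AttenuationError(
                f"{self.chain[-1].delegate} cannot grant {sorted(escalated)} to {delegate}")
        self.chain.append(Delegation(delegate, requested))
        return self

    def effective(self) -> frozenset:
        auth = self.chain[0].capabilities
        for link in self.chain[1:]:
            auth &= link.capabilities
        return auth

    def identity(self) -> str:
        return " -> ".join(link.delegate for link in self.chain)


class AuditLog:
    """Append-only log; every record commits to the hash of the record before it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        digest = self._digest(prev, event)
        self.records.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered record breaks it."""
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(prev, rec["event"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def adjudicate(principal: CompositePrincipal, action: str, log: AuditLog) -> bool:
    """Allow the action only if it lies in the chain's effective authority; log either way."""
    allowed = action in principal.effective()
    log.append({"principal": principal.identity(), "action": action,
                "decision": "allow" if allowed else "deny"})
    return allowed


def demo():
    log = AuditLog()
    # Constructed scenario: a user delegates to an orchestrator agent, which
    # delegates a narrower capability set to a tool-calling sub-agent.
    p = CompositePrincipal("alice", {"crm:read", "crm:write", "mail:send"})
    p.delegate("orchestrator", {"crm:read", "crm:write"})
    p.delegate("crm-tool-agent", {"crm:read"})
    decisions = {a: adjudicate(p, a, log) for a in ("crm:read", "crm:write", "mail:send")}
    # A further delegation that tries to regain a capability the sub-agent never held.
    try:
        p.delegate("helper", {"crm:read", "mail:send"})
        escalation_blocked = False
    except AttenuationError:
        escalation_blocked = True
    intact_before = log.verify()
    log.records[1]["event"]["decision"] = "allow"  # simulate after-the-fact tampering
    return decisions, escalation_blocked, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

Only the `crm:read` action is allowed, because it is the one capability every link in the chain holds; the attempted re-grant of `mail:send` is rejected at delegation time rather than at adjudication time, and flipping a stored decision from deny to allow makes `verify()` fail on that record.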

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes a five-plane reference architecture for runtime governance of production AI agents. It introduces four composable primitives—a reasoning plane plus network/identity/endpoint/data enforcement planes, stop-anywhere mediation, composite principals with capability attenuation, and an audit evidence substrate—along with a taxonomy of six interruption primitives and four correctness invariants. The central claim is that this architecture forecloses seven production-agent threats across five concrete workflows. A reference implementation of the policy-engine core provides measurements showing that attenuation correctness and evidence reconstructability hold on every trial, adjudication completes in single-digit microseconds, and the audit substrate exhibits the designed tamper-evidence properties. The paper explicitly scopes its contribution to delegated action (not model behavior) and identifies full-system evaluation against a live agent benchmark as future work.

Significance. If the five-plane composition and threat foreclosure hold without coverage gaps, the work would supply a structured, stateful alternative to atomic-principal policy engines for governing agentic workflows that cross enterprise systems of record. The measured properties of the policy-engine core (correctness on all trials, microsecond-scale adjudication, and exact tamper-evidence behavior) constitute concrete, reproducible evidence for the core mechanism; the definition of four invariants and six interruption primitives offers a clear basis for further verification.

major comments (1)
  1. [Abstract, §1] Abstract and §1 (scope paragraph): the claim that the architecture 'demonstrate[s] the foreclosure of seven production-agent threats across five concrete workflows' rests on an untested composition step. The reported measurements apply only to the policy-engine core; no quantitative results are supplied for integration of the reasoning plane with the four enforcement planes, stop-anywhere mediation, or composite-principal attenuation inside the five workflows. The manuscript itself states that 'a full-system evaluation against a live agent benchmark is the invited next step,' leaving the central claim dependent on an unvalidated integration whose absence of coverage gaps is asserted but not demonstrated.
minor comments (1)
  1. The taxonomy of six interruption primitives and the four correctness invariants are introduced without an explicit mapping table showing which primitive realizes which invariant; adding such a table would improve traceability.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful and constructive review. We respond to the single major comment below, acknowledging the distinction between the core measurements and the full integration claims.

Point-by-point responses
  1. Referee: [Abstract, §1] Abstract and §1 (scope paragraph): the claim that the architecture 'demonstrate[s] the foreclosure of seven production-agent threats across five concrete workflows' rests on an untested composition step. The reported measurements apply only to the policy-engine core; no quantitative results are supplied for integration of the reasoning plane with the four enforcement planes, stop-anywhere mediation, or composite-principal attenuation inside the five workflows. The manuscript itself states that 'a full-system evaluation against a live agent benchmark is the invited next step,' leaving the central claim dependent on an unvalidated integration whose absence of coverage gaps is asserted but not demonstrated.

    Authors: We agree that the reported measurements apply exclusively to the policy-engine core and that no quantitative results are provided for the integrated behavior of the reasoning plane with the enforcement planes, stop-anywhere mediation, or composite-principal attenuation within the five workflows. The manuscript's demonstration of threat foreclosure is analytical: it proceeds by defining the five-plane decomposition, the six interruption primitives, and the four correctness invariants, then applying these constructs to each workflow to show, by construction, how the seven threats are addressed. This is the standard mode of contribution for a reference architecture. Nevertheless, the referee correctly identifies that the central claim therefore rests on an unvalidated composition step. We will revise the abstract and the scope paragraph in §1 to state explicitly that the foreclosure is shown through the reference architecture and invariants rather than through empirical results from a fully integrated system, and we will retain the explicit statement that full-system evaluation against a live agent benchmark remains future work.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper proposes a new five-plane reference architecture and four composable primitives for governing production AI agents, defines a taxonomy of interruption primitives and four correctness invariants, and supplies direct measurements from a reference implementation of the policy-engine core (attenuation correctness, evidence reconstructability, microsecond adjudication, tamper-evidence). No equations, fitted parameters renamed as predictions, self-citations, or self-definitional reductions appear in the text; the central claims are architectural definitions and empirical results on the implemented core rather than derivations that reduce to their own inputs by construction. The note that full-system evaluation is future work concerns validation scope, not circular logic.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 3 invented entities

The architecture rests on the sufficiency of the five-plane decomposition and the feasibility of implementing the new primitives without introducing gaps or overhead; these are postulated rather than derived from external benchmarks.

axioms (2)
  • domain assumption: The four enforcement planes together with the reasoning plane comprehensively cover all sequences of delegated agent actions without gaps.
    The threat foreclosure and correctness invariants depend on this coverage assumption.
  • domain assumption: Stop-anywhere mediation and composite principals with capability attenuation can be realized in production systems without unacceptable performance cost or new attack surfaces.
    The measured microsecond adjudication and invariant holding rely on this implementation feasibility.
invented entities (3)
  • Five-plane decomposition (no independent evidence)
    purpose: Separate intent adjudication from enforcement across network, identity, endpoint, and data planes.
    New architectural construct introduced to address the agentic workflow regime.
  • Composite principals with capability attenuation (no independent evidence)
    purpose: Track and reduce authority through delegation chains for stateful evaluation.
    New mechanism for handling authority in agentic systems.
  • Six interruption primitives (no independent evidence)
    purpose: Generalize allow/deny into a taxonomy supporting stateful policy evaluation.
    New taxonomy introduced to support the architecture.

pith-pipeline@v0.9.1-grok · 5815 in / 1525 out tokens · 39621 ms · 2026-06-27T10:07:15.040235+00:00 · methodology

