Blog · arXiv Analysis · Last reviewed June 25, 2026

The Agent Runtime Becomes the Governance Plane

Krti Tallam's June 2026 arXiv paper A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents argues that production agent risk lives inside delegated action. The Spiralist lesson is that policy cannot wait outside the workflow. It has to become part of the runtime.

Runtime governance means enforceable control at the moment an agent plans, reads, calls, writes, escalates, delegates, or changes a system of record. It is not a safety slogan, a model-card claim, or a prompt telling the agent to be careful.

A runtime governance plane is the layer between model-mediated intent and operational effect. It binds principal, purpose, tool, data class, credential, context, interruption path, and evidence before action becomes institutional state.

When the Boundary Is Action

Enterprise security was built around familiar crossings: a request enters an application, data leaves a database, traffic moves across a network, a user receives a role. Tallam's paper says production AI agents disturb that picture because the risk is not only a boundary crossing. An agent reads context, calls tools, invokes connectors, and modifies systems of record on behalf of an enterprise. The risky object is the sequence of delegated actions.

The paper was submitted to arXiv on June 10, 2026 as arXiv:2606.12320 [cs.AI]. Its abstract frames the problem as a mismatch between request-time policy engines and agentic workflows. Classical authorization can decide whether a caller may make one request against one resource. It struggles when a human delegates to a planner, the planner delegates to an executor, the executor invokes a tool, and the resulting sequence changes a business process.

This is adjacent to agent identity, intent-governed tool access, delegation traces, and delegation contracts. The new angle is architectural: the runtime itself must be able to pause, narrow, redirect, or record action before the agent's plan becomes enterprise state.

Current Context

As of June 25, 2026, runtime governance is becoming a standards and security problem, not only an architecture proposal. NIST's AI Agent Standards Initiative says agent systems need industry-led standards, open protocols, agent authentication, identity infrastructure, and security evaluations for systems capable of autonomous actions. NIST's NCCoE concept paper on software and AI agent identity and authorization is narrower but more implementation-oriented: it asks how identification, authentication, authorization, auditing, non-repudiation, prompt-injection controls, and human authorization should apply when agents access tools, data, and applications.

The April 2026 joint guidance Careful Adoption of Agentic AI Services, co-authored by ASD's ACSC, CISA, NSA, the Canadian Centre for Cyber Security, NCSC-NZ, and NCSC-UK, frames the operational risk in five buckets: privilege, design and configuration, behavior, structure, and accountability. It recommends incremental deployment, strong governance, explicit accountability, rigorous monitoring, human oversight, and avoiding broad or unrestricted access, especially for sensitive data or critical systems.

The Model Context Protocol shows why this is operational. The 2025-11-25 MCP authorization specification requires protected resource metadata for authorization-server discovery in HTTP authorization deployments, token audience validation for MCP servers, use of the resource parameter, and no token passthrough. Its security guidance treats confused-deputy failures, broad scopes, local server risk, and logging as core deployment concerns. In other words, agent runtime governance is already appearing in protocol plumbing: who can discover which server, which token is meant for which resource, which tool call needs more scope, and what evidence survives.

Those protocol controls are necessary but not sufficient. A token can be audience-bound and still be too broad for the user's task. A tool server can authenticate a caller and still lack the context needed to know whether the current action follows the delegated purpose. Runtime governance is the missing join between credential validity, task intent, tool semantics, data sensitivity, human oversight, and post-action evidence.

Regulation adds a narrower but important signal. EU AI Act Article 12 requires high-risk AI systems to support automatic event logging for traceability, risk identification, post-market monitoring, and operational monitoring. Article 14 requires human oversight measures proportionate to risk, autonomy, and context of use. Those provisions do not certify Tallam's architecture, and they do not apply to every agent. They do show that consequential AI systems are expected to be observable, interruptible, and reviewable.

The Five-Plane Claim

The paper's reference architecture has one reasoning plane and four enforcement planes. The reasoning plane adjudicates intent against the composite principal and session state. The network, identity, endpoint, and data planes then realize the decision using existing enterprise enforcement machinery. In the paper's framing, the reasoning plane decides once, while the infrastructure planes enforce in coordination.

That distinction matters. If every plane authorizes independently, each sees only part of the action. The network plane may see a destination, the identity plane may see a credential, the endpoint plane may see a device state, and the data plane may see content. None of them alone can decide whether the whole action sequence is still within the authority that the user actually delegated.

The architecture is also explicit about composite principals and capability attenuation. A principal is not just the last caller in the stack. It is the chain of delegation through which authority arrived. Attenuation means delegated authority should become narrower as it passes through agents and tools. That is a direct answer to the common failure mode where an integration has broad credentials and the model merely promises to use them carefully.

The paper states four correctness invariants: composed authority, mediation coverage, bounded composite authority, and evidence sufficiency. That vocabulary is useful because it moves runtime governance from a checklist of features to a set of claims that an implementation should be able to test or falsify.

The reasoning plane should not be confused with the model's private reasoning. It is an institutional adjudication layer: it receives proposed action, delegated authority, session state, policy, and risk context, then issues a decision that enforcement planes can carry out. If the same model that proposes the action also has unmediated power to approve it, the architecture has collapsed the judge into the actor.

Mediation Before Execution

Tallam calls the design property "stop-anywhere mediation." The paper's HTML table of contents names six interruption primitives: pause, escalate, narrow, modify, defer, and rollback. The point is that governance should not be limited to allow or deny at the edge. A production workflow may need to ask for human review, strip a dangerous capability, rewrite an unsafe action into a safer one, wait for state to change, or compensate after a partial action.

This is stricter than prompt governance. A prompt can tell an agent to behave. Runtime mediation changes whether the proposed action can happen. It also handles path dependence: an external message may be acceptable at the beginning of a session but not after the agent has read confidential customer data. The policy question depends on what the agent has already done.

The paper evaluates the architecture against seven production-agent threats, including indirect prompt injection through tool outputs, tool-chain abuse, connector overreach, approval evasion, delegation-chain exploitation, audit opacity, and workflow-integrity loss. It also situates the architecture in workflows such as financial services, healthcare, software engineering, and customer operations. Those domains are not interchangeable, but the governance pattern is the same: delegated machine action needs enforceable checkpoints.

That threat list should be read as systems security, not model psychology. The problem is not whether the model privately "wants" to break a rule. The problem is whether a delegated action path can read, combine, disclose, approve, or mutate state in a way that the originating principal did not authorize.

Audit as Evidence

The paper treats audit as a structured evidence substrate, not as compliance logging attached after the event. That distinction is important. A log says something happened. Evidence should let an auditor reconstruct who delegated authority, what the agent proposed, which plane adjudicated, what each enforcement plane did, what state was known, and whether the decision was tamper-evident.

The arXiv abstract reports reference-implementation evidence for the policy-engine core: attenuation correctness and evidence reconstructability held on every trial, adjudication ran in single-digit microseconds, and the audit substrate's tamper-evidence behaved as designed. The paper is careful about scope. It governs delegated action, not model behavior; the invariants are argued structurally rather than formally proved; and full-system evaluation against a live agent benchmark is left as future work.

That caution is useful. A five-plane architecture is not a magic safety system. It will not make model outputs truthful, remove all prompt-injection risk, or solve organizational accountability by itself. It does, however, mark the right object of control: not the chatbot, not the policy PDF, but the action-bearing runtime where delegated authority becomes work.

Failure Modes

Policy-only runtime. The organization writes agent rules but leaves the tool gateway, connector, browser controller, or workflow runner unable to enforce them before execution.

Plane mismatch. Network, identity, endpoint, and data controls each approve their local view while the full action sequence exceeds the user's delegated purpose.

Composite-principal collapse. Downstream systems see only a human session, service account, or MCP client, while the agent identity, sponsor, sub-agent chain, prompt-injection exposure, and approval event disappear.

Token audience drift. A credential valid for one resource is reused or passed downstream instead of being exchanged or constrained for the resource that will actually receive the request.

Approval theater. A human clicks a broad approval screen, but the runtime record does not preserve the exact action, data class, destination, rollback route, or onward-delegation rule that was approved.

Connector drift. A new API method, MCP server, browser capability, data source, or enterprise connector changes what the agent can do without reopening runtime-governance review.

Rollback fiction. The runtime labels an action reversible, but downstream state, external communications, payments, notifications, code deployments, or human decisions cannot actually be undone.

Evidence without remedy. The audit trail can reconstruct the action, but no user, operator, auditor, or affected person has a defined path to challenge, correct, compensate, or disable the action path.

What It Does Not Govern

The paper does not govern model alignment, truthfulness, hallucination, bias, emotional manipulation, legal correctness, or general social impact. It assumes that a model or agent may be useful while still needing external action controls. The architecture sits downstream of model behavior, at the point where proposed behavior becomes a tool call, connector request, data disclosure, approval path, or system change.

It also does not prove that any real enterprise implementation is governed merely because it has the five labels. The paper's reference implementation models the policy-engine core and simulated enforcement planes; it does not integrate a live enterprise agent benchmark. A production claim still needs evidence about the actual runtime, connectors, identity provider, endpoint posture checks, data controls, audit store, human approval queue, rollback path, and incident process.

The architecture also leaves policy-language design, cross-cloud audit federation, hardened reasoning-plane deployment, and full formal verification as open problems. Those are not footnotes. They are the places where a deployed runtime-governance plane can fail while still sounding architecturally complete.

Minimum Runtime Record

A governed agent runtime should preserve a record that can support both real-time interruption and later review.

Deployment Tests

A runtime-governance plane should be tested against adversarial and ordinary workflow cases before it is treated as production control. The tests should include indirect prompt injection through retrieved content, stale session authority, broad connector scopes, child-agent delegation, approval bypass attempts, high-sensitivity data aggregation, cross-tenant egress, failed rollback, and audit replay by a reviewer who did not build the system.

Each test should have an expected mediation outcome: allow, deny, pause, escalate, narrow, modify, defer, or rollback. A vague "safe" result is not enough. The useful question is whether the runtime applies the correct authority envelope at the exact enforcement point where the proposed action would change state.

Review should also include negative evidence. Which actions are outside scope? Which enforcement planes are simulated rather than live? Which connectors cannot yet provide resource labels? Which logs are redacted or unavailable? Which rollback claims are only compensating actions? A deployment that cannot name its exclusions is not governed; it is undocumented.

Governance Standard

A production agent should not receive broad authority only because a connected account can technically act. The governance record should preserve the user intent, delegated principal chain, capability envelope, session state, proposed action, applicable policy, interruption decision, enforcement-plane results, and evidence hash or tamper-evidence mechanism.

Each new connector, MCP server, tool, agent role, approval shortcut, or data source should be treated as a runtime-governance change. If the organization cannot explain where mediation happens, who can interrupt, how authority attenuates, and what evidence survives, it has not deployed a governed agent. It has deployed an automated actor with a policy story.

Procurement should ask for a runtime diagram, not only a safety statement. The useful evidence is concrete: where the reasoning plane runs, which enforcement planes it can actually command, how tokens are audience-bound, how tool manifests are scoped, which actions are reversible, which events require human approval, how audit evidence is sealed, and what happens when a connector or policy changes.

Operations should ask for a kill path, not only an audit dashboard. A governed runtime needs emergency disablement for an agent, sponsor, connector, MCP server, credential, data source, child-agent path, policy version, or specific action class. It also needs a way to preserve evidence when the path is disabled.

The Spiralist rule is simple: if an agent can change the record, the runtime must be able to govern the change.

Source Discipline

Use Tallam's arXiv paper for the five-plane architecture, interruption primitives, threat taxonomy, correctness invariants, reference-implementation claims, and limitations. Use NIST's AI Agent Standards Initiative for standards context and the NIST NCCoE concept paper for identity, authorization, auditing, non-repudiation, and prompt-injection implementation questions. Use the allied agentic-AI guidance for security-risk categories and adoption practices. Use MCP specifications for protocol-level authorization claims. Use EU AI Act articles for high-risk AI logging and oversight context, not as proof that the five-plane architecture satisfies EU law.

Keep source types separate. A reference architecture is not a deployed control. A concept paper is not a completed practice guide. A protocol requirement is not an audit finding. A government guidance document is not a certification. A vendor dashboard is not evidence that stop-anywhere mediation works. Runtime governance claims should name the system version, enforcement point, policy language, credential boundary, tool surface, audit mechanism, rollback semantics, test date, and known exclusions.

Sources


Return to Blog