
A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents

Key Takeaways

  • A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents addresses the critical security gap created by AI agents in enterprise environments.
  • While traditional security tools were designed to protect static data boundaries, modern AI agents actively read context, call tools, and modify business systems.
  • Production AI agents dissolve the assumption that security can be enforced at the data boundary alone: risk moves inside the workflow, into sequences of individually permitted actions.
  • We are explicit about scope: the architecture governs delegated action, not model behavior, and a full-system evaluation against a live agent benchmark is the invited next step.
Paper Abstract

Enterprise security was built to govern data boundaries: the protected surface was data at rest and in transit, and the controls -- access control, data-loss prevention, perimeter inspection -- governed crossings of that boundary. Production AI agents dissolve this assumption. An agent reads context, calls tools, invokes connectors, and modifies systems of record on an enterprise's behalf, so risk moves inside the workflow, into sequences of individually-permitted actions that may transform a business process no one authorized. Existing policy engines do not extend to this regime: they evaluate request-time decisions against atomic principals, where agentic systems require stateful evaluation against composite principals whose authority attenuates through delegation chains. We present a reference architecture for the runtime governance of production agents, built from four composable primitives: a five-plane decomposition (a reasoning plane that adjudicates intent, and four enforcement planes -- network, identity, endpoint, data -- that realize the decision), stop-anywhere mediation, composite principals with capability attenuation, and audit as a structured evidence substrate. We define a taxonomy of six interruption primitives that generalize allow and deny, state and argue for four correctness invariants, and demonstrate the foreclosure of seven production-agent threats across five concrete workflows. A reference implementation of the policy-engine core supplies measured evidence: attenuation correctness and evidence reconstructability hold on every trial, adjudication runs in single-digit microseconds, and the audit substrate's tamper-evidence behaves exactly as designed. We are explicit about scope: the architecture governs delegated action, not model behavior, and a full-system evaluation against a live agent benchmark is the invited next step.

A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents addresses the critical security gap created by AI agents in enterprise environments. While traditional security tools were designed to protect static data boundaries, modern AI agents actively read context, call tools, and modify business systems. This paper introduces a new reference architecture that shifts security from simply checking if a request is allowed to governing the entire sequence of actions taken by an agent under delegated authority.

The Problem with Current Security

Existing security systems are built for a world of "atomic principals," where a single user or process requests access to a single resource. AI agents, however, operate through "composite principals"—long chains of delegation where a human instructs a planner, which instructs an executor, which then calls a tool. Current policy engines cannot handle this complexity because they are stateless, evaluate only one request at a time, and provide simple "allow or deny" answers. They lack the ability to understand the agent's intent or the state of the session, making them insufficient for governing the complex, multi-step workflows that AI agents perform.

A New Structural Approach

The proposed architecture relies on four core primitives to govern agent behavior:

  • Five-Plane Decomposition: The system separates the "reasoning plane," which evaluates the agent's intent, from four "enforcement planes" (network, identity, endpoint, and data) that carry out the decision. This ensures that every action is checked against the full context of the agent's plan before it is executed.

  • Stop-Anywhere Mediation: The system can intervene at any point in the agent's execution loop, from initial planning to final audit. Instead of just blocking, it uses six interruption primitives, such as modifying arguments, narrowing capabilities, or escalating to a human.

  • Composite Principals with Capability Attenuation: The system tracks the entire chain of delegation. It ensures that an agent’s authority is always a strict subset of its delegator’s, preventing the "confused deputy" problem where an agent might be tricked into using more authority than it should have.

  • Structured Audit Substrate: Every decision is recorded in a tamper-evident format that provides a complete, reconstructible history of why an action was permitted or denied, serving as a reliable evidence source for auditors and incident responders.
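As an added illustration (not code from the paper or its reference implementation), the following Python sketch models the four primitives above at toy scale: delegation with capability attenuation, a chain-wide attenuation invariant check, a session-stateful adjudicator that returns interruption primitives beyond allow and deny (escalate, modify arguments), and a tamper-evident audit log. The hash-chained log, the tool names, and the per-session spend limit are assumptions made for the example; the same functions also exercise the attenuation-correctness and tamper-evidence checks the results section reports.

```python
import hashlib
import json
from dataclasses import dataclass
@dataclass(frozen=True)
class Principal:          # one link in a delegation chain; caps = tools it may call
    name: str
    caps: frozenset
    delegator: "Principal | None" = None
def delegate(parent, name, caps):
    """Mint a child principal; refuse any grant that exceeds the parent's authority."""
    caps = frozenset(caps)
    if not caps <= parent.caps:
        raise PermissionError(f"{name} asks for {sorted(caps - parent.caps)} beyond {parent.name}")
    return Principal(name, caps, parent)
def attenuation_holds(p):
    """Invariant: each principal's caps are a subset of its delegator's, up the whole chain."""
    return p.delegator is None or (p.caps <= p.delegator.caps and attenuation_holds(p.delegator))
def chain(p):
    return [p.name] if p.delegator is None else chain(p.delegator) + [p.name]

class AuditLog:
    """Append-only evidence log; each entry commits to the previous digest (hash chain, assumed)."""
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        self.entries.append({"prev": prev, "body": body,
                             "digest": hashlib.sha256((prev + body).encode()).hexdigest()})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or hashlib.sha256((prev + e["body"]).encode()).hexdigest() != e["digest"]:
                return False
            prev = e["digest"]
        return True

def adjudicate(p, tool, args, session, log):
    """Stateful decision: returns (interruption primitive, effective args) and records the evidence."""
    if tool not in p.caps:
        decision = "deny"
    elif tool == "transfer" and session["spent"] + args["amount"] > session["limit"]:
        decision = "escalate"  # each call is permitted on its own, but the session total would cross the limit
    elif tool == "email" and args["to"].endswith("@external.example"):
        decision, args = "modify", {**args, "to": "reviewer@internal.example"}  # rewrite an argument
    else:
        decision = "allow"
        session["spent"] += args["amount"] if tool == "transfer" else 0
    log.append({"chain": chain(p), "tool": tool, "args": args, "decision": decision})
    return decision, args
```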

Measured Performance and Results

A reference implementation of the policy-engine core demonstrated that the architecture is both effective and efficient. Adjudication of agent actions occurs in single-digit microseconds, ensuring that security checks do not introduce significant latency. The implementation successfully validated that the system maintains "attenuation correctness"—meaning an agent never gains more authority than it was granted—and that the audit logs remain accurate and tamper-evident. The architecture was shown to successfully foreclose seven common production-agent threats across five different business workflows, including financial services and software engineering.

Scope and Future Work

It is important to note that this architecture governs the actions an agent takes, not the internal behavior of the AI model itself. It acts as a guardrail for delegated authority rather than a filter for model output. While the paper provides a structural argument for the system's correctness and validates its internal claims through a reference implementation, the author notes that a full-system evaluation against a live agent benchmark remains an invited next step for future research.
