Back to AI Research

AI Research

CAVA: Canonical Action Verification and Attestation... | AI Research

Key Takeaways

  • CAVA: Canonical Action Verification and Attestation for Runtime Governance of Agentic AI Systems addresses the challenge of governing AI agents that operate...
  • Agentic AI systems increasingly act through heterogeneous runtimes: local coding hooks, SDK tools, browser automation, managed-agent traces, API gateways, and workflow engines.
  • A single operational act such as publishing code, changing identity state, moving money, or exporting data may therefore be represented by many incompatible runtime records.
  • This makes a basic governance question difficult to answer: what action was actually approved, what evidence binds the approval to execution, and can an independent verifier reproduce the same action identity later?
  • This paper presents Canonical Action Verification and Attestation (CAVA), a runtime-semantics layer for converting heterogeneous agent activity into canonical runtime action objects.
Paper AbstractExpand

Agentic AI systems increasingly act through heterogeneous runtimes: local coding hooks, SDK tools, browser automation, managed-agent traces, API gateways, and workflow engines. A single operational act such as publishing code, changing identity state, moving money, or exporting data may therefore be represented by many incompatible runtime records. This makes a basic governance question difficult to answer: what action was actually approved, what evidence binds the approval to execution, and can an independent verifier reproduce the same action identity later? This paper presents Canonical Action Verification and Attestation (CAVA), a runtime-semantics layer for converting heterogeneous agent activity into canonical runtime action objects. CAVA is positioned below Proof-Carrying Agent Actions (PCAA): PCAA defines the deployer-owned route-review-prove governance process, while CAVA defines the stable action object that process governs. The paper formalizes canonical action identity, semantic pattern detection, approval binding, receipt integrity, runtime-portable projection, and optional attestation substrates. We study a reference implementation through a 96-seed, 384-variant benchmark covering semantic equivalence, semantic separation, wrapper bypass, false-positive control, approval binding, receipt reproducibility, attestation tamper detection, runtime portability, semantic pattern detection, policy degradation, and Azure deployment drills. The contribution is a systems formulation of action-level canonicalization and policy-addressable semantic patterns as a necessary substrate for deployer-side AI governance.

CAVA: Canonical Action Verification and Attestation for Runtime Governance of Agentic AI Systems addresses the challenge of governing AI agents that operate across diverse, incompatible environments. Because agents interact with systems through various methods—such as shell commands, SDKs, browser automation, and API gateways—it is difficult for organizations to maintain a stable, verifiable record of what an agent is actually doing. This paper introduces a runtime-semantics layer that converts these fragmented activities into a standardized, "canonical" action object, ensuring that governance decisions, approvals, and audit trails are bound to the actual intent of an action rather than its raw, easily manipulated text.

Standardizing Agent Behavior

The core problem identified is that current governance often relies on raw text or simple command-line tokens. These are easily bypassed by "wrappers"—such as aliases, environment variables, or tool indirection—that change how an action appears without changing its actual impact. CAVA solves this by mapping every runtime event to a structured, versioned, and hashable object. This object includes essential governance data, such as the specific tool used, the normalized operation, the risk category, and the systems being affected. By creating this stable "fingerprint," organizations can ensure that a policy decision made for one environment remains valid and enforceable even if the agent switches to a different runtime.

The Governance Protocol

CAVA functions as a protocol that sits beneath broader governance frameworks like Proof-Carrying Agent Actions (PCAA). The process involves capturing the raw event, normalizing it into a canonical action, and then running it through a "Semantic Pattern Layer." This layer interprets the action in the context of enterprise risk—for example, identifying if an action constitutes "public persistent egress" or "security-control weakening." Once identified, the system binds the approval or policy outcome to the action’s unique fingerprint. This ensures that when a human approves an action, they are approving the specific semantic intent, and that this approval is cryptographically tied to the execution, preventing "approval drift" or evidence tampering.

Performance and Reliability

To validate this approach, the research utilized a benchmark harness consisting of 96 seed scenarios and 384 runtime variants. The evaluation compared CAVA against traditional methods, such as raw-text filtering and first-token analysis. The results demonstrated that CAVA successfully maintained action identity across different runtime forms, whereas traditional baselines failed to detect actions hidden behind wrappers or to provide reproducible receipts. CAVA achieved high scores in semantic equivalence, wrapper robustness, and approval binding, proving that moving from raw-text monitoring to semantic canonicalization is a necessary step for robust AI governance.

Implementation and Scope

The paper outlines an "open-core" implementation strategy. A public, open-source package provides the foundational schema, hashing, and verification tools necessary for developers to test and implement the protocol. Meanwhile, a managed layer is reserved for enterprise-specific needs, such as complex policy routing, evidence graph visualization, and integration with hardware security modules. It is important to note that CAVA is not a replacement for enterprise policy or model-alignment techniques; rather, it provides the essential "substrate" that makes those policies effective by ensuring that the object being governed is both stable and verifiable.

Comments (0)

No comments yet

Be the first to share your thoughts!