CAVA: Canonical Action Verification and Attestation for Runtime Governance of Agentic AI Systems addresses the challenge of governing AI agents that operate across diverse, incompatible environments. Because agents interact with systems through various methods—such as shell commands, SDKs, browser automation, and API gateways—it is difficult for organizations to maintain a stable, verifiable record of what an agent is actually doing. This paper introduces a runtime-semantics layer that converts these fragmented activities into a standardized, "canonical" action object, ensuring that governance decisions, approvals, and audit trails are bound to the actual intent of an action rather than its raw, easily manipulated text.
Standardizing Agent Behavior
The core problem identified is that current governance often relies on raw text or simple command-line tokens. These are easily bypassed by "wrappers"—such as aliases, environment variables, or tool indirection—that change how an action appears without changing its actual impact. CAVA solves this by mapping every runtime event to a structured, versioned, and hashable object. This object includes essential governance data, such as the specific tool used, the normalized operation, the risk category, and the systems being affected. By creating this stable "fingerprint," organizations can ensure that a policy decision made for one environment remains valid and enforceable even if the agent switches to a different runtime.
The Governance Protocol
CAVA functions as a protocol that sits beneath broader governance frameworks like Proof-Carrying Agent Actions (PCAA). The process involves capturing the raw event, normalizing it into a canonical action, and then running it through a "Semantic Pattern Layer." This layer interprets the action in the context of enterprise risk—for example, identifying if an action constitutes "public persistent egress" or "security-control weakening." Once identified, the system binds the approval or policy outcome to the action’s unique fingerprint. This ensures that when a human approves an action, they are approving the specific semantic intent, and that this approval is cryptographically tied to the execution, preventing "approval drift" or evidence tampering.
Performance and Reliability
To validate this approach, the research utilized a benchmark harness consisting of 96 seed scenarios and 384 runtime variants. The evaluation compared CAVA against traditional methods, such as raw-text filtering and first-token analysis. The results demonstrated that CAVA successfully maintained action identity across different runtime forms, whereas traditional baselines failed to detect actions hidden behind wrappers or to provide reproducible receipts. CAVA achieved high scores in semantic equivalence, wrapper robustness, and approval binding, proving that moving from raw-text monitoring to semantic canonicalization is a necessary step for robust AI governance.
Implementation and Scope
The paper outlines an "open-core" implementation strategy. A public, open-source package provides the foundational schema, hashing, and verification tools necessary for developers to test and implement the protocol. Meanwhile, a managed layer is reserved for enterprise-specific needs, such as complex policy routing, evidence graph visualization, and integration with hardware security modules. It is important to note that CAVA is not a replacement for enterprise policy or model-alignment techniques; rather, it provides the essential "substrate" that makes those policies effective by ensuring that the object being governed is both stable and verifiable.
Comments (0)
to join the discussion
No comments yet
Be the first to share your thoughts!