The Agent Runtime Becomes the Governance Plane
Krti Tallam's June 2026 arXiv paper A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents argues that production agent risk lives inside delegated action. The Spiralist lesson is that policy cannot wait outside the workflow. It has to become part of the runtime.
When the Boundary Is Action
Enterprise security was built around familiar crossings: a request enters an application, data leaves a database, traffic moves across a network, a user receives a role. Tallam's paper says production AI agents disturb that picture because the risk is not only a boundary crossing. An agent reads context, calls tools, invokes connectors, and modifies systems of record on behalf of an enterprise. The risky object is the sequence of delegated actions.
The paper was submitted to arXiv on June 10, 2026 as arXiv:2606.12320 [cs.AI]. Its abstract frames the problem as a mismatch between request-time policy engines and agentic workflows. Classical authorization can decide whether a caller may make one request against one resource. It struggles when a human delegates to a planner, the planner delegates to an executor, the executor invokes a tool, and the resulting sequence changes a business process.
This is adjacent to agent identity, intent-governed tool access, and delegation traces. The new angle is architectural: the runtime itself must be able to pause, narrow, redirect, or record action before the agent's plan becomes enterprise state.
The Five-Plane Claim
The paper's reference architecture has one reasoning plane and four enforcement planes. The reasoning plane adjudicates intent against the composite principal and session state. The network, identity, endpoint, and data planes then realize the decision using existing enterprise enforcement machinery. In the paper's framing, the reasoning plane decides once, while the infrastructure planes enforce in coordination.
That distinction matters. If every plane authorizes independently, each sees only part of the action. The network plane may see a destination, the identity plane may see a credential, the endpoint plane may see a device state, and the data plane may see content. None of them alone can decide whether the whole action sequence is still within the authority that the user actually delegated.
The architecture is also explicit about composite principals and capability attenuation. A principal is not just the last caller in the stack. It is the chain of delegation through which authority arrived. Attenuation means delegated authority should become narrower as it passes through agents and tools. That is a direct answer to the common failure mode where an integration has broad credentials and the model merely promises to use them carefully.
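The composite principal and attenuation idea is easy to state and easy to get wrong in code. The block below is an added illustration, not code from Tallam's paper or its reference implementation: it models a delegation chain (user, planner, executor, tool) in which every hop's capability envelope must be a subset of its delegator's, and it authorizes a tool call against the whole chain rather than the last caller. The principal names and the capability strings (crm:read, mail:send, and so on) are constructed for this example.

```python
"""Composite principals and capability attenuation along a delegation chain.

Added example; the chain, principal names and capability names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Hop:
    """One delegation step: the principal that received authority and its envelope."""
    principal: str
    capabilities: FrozenSet[str]


class AttenuationError(Exception):
    """A hop asked for authority its delegator does not hold."""


def delegate(chain: List[Hop], to: str, requested: FrozenSet[str]) -> List[Hop]:
    """Append a hop. The new envelope must be a subset of the delegator's,
    so authority can only narrow as it passes down the chain."""
    if not chain:
        raise ValueError("chain must start with a root principal")
    parent = chain[-1]
    excess = requested - parent.capabilities
    if excess:
        raise AttenuationError(
            f"{to} asked for {sorted(excess)}, which {parent.principal} does not hold")
    return chain + [Hop(to, frozenset(requested))]


def composite_principal(chain: List[Hop]) -> str:
    """The identity a policy engine should reason about: the whole chain."""
    return " -> ".join(hop.principal for hop in chain)


def effective_envelope(chain: List[Hop]) -> FrozenSet[str]:
    """Intersection over every hop. With delegate() enforcing subsets this equals
    the last hop's envelope, but recomputing it defends against a chain that
    was assembled by some other code path."""
    env = chain[0].capabilities
    for hop in chain[1:]:
        env = env & hop.capabilities
    return env


def authorize(chain: List[Hop], required: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide a tool call against the composite principal, not the last caller."""
    missing = required - effective_envelope(chain)
    who = composite_principal(chain)
    if missing:
        return False, f"deny {who}: missing {sorted(missing)}"
    return True, f"allow {who}: {sorted(required)}"


def build_sample_chain() -> List[Hop]:
    """Constructed sample: a user's session delegates to a planner, which
    delegates to an executor, which hands a read-only envelope to a CRM tool."""
    chain = [Hop("alice@example.com",
                 frozenset({"crm:read", "crm:write", "mail:send", "hr:read"}))]
    chain = delegate(chain, "planner", frozenset({"crm:read", "crm:write", "mail:send"}))
    chain = delegate(chain, "executor", frozenset({"crm:read", "mail:send"}))
    chain = delegate(chain, "crm_tool", frozenset({"crm:read"}))
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(composite_principal(chain), sorted(effective_envelope(chain)))
    print(authorize(chain, frozenset({"crm:read"})))
    print(authorize(chain, frozenset({"crm:write"})))
```

The failure mode described above, an integration holding broad credentials and the model promising restraint, corresponds to skipping the subset check in delegate(): the tool would then inherit everything the root principal holds, and no later plane could tell that the user never delegated crm:write.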
Mediation Before Execution
Tallam calls the design property "stop-anywhere mediation." The paper's HTML table of contents names six interruption primitives: pause, escalate, narrow, modify, defer, and rollback. The point is that governance should not be limited to allow or deny at the edge. A production workflow may need to ask for human review, strip a dangerous capability, rewrite an unsafe action into a safer one, wait for state to change, or compensate after a partial action.
This is stricter than prompt governance. A prompt can tell an agent to behave. Runtime mediation changes whether the proposed action can happen. It also handles path dependence: an external message may be acceptable at the beginning of a session but not after the agent has read confidential customer data. The policy question depends on what the agent has already done.
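The six primitives and the path-dependence point become concrete once a mediator has to return something other than allow or deny. The block below is an added example, not the paper's reference implementation: a single reasoning-plane function decides each proposed action given the session state so far, and returns one of pause, escalate, narrow, modify, defer, rollback or allow. The tool names, the external-domain list and the policy rules themselves are constructed for illustration.

```python
"""Stop-anywhere mediation over a sequence of proposed agent actions.

Added example; tool names, domains and rules are constructed, not the paper's.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    PAUSE = "pause"        # hold until a human resumes
    ESCALATE = "escalate"  # route to a human approver
    NARROW = "narrow"      # strip a capability from the action
    MODIFY = "modify"      # rewrite the action into a safer form
    DEFER = "defer"        # wait for session state to change
    ROLLBACK = "rollback"  # compensate a partially completed action


@dataclass
class SessionState:
    """What the agent has already done this session; policy depends on it."""
    read_confidential: bool = False
    pending_approvals: int = 0
    completed: List[str] = field(default_factory=list)


@dataclass
class Action:
    tool: str
    params: Dict[str, str]


@dataclass
class Verdict:
    decision: Decision
    action: Optional[Action]  # the action that may execute (possibly rewritten)
    reason: str


EXTERNAL_DOMAINS = ("gmail.com", "outlook.com")  # constructed sample
CONFIDENTIAL_TOOLS = {"read_customer_record"}     # constructed sample


def mediate(state: SessionState, action: Action) -> Verdict:
    """The reasoning plane decides once; enforcement planes realize the verdict."""
    # Rollback: a cancel after the debit has already landed must compensate it.
    if action.tool == "cancel_transfer" and "debit_account" in state.completed:
        return Verdict(Decision.ROLLBACK, None, "debit applied; issue compensating credit")

    if action.tool == "send_email":
        to = action.params.get("to", "")
        external = any(to.endswith("@" + d) for d in EXTERNAL_DOMAINS)
        # Escalate: path dependence. The same send is fine before the agent has
        # read confidential data and needs a human afterwards.
        if external and state.read_confidential:
            return Verdict(Decision.ESCALATE, action, "external send after confidential read")
        # Narrow: external mail goes out without attachments.
        if external and "attachment" in action.params:
            kept = {k: v for k, v in action.params.items() if k != "attachment"}
            return Verdict(Decision.NARROW, Action("send_email", kept), "attachment stripped")
        return Verdict(Decision.ALLOW, action, "mail within policy")

    # Modify: bulk hard deletes are rewritten into recoverable soft deletes.
    if action.tool == "delete_records" and int(action.params.get("count", "0")) > 100:
        return Verdict(Decision.MODIFY, Action("soft_delete_records", dict(action.params)),
                       "bulk delete rewritten as soft delete")

    # Defer: payments wait while an earlier approval is still open.
    if action.tool == "issue_payment" and state.pending_approvals > 0:
        return Verdict(Decision.DEFER, action, "approval outstanding")

    # Pause: production config changes are held until a human resumes them.
    if action.tool == "change_config":
        return Verdict(Decision.PAUSE, action, "held for review")

    return Verdict(Decision.ALLOW, action, "within policy")


def run_session(steps: List[Action]) -> List[Decision]:
    """Mediate a sequence, feeding executed steps back into the session state
    so that later decisions see the path the agent has already taken."""
    state = SessionState()
    decisions = []
    for proposed in steps:
        verdict = mediate(state, proposed)
        decisions.append(verdict.decision)
        if verdict.decision in (Decision.ALLOW, Decision.NARROW, Decision.MODIFY):
            executed = verdict.action.tool
            state.completed.append(executed)
            if executed in CONFIDENTIAL_TOOLS:
                state.read_confidential = True
    return decisions
```

Running the same external send twice in one session, once before and once after a read_customer_record call, yields allow and then escalate: the proposed action is identical, and only the session history changed the answer.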
The paper evaluates the architecture against seven production-agent threats: indirect prompt injection through tool outputs, tool-chain abuse, connector overreach, approval evasion, delegation-chain exploitation, audit opacity, and workflow-integrity loss. It also situates the architecture in workflows such as financial services, healthcare, software engineering, and customer operations. Those domains are not interchangeable, but the governance pattern is the same: delegated machine action needs enforceable checkpoints.
Audit as Evidence
The paper treats audit as a structured evidence substrate, not as compliance logging attached after the event. That distinction is important. A log says something happened. Evidence should let an auditor reconstruct who delegated authority, what the agent proposed, which plane adjudicated, what each enforcement plane did, what state was known, and whether the decision was tamper-evident.
The arXiv abstract reports reference-implementation evidence for the policy-engine core: attenuation correctness and evidence reconstructability held on every trial, adjudication ran in single-digit microseconds, and the audit substrate's tamper-evidence behaved as designed. The paper is careful about scope. It governs delegated action, not model behavior; the invariants are argued structurally rather than formally proved; and full-system evaluation against a live agent benchmark is left as future work.
That caution is useful. A five-plane architecture is not a magic safety system. It will not make model outputs truthful, remove all prompt-injection risk, or solve organizational accountability by itself. It does, however, mark the right object of control: not the chatbot, not the policy PDF, but the action-bearing runtime where delegated authority becomes work.
Governance Standard
A production agent should not receive broad authority only because a connected account can technically act. The governance record should preserve the user intent, delegated principal chain, capability envelope, session state, proposed action, applicable policy, interruption decision, enforcement-plane results, and evidence hash or tamper-evidence mechanism.
Each new connector, tool, agent role, approval shortcut, or data source should be treated as a runtime-governance change. If the organization cannot explain where mediation happens, who can interrupt, how authority attenuates, and what evidence survives, it has not deployed a governed agent. It has deployed an automated actor with a policy story.
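The governance record and the "evidence, not log" distinction are easiest to see with a concrete substrate. The block below is an added example, not the paper's audit implementation: each record carries the fields listed above, is bound to its predecessor by a SHA-256 hash chain (one possible tamper-evidence mechanism, assumed here), and can be replayed to answer the auditor's questions from the Audit as Evidence section. The two sample records describe a constructed refund workflow.

```python
"""Hash-chained evidence records for agent governance decisions.

Added example; the chaining scheme and the sample records are constructed.
"""
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64
REQUIRED_FIELDS = frozenset({
    "user_intent", "principal_chain", "capability_envelope", "session_state",
    "proposed_action", "policy", "interruption_decision", "enforcement_results",
})


def canonical(obj: Dict[str, Any]) -> bytes:
    """Stable encoding so key order and whitespace cannot change the hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: Dict[str, Any]) -> str:
    """Hash of everything in the record except its own evidence_hash field."""
    body = {k: v for k, v in record.items() if k != "evidence_hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_record(chain: List[Dict[str, Any]], **fields: Any) -> Dict[str, Any]:
    """Add one decision record, bound to its predecessor through prev_hash."""
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"record missing {sorted(missing)}")
    record = {"seq": len(chain),
              "prev_hash": chain[-1]["evidence_hash"] if chain else GENESIS,
              **fields}
    record["evidence_hash"] = record_hash(record)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict[str, Any]]) -> Tuple[bool, int]:
    """Recompute every hash and link. Returns (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record.get("seq") != i or record.get("prev_hash") != prev:
            return False, i
        if record_hash(record) != record.get("evidence_hash"):
            return False, i
        prev = record["evidence_hash"]
    return True, -1


def reconstruct(chain: List[Dict[str, Any]], seq: int) -> Dict[str, Any]:
    """The auditor's view of one decision: who delegated, what was proposed,
    what was known, what was decided, and what each enforcement plane did."""
    r = chain[seq]
    return {
        "who_delegated": " -> ".join(r["principal_chain"]),
        "what_was_proposed": r["proposed_action"],
        "what_was_known": r["session_state"],
        "what_was_decided": r["interruption_decision"],
        "what_each_plane_did": r["enforcement_results"],
    }


def sample_chain() -> List[Dict[str, Any]]:
    """Constructed sample: two decisions from one refund workflow."""
    chain: List[Dict[str, Any]] = []
    append_record(
        chain,
        user_intent="refund order 1001",
        principal_chain=["alice@example.com", "planner", "executor", "billing_tool"],
        capability_envelope=["billing:refund<=500"],
        session_state={"read_confidential": False},
        proposed_action={"tool": "issue_refund", "order": "1001", "amount": 120},
        policy="refund-policy-v3",
        interruption_decision="allow",
        enforcement_results={"network": "egress to billing permitted",
                             "identity": "scoped token minted",
                             "endpoint": "device posture ok",
                             "data": "no PII in payload"})
    append_record(
        chain,
        user_intent="refund order 1001",
        principal_chain=["alice@example.com", "planner", "executor", "mail_tool"],
        capability_envelope=["mail:send:internal"],
        session_state={"read_confidential": True},
        proposed_action={"tool": "send_email", "to": "cust@gmail.com"},
        policy="egress-policy-v2",
        interruption_decision="escalate",
        enforcement_results={"network": "egress blocked pending approval",
                             "identity": "no token minted",
                             "endpoint": "n/a",
                             "data": "payload quarantined"})
    return chain
```

Editing a stored decision after the fact breaks the hash of that record; recomputing that hash to cover the edit breaks the prev_hash link of the record that follows, so verify_chain() reports the first inconsistent position either way. In a deployment the chain head would additionally be anchored outside the writer's control (a signed checkpoint or an append-only store), since a party who can rewrite every record can rehash the whole chain.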
The Spiralist rule is simple: if an agent can change the record, the runtime must be able to govern the change.
Sources
- Krti Tallam, A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents, arXiv:2606.12320 [cs.AI], submitted June 10, 2026.
- arXiv experimental HTML for A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents, reviewed June 24, 2026.
- Related pages: The Agent Identity Becomes the Service Account, The Tool Scope Becomes the Intent Gate, The Agent Rulebook Leaves the Prompt, The Delegation Trace Becomes the Audit Boundary, The Agent Trace Becomes the Process Map, and AI Audit Trails.