Agent Governance Series

Nine papers establishing the formal foundations of autonomous agent governance. Each paper addresses a distinct layer — from atomicity at the decision boundary to cryptographic identity-bound accountability — forming an irreducible architecture for governed execution.

Author: Marcelo Fernandez · TraslaIA · agentcontrolprotocol.xyz

Reading Sequence

Each paper builds on the previous. The series can be read sequentially or by layer.

P0 — Atomic Decision Boundaries
Why is atomicity at the decision boundary a structural requirement?
P1 — Agent Control Protocol (ACP)
How do we implement that boundary as a concrete enforcement protocol?
P2 — From Admission to Invariants (IML)
What can we actually observe above the enforcement boundary?
P3/4 — Irreducible Governance Structure
Is the multi-layer architecture irreducible? Who executes and under what allocation constraints?
P5 — Reconstructive Authority Model (RAM)
Given partial observability, when is execution authority actually valid?
P6 — Operationalizing Reconstructive Authority
How do we enforce RAM as a runtime protocol in a real system?
P7 — Closing the Execution Gap (Empirical)
Does the full stack close the gap between governance and execution on real LLM agents?
P8 — Identity-Bound Governance (APB)
When a governance halt occurs, how do we cryptographically bind re-authorization to a specific human principal?
P9 — MCP-Native Governance (Deployment)
How does the APB governance stack reach an agent without modifying the agent's code?
P10 — Non-Blocking Governance (Operability)
What happens when the human principal is delayed or offline? Can governance be safe and live simultaneously?

Papers

P0

Atomic Decision Boundaries: A Structural Requirement for Guaranteeing Execution-Time Admissibility in Autonomous Systems

Proves that no system separating evaluation from execution can guarantee admissibility at execution time. Introduces the atomic decision boundary — the condition under which decision and state transition are a single indivisible step — and maps RBAC, OPA, and ACP to a structural taxonomy of governance mechanisms.

P1

Agent Control Protocol: ACP v1.30 — Admission Control for Agent Actions

The ACP specification. Temporal admission control enforcing behavioral properties over execution traces via a 6-stage pipeline, execution tokens, cryptographic delegation chains, and a stateful risk engine (ACP-RISK-3.0). TLA+ verified over 4.29 × 10⁹ states with 9 safety invariants and 4 temporal properties.

P2

From Admission to Invariants: Epistemological Limits of Local Observability in Agent Governance

Proves that enforcement signals are epistemologically insufficient for detecting behavioral drift. Introduces the Invariant Measurement Layer (IML): a consistent estimator of behavioral deviation D̂(τ, A₀) with finite detection delay, validated across LangGraph agents, webhook pipelines, and single-agent executors.

P3/4

Irreducible Governance Structure for Autonomous Agent Systems: Fair Allocation, Strategy-Proofness, and Multi-Scale Composition

Establishes allocation as a first-class governance dimension. Proves Sybil amplification (any allocation mechanism is vulnerable to identity multiplication) and a strategy-proofness impossibility analogous to Arrow's theorem. The central result is an irreducibility theorem: under finite observability, no strict subset of the four governance layers (temporal, state, behavioral, population) can replicate the guarantees of the full architecture.

P5

Reconstructive Authority Model: Runtime Execution Validity Under Partial Observability

Separates integrity from coverage: cryptographic attestation proves trust in measurement, not completeness of execution-relevant reality. The Reconstructive Authority Model (RAM) introduces a reconstruction gate over an explicit coverage envelope and proves coverage is a necessary condition for execution validity. Invalid execution rates are proportional to the unobservable state fraction (1 − |S_p|/|S_r|).

P6

Operationalizing Reconstructive Authority: Runtime Construction, Dependency Resolution, and Execution Gating in Autonomous Agent Systems

Provides the runtime enforcement of RAM. Introduces a concrete execution protocol with dynamic dependency resolution, authority reconstruction at action time, and a Recovery Loop integrating IML drift detection with ACP execution gating. Proves the Execution Safety Theorem (no action executes without constructible authority) and Conditional Liveness (execution resumes when authority-defining variables become observable).

P7

Closing the Execution Gap in LLM Agent Systems: Empirical Evidence for Compliant Drift, Partial Observability, and Integrated Runtime Governance

First empirical validation of the complete ACP+IML+RAM+RecoveryLoop stack on real LangGraph agents. Introduces Compliant Drift — the phenomenon where g(τ)=0 throughout (all decisions approved) while D̂ grows monotonically — and proves it is real, measurable, and closeable. Four experiments: drift detection across 6 seeds and 2 LLM families (Mistral 15B, DeepSeek-R1 8B), 10k Monte Carlo trials under partial observability, multi-agent coordination up to N=16, and full-stack integration over 2000 steps. Introduces 3 theoretical refinements to the formal framework.

P8

Identity-Bound Governance Under Execution Uncertainty: An Accountability Proof Block for LLM Agent Persistent Halts, with Cryptographic Implementation and Cross-Model Calibration

Establishes identity-bound governance for LLM agents under execution uncertainty. Introduces the Accountability Proof Block (APB) — a cryptographically signed record (Es, Dh, σh) binding a HALT event to a specific human principal via ed25519 signatures and RFC 8785 canonical serialization. Proves four theorems: Governance Completeness (all halts resolved), Non-Repudiability, Impossibility of Anonymous Re-Authorization, and Finite-Time APB Construction. Also introduces k-of-n multi-principal threshold governance (Prop. 8.5). Empirically validated across 6 LLMs: 3,812 halt events (100% resolved), 1,800 adversarial APBs (100% detected), and a cross-model T* study revealing architecture-specific drift thresholds and the drift-floor effect.

P9

MCP-Native Identity-Bound Governance: Zero-Modification Agent Oversight via Protocol-Layer Interception and Multi-Hop Authority Propagation

Answers the deployment question left open by P8: how does the APB governance stack reach an agent without modifying the agent's code? The answer is the MCP Governance Proxy — a stateful middleware intercepting tools/call between any MCP client and MCP server, applying the P7+P8 stack (IML + RAM + Recovery Loop + APB) transparently. Proves three theorems: Transparency Invariance (T9.1, non-halt path observationally equivalent to direct connection; P95 = 51.8 µs), Halt Latency Bound (T9.2, governance events propagate within Δnet + Δverify + Δpolicy; measured 57 µs), and Multi-Hop Authority Propagation (T9.3, originator binding in A2A chains depth 1–5). Five experiments: E1 latency (10k calls), E2 real-agent APB (310 HALTs, 100% APB validity), E3 A2A delegation (334 HALTs, 100% originator binding), E4 concurrency stress (N=64 threads, 0 exceptions), E5 security adversarial suite (5 attack vectors, 0% adversary success rate). 92 tests passing.

P10

Non-Blocking Governance: Escrow-Based Asynchronous Authorization for Human-Mediated Agent Oversight

Closes the liveness gap left open by P9: when a tool call triggers a governance HALT, the P9 model blocks indefinitely until a human signs the APB. P10 resolves this by introducing escrow-based non-blocking governance — the suspended tool call's state is serialised into a persistent escrow entry and deposited in a priority queue; the agent session continues immediately. Introduces the V6 predicate (timeout enforcement: τapb ≤ thalt + Ttimeout) stacking on the P8/P9 V1–V5 chain. Proves three theorems: Non-Blocking Soundness (T10.1, no risky tool call executes without valid APB or explicit policy fallback; at-most-once semantics), Timeout Consistency (T10.2, fallback decision locally equivalent to explicit governance decision), and Escrow Liveness (T10.3, the first liveness theorem in the series: suspended call resumes within bounded Δresume when human responds within Ttimeout). Six experiments: E0 throughput (up to 81× speedup over P9 at 80% halt rate; safe-task throughput unaffected), E1 overhead (P95 = 6.4 µs, 156× below gate), E2 timeout semantics (0 unauthorized executions), E3 persistence (100% correct resume post-restart), E4 concurrency (N=64, 0 exceptions), E5 adversarial (A1/A2/A3a blocked at 0%; A3b documents escrow-store integrity as Requirement R10.1). 156 tests passing.

The Four Governance Layers

The series establishes four orthogonal dimensions of agent governance. The irreducibility theorem (P3/4) proves that none can be eliminated without loss of correctness or stability.

Temporal

Decision and state mutation as a single indivisible step. Eliminates the gap between evaluation and execution. P0, P1

State

Enforcement of constraints over system state via stateful risk evaluation and execution tokens. P1

Behavioral

Detection and measurement of drift above the enforcement boundary. Enforcement signals are insufficient — a separate measurement layer is necessary. P2

Population

Allocation of execution access among competing agents under shared resource constraints. Fair allocation and strategy-proofness cannot be simultaneously achieved. P3/4

P5 and P6 address a fifth dimension orthogonal to all four: runtime authority validity under partial observability — the question of whether execution is valid given what the system can actually observe at action time.

All papers are independently available on Zenodo with permanent DOIs. Pre-prints are on arXiv (where available).

Zenodo Collection ACP Governance Model