A Five-Plane Reference Architecture for Runtime Governance of Production AI Agents
Researchers propose a five-plane reference architecture for governing production AI agents in enterprise environments, addressing security gaps where traditional data-boundary controls fail. The system uses composite principals, capability attenuation, and structured audit trails to manage delegated agent actions that could otherwise transform business processes without proper authorization.
Traditional enterprise security frameworks were designed around protecting data at rest and in transit, relying on access controls and perimeter defenses. Production AI agents fundamentally break this model by operating as autonomous delegates that read context, invoke tools, and modify systems on behalf of organizations—pushing risk inside workflows rather than at boundaries. This architectural shift creates a new governance problem: existing policy engines evaluate atomic requests against single principals, but agentic systems require stateful evaluation of composite principals whose authority attenuates through delegation chains.
The proposed reference architecture addresses this gap through five planes: a reasoning plane that adjudicates intent, plus four enforcement planes (network, identity, endpoint, data) that implement decisions. The system introduces stop-anywhere mediation and capability attenuation to prevent unauthorized business-process modifications. The researchers define six interruption primitives that extend beyond simple allow/deny logic and demonstrate foreclosure of seven production-agent threat vectors.
For enterprises deploying AI agents, this framework represents a critical step toward operationalizing AI governance at scale. The measured performance—single-digit microsecond adjudication latency and tamper-evident audit trails—suggests production viability. However, the authors explicitly scope their work to delegated action governance rather than model behavior control, leaving questions about behavioral alignment unresolved. This architecture enables organizations to maintain audit trails and enforce delegation boundaries but doesn't address model hallucination, prompt injection, or training-time risks.
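To make the composite-principal and capability-attenuation ideas concrete, here is an added illustration in Python; it is not the paper's reference implementation, and the names (`Principal`, `Capability`, `AuditLog`, `adjudicate`), the grant shapes and the sample delegation chain are all assumptions. It shows a delegation chain in which each hop can only narrow the capabilities it inherited, a policy check that evaluates a tool call against the attenuated capability set of the whole chain, and a hash-chained audit log whose entries commit to their predecessor so that a later edit is detectable.

```python
"""Added illustration of composite principals, capability attenuation and a
tamper-evident audit trail. Not the paper's code; names and policy shape are assumed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """One permitted action: a tool name plus the resource scopes it may touch."""
    tool: str
    scopes: frozenset[str]

    def attenuate(self, scopes: set[str]) -> "Capability":
        # A delegate may only narrow what it was given, never widen it.
        if not scopes <= self.scopes:
            raise ValueError(f"attenuation would widen {self.tool}:{sorted(self.scopes)}")
        return Capability(self.tool, frozenset(scopes))


@dataclass
class Principal:
    """A composite principal: the chain of identities that authorised this actor."""
    chain: tuple[str, ...]
    caps: dict[str, Capability]

    def delegate(self, child: str, grants: dict[str, set[str]]) -> "Principal":
        caps = {}
        for tool, scopes in grants.items():
            if tool not in self.caps:
                raise ValueError(f"{child} cannot be granted {tool}: parent lacks it")
            caps[tool] = self.caps[tool].attenuate(scopes)
        return Principal(self.chain + (child,), caps)


class AuditLog:
    """Append-only log where every entry commits to the digest of the previous one."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.head = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record: dict) -> str:
        body = {"prev": self.head, **record}
        digest = self._digest(body)
        self.entries.append({**body, "digest": digest})
        self.head = digest
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def adjudicate(p: Principal, tool: str, scope: str, log: AuditLog) -> str:
    """Allow a tool call only if the attenuated chain still holds that capability."""
    cap = p.caps.get(tool)
    decision = "allow" if cap is not None and scope in cap.scopes else "deny"
    log.append({"chain": list(p.chain), "tool": tool, "scope": scope, "decision": decision})
    return decision


def run_scenario() -> tuple[list[str], AuditLog]:
    """Constructed sample: an operator delegates to an orchestrator, which delegates
    a narrower slice to a worker agent; the worker then attempts three tool calls."""
    log = AuditLog()
    user = Principal(("alice",), {
        "crm.read": Capability("crm.read", frozenset({"accounts", "invoices"})),
        "crm.write": Capability("crm.write", frozenset({"accounts"})),
    })
    orchestrator = user.delegate(
        "orchestrator", {"crm.read": {"accounts", "invoices"}, "crm.write": {"accounts"}})
    worker = orchestrator.delegate("worker", {"crm.read": {"invoices"}})
    decisions = [
        adjudicate(worker, "crm.read", "invoices", log),   # allow
        adjudicate(worker, "crm.read", "accounts", log),   # deny: attenuated away
        adjudicate(worker, "crm.write", "accounts", log),  # deny: never granted to worker
    ]
    return decisions, log


def widening_rejected() -> bool:
    """A delegate asking for more than its parent holds must be refused at delegation time."""
    _, log = run_scenario()
    parent = Principal(("orchestrator",), {"crm.write": Capability("crm.write", frozenset({"accounts"}))})
    try:
        parent.delegate("rogue", {"crm.write": {"accounts", "invoices"}})
    except ValueError:
        return True
    return False


def tamper_detected() -> bool:
    """Rewriting a past decision breaks the hash chain, so verification fails."""
    _, log = run_scenario()
    log.entries[0]["decision"] = "deny"
    return not log.verify()


if __name__ == "__main__":
    decisions, log = run_scenario()
    print(decisions, log.verify(), widening_rejected(), tamper_detected())
```

The point of the structure is that authority never originates at the agent: the worker's effective capabilities are the intersection of every grant along the chain, so a denial for `crm.write` records the full chain that failed to authorise it, and the log can be checked for after-the-fact edits without trusting the process that wrote it.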
- Enterprise AI agent security requires rethinking beyond traditional data-boundary models in order to govern sequences of individually permitted actions.
- The five-plane architecture enables microsecond-latency policy adjudication with structured audit evidence and capability attenuation across delegation chains.
- The reference implementation demonstrates that its correctness invariants hold consistently, addressing seven specific production-agent threat categories.
- The framework explicitly scopes itself to governance of delegated actions, not model behavior, leaving behavioral alignment as an orthogonal challenge.
- Live agent benchmark evaluation remains the critical next step to validate real-world effectiveness against dynamic agentic workflows.