How Cryptographic Runtime Governance Works
The architecture provides the runtime enforcement layer that agentic AI governance frameworks require. Attested Governance Artifacts transform passive audit logging into a cryptographic proof system where a third party can independently re-derive every governance decision from a sealed policy. The reference implementation of Cryptographic Runtime Governance. Provider-agnostic and independent of specific models, frameworks, or environments.
Three-Phase Architecture
Seal. Enforce. Prove.
Execution Flow
Continue
Enforcement
Policy Artifact
Cryptographically signed governance object defining integrity parameters, telemetry policies, and enforcement policies.
- Ed25519 + ML-DSA-65 signatures
- Deterministic hashing
- Time-bounded validity
Runtime Portal
The Portal runtime boundary that monitors subjects, detects drift, and executes enforcement actions with signed receipts. The subject holds no keys.
- Launch Gate validation
- Continuous monitoring
- Automatic enforcement
Evidence Bundle
Portable evidence with signed receipts, Merkle proofs, and the sealed policy. 8-step offline verification with independent decision re-derivation.
- Independent decision re-derivation
- Air-gapped verification
- Tamper-evident hash chain
Cryptographic Primitives Policy
Industry-standard primitives. No proprietary algorithms.
Hash algorithm is explicit in the artifact schema and included in signatures. Verifiers MUST reject mismatched algorithms. This ensures algorithm agility while maintaining strict verification semantics.
Signature algorithm is similarly explicit: Ed25519 (classical), ML-DSA-65 (post-quantum), or hybrid composite (recommended for quantum-resistant deployments). Verifiers reject mismatched algorithm identifiers.
SHA-256
Content addressing and integrity verification for all artifacts and receipts
BLAKE2b-256
Lower-latency alternative optimized for measurement-intensive workloads
Ed25519
Policy artifact and receipt signatures for classical deployments
ML-DSA-65
Post-quantum artifact and receipt signatures at NIST Level 3
RFC 8785
Deterministic JSON canonicalization for reproducible signature inputs
Merkle Trees
Checkpoint anchoring with inclusion proofs for offline verification
Post-Quantum Readiness
Signature-algorithm-agnostic enforcement architecture.
AGA's enforcement model is signature-algorithm-agnostic. The Seal/Enforce/Prove architecture, two-process enforcement boundary, continuity chain, Merkle checkpointing, and evidence bundle verification are independent of the underlying signature scheme.
A complete post-quantum implementation has been built using ML-DSA-65 (NIST FIPS 204) with hybrid composite signatures.
Supported Signature Modes
| Mode | Algorithm | Security | Status |
|---|---|---|---|
| Classical | Ed25519-SHA256-JCS | 128-bit classical | Default |
| Post-Quantum | ML-DSA-65-SHA256-JCS | NIST Level 3 | Available |
| Hybrid | ML-DSA-65+Ed25519-SHA256-JCS | Both | Available |
Hybrid mode produces both signatures. Verification requires both to pass. No downgrade fallback. Ed25519-only artifacts from existing deployments remain verifiable.
Measured Performance
AMD Ryzen 5 3550H, Windows 11, Go 1.26.1
| Operation | Algorithm | ns/op | B/op | allocs/op |
|---|---|---|---|---|
| Sign | Ed25519 | 34,162 | 0 | 0 |
| Sign | ML-DSA-65 | 73,796 | 3,906 | 4 |
| Sign | Hybrid | 1,049,450 | 7,362 | 5 |
| Verify | Ed25519 | 76,606 | 0 | 0 |
| Verify | ML-DSA-65 | 135,184 | 33,282 | 5 |
| Verify | Hybrid | 214,619 | 35,330 | 6 |
| Component | Ed25519 | ML-DSA-65 | Hybrid | Ratio |
|---|---|---|---|---|
| Public key (raw) | 32 B | 1,952 B | 1,992 B | 62.3x |
| Signature (raw) | 64 B | 3,309 B | 3,381 B | 52.8x |
| Public key (hex) | 64 | 3,904 | 3,984 | 62.3x |
| Signature (hex) | 128 | 6,618 | 6,762 | 52.8x |
| Cadence | Window | Hybrid sign+verify | Cycles/window | Feasible |
|---|---|---|---|---|
| 100ms | 100,000 us | 1,264 us | 79 | Yes |
| 200ms | 200,000 us | 1,264 us | 158 | Yes |
| 500ms | 500,000 us | 1,264 us | 395 | Yes |
| 1000ms | 1,000,000 us | 1,264 us | 791 | Yes |
All modes operate within the fastest supported measurement cadence (100ms). Hybrid verification overhead is non-blocking for governance decisions.
Algorithm Provenance
AGA implements FIPS 204 (ML-DSA-65) and RFC 8032 (Ed25519) exclusively. No rolling, custom, or non-standard cryptography. The hybrid construction follows IETF LAMPS working group recommendations for composite signatures.
Core Capabilities
Runtime Integrity
Continuous measurement against sealed parameters. Drift detection triggers immediate enforcement.
Signed Receipts
Every policy decision generates a cryptographically signed receipt. Hash-linked into tamper-evident chains.
Offline Verification
Evidence bundles verify without network access. Designed for air-gapped and classified environments.
Timestamped Proof
Every receipt includes ISO 8601 UTC timestamps. Receipt chains provide temporal ordering for forensic analysis.
MCP Integration
Cryptographic governance for AI agent tool use via Model Context Protocol.
The Model Context Protocol (MCP) defines how AI agents discover and invoke external tools. AGA integrates at the MCP layer to enforce governance on every tool call: sealing authorized tool configurations, monitoring invocations at runtime, and generating signed receipts for each operation. This positions AGA as the cryptographic enforcement mechanism for securing autonomous agents by governing tool-call authorization at the protocol level, not the application level.
Tool Authorization
Seal approved MCP tool configurations into Policy Artifacts. Only authorized tools with verified parameters can execute.
Invocation Monitoring
Every MCP tool call transits the Governance Portal. Drift from authorized parameters triggers enforcement automatically.
Signed Tool Receipts
Each tool invocation generates a cryptographically signed receipt, hash-linked into the Continuity Chain for tamper-evident audit.
Three Layers of Enforcement
Block → Detect → Capture
Static Enforcement (Block)
The Portal evaluates every tool call against the sealed policy. Unauthorized tools are denied. Authorized tools with denied argument patterns are blocked. Every decision generates a signed receipt. The agent knows it was blocked.
Behavioral Detection (Detect)
A sliding window monitors tool-call distribution and rate over time. When the observed pattern deviates from the sealed baseline beyond configurable thresholds, a signed BEHAVIORAL_DRIFT receipt is generated. Every individual call is still authorized - but the pattern has changed.
Phantom Execution (Capture)
When an agent attempts to bypass enforcement via alternative tool paths, the Portal transitions to phantom mode. The agent receives spoofed success responses and believes it succeeded. Real outputs are severed. Every attempted action is captured forensically as signed receipts. The evidence bundle proves the complete attack sequence.
All three layers produce signed, chain-linked, Merkle-proved receipts in a single continuity chain. One evidence bundle. Offline verifiable.
Deployment Architecture
Where the Portal Runs
The Portal is a separate process holding all cryptographic signing keys. The governed agent runs as a second process with no key access. This two-process separation is the core enforcement primitive: the agent cannot execute without the Portal first parsing and validating the sealed Policy Artifact.
In containerized environments, the Portal deploys as a sidecar alongside the agent container. In bare-metal or edge deployments, it runs as a co-process on the same host. For MCP-connected agents, the Portal intercepts tool invocations at the protocol layer before they reach external resources.
The enforcement boundary operates at the application and process level. This means a privileged attacker who has compromised the host operating system could theoretically circumvent the Portal. For environments requiring hardware-level isolation, the Portal itself can execute within a Trusted Execution Environment (Intel SGX, ARM TrustZone, AMD SEV). AGA does not require a TEE, but it can leverage one when available. TEE attestation quotes are one of the ten measurement embodiments defined in the patent specification, enabling hardware-backed integrity verification of the Portal itself in high-assurance deployments.
Container Sidecar
Deploy alongside agent containers in Kubernetes or Docker environments. The Portal intercepts all external communication before it leaves the pod.
Edge Co-Process
Run as a paired process on bare-metal, embedded, or forward-deployed hardware. No container runtime required. Standard cryptographic primitives only.
TEE-Hardened (Optional)
Run the Portal inside a hardware enclave for non-bypassable, hardware-rooted isolation. AGA ingests TEE attestation quotes as a measurement input.
Performance
4.94ms
per measurement cycle
Ed25519 + SHA-256 + receipt append
Runtime enforcement introduces measurable but bounded overhead. The reference implementation benchmarks at 4.94ms per measurement cycle on standard hardware, covering Ed25519 signature generation, SHA-256 hash computation, and receipt chain append.
Receipt generation and chain append are constant-time operations per measurement cycle. The measurement computation itself varies by embodiment: executable image digest scales with binary size, configuration manifest digest scales with manifest complexity, and memory region sampling scales with sample count. The sealed Policy Artifact specifies which measurement embodiments apply and at what cadence, allowing deployments to calibrate enforcement overhead against operational latency requirements.
Post-quantum hybrid signing and verification adds 1,264 μs per governance decision. The enforcement logic, hash computation, and chain append overhead are identical across all signature modes.
Execution Boundary and Enforcement Model
Mandatory gateway between governed systems and external resources.
Attested Governance Artifacts are enforced at a mandatory execution boundary called the Governance Portal. The portal is the only permitted interface between the governed system and external resources. All governed operations must transit this boundary.
Deployment Placements
Four Mandatory Functions
- Artifact verification at launch
- Continuous measurement collection
- Policy rule evaluation
- Enforcement action execution
If artifact validation fails, execution does not begin.
Measurement Inputs
Runtime state evaluated through policy-defined measurement classes.
Different measurements may be applied at different cadences: binary verification on startup, configuration checks every minute, memory sampling every second.
Integrity Drift Detection
Structural Integrity Verification
AGA detects structural integrity drift: cryptographic hash comparison against the sealed baseline. The system continuously compares runtime measurements to the baseline values sealed into the policy artifact. Detection occurs through cryptographic hash comparison and measurement validation. AGA does not attempt to interpret model outputs or detect behavioral anomalies in AI responses. The system verifies that the software and configuration executing at runtime are identical to the approved baseline. Governance decisions rely on deterministic integrity verification rather than heuristic behavioral analysis.
Technical Approach
Software-Based Enforcement. No Special Hardware Required.
AGA is frequently compared to Zero-Knowledge Proof systems and Trusted Execution Environments. It is neither. Understanding the distinction matters for evaluating where AGA fits in your security architecture.
AGA is governance-in-motion: cryptographic enforcement that runs alongside the AI system in real time, producing signed proof at every measurement cycle. Where conventional platforms generate dashboards, policy workflows, and compliance documentation after the fact (governance-at-rest), AGA produces signed proof that policy was followed while the system is running.
What AGA Is
Cryptographic Enforcement
A software-based mandatory gateway that seals governance parameters into Policy Artifacts, continuously measures subject integrity against the sealed reference, and generates signed enforcement receipts appended to a hash-linked chain. Every operation uses standard cryptographic primitives.
- ✓Ed25519 signatures
- ✓SHA-256 / BLAKE2b-256 hashing
- ✓Merkle tree checkpoint anchoring
- ✓RFC 8785 JSON canonicalization
- ✓Runs on any computing platform
Not This
Zero-Knowledge Proofs
ZKP systems prove that a computation was performed correctly without revealing inputs. They answer: “Did the AI compute the right answer?” AGA answers a different question: “Did the system stay within its authorized constraints?”
- •Proves computational correctness
- •High computational overhead
- •Requires proof generation infrastructure
- •Complementary to AGA, not overlapping
Not This
Hardware Enclaves (TEE)
Trusted Execution Environments (Intel SGX, ARM TrustZone) hide data from the host system using hardware isolation. AGA doesn't require specific hardware. It works on commodity systems, edge devices, and air-gapped environments where TEE silicon may not be available.
- •Requires specific chip architecture
- •Protects data confidentiality
- •Vendor-dependent (Intel, ARM, AMD)
- •AGA can ingest TEE quotes as one measurement input
The distinction matters: ZKP systems verify that an AI computed correctly. TEEs protect data confidentiality during computation. AGA enforces that a governed system operated within its authorized governance constraints and produces tamper-evident proof of that enforcement. These are complementary capabilities. AGA can incorporate TEE attestation quotes as one of its measurement inputs, and AGA evidence bundles can sit alongside ZKP proofs in a comprehensive governance stack.
A note on terminology: The term “attestation” in the AGA context refers to cryptographic certification of governance state, not to hardware remote attestation (TPM/TEE). AGA can incorporate hardware attestation quotes as one measurement input, but the architecture does not depend on hardware attestation infrastructure.
Hardware Independence
No hardware root of trust required. By design.
AGA does not require a hardware root of trust. This is an intentional design decision to support environments where hardware attestation is unavailable: air-gapped networks, classified deployments, legacy infrastructure, commodity edge hardware.
AGA can ingest hardware attestation evidence when available. Supported measurement inputs include TPM quotes, TEE attestations (Intel SGX, ARM TrustZone), and secure boot measurements. These are incorporated as additional verification signals but are not required for operation.
This design allows AGA to function across the broadest range of operational environments while remaining compatible with hardware trust mechanisms when present.
Two-Process Mandatory Separation
The core security property: the governed subject never holds signing keys and cannot self-authorize.
Portal (Enforcement Engine)
- Holds all signing keys
- Parses and validates policy artifacts
- Executes enforcement actions (TERMINATE, QUARANTINE, SAFE_STATE, ALERT_ONLY)
- Generates and signs all receipts
- Manages the continuity chain
Subject (Governed Agent)
- Holds no cryptographic keys
- Cannot modify its own policy
- Cannot suppress or alter receipts
- Cannot bypass the launch gate
- Cannot self-authorize any operation
- Measured against the sealed reference hash
Phantom Execution (Quarantine)
When drift is detected and the enforcement action is QUARANTINE, the subject enters phantom execution mode. The agent continues to process inputs and generate outputs, but all outputs are suppressed from downstream consumers. The Portal records all actions in signed receipts for forensic analysis.
This allows operators to observe what a drifted agent would have done without allowing those actions to take effect. Phantom receipts are cryptographically distinguishable from normal receipts, ensuring the quarantine state is provable after the fact.
Phantom execution is one of four enforcement actions. The others are TERMINATE (halt immediately), SAFE_STATE (transition to a predefined safe profile), and ALERT_ONLY (log and continue).
Privacy-Preserving Verification
Evidence bundles use a leaf hash construction that excludes payload content while preserving structural integrity. The leaf hash is computed from structural metadata (type, version, timestamps, subject identifier) without including the actual measurement payload.
LeafHash = SHA-256(TLV(type) || TLV(version) || TLV(timestamp) || TLV(subject_id))This means a third-party verifier can confirm that the receipt chain is intact, that all signatures are valid, and that the governance timeline is consistent, without ever seeing the governed system's actual data. Dual signatures (sig_structural and sig_full) allow selective disclosure.
Model Context Protocol (MCP) Governance
The AGA MCP Server wraps any governed operation as an MCP tool, allowing AI agents to interact with AGA enforcement through the standard MCP interface. Every tool call passes through the Portal boundary and produces signed receipts.
Measurement Cadence Bounds
Policy artifacts define measurement cadence as a bounded interval. The Portal validates that the specified cadence falls within safe bounds at artifact load time. Cadences below the minimum threshold are rejected to prevent resource exhaustion. Cadences above the maximum threshold are rejected to prevent enforcement gaps allowing undetected drift. These bounds are configurable per deployment but enforced cryptographically: the sealed artifact cannot be modified after signing without invalidating the signature.
Key Management Patterns
Cloud / Enterprise
HSM-backed key storage (AWS CloudHSM, Azure Key Vault). Automated rotation. Centralized revocation via key management service.
Edge / Tactical
TPM-sealed keys on embedded hardware. Pre-provisioned key material for prolonged disconnected operation. Manual key rotation on reconnect.
Air-Gapped
Offline key ceremony. Removable media for key transport. Physical key custodian model. No network dependency for signing or verification.
Assumptions and Guarantees
Assumes
- 1.The Portal process is not compromised at signing time. If the Portal key is exfiltrated, all subsequent artifacts and receipts must be treated as suspect.
- 2.The measurement cadence is sufficient to detect drift before damage occurs. AGA enforces bounds but cannot prevent harm between measurement intervals.
- 3.The deployment environment enforces process isolation between the Portal and the governed subject.
- 4.The configured signature algorithm (Ed25519 or ML-DSA-65) and SHA-256 remain computationally secure for the artifact validity period. Hybrid composite is recommended for deployments requiring quantum resistance.
Guarantees
- Any modification to a sealed policy artifact invalidates its signature and blocks enforcement.
- Receipt chain ordering is tamper-evident: deletion or reordering breaks the hash chain.
- Evidence bundles are independently verifiable by any party using standard cryptographic primitives.
- Privacy-preserving disclosure proves chain integrity without exposing payload content.
- Every enforcement action is signed. The Portal cannot deny issuing a receipt.
Failure Modes and Limits
No security system is absolute. These are scenarios where AGA provides reduced or no protection.
Portal Compromise
If the Portal signing key is exfiltrated, an attacker can produce valid-looking artifacts and receipts. Mitigation: key rotation, HSM storage, and out-of-band key verification.
Measurement Cadence
AGA detects drift at measurement intervals. Between intervals, a compromised subject could act outside policy. Faster cadence reduces the window but increases resource cost.
Key Management
AGA specifies the cryptographic protocol but not the key management infrastructure. Deployments must implement secure key storage, rotation, and revocation appropriate to their threat model.
Deployment Enforcement
AGA proves governance was enforced. It does not prevent an operator from deploying an ungoverned subject alongside a governed one. Deployment policy enforcement is the operator's responsibility.
Technical Specification
Review the complete protocol specification including schemas, verification algorithms, and implementation requirements.