Security Model & Threat Assumptions
Explicit threat model for Attested Governance Artifacts. What we defend against, what we do not, and the assumptions that underpin our guarantees.
Security Goals
What AGA Proves
AGA provides verifiable execution integrity, tamper-evident enforcement records, and portable audit evidence.
It generates cryptographic proof that a governed subject operated within authorized constraints. Every enforcement decision is signed, chained, and independently verifiable.
Adversary Model
Assumed Attacker Capabilities
The adversary model assumes an attacker with full access to the local database and network but not the cryptographic signing keys or portal runtime.
AGA provides structural integrity guarantees independent of payload confidentiality. The system is designed so that even with full visibility into stored data and network traffic, an adversary cannot forge valid receipts or tamper with the enforcement chain without detection.
Threats Addressed
What AGA Defends Against
| Threat | Mitigation |
|---|---|
| Binary modification | Hash comparison against sealed baseline |
| Configuration drift | Continuous measurement at policy-defined cadence |
| Unauthorized dependency changes | Checksum validation of loaded modules |
| Runtime policy bypass | Portal as mandatory execution boundary |
| Audit log tampering | Hash-linked receipt chain with structural metadata linking |
| Evidence fabrication | Merkle checkpoint anchoring to immutable storage |
| Replay attacks | Timestamped receipts with sequence numbering |
| Privilege escalation | Two-process separation; subject holds no signing keys |
| Supply chain model substitution | Sealed reference hash binds identity at build time |
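The hash-linked, sequence-numbered receipt chain from the table above, as an added Python example that is not AGA's own code: `build_chain` signs each enforcement decision and links it to its predecessor, and `verify_chain` reports the first defect it finds for the tampering and replay cases the table lists. HMAC with a constructed demo key stands in for the issuer's signature, and the receipt fields are assumptions; AGA's actual receipt format and signing scheme are not given on this page.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash carried by the first receipt of a chain

def _digest(obj) -> str:  # canonical SHA-256 over a JSON object (sorted keys, no whitespace)
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def _sign(body: dict, key: bytes) -> str:
    # HMAC stands in for the issuer signature; a real deployment uses an asymmetric scheme
    return hmac.new(key, _digest(body).encode(), "sha256").hexdigest()

def build_chain(events, key: bytes) -> list:
    """events: (timestamp, decision) pairs in enforcement order -> signed, hash-linked receipts."""
    chain, prev = [], GENESIS
    for seq, (ts, decision) in enumerate(events):
        body = {"prev": prev, "seq": seq, "ts": ts, "decision": decision}
        receipt = {**body, "sig": _sign(body, key)}
        chain.append(receipt)
        prev = _digest(receipt)  # the next receipt commits to this whole signed receipt
    return chain

def verify_chain(chain: list, key: bytes):
    """Return None if the chain is intact, else a string naming the first defect found."""
    prev, last_ts = GENESIS, None
    for i, r in enumerate(chain):
        if r["seq"] != i:  # gap, reordering or a replayed receipt
            return f"sequence mismatch at index {i}: expected {i}, got {r['seq']}"
        if r["prev"] != prev:  # link does not commit to the actual predecessor
            return f"broken hash link at index {i}"
        if last_ts is not None and r["ts"] < last_ts:
            return f"timestamp moved backwards at index {i}"
        body = {k: r[k] for k in ("prev", "seq", "ts", "decision")}
        if not hmac.compare_digest(_sign(body, key), r["sig"]):  # edited without the key
            return f"bad signature at index {i}"
        prev, last_ts = _digest(r), r["ts"]
    return None

# Constructed sample events and key, not from any real deployment.
KEY = b"demo-issuer-key"
EVENTS = [(1700000000, {"subject": "agent-7", "action": "read", "allowed": True}),
          (1700000005, {"subject": "agent-7", "action": "write", "allowed": False}),
          (1700000009, {"subject": "agent-7", "action": "exec", "allowed": False})]

def demo() -> dict:  # intact chain vs. two edits an adversary with database access could make
    chain = build_chain(EVENTS, KEY)
    forged = json.loads(json.dumps(chain))
    forged[1]["decision"]["allowed"] = True  # flip a denial to an approval
    return {"intact": verify_chain(chain, KEY), "tampered": verify_chain(forged, KEY),
            "replayed": verify_chain(chain + [chain[2]], KEY)}
```

`verify_chain` cannot tell a complete chain from one whose tail has simply been deleted; detecting that needs an external commitment such as the Merkle checkpoint anchoring the table lists.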
Threats Not Addressed
Explicit Exclusions
- Kernel-level or hypervisor compromise of the portal host
- Hardware microcode or firmware attacks
- Adversarial prompt manipulation at the model level (semantic drift)
- Behavioral anomaly detection in AI model outputs
- Side-channel attacks on the signing key
- Social engineering of the policy issuer
Note: AGA operates at the system governance layer. Model-level defenses are complementary but separate. Listing what we do not address is deliberate transparency, not an admission of limitation.
Trust Assumptions
Foundation of Guarantees
Portal Integrity
The portal must execute within a trusted boundary. If it is compromised, receipt integrity cannot be guaranteed. For the highest assurance, the portal should execute within a trusted execution environment (TEE), though this is not required for standard operation.
Key Custody
The policy issuer's signing key must be protected. If the signing key is compromised, forged artifacts become possible. Key rotation is supported through the continuity chain mechanism.
Verification Guarantees
Assurance Levels
| Level | Steps | Guarantees |
|---|---|---|
| Offline | Steps 1–3 | |
| Online | Step 4 | |
| Full | All steps | |