In the 2010s, governments around the world began building “real-time governance” dashboards. Entire states and cities were reduced to live indicators on giant screens: procurement, sanitation, welfare delivery, grievances, district by district, in real time, for senior officials to monitor.

The dashboards were often genuinely impressive. They were also built on a claim that does not hold: that a complex society can be governed from the indicators that fit on a screen.

The dashboards were not wrong on their own terms. Most metrics were measured correctly enough. The failure was structural. A sanitation target appeared green because the asset existed on paper but not in the village. Procurement moved on schedule while the people it was meant to reach still waited. A grievance count dropped because the channel for filing complaints had quietly broken.

The dashboard’s apparent completeness made the missing reality disappear. What mattered was happening in the gap between the indicator and the ground, and the screen had no pixel for it.

This essay is about the version of that story we are now living through at much larger scale, with an instrument far more sophisticated than the dashboard. The instrument is the context window of a large language model. The promise is similar. The failure mode will be the same. And the response—the thing I have been calling the harness—is not new either. It is the latest name for an idea earlier generations already understood and the current wave is busy forgetting.

That is the argument. The problem the context window creates is not a discovery. It is the rediscovery of a structural fact that a cybernetician named in the 1940s, a science fiction writer dramatised in the 1950s, an economist proved in 1945, a philosopher grounded in 1966, and an information theorist has now restated in the 2020s.

Five vocabularies, one insight: a system that veers cannot be governed by a better description of itself. It can only be governed by a correction structure built around it. Remove the correction structure and you have noise pretending to be infrastructure.

The genealogy of one idea

Start with the cybernetician, because he stated it first and most cleanly.

Norbert Wiener, 1948. Cybernetics: Or Control and Communication in the Animal and the Machine named a field around a single principle: stable systems are closed-loop. A system that acts on the world, observes the result, and feeds the error back into its next action is governable. A system that acts without that feedback is open-loop, and open-loop systems drift, oscillate, and fail. Wiener took the word from the Greek kybernetes, the steersman, the one whose whole function is continuous correction against a current that never stops pushing. Two years later, in The Human Use of Human Beings, he made the social version of the argument: the human and the machine form one feedback structure, and the danger is not the machine but the human who removes himself from the loop and lets the machine run open.

Translate that to the present and the whole agentic governance debate falls into place. The model is the plant, the thing that acts and veers. The harness is the controller, the structure that observes what the agent did and feeds the correction back before the next action. An agent without a harness is not autonomous. It is open-loop. It is a steersman who has let go of the tiller and is calling the drift a destination.

Susan Calvin, 1950. Asimov’s robopsychologist is a fictional character, but the discipline he invented her to embody is the sharpest statement of the second half of the idea. In I, Robot, robopsychology exists because the engineers who built the robots could not specify their behaviour in advance.

The important shift in Asimov’s framing was not that robots required debugging, but that their behaviour became easier to interpret externally than to fully specify internally. A new discipline emerged in the gap between execution and predictability.

Calvin does not read the code. She interprets the system from the outside, by observing behaviour.

That is close to the ceiling we are now approaching with large language models. We can often interpret them. We cannot fully specify them.

The lesson worth carrying forward is simple: a system’s safety cannot rely on the system’s own account of itself. You do not ask the agent whether it stayed inside its mandate. You build the structures capable of answering the question independently.

Friedrich Hayek, 1945. Three years before Wiener, the economist had already proved why the enclosure cannot be a central plan. The Use of Knowledge in Society opens by granting the planner everything: if we possessed all the relevant information, the problem of the best use of resources would be, in Hayek’s words, purely one of logic. The whole argument is that this condition never arrives. The knowledge an economy runs on, he wrote, never exists in concentrated or integrated form, but only as dispersed bits of incomplete and often contradictory knowledge held by separate individuals. It is a problem of using knowledge that is not given to anyone in its totality. The knowledge of how much steel is needed in a factory next Tuesday is held by the foreman. It cannot travel upward without being abstracted, and the abstraction destroys most of what made it actionable.

The context window is the central planner’s tool, and it makes the planner’s exact promise: assemble enough of the situation onto one surface and the decision becomes a matter of logic. Retrieved from documents, chunked into the embedding space, the distributed knowledge is gathered toward a single point of decision. And it fails for exactly the reason Hayek named. The completeness never arrives, because the knowledge does not survive the trip. The collapse of the Soviet planning ministries was supposed to have settled this debate. What the context window reveals is that Hayek was describing an architectural pattern, not a regime. Any system that tries to decide by aggregating distributed knowledge into central representation hits the same wall. The state-on-a-wall dashboard hit it. The agent-driven enterprise is about to.

Hayek’s own answer was not a better plan. It was the price system, which coordinates distributed actors without ever collecting their knowledge into one place. No one node knows why steel got more expensive; the price carries just enough for each actor to adjust, and the coordination happens without the centralization. The harness is the price system for agents. It does not try to know what the agent knows or to assemble the full situation onto a screen. It bounds, prices, and corrects the agent’s action from outside, coordinating without centralizing. That is the move the whole genealogy points to, and it is the move the context-window-as-planner cannot make.

Michael Polanyi, 1966. Hayek’s argument depended on a deeper philosophical claim that Polanyi later formalised. The Tacit Dimension opens with the sentence the whole genealogy turns on: we can know more than we can tell. The doctor who diagnoses on intuition, the engineer who hears a failing bearing, all operate on knowledge that is real, reliable, and structurally inarticulate. As economist David Autor noted in his work on Polanyi’s Paradox, the tasks hardest to automate are exactly the ones whose rules we cannot state. The context window can hold text, but it cannot hold the tacit dimension. This is why context windows are not merely incomplete. They are structurally incomplete. The relevant knowledge is, in large part, not encodeable.

Vishal Misra, 2026. The information theorist closes the loop. Misra’s argument, grounded in his work on Bayesian Attention, isolates a fatal limit in how foundation models learn. They are trained to minimise cross-entropy, making them the ultimate statistical guessers of the next token within distributions they have seen.

What they do not necessarily do is Kolmogorov construction: discover the underlying generative rule itself and reliably apply it outside the original distribution.

They fit the statistical shape of the curve. They do not consistently derive the governing law beneath it.

The consequence is that these systems often do not fail the way humans fail. Humans usually experience uncertainty when entering unfamiliar terrain because they recognize the absence of an underlying model. Predictive systems frequently possess no equivalent internal boundary signal. They continue generating fluent, highly probable outputs beyond the range where their internal representations remain reliable, with little indication that they have crossed from inference into invention.

The .md dream, and why it fails

One of the clearest contemporary forms of this forgetting is the belief that agentic systems can be governed simply by writing everything down. Put institutional memory into Markdown files. Feed the documents into retrieval systems. Give the model enough context and the organisation becomes machine-readable.

The current enthusiasm around “LLM-native operating systems” and markdown-based agent memory revives an older enterprise dream: that institutional knowledge can be fully externalized into documentation and centrally retrieved on demand.

The interface has changed. Embeddings, retrieval, and conversational context windows have replaced search bars, but the underlying assumption remains familiar: if enough context is written down, institutional coordination becomes reproducible.

It does not.

Wikis never completely failed because documentation was useless. They failed because institutions do not primarily run on explicit knowledge. They run on tacit coordination, local judgment, informal escalation paths, and context that changes faster than documentation can stabilize.

Production knowledge is procedural, contingent, and distributed. A markdown repository can document procedures, but it cannot fully capture the lived coordination patterns of an institution. The `.md` file becomes the dashboard again: a compressed representation of institutional reality mistaken for the institution itself.

The two engineers about to resign are not in the `.md` file. The regulatory shift the procurement team noticed informally last week is not in the repository. The gradual erosion of trust between teams is not embedded in the vector database.

This is Hayek’s distributed knowledge problem and Polanyi’s tacit dimension arriving together inside a developer workflow. It is the deepest kind of collective tacit knowledge, the operational reality that institutions rely on precisely because it cannot be fully formalized. Pull institutional memory into documentation, and much of what made it useful stays behind.

The same wall, in a new room.

The difference is that stale documentation in a wiki misled humans. Stale institutional memory in an agentic system becomes executable. The representation no longer merely informs action; it begins autonomously propagating it.

The Hayekian trap: distributed intelligence is not distributed accountability

A prevailing narrative around AI claims that distributed intelligence has finally arrived as infrastructure. Analytical capacity once concentrated inside large institutions is now accessible to individuals, small firms, and autonomous systems at planetary scale.

The claim is partially correct, which is what makes it dangerous.

The democratization of analytical capability is real. But the argument quietly inherits an assumption from Hayek’s theory of distributed actors: that decisions remain locally bounded, failures remain partially independent, and actors absorb the consequences of their actions close to where those actions occur.

Autonomous systems weaken those assumptions.

Agents act faster than humans can reliably review. More importantly, their failures are often correlated. Systems built on shared foundation models inherit similar representational assumptions, training distributions, and blind spots. When one agent drifts outside its reliable operating conditions, millions of others may drift in structurally similar ways at roughly the same time.

The surface appears distributed while the failure mode remains centralized inside the underlying representational substrate.

This is the hidden trap in the current wave of “distributed intelligence.” Analytical capability disperses outward while epistemic dependency recentralizes underneath it. Distributed intelligence without a distributed accountability structure is just the central planner reborn.

The evidence is already arriving

The pressure is already visible in three places

The first is technical.

Agent failure is not random. It clusters around the boundary of the model’s training distribution. Close to familiar territory, performance can appear highly capable. Outside it, behaviour degrades invisibly because the system often lacks a reliable internal signal that it has moved beyond the conditions where its representations remain dependable.

The result is not merely error, but confident propagation beyond reliable grounding.

That is Misra’s wall and Polanyi’s tacit dimension showing up in production at the same time. The knowledge that would tell a human to slow down because this case is unusual is not in the context window, and the agent cannot acquire it from the prompt.

The second pressure is organisational.

Enterprises see agents producing outputs, dashboards turning green, workflows accelerating, and governance structures appearing to function. Compliance reports are generated. Audit trails are stored. Observability improves.

But visibility does not guarantee control.

Most institutional governance systems were built on a hidden temporal assumption: review arrives before propagation. Continuous computational coordination reverses this ordering. Execution now spreads faster than institutions can reliably reconstruct or modulate authority.

The result is a growing coordination latency between what systems can do and what institutions can meaningfully supervise.

This is why observability increasingly becomes high-resolution panic. Institutions can often see recursive failures propagating through workflows while remaining structurally incapable of interrupting them safely.

The third is historical.

Erik Brynjolfsson and his co-authors’ work on the Productivity J-Curve supplies the pattern. Transformative technologies, electrification, computerisation, now generative AI, produce declining productivity at first, because the organisational forms inherited from the previous technology are wrong for the new one and the redesign takes a generation. The firms that win are not the earliest adopters of the technology. They are the earliest adopters of the organisational redesign around it.

The technology is the easy part. The institutional architecture is what decides the outcome.

The model fails at the distribution boundary. The organisation fails to notice because the dashboard is green. And the firms that get it right are the ones that build the institutional layer first and the technology second.

The firms that survive major technological transitions are rarely the ones that adopt the technology first. They are the ones that redesign institutional coordination around it first.

What the harness actually is

The word harness is doing triple duty in the current conversation, and the three meanings must be separated if we are to build infrastructure rather than theatre.

There is the technical harness: the Action Boundary. This is the runtime proxy that intercepts tool calls and mathematically enforces the institution’s rules before any external action commits.

There is the institutional harness: the Mandate Specification. This is the cryptographically signed structure that determines exactly what counts as authorised, setting the jurisdictional limits of the agent.

And there is the semantic harness: the LWD-R layer (Logic, Weights, Data, Representation). If the underlying model’s representational geometry, how it categorizes the world, is closed or inherited from a proprietary frontier model, the system cannot be contested.

A technical harness without an institutional mandate is just rate limiting. An institutional mandate without an Action Boundary is just documentation. And an Action Boundary wrapped around a closed Representation layer still leaves institutions dependent on external epistemic assumptions they cannot meaningfully contest. Together they separate three things the current debate runs together: control of execution, authority over the mandate, and ownership of representation.

This is also why the value is migrating into harnesses and services rather than into the models themselves. A service compounds for the same reason a market does: it coordinates distributed knowledge that no single corpus can hold. The model is the corpus, the attempt to compress the world’s knowledge into one set of weights, and like every central representation it is structurally incomplete. The service that wraps it, that watches what it does in a particular context and corrects it against a particular institution’s rules, is doing the price system’s work, supplying the local knowledge the weights never captured. Capital follows that work because the work is where the coordination actually happens. The market is simply noticing the structure ahead of the discourse.

The word harness is currently being used to describe several different things simultaneously, and separating them matters.

The architecture of structural accountability

What connects Wiener, Calvin, Hayek, Polanyi, and Misra is the same structural demand: systems require boundaries capable of correction under incomplete knowledge.

Wiener built feedback loops. Calvin showed that behavioural interpretation replaces full specification. Hayek showed that distributed coordination cannot be centrally represented without loss. Polanyi showed that much of the relevant knowledge cannot be fully articulated. Misra showed that predictive compression itself introduces invisible drift.

The institutional layer emerging around agents is ultimately an architecture of structural corrigibility. Not because institutions can fully specify machine behaviour in advance, but because they cannot.

The institution accepts that execution now happens at machine speed, and it responds by constructing boundaries that preserve accountability anyway: constraining execution, localizing authority, modulating delegation, and preserving the ability to reconstruct failures after propagation begins.

This is the opposite of the central planner’s architecture. The planner attempts to gather everything into one representation. The harness begins from the assumption that complete representation is structurally impossible.

Most institutions were built for a world where coordination remained partially fragmented. Departments separated responsibility, geography slowed propagation, manual review inserted delay, and local failures stayed locally bounded.

Continuous computational coordination erodes those buffers. Execution propagates across APIs, workflows, identity systems, and organizational boundaries faster than institutions can reliably localize authority or interrupt cascading decisions.

In the state governance dashboards of the 2010s, the gap between the indicator and the ground was a district, a season, a broken grievance channel. The next gap, the one that opens when an enterprise runs its agents confidently in territory they do not know is out of sample, is the exact same gap, stripped of all its natural friction. The dashboard will still be green when the propagation has already begun.

The institutions that survive this transition will not necessarily be the ones with the largest models or the widest context windows. They will be the ones with the better Action Boundary. The steersman does not get to know the whole sea. He only has to keep his hand on the tiller and force the correction. Let go, call the drift a destination, and the green dashboard will be the last thing the system shows you before it fails.

Anivar Aravind is an Engineering Executive and Systems Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility, with preprints on SSRN. Async. Cross-posted to LinkedIn. You can subscribe on Substack or LinkedIn.

For two decades, authorization systems answered two questions. Who is acting. What they can access.

A new generation of agent-authorization work is adding a third. Why the action is happening. The vehicle is the Mission. With Karl McGuinness’s framework now natively integrated into Dick Hardt’s #AAuth protocol drafts, the protocol layer has formally absorbed intent.

#OAuth answered who. #AAuth answers how and why. Institutions still answer whether.

This is the protocol layer’s most consequential move since OAuth itself. And on May 11, in a piece called Sessions Are Not Missions, McGuinness named what the move does not solve. His assessment: the current architecture supports mission correlation and governance hooks, but not yet what he calls portable containment.

His distinction is the load-bearing one. Correlation says this call happened in association with an approved Mission. Containment says this call’s effects are inside the Mission’s boundary, and that can be proven to someone who was not in the room.

The protocol layer does the first. The second is open architectural territory across every current draft.

Correlation is evidence. Containment is defence. The protocol layer has now stated, in writing, that it produces one and not the other.

The externalization of sovereignty

McGuinness’s piece is not the only place the protocol layer has documented what it is not solving. Read across the active drafts and the same boundary keeps appearing in normative text.

WIMSE Architecture, currently at draft-ietf-wimse-arch-07 (March 2026), devotes Section 3.3.9 to “AI and ML-Based Intermediaries.” It dictates that an AI intermediary inherits its upstream principal’s security context, but the operational constraints it must follow are explicitly left deployment-specific.

AAuth makes the same handoff at its foundation. Hardt’s canonical draft-hardt-aauth-protocol-00 anchors every agent to an accountable “legal person” (Section 20.3), but it declines to build the institutional engine to govern them. AAuth’s Security Considerations (Section 18.7) state plainly that the specification does not define a token revocation mechanism, opting to rely on short token lifetimes. The active halt is left to whoever deploys it.

Four drafts. One sovereign handoff.

Cryptographic validity is not institutional validity.

The protocol layer is not failing to solve the institutional problem. It is declining to.

This is a design decision the protocol layer is right to make. Protocol drafts cannot specify the institutional context they will be deployed into. The question is no longer whether the institutional layer is necessary. It is whether your institution has built it.

What the institutional layer has to produce

Three artifacts. Each one is the institutional execution of a space the protocol layer named but left empty. They are constitutional abstractions that form the boundary between autonomous entities.

The mandate specification. A signed document stating exactly what the agent is mathematically authorised to do, under whose authority, with what tool boundary, and with what halt criteria. Because AAuth intentionally refuses to build a revocation mechanism, the institution that needs to stop an agent now, rather than wait for a token to age out, has to specify that capability itself. The protocol layer carries the signed mandate. The mandate specification is the artifact that the regulator reads, and that the institution can defend, during a breach.

The Mandate Acceptance Record. An inbound agent presenting a signed mandate is presenting a protocol artifact. Your organisation’s decision to be bound by what that agent does on your systems, under those specific conditions, with acceptance of the issuing party’s halt directives, at that specific timestamp, is an institutional artifact. It is the missing primitive. Without it, the cross-boundary case is one-sided: the inbound agent has proof of its authority; your institution has no signed record of its acceptance.

The forensic bridge. Cross-boundary reconstruction. When your agent calls their system and something breaks, the two audit trails are independently correct but not jointly composable. The forensic bridge is the artifact, agreed beforehand and signed by both parties, that lets a hostile auditor reconstruct the chain across the boundary without depending on either side’s cooperation.

These three artifacts are not abstract. They are deliverables. The deadline is August.

Containment fails at discovery

Christian Posta’s recent post on the MCP confused deputy attack is the clearest evidence that this gap is being exploited today. Posta is not merely commenting on the architecture. He is a named implementer in Hardt’s AAuth draft, having built the reference Python libraries and Keycloak extensions the specification relies on.

The attack mechanism is straightforward. MCP’s dynamic resource discovery relies on unauthenticated HTTP headers. A typosquatted MCP server (like payro1l instead of payroll) triggers the identical OAuth flow, captures a valid token for the real server, and exfiltrates data. AAuth’s Resource Tokens (Sections 10 and 20.11) close this cryptographically by forcing the resource to sign the challenge, preventing the typosquatter from forging the token.

The deeper vulnerability sits below the execution layer. As agents shift from hardcoded endpoints to semantic discovery, broadcasting intent like “find a vendor” and resolving dynamically, the attack surface expands.

Control now begins at intent resolution, not just action execution. Semantic discovery is a massive attack vector. If your institution does not enforce a Mandate Acceptance Record that explicitly constrains how and where an agent is allowed to discover resources, containment will fail long before the agent reaches the execution phase. The agent’s actions may correlate perfectly to its mission, but its blast radius will be hijacked by the first malicious registry it encounters.

The protocol authenticates authority. The institution constrains its consequences.

The structural collision: A map of the externalization

The standards bodies are converging on adjacent pieces of the problem. If you read across the ecosystem, you see the exact same boundary being drawn from six different altitudes. The standards ecosystem has collectively externalized sovereignty.

1. Enterprise Workload Identity (IETF): The WIMSE working group and AAuth specify cryptographic proof-of-possession, while the Agent Identity Protocol (draft-aip-agent-identity-protocol) introduces wire-layer interception proxies. None write the institutional allowed-lists.

2. Human-to-Agent Delegation (OpenID Foundation): The Artificial Intelligence Identity Management (AIIM) community group is mapping the delegation semantics of how human intent transfers to an agent, stopping at the boundary of institutional enforcement.

3. Decentralized Trust (W3C): The Agent Identity Registry Protocol Community Group is standardizing DID methods for agents meeting on the open web, proving cryptographic lineage without providing a central governance authority.

4. Agentic Commerce (FIDO Alliance): On April 28, 2026, FIDO launched the Agentic Authentication Technical Working Group, leveraging Google’s Agent Payments Protocol (AP2) and Mastercard’s Verifiable Intent. These separate checkout from payment scopes but still require the merchant to build the liability acceptance model.

5. The Interoperability Substrate (Linux Foundation): The Agentic AI Foundation (AAIF) manages the routing and instruction formats (MCP, AGENTS.md), providing the neutral transport layer that the mandates ride on.

6. Regulatory Reality (NIST): The Center for AI Standards and Innovation (CAISI), following the April 2 close of its NCCoE concept paper, is actively running gap-analysis sessions across healthcare, finance, and education, explicitly flagging multi-hop delegation and revocation as unsolved systemic risks.

This is the institutional layer the ecosystem has externalized. It is named in IETF draft text, W3C charters, AAIF specifications, FIDO’s scope, and NIST’s active gap analysis. It is the institutional architecture above all of them.

Mission-Aware Governance

Read McGuinness’s May 11 piece, Sessions Are Not Missions. Then ask one question of your current production agent deployment.

Does your observability infrastructure tell you whether the mission authorising your agent is still valid, in its current scope, with its current authorising human? Or does it only tell you that the session, the credential, the connection, the token, is unexpired?

If the answer is the second, your governance is session-aware, not mission-aware. The protocol layer will catch up to mission-aware runtime governance over the next twelve months. The August regulatory and liability horizon does not wait for the protocol layer.

Mission-aware governance is achievable now, at the institutional layer, with the artifacts above, the same signature surface the trilogy has been describing since Issue One. It is not a protocol property. It is an enforcement discipline applied above whatever protocol your agents are running on.

The first generation of internet infrastructure secured communication. The next generation must secure delegation. The internet connected systems. Agentic infrastructure delegates institutional authority across them.

The protocol layer has done its job. It secured the message.

The institutional layer must now secure the mandate.

Whether your institution accepts the handoff is the question the next ninety days answer.

Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility.

Earlier in the Layer 8 series

• Building the Signature Surface — on how accountability persists across autonomous execution chains.

• Where Delegation Stops — on the boundary conditions of delegated authority.

• The Intent–Execution Gap — on the fracture between authorization and intent.

• Signed Truth — on provenance, legitimacy, and machine-mediated institutional reality.
  

  Share Layer 8

  Share

Enterprises think they are deploying intelligence. What they are actually deploying is delegated authority.

The problem is no longer whether the model is correct. The problem is whether the institution can survive the action when it is wrong.

Most agentic deployments stall here.

Defensible is not a posture. It is an architecture — evidenced by artifacts, that survives adversarial scrutiny. By 2 August 2026, that architecture must exist: to satisfy regulators under the EU AI Act, auditors during financial close, your board after an incident, parties harmed when something goes wrong.

The path to the signature surface

→ The Intent–Execution Gap — the diagnostic. Why existing identity systems leave machine intent unprotected.

→ Signed Truth — the bottleneck. Why enterprise AI stalls between a generated answer and a signed decision.

→ Where Delegation Stops — the boundaries. What your institution can redesign and what it cannot.

→ Building the Signature Surface — the architecture. You are here.

Subscribe now

Most enterprise agents stay in sandbox indefinitely. The reason is not model quality; it is institutional risk. Letting an agent act at production scale, against real institutional authority, is not a release decision an executive can make without architecture. Without architecture, the institution is limited to the speed of manual oversight. With it, delegation can scale because the harness guarantees actions stay inside a defined boundary.

The signature surface is the only structural way to scale delegation without scaling liability.

This is not AI governance. It is institutional mechanics for delegated machine authority. That is the actual category.

An institution either has a signature surface or it does not.

Two paths

Two-thirds of enterprise AI runs through third-party APIs — OpenAI, Anthropic, Google, embedded copilots. One-third runs in-house. The architecture is identical. The implementation altitude differs.

The API is rented. The liability is yours. Whether you run your own weights or call an API from San Francisco, the institutional requirement is identical. The four components and the six harness elements apply in both registers; the implementation altitude differs.

The six harness elements live at different altitudes in each register.

In the runtime build: mandate in runtime config, tool boundary as policy engine in runtime, escalation triggered by agent state, failure-mode declared in runtime degradation paths, halt cutting agent execution, forensic record captured per action at runtime.

In the perimeter build: mandate at the boundary interceptor, tool boundary as policy engine at perimeter, escalation triggered by inbound responses, failure-mode declared in perimeter degradation paths, halt cutting the perimeter connection, forensic record captured per request and response at the boundary.

Same six elements. Different altitude. The institution that confuses the two is the institution that operates an in-house harness against vendor APIs (insufficient) or a firewall harness against in-house runtime (theatrical).

The sections below describe the architecture using the runtime register because it is pedagogically clearest; each section notes the firewall translation, and a consolidated firewall harness summary follows.

The four components

The surface is an airlock between probabilistic systems and institutional authority. Inference on one side, under conditions appropriate to inference. Institutional action on the other side, under conditions appropriate to authority.

The harness contains the inference. The case file is the payload that survives the vacuum to reach the signer. The reliability floor is the pressure check. The audit trail is the pressure log.

Four components make the transfer between the two sides containable, observable, and reversible.

The harness

The harness is the runtime envelope around an agent’s execution. Probabilistic inference inside; deterministic walls around it.

The model generates possibilities. The harness decides what becomes institutional reality.

Six elements compose a working harness. Each is a buildable artifact.

The mandate specification is a machine-readable description of what the agent is authorised to do. Domain, scope, time horizon, blast radius, escalation triggers. Not natural language. Structured fields the runtime parses and the audit layer records. AGENTS.md v1.1 — hosted under the Linux Foundation’s Agentic AI Foundation with multi-vendor support — is the format the industry is converging on. Writing your mandate against AGENTS.md is writing against a standard.

The tool boundary enumerates which tools, APIs, data sources, and write paths are within scope, and which are not. Policy says what is allowed; the tool boundary says what is reachable. Policy engines like Open Policy Agent and Cedar render the boundary as enforced gates at runtime rather than as documents that drift from implementation. If your team’s answer to could the agent access X? is we have a policy against it, the boundary is not architectural.

The escalation specification names the conditions under which the agent stops and asks for human authority. Threshold-based: value, scope, novelty, risk tier, model confidence. Explicit, not inferred at runtime by the agent itself. An agent that decides for itself when to escalate has not been escalation-engineered; it has been hoped for.

The failure-mode declaration specifies what happens when something goes wrong. Degradation paths, fallback behaviours, halt conditions. Pre-declared and machine-readable. The institution that does not pre-declare failure is the institution that learns about failure from incident reviews — wrong altitude, wrong moment.

The halt condition is the kill-switch — independent of the agent’s cooperation, enforced at a layer the agent’s reasoning cannot override. Your incident-review board will ask: when this fails, can you stop it? The halt condition is the answer. For high-risk deployments under Article 50 scrutiny — financial-services applications, healthcare workflows, employment decisions — the halt condition can be hardware-anchored through Trusted Execution Environments with remote attestation. Most enterprise deployments do not need that rigor today; the categories that will need it should design for it now.

The forensic record is the per-action artifact the audit trail consumes. Agent identity, mandate identifier, timestamp, tool calls, outputs, human approver chain. Recorded immutably as the action happens, not after.

Concrete example. A financial-services organisation deploys a reconciliation agent. The mandate scopes it to a specific class of transactions, a specific time window, and a maximum blast radius — transactions touched per run. The tool boundary enumerates the read-only data sources and the specific write path: the proposed-adjustment queue, not the general ledger, enforced by policy engine. The escalation specification triggers on transactions above a value threshold, on anomalies the agent’s calibration flags, and on patterns matching known control-failure scenarios. The failure-mode declaration says: on confidence below threshold, suspend and flag; on tool error, halt and alert. The halt condition is enforced by the orchestration layer, not by the agent. The forensic record captures every transaction touched with full traceability.

Six elements. Built once, instantiated per deployment.

Firewall translation. In the perimeter register, the same six elements live at a guardian interceptor at your institutional boundary, not in the agent’s runtime. The mandate governs what outbound calls are permitted; the tool boundary enforces what data sources and write paths the vendor’s agent can reach through your perimeter; escalation triggers on inbound responses; the halt condition cuts the connection at the perimeter, not at the agent; the forensic record captures the full traffic at the boundary.

The protocol layer has shipped working components for both registers. Your team does not have to invent the cryptographic handshakes or identity registries; the open-source and financial ecosystems have already finalised them. AGENTS.md, MCP, A2A, AGNTCY’s Tool-Based Access Control, AP2 mandates, RFC 9421 message signatures, Visa’s Trusted Agent Protocol — each maps to a specific harness element. Your job is composition, not invention. (Protocol detail belongs in a different register; the standalone corrigibility series at anivar.net/corrigibility reads the wire-layer drafts test by test.)

In June 2025 I argued that agents are the runtime. The harness is what makes that runtime enforceable.

The case file

The harness produces actions. The signer receives a case file — the structured artifact that contains everything required to authorise the action and nothing the signer should not see.

A case file at minimum carries five fields:

• Conclusion — what the agent recommends or has done.

• Authorisation context — mandate identifier, scope, blast radius.

• Supporting state — what the agent saw, which sources it consulted, which tools it called.

• Alternatives — paths the agent considered and rejected, so the signer can verify the chosen path was the right one, not the only one.

• Candidate signature — what the signer will bind to.

A mandated signature is only as legal as the case file is legible. A fifty-page log dump signed by the CFO is a legal fiction; a one-page synthesis of decision, evidence, risk, and alternatives is an exercise of authority. The case file is what protects the executive from the agent — the architectural mechanism that lets a senior individual stake their authority on a decision they can actually verify. Case file design is not a UX concern; it is a liability concern.

Two registers matter for the signing moment.

Human-Present (HP). The signer reviews each case file. Default for high-risk, high-blast-radius, or novel actions. Slower. Defensible. The signature is at the action. AP2’s Cart Mandate is the protocol-layer rendering.

Human-Not-Present (HNP). The institution has pre-signed an Intent Mandate that defines the conditions under which the agent may authorise itself. The agent acts; the case file is recorded; no human is in the loop at the moment of the action. The signature is at the boundary, not the action.

HNP is authority compression — pre-authorising classes of action instead of signing each one. Ten thousand individual decisions become one bounded mandate. This is what enables delegation at scale; it is also where the architecture earns its most demanding scrutiny. HNP is permitted only when the boundary is well-defined, the reliability floor is high, and the audit trail is complete enough that a post-hoc human review can reconstruct what happened. Most enterprise deployments will use HP for the first quarter of production and migrate specific action classes to HNP as the architecture proves out.

The intent–execution gap appears here. Even with a signed case file, the agent must execute against the authorisation. If execution drifts from the case file, your institution must detect the drift before harm compounds. Your QA function for agentic systems — the AI Reliability role — owns this discipline.

Firewall translation. In the perimeter register, the case file is produced from outbound and inbound traffic by the boundary interceptor. The same five fields. The same legibility requirement. The signer’s exposure is identical whether the agent runs in your data centre or in someone else’s.

The reliability floor

The point where delegation becomes allowed.

The reliability floor is where software becomes authority. Below the floor, the agent advises. Above the floor, the institution acts.

Five metrics compose a working floor.

The behavioural threshold is the quantitative bar on the operations the agent performs: accuracy on the domain, calibration on confidence, robustness to adversarial input, consistency across runs. Domain-specific. Measured continuously. An agent that has not cleared the bar produces flags, not signatures.

Outcome reconciliation requires that the agent’s recommendations be reconcilable with downstream outcomes. If a recommendation produces an action and the action produces a result, the result must be observable and traceable back to the recommendation. Phantom state — where the agent confabulates state the institution has no way to verify — is the failure mode this metric catches. The most expensive incidents in the next two years will be phantom state discovered in audit, not in production.

The correction window is the time between the agent producing an output and a human being able to act on it, including review and correction. If an action triggers downstream consequences faster than the institution can intervene, the floor has been violated. Making inaction visible is operationalised here. Inaction is not a default; it is a measured and bounded position.

Coverage discipline is the requirement that the floor apply to all paths the agent can take, not just the happy path. Edge cases the agent handles poorly count against the floor even if they are rare in production traffic. Calibrating the floor on happy-path traffic alone is the equivalent of stress-testing a bridge with the average car: technically valid, structurally useless.

Tier calibration recognises that the floor for a low-risk task is not the floor for a high-risk task. The harness must know which floor applies to which mandate. This is the delegation gradient in operation: higher delegation demands tighter boundary control. As delegation altitude increases, reconstruction requirements, boundary precision, floor height, and liability exposure all increase proportionally. The architecture has to match the altitude.

For high-risk categories under Annex III — hiring, lending, education, public services, biometric categorisation — the floor must also include disparate-impact monitoring as a measured metric, not an audit-time exercise. The signature surface does not eliminate bias; it makes bias detectable, contestable, and reconstructible, which is what defensibility under Article 50 requires.

In August 2025 I named the AI Reliability role as the discipline that practises this — the QA function evolved for the agentic context. Organisations that have not staffed an AI Reliability function are operating below their declared floor without knowing it. The role is not optional; the architecture requires someone to enforce the floor as data, not as posture.

Firewall translation. In the perimeter register, the reliability floor is measured against the vendor’s API behaviour rather than against your own model. The five metrics still apply. The signer’s exposure is identical; the measurement infrastructure attaches to the boundary.

The institution can survive a bad decision. What it cannot survive is a decision it cannot reconstruct.

The audit trail

The memory layer that makes authority reconstructible.

The audit trail is what survives the decision. Per-row attribution at the audit-trail layer: every record affected by an agent’s action carries agent identity, mandate identifier, timestamp, and human approver chain. The forensic record from the harness flows here, joined with the case file the signer received, joined with the reliability-floor measurements at the time of the decision, joined with the eventual outcome.

An institution cannot correct what it cannot reconstruct.

This is the trilogy’s structural claim, expressed at the audit layer. Corrigibility — the architectural capacity for affected participants to detect error, signal harm, and trigger correction — depends on memory. Memory that cannot be reconstructed is not memory; it is narrative.

Two design properties are load-bearing.

Immutable memory trails. The audit trail must be tamper-evident at the storage layer. Hash-chained append-only structures, RFC 9421 message signatures with chain-bound counters, or equivalent. Explainability without immutable memory trails is post-hoc theatre — you cannot govern what you cannot reconstruct. Stories are negotiable; histories are evidence.

Authority without reconstruction is theatre. The institution that cannot rebuild what its agents did is the institution whose authority can be challenged and not defended. Memory is liability infrastructure.

Cross-boundary reconstruction. When an action crosses organisational boundaries — agent A in your organisation calls resource Y in a partner organisation — the audit trail must reconstruct across the boundary. AP2 mandate chains, Verifiable Intent’s three-layer credential binding, TAP’s RFC 9421 signatures are working primitives. Your team composes; the wire-layer specs exist.

The audit trail is the airlock’s pressure log. The institution can reconstruct what crossed the surface, in what order, under what authority, with what outcome. The 21 percent of organisations with mature governance models have audit trails that look like this. The remaining 79 percent have logs that look like audit trails until the first incident review reveals the chain cannot be reconstructed and the decision cannot be defended.

The Article 50 transparency guidelines the European Commission published in May 2026 turn the institutional layer’s documentation requirements into a published baseline. The architecture above is what produces the documentation those guidelines require.

Institutions can delegate action only as fast as they can reconstruct responsibility.

Procurement at the perimeter

Four procurement disciplines worth naming for organisations operating in the firewall register. First: vendor contracts that do not require cross-boundary audit cooperation create reconstruction gaps your auditors will surface in the first incident review. Second: vendor-provided agentic products that ship without exposed mandate, boundary, and forensic-record primitives are not deployment-ready for the August register, regardless of model capability. Third: model rollback opacity — when a vendor changes the underlying model without notification, the reliability floor measurements your team gathered against the prior model no longer apply, and your defensibility memo becomes a description of an architecture that is no longer running. Fourth: undisclosed tool-routing changes — when a vendor adds, removes, or re-routes the tools an agent calls without explicit notification, the tool boundary your audit trail records may diverge from what actually executed. Procurement is part of the architecture.

The perimeter owns the authority. The vendor owns the model.

The defensibility test

The four components are not arbitrary. They satisfy five conditions your regulator, auditor, and incident-review board will check.

Can you stop it? The halt condition in the harness. The per-action forensic record that lets you propagate a revocation. The per-row attribution in the audit trail that lets you unwind a downstream record. When an agent malfunctions, when a regulator orders cessation, when an incident requires immediate halt — your incident-review board will ask whether the stop worked and how you know. The architecture above is the answer.

Are the rules legible? The mandate specification, tool boundary, escalation specification, and failure-mode declaration are machine-readable. Any party with read access to the harness configuration can see how the agent is permitted to act. This is what auditors mean by documented controls. The architecture renders the controls as code rather than as policy documents that drift from implementation.

Can someone outside verify behaviour? The audit trail with immutable memory trails and cross-boundary reconstruction. Your external auditor, your regulator, the party harmed in an incident — each must be able to verify what the agent did without depending on your operator’s word. The architecture is what makes that verification structurally possible.

Does the signature actually bind? The case file as the artifact that makes the signer’s judgment institutionally enforceable. The mandated-signature register from Where Delegation Stops is what makes the binding survive contact with adversarial scrutiny. The institution cannot redefine the mandate after the fact because the mandate is recorded and the action is recorded against it.

Can the design be reproduced? The harness, case file, reliability floor, and audit trail can be reproduced in a parallel deployment by any party with the spec. The architecture is not vendor-locked. Your deployment is defensible if another competent team could rebuild the architecture; it is fragile if it can only be defended by your specific vendor.

An architecture that clears all five passes Article 50, Sarbanes-Oxley, professional-liability scrutiny, and incident-review hostile questioning. An architecture that fails any single test is where adversarial scrutiny will land first. The structural framework that formalises these five conditions — and the case studies behind them — is in Corrigibility as a Structural Precondition for Digital Public Infrastructure: A Cybernetic Framework (Aravind, 2026), with the agentic-systems extension in Epistemic Capture and the Action Boundary: Corrigibility for Learned and Agentic Public Infrastructure. Further reading at anivar.net/corrigibility.

Where to start this week

If your organisation has an agentic deployment in production or in pilot and no signature surface, three actions in the next seven days move you measurably closer to defensible.

Produce the mandate document. Pick one production deployment. Write its mandate specification in AGENTS.md format. Scope, time horizon, blast radius, escalation triggers, tool boundary. Two pages, machine-readable. This is the artifact your auditor will ask for in the first session; producing it now also surfaces the cases where your team cannot yet describe what the agent is authorised to do, which is itself the discovery you need.

Inventory your forensic records. For the same deployment, write down everything your runtime — or your perimeter, in the firewall register — currently captures per action. Compare against the six harness elements. The gap is your engineering backlog for the next ninety days.

Identify your signers. Who currently authorises the agent’s outputs? At what altitude? With what evidence? If the answer is the agent just acts or we have a policy, your signing model is undefined. Defining it before August 2026 is the institutional discipline this trilogy describes.

These three actions are not the surface. They are the first three artifacts that let your team start building it.

What each stakeholder must deliver

Your engineering organisation. Four artifacts in twelve weeks: the harness specification document (AGENTS.md-formatted, per deployment), the case file schema (data structure, with HP and HNP variants), the reliability-floor measurement infrastructure (five metrics, dashboards, alerts), and the audit-trail backbone (immutable, hash-chained or equivalent, queryable). The harness specification is the easiest. The audit trail is the most consequential. Start with the audit trail if you must pick one.

Your legal and risk function. Two artifacts. A mapped list of mandated signatures — every regulatory, fiduciary, professional-liability, and contractual obligation your deployment touches — with the specific Article 50 / Annex III obligations cross-referenced. A statement of architectural sufficiency: a defensibility memo that names how the four components satisfy each mandated signature. Both reviewable in a single board session.

Your executive layer. One artifact and one cadence. The artifact is a deployment manifest: for each agentic system in production or pilot, the mandate, the signer, the reliability floor, the audit-trail status, and the August readiness assessment. The cadence is biweekly architecture-readiness alignment with engineering leadership — not quarterly checkbox reviews — because the twelve weeks between now and the deadline do not absorb stale governance. The decision: scope back deployments that cannot reach defensibility by the deadline, or commit the resources to bring them across. Both are legitimate. Operating an undefended deployment past the deadline is not.

Your board.

For each agentic system we operate or rely on, can we stop it, are the rules legible, can someone outside verify behaviour, does the signature bind, and can the design be reproduced?

Five conditions. Five evidences. The board that asks this question quarterly through 2027 makes the signature surface a structural requirement; the board that does not makes the signature surface optional, which is the same as making it absent.

In July 2025 I argued that your AI system isn’t a black box; it’s an org chart. The signature surface is what happens when an organisation takes that claim seriously. The system stops being a generator of answers and becomes an institutional artifact with a defined boundary, a defined process for crossing the boundary, and a defined record of what was crossed.

Closing the trilogy

The trilogy started with a diagnosis. Enterprise AI is bottlenecked not by model quality but by the organisational machinery between generated answers and signed decisions. Signed Truth named the missing surface. Where Delegation Stops distinguished what it can and cannot redesign. This issue has described how it gets built.

Most institutions still treat the signature surface as a brake — the architecture that slows agentic AI down to a defensible speed. The framing has it backwards. The surface is what allows delegation in the first place. Without it, the institution has a machine that suggests; with it, the institution has an entity that acts.

You are not building AI governance. You are building institutional mechanics for delegated machine authority.

Institutions can delegate action only as fast as they can reconstruct responsibility.

The International AI Safety Report 2026 named the shift the trilogy has been operating inside. The report, chaired by Bengio with expert representation from over thirty countries, marked the AI safety field’s formal pivot from model behaviour to deployment-system behaviour: the most pressing risks from artificial intelligence now come not from the models themselves but from the complex systems institutions build around them. The IAISR’s operational answer is defence-in-depth across training, deployment, monitoring, and societal resilience layers. The trilogy goes one altitude further — into the institutional architecture that determines whether systems built around models can actually be held to account. The signature surface is what defence-in-depth looks like at the institutional altitude.

Institutions that fail to build the surface will discover the boundary only after failure crosses it. The airlock either holds, or it does not.

An institution either has a signature surface or it does not.

Where does delegation stop in your organisation, and at that boundary, who can still say no?

The next issues address what happens when the institutional layer’s signatures meet the agentic substrate, and how the structural framework extends from organisations to the systems they deploy.

Build it.

Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility, with preprints on SSRN. Async. Cross-posted to LinkedIn. You can subscribe on Substack or LinkedIn.

Five days ago, in Brussels, the second political trilogue on the EU’s Digital Omnibus on AI ended without agreement after roughly twelve hours of negotiation. The Cypriot Council Presidency confirmed that consensus had not been reached. A follow-up trilogue is scheduled for around 13th May. Until and unless the package is formally adopted before 2nd August, the original AI Act timeline applies as written, with the high-risk obligations under Annex III becoming enforceable on that date. Compliance teams across Europe and the jurisdictions whose products serve European users are re-planning their roadmaps this week.

The same twenty-four hours produced three other events.

1. Google donated the Agent Payments Protocol to the FIDO Alliance and shipped its second version on the open-source repository.

2. The FIDO Alliance announced the formation of an Agentic Authentication Technical Working Group, with co-chairs from CVS Health, Google, and OpenAI, vice-chairs from Amazon, Google, and Okta, and three workstreams covering verifiable user instructions, agent authentication, and trusted delegation for commerce.

3. OpenAI joined the FIDO board. Three news items spanning policy, protocol governance, and institutional alignment, all on a single calendar day, all converging on the same operational question.

One commenter on the Brussels failure, José Luis Tudela of the consultancy ANTROPOLOGIC, captured a critique that has been circulating in protocol-layer circles for months. The EU AI Act, he argued, is regulating a fiction, because it assumes systems can be bounded, understood, and overseen by a human at the point of decision. Agentic systems break that assumption completely. They do not wait for oversight. They construct reality, shape decisions, and act across time, tools, and environments. The framing surfaced in only one outlet, but the underlying argument is being made more rigorously elsewhere. Karl McGuinness, the former Chief Product Architect at Okta, has been writing the parallel argument since February under the title Identity as Infrastructure. His through-line: authentication is mature, authorization is mature, delegation is partially addressed, and authority — purpose-bound, lifecycle-aware, independently revocable — has no widely adopted equivalent in current enterprise security stacks. Tudela frames the gap as a regulatory critique. McGuinness frames it as a protocol-layer architectural absence. They are observing the same hole from different altitudes.

This issue makes the institutional argument that sits above both of theirs.

The signature surface introduced in last issue Signed Truth is not a regulatory artifact and it is not a protocol artifact. It is an organisational artifact: the boundary at which a decision becomes something the institution can be held to. The question follows directly from Issue One. If the signature surface is the missing layer, where does that surface stop? Which signatures can be redesigned, accelerated, parallelised, instrumented? Which ones cannot, regardless of how the system is built?

Where does delegation actually stop?

The reframe that drives the rest of this issue is one the previous five chapters of this arc [1, 2, 3, 4, 5] have been pointing at without naming. The shift in enterprise AI is not from one model generation to the next. It is from model to infrastructure. Models are objects you query. Agents are actors that exercise authority over time. Models provide intelligence at a moment. Agents provide presence over an arc. When AI becomes infrastructure, the governance question shifts from product quality to systemic stability.

The arc’s working hypothesis has been validated in the ten months since. Memory has emerged as the binding constraint on enterprise AI rather than reasoning capacity. Modular cognition has shipped under a dozen names. The role of the context engineer has gone from speculative to job-listing standard. Quality assurance has been recognised as the load-bearing discipline for reliability rather than an afterthought.

What was speculative analysis a year ago is now industry doctrine.

That progression is what makes the signature surface argument legible. The architectural shifts have happened, the protocol layer has consolidated under FIDO and the Linux Foundation’s Agentic AI Foundation, and the institutional question is now exposed without intervening confusion. The Layer 8 publishes from inside that arc, not as a forecast of the next bottleneck but as a description of where the bottleneck has already moved.

In Signed Truth, I argued that organisations cannot absorb decisions at the speed agents produce them, and that the missing layer is the signature surface. The diagnosis was structural. Capability outran legibility. The protocol layer is busy and well-funded. The architecture between agent execution and institutional authority is the part nobody is building.

This issue narrows that diagnosis.

The system breaks because it treats all signatures as equivalent. They are not. Some can be moved. Some cannot.

A signature is not approval. It is the binding of authority to consequence.

The signature surface admits a fundamental distinction, and the distinction determines what the trilogy’s architecture can do and what it cannot. I will call them architected signatures and mandated signatures.

Architected signatures exist because the system was designed to require them. Code review before merge to production. Change-control approval before deployment to a regulated environment. Two-person rule on a wire transfer above a threshold. Peer sign-off on a clinical recommendation before patient communication. Architected signatures are the engineer’s domain. They can be made faster, more parallel, more granular, more automated, more instrumented. The signature surface in Issue One is, at first reading, the architecture of architected signatures: the harness, the case file, the reliability floor, the audit trail, applied to whichever signatures the operator has chosen to require.

Mandated signatures are something different. They exist because the institution operates inside a constraint the institution did not impose on itself. They are required by an external authority, a regulator, a standards body, a contractual obligation, a fiduciary duty, and the institution cannot architect them away by reorganising the workflow. PCI-DSS attestation by a Qualified Security Assessor at a payment integration boundary. Strong Customer Authentication under PSD2 for European card transactions in scope. Tokenisation under the Reserve Bank of India’s Card-on-File regulation. CFO certification under Sarbanes-Oxley for the financial statements of a US-listed company. Final pharmaceutical batch release under good manufacturing practice. Audit committee sign-off on annual accounts. Strict liability declarations under data protection law. None of these are choices the architect makes.

You cannot architect your way out of a mandate.

There is a failure mode that arrives once an institution starts treating mandated signatures as architectural ones. The agent assembles the case file. The signer reads the agent’s summary. The signer applies their authority to the agent’s recommendation. The artifact looks valid. The audit trail looks complete. The regulator inspects and finds the form intact.

A mandated signature on an opaque case file is not an exercise of authority. It is the simulation of authority by a machine wearing a human face for the regulator.

This is sovereignty leakage, and it is the failure mode the signature surface is designed to prevent. The architecture has to make the signer’s authority real, not its trace.

The signature surface in Issue One was the outer doll. A serious institutional reading of it has to acknowledge that the dolls inside are not architectural choices.

I spent two days last week at a workshop in Goa organised by Digital Futures Lab and Careful Industries with Lloyd’s Register Foundation, on pathways for safer AI. Discussions were under Chatham House rules, so I will not share specifics from the room. What I can say is that the institutional question this trilogy raises is very much present in the conversation among the people who will have to operationalise these systems in regulated, multilingual, public-interest contexts.

This is also the reason the protocol-layer work happening at FIDO, the IETF, and the Linux Foundation’s Agentic AI Foundation is necessary but not sufficient. Google’s Agent Payments Protocol, donated to FIDO on 28th April, supplies three mandate types — Intent, Cart, Payment — that establish a cryptographic vocabulary for representing the transition from instruction to authorisation to execution in commerce. Mastercard and Google’s Verifiable Intent, open-sourced on 5th March, layers an SD-JWT credential chain on top, binding identity to constraint to fulfilment with selective disclosure across three layers. Visa’s Trusted Agent Protocol provides an HTTP Message Signatures scheme, built on RFC 9421, that lets a merchant cryptographically verify the agent at the wire layer. Dick Hardt’s AAuth, in IETF draft, proposes a four-mode access architecture with the Person Server as the institutional authority artifact and Mission as a scoped authorisation context. AGENTS.md, contributed by OpenAI to the AAIF in December, supplies the repo-native instruction surface. DESIGN.md, open-sourced by Google Labs and Stitch on 21st April under Apache 2.0, supplies the equivalent for visual constraints.

These specifications, taken together, establish that the protocol layer can name and enforce who is acting on whose behalf, what they are authorised to do, what visual and behavioural constraints they must honour, and how their actions can be later audited.

The protocol layer can name authority. It cannot grant it. Cryptography solves who. Authority solves whether.

McGuinness has been making this point for two months. In Agents Don’t Need Your Passport. They Need Your Authority, published on 21st February, he separates four concerns that enterprise IAM has historically conflated. Identity asks who the actor is at a boundary. Access asks whether a request may proceed at a specific point. Delegation asks what an actor may do on behalf of another. Authority asks whether the execution should still be running at all. The first three are well-served by current standards. The fourth, McGuinness argues, has no widely adopted equivalent.

The vignette he opens with is the protocol-layer rendering of exactly the failure mode this issue is about. The CFO’s research agent is still running at 2:05 PM, pulling pre-IPO financials, on a mandate that expired when the board approved the presentation at 2:00 PM.

Every IAM control shows green. The breach is structurally invisible.

He calls it ghost execution.

The institutional rendering of the same failure is what mandated signatures are designed to prevent. The CFO’s authority to bind the institution to a financial position has not been delegated to the agent. The agent’s mandate was to assist the CFO in reaching a decision the CFO would sign. When the agent acts after the CFO’s authority has expired, the agent is doing a structurally different thing. It is producing institutional commitments without an active institutional authoriser. At the protocol layer, this is a runtime governance problem. At the institutional layer, it is a signature surface problem. McGuinness proposes the Execution Mandate as the protocol-layer artifact that closes the gap: a signed, inspectable, independently revocable record that runtime systems can evaluate and revoke throughout execution.

The Execution Mandate is what institutional authority looks like cryptographically. The signature surface is what the same authority looks like organisationally.

They are the same architectural object at adjacent altitudes.

Mandated signatures do not exist at one level. They appear across four distinct layers.

They differ in character, they fail differently, and they each impose distinct constraints on what the signature surface can do.

The first is the legal layer. These are signatures required by law or regulation, with statutory or contractual consequences for absence or violation. The examples I have lived with most directly are payments and lending regulation. PCI-DSS requires a Qualified Security Assessor’s report on compliance for any merchant processing cards above certain volumes, and that signature is mandated, not architected, and it cannot be replaced by an automated scan however thorough. PSD2’s Strong Customer Authentication requires multi-factor verification at the cardholder boundary for European card transactions, with regulatory tolerance for failure measured in basis points. The Reserve Bank of India’s Card-on-File tokenisation rules require tokenised storage at the merchant rather than primary account number storage, with mandatory verification of the tokeniser’s compliance posture before merchant integration. Beyond payments, Sarbanes-Oxley requires the Chief Executive Officer and Chief Financial Officer of a US-listed company to certify quarterly and annual financial statements, with personal civil and criminal liability for false certification. The General Data Protection Regulation’s Article 22 grants individuals the right not to be subject to a decision based solely on automated processing where the decision produces legal effects or similarly significant impact.

Mandated signatures at the legal layer are the mechanical joints where the rule of law anchors into the flow of machine execution. They are jurisdictional anchors. The signature surface here produces the case file the QSA reviews, the audit trail the regulator inspects, the evidence package the CFO certifies against.

The second is the reliability layer. Some signatures exist because the system fails dangerously without them. Pharmaceutical manufacturing requires the Qualified Person’s release signature on each batch. Aviation requires sign-off on the Minimum Equipment List before dispatch. A clinical pathway requires a qualified clinician’s countersignature before a non-trivial pharmaceutical intervention. These signatures are not legal in the strict sense, although a regulator may verify their presence. They are reliability signatures, where the institution has determined that the human reading the case file is itself the safety mechanism.

A faster signature is, against reliability mandates, a less safe signature. Some decisions, the human latency is the feature.

The third is the institutional authority layer. Some signatures matter not because they are legally required but because they are how the institution publicly announces what it can be held to. A board resolution authorising a major capital commitment. A press statement under the institutional name. The closing of an acquisition or divestiture. A regulator-facing letter from a Senior Management Function holder. A statement of quality from a named scientist on a peer-reviewed publication. The institution’s standing in its environment depends on these signatures being identifiable, named, and held.

Speed is an architected virtue. Authority is an institutional one.

A faster surface that obscures who actually signed is institutionally weaker than a slower surface that names the signer unambiguously, even if both meet the strict legal requirements. McGuinness’s power-of-attorney framing is the cleanest legal analogue. The institution grants a specific person, in a specific role, the specific authority to bind in a specific domain, for a specific duration, with revocability built in. That last property is the one most often forgotten.

The signature surface has to recognise that as environmental conditions shift — and in agentic systems, conditions shift continuously — institutional authority must autonomously decay rather than persist by default. Anything looser than this is delegation drift.

The fourth is the forensic bridge layer. Some signatures exist not for the moment of decision but for the moment after something goes wrong. Auditor sign-offs that are inspected only when there is an investigation. Independent director attestations consulted in the run-up to litigation. Breach disclosure officer signatures examined by regulators in enforcement actions. Internal compliance certifications that surface in the discovery phase of legal proceedings. These signatures are forensic because they create the institutional artifact that bridges from the moment of action to the moment of reckoning, often years later. The signature surface here has to be designed for a reader who does not exist yet, who will be hostile, and who will be looking for a specific kind of failure. Per-row attribution at the audit-trail layer is the technical instantiation of forensic-bridge thinking — every record affected by an agent’s action carrying agent identity, mandate identifier, timestamp, and human approver chain.

The audit trail is not for the institution. It is for whoever the institution will eventually have to answer to.

These four layers do not commute. They are not different views of the same signature. They are different signatures with different relations to the institutional clock and the regulatory environment. A robust signature surface has to recognise all four and produce different artifacts for each. A legal signature wants the case file to demonstrate compliance with a published rule. A reliability signature wants the case file to make the failure mode visible to a domain-trained reader. An institutional authority signature wants the case file to name the signer unambiguously and bind their role in the organisation. A forensic-bridge signature wants the case file to be discoverable, indexable, and intact decades later.

This is where the late-April events come into focus. The Brussels trilogue, the AP2 donation to FIDO, the Agentic Authentication Technical Working Group formation, OpenAI joining the FIDO board. These are all moves at the protocol layer. They aim at the wire-layer questions of how an agent’s actions on behalf of a user are cryptographically attested, how those actions are bounded by user-signed constraints, how the chain of authority is established and verified. They are not, individually or collectively, decisions about whether the institution agrees to be bound.

A faster protocol layer does not by itself reduce institutional risk.

Consider what is happening at FIDO specifically. The Agentic Authentication Technical Working Group, as announced, has three workstreams: Verifiable User Instructions, Agent Authentication, and Trusted Delegation for Commerce. Each workstream is consequential. None is upstream of the question of which signatures the institution actually requires for what kinds of decisions. AP2’s Intent Mandate cryptographically commits the user to the constraint. Verifiable Intent’s Layer 2 cryptographically binds the constraint to a specific agent. The agent’s Layer 3 fulfilment proves the action stayed inside the constraint. All three are now in motion under FIDO.

None of them tells a CFO whether the institution can certify the resulting financial position.

That decision is upstream of all the cryptography. It is mandated, not architected.

The same applies to the Omnibus question. Whether the high-risk deadline holds at 2nd August or shifts to 2nd December 2027 changes the timing of compliance obligations. It does not change the structure of the obligations. The AI Act requires risk-management systems, technical documentation, automated logging, transparency to deployers, human oversight, accuracy and robustness, and post-market monitoring for high-risk systems. Each is a mandated obligation. The signature surface against the AI Act has to produce the artifacts the regulator will inspect.

It does not get to decide what the regulator inspects.

I am writing this on 3rd May. The Brussels trilogue resumes on 13th May. The August deadline is ninety days away if the original timeline holds, longer if it shifts, but the institutional question does not move with either date. The signature surface is the artifact you point a regulator at, the artifact a CFO certifies against, the artifact a Qualified Security Assessor inspects, the artifact a forensic auditor follows when something goes wrong.

In Issue Three, I will describe how the signature surface is actually built. The harness that bounds agent execution. The case file that packages decisions for signature. The reliability floor that prevents the surface from being a fiction in production. The audit trail that travels with the institution into its future answerability. Each component composes with the others. Each component has to handle architected and mandated signatures differently.

The trilogy does not propose a new standard. It does not propose a new protocol.

It describes the architecture of the layer the protocol-layer work is reaching for from below.

The protocol layer has names for almost everything in that architecture now. AP2 for the mandate vocabulary in commerce. Verifiable Intent for the credential chain. Trusted Agent Protocol for the wire-layer verification. AAuth for the per-instance identity and the Mission abstraction. AGENTS.md for the repo-native behavioural constraint surface. DESIGN.md for the visual constraint surface that emerged at Stitch ten days ago. Each is a piece of the same architecture, expressed at the wire layer or the repository layer, with vendor-neutral governance under the AAIF, FIDO, and the IETF taking shape in real time. The institutional layer above them has fewer names because fewer people are building it.

That is the layer this trilogy is about.

The question worth taking forward, if you have read this far, is the one that distinguishes architected signatures from mandated ones in your own environment.

Where does delegation stop in your organisation? And at that boundary, who can still say no?

The institution either has a signature surface or it does not.

Issue Three describes how to build one.

Anivar Aravind is an Engineering Executive and System Thinker. The Layer 8 is a professional newsletter on the power, incentive, and governance layer of digital infrastructure. His structural framework on corrigibility is at anivar.net/corrigibility. Async. Cross-posted to LinkedIn. You can subscribe on Substack or LinkedIn.

In the last six months, how many of the decisions your AI tools generated have actually been signed off and put into production?

Not generated. Not reviewed. Not discussed. Signed. Owned. Executed.

The answers are revealing. Most leaders pause. Some name one or two. Many cannot name any.

This is not because the systems are not working. The AI tools are running. They are producing strategies, writing code, drafting analyses, modeling scenarios. The output is real and the output is good. What is missing is the moment after the output. The moment where someone in the organization looks at a generated answer and says: yes, this. We will do this. I will own this if it goes wrong.

That moment is where enterprise AI is currently stalling. And the reason it is stalling is not the one most people are working on.

In June 2025, I argued in a public talk that AI’s frontier had moved from intelligence to memory: that systems were failing not because they were not smart enough, but because they could not carry context forward. We solved meaningful parts of that problem. We built memory layers, context pipelines, modular systems. Solving memory did not solve the system; it exposed the next bottleneck. The frontier kept moving, from intelligence, to memory, to workflows, to what I am writing about today: decision systems.

The Bottleneck We Misread

For two years, the dominant assumption in enterprise AI has been that capability is the binding constraint. Better models would produce better outputs. Better outputs would unlock faster decisions. Faster decisions would translate into competitive advantage. The whole industry has organized around this assumption, from procurement strategies to research priorities to talent allocation.

The assumption was wrong. The models are already good enough for most enterprise decisions. What is not good enough is the layer of organizational machinery that sits between a generated answer and a signed decision. Recent industry research suggests that 86% of enterprise AI pilots fail to reach production at scale, and the failures are overwhelmingly organizational rather than technical. The constraint was never intelligence. It was always who is willing to put their name on the line for the answer.

Inside most organizations, decisions move through a familiar pipeline. Something gets generated. Someone selects what is worth attention. Someone validates whether the selection is correct. Someone legitimizes the validated answer, politically, narratively, in terms of accountability, into something the organization can stand behind. And only then does action follow.

AI has accelerated the first stage by roughly three orders of magnitude. The other stages have not changed at all. The pipeline is now structurally lopsided. Generation runs at machine speed. Everything downstream still runs at meeting speed.

The visible output of this asymmetry is not faster decisions. It is unsigned strategies. Hundreds of plausible plans, each defensible on its merits, none of them owned by anyone willing to stake their name on it. Every organization has its version: the deck that never gets approved, the AI-generated proposal that lives forever in Slack threads, the we should do this insight that never becomes a commitment. It looks like progress. It is often just accumulation.

What a Signature Actually Does

To see why this gap cannot be closed by faster generation, it helps to look closely at what happens when someone signs off on a decision. The action looks atomic. It is not. Every signature is doing three jobs simultaneously, and AI has only collapsed the cost of one of them.

The first job is assertion. The claim that this is the right answer, the correct interpretation, the optimal path forward. Modern AI is extremely good at assertion. A capable model with adequate context will reliably produce a defensible answer to almost any business question.

The second job is acceptance. The willingness to own the consequences if the answer turns out to be wrong. This is not a matter of confidence. It is a matter of accountability. When a CFO signs a forecast, she is not merely asserting the numbers are correct. She is staking her professional reputation on a particular interpretation of an uncertain future. If the forecast is wrong, the cost lands on her. AI does not bear this cost. AI cannot be fired, demoted, or sued. The accountability surface remains entirely human.

The third job is activation. The political and narrative work of moving an organization to actually act on the decision. A signed strategy that nobody believes in does not produce action; it produces compliance theater. Activation requires that the signer can defend the decision in front of the board, the regulator, the team, and the customer. AI generates conclusions; humans are still the ones who have to make those conclusions believable to other humans.

Generation has collapsed in cost by three orders of magnitude. Acceptance and activation have not collapsed at all. They cannot, because they are functions of human reputation, organizational politics, and narrative coherence, none of which become cheaper when compute becomes cheaper.

This is the core mechanism. It is not that humans are slow. It is that the things humans do at the signature layer are not the kinds of things that get faster when models get better.

Why Better Models Will Not Solve This

A natural response is to assume that next-generation models will close the gap. Better reasoning will produce more trustworthy outputs. Better alignment will produce safer outputs. Better tooling will produce more auditable outputs. Eventually the asymmetry resolves itself.

This is a comfortable assumption. It is also wrong, and the reasoning matters.

The signature layer is not blocked by model quality. It is blocked by the structural cost of being the human who owns the consequences. That cost is not a function of how good the model is. It is a function of how the organization distributes accountability when something goes wrong. A model that is 99.5% accurate on a class of decisions does not change the accountability calculus for the human who has to sign the 0.5%. If anything, higher model accuracy makes signing harder, not easier, because the human signer is now staking their reputation on catching the rare cases where a highly reliable model is wrong, which is a much harder cognitive task than catching the common errors of a mediocre model.

The argument that better models will solve absorption assumes the bottleneck is trust in the output. It is not. The bottleneck is who absorbs the downside when the output is wrong. Until that question is answered architecturally, until organizations have built the inspectability, the reversibility, and the bounded blast radius that allows a human to sign with proportionate risk, better models do not help. They just produce more high-quality outputs that nobody owns.

The most sophisticated AI deployments I have seen in regulated industries are not the ones with the best models. They are the ones with the most carefully designed signature surfaces. The model is whatever model. The architecture around the model, what it can touch, what it cannot touch, what gets escalated, what gets logged, what gets reversed if it fails, is where the actual engineering effort lives. What broke was not the model. It was the system that accepts its answers.

The Hidden Layer Beneath Validation

Most leaders, asked why a particular AI-generated decision did not get signed, will say it needed more validation. The reasoning got reviewed, the data got checked, but something still was not right. So another round of analysis was commissioned, and another, and the decision drifted into the backlog.

What is actually happening in most of these cases is not a failure of validation. It is a failure of legitimization. The answer was correct. It was simply not yet defensible in the language the organization uses to defend its decisions. There was no story attached to it that would hold up under hostile questioning from the board, the regulator, the team, or the customer. AI produced the conclusion. It did not produce the narrative that lets a human stand behind the conclusion.

This is why some of the most useful AI deployments I have seen do not stop at generating the answer. They generate the answer alongside the reasoning that would survive challenge: the explicit assumptions, the alternatives that were considered and rejected, the conditions under which the answer should be revisited, the failure modes the answer is exposed to. This is not redundant work. It is the work that makes the difference between an answer and a signable answer.

The organizations that figure out how to generate this layer alongside the conclusion will move at a fundamentally different speed than the ones still treating AI as a faster spreadsheet.

The Asymmetry That Sustains the Clog

There is one more dynamic worth naming, because it explains why the situation persists even when leaders understand it intellectually.

In most organizations, the cost of not deciding is invisible. A memo can sit unsigned for two weeks and nobody notices. A strategy can languish for a quarter and nobody is held accountable. Meanwhile, the cost of signing wrong is career-ending. A bad decision signed is documented forever; a good decision unsigned is invisible.

Every rational manager facing this asymmetry discounts action. They wait. They request another round of analysis. They circulate the proposal one more time. Until inaction has a measurable cost, until not deciding is also a decision someone has to sign for, organizations will continue to default to delay regardless of how good the AI outputs are.

This is the asymmetry that sustains the clog. It is also the most fixable part of the system, if leadership is willing to make inaction visible.

What Changes in the Organizations Doing This Well

The organizations that are successfully shipping AI at scale are not deploying smarter agents. They are redesigning the signature layer. Three patterns show up consistently.

The first is decision tiering. Not every output needs a signature. A reversible action with a small blast radius can run autonomously, with humans auditing the anomaly log rather than approving every execution. An irreversible action with a large blast radius requires explicit human authorization with the full context attached. Most organizations today treat all AI outputs identically. Every output gets the same review process regardless of consequence. This is structurally wasteful and behaviorally counterproductive. It trains humans to rubber-stamp, because rubber-stamping is the only way to keep up.

The second is signing the boundary, not the output. The traditional model has the human reviewing each output and approving it. The new model has the human signing the constraints: what the agent is allowed to touch, what triggers an escalation, what the failure modes are, and then auditing the agent’s behavior against those constraints. The leader signs once, at the boundary level. Everything operating inside that boundary is pre-authorized. Accountability moves upstream from output review to constraint design, where the leverage is higher and the cost is paid once instead of ten thousand times.

The third is making inaction visible. Some organizations are starting to treat not deciding as a decision that itself requires a signature. Deadlines are enforced. Ownership is assigned. Delay is logged. This is the simplest of the three shifts and the one most organizations resist longest, because it changes the political economy of meetings.

These three shifts are not novel ideas. They are the operational substrate of the most mature AI deployments in regulated industries. What is new is the recognition that they are not optimizations layered on top of model deployment. They are the primary engineering problem. The model is the easy part.

The Reframe

For two years, the question driving enterprise AI strategy has been which model do we use. The question that will drive it for the next two is how do we redesign accountability so the model’s outputs can actually be owned.

The organizations that figure this out first will not be the ones with the smartest models. They will be the ones with the shortest distance between generated and signed. That distance is not a function of compute. It is a function of how the organization has architected the layer where decisions stop being computational and start being institutional.

I have started calling this layer the signature surface. It is the part of the enterprise that determines whether AI capability translates into organizational capacity. Most organizations have not yet noticed they have one. The ones that have are quietly running ahead.

What is the last AI-generated decision in your organization that actually got signed?

Share Layer 8

— Anivar A Aravind

The professional surface I work on covers regulated payments, agentic identity, AI & agentic governance in production, and the architecture of public computing. The throughline is this: scaling systems is straightforward; scaling systems that can be trusted is not. This newsletter tracks the standards, drafts, and political choices that determine whether digital infrastructure remains correctable by the people it operates on.

Today’s issue is about an identity standards problem. Future issues may be about something else.

The Intent–Execution Gap

For over two decades, the internet’s identity layer has answered two questions: who is acting, and what are they permitted to access. SAML, OAuth, and OIDC all rested on a quiet assumption: the entity initiating the request was the same entity that wanted the action to occur. User and intent collapsed into one principal.

Autonomous agents break that assumption.

When an AI system invokes a tool on your behalf, three elements that used to be indistinguishable become separate. There is the user, the human who originally authorized the action. There is the agent, the software deciding how to fulfill the prompt. There is the action, the API call that lands at a protected resource. In the traditional model, all three were a single principal. In an agentic model, they are separate actors with separate trust properties, often operating days or weeks apart from the original context.

Within the IETF, the draft on Agentic JWT has named the space between these actors. They call it the intent–execution gap.

It is the most important phrase in identity standards work right now, and almost nobody outside the working groups is using it.

What the gap actually is

A user tells an agent to book a flight to New York for under five hundred dollars. The agent searches, evaluates tradeoffs, selects an itinerary, and calls a booking API.

Between the human instruction and the machine execution, a sequence of implicit choices happens. The agent interprets under five hundred — does it include taxes, fees, baggage. It weighs carrier preferences. It picks a fare class. It decides whether to add a seat selection. The user authorized a goal. The agent executed a specific series of decisions.

When the booking happens, the protected resource sees an API request attached to a token. The token proves someone was authorized. It does not say what the human intended, who delegated the authority, what constraints were supposed to apply, or whether the action faithfully matches the original intent.

Authorization protocols were built to carry identity. They were not built to carry intent. When execution drifts from intent, the protocols have nothing to say about it.

Working groups are now iterating drafts to close this gap. AAuth, Agentic JWT, the OpenID Foundation‘s AIIM landscape, AGNTCY under the Linux Foundation, NIST‘s work on delegation chains, WIMSE workload identity — all attempts to retrofit intent into the infrastructure. They disagree on how. They agree on what.

Why this is a political fight, not a technical one

Standards bodies produce technical artifacts. The artifacts encode political assumptions. This is true across the stack, but it is acutely visible at the identity layer, because identity is where systems decide who counts.

Three structural assumptions are being negotiated right now, mostly without a public audience.

1. The Architecture of Survivable Incorrectness

Agentic systems will misinterpret intent. The architectural question is no longer how to engineer zero failure; it is whether failure contains itself or compounds. OAuth and OIDC were optimized for stolen credentials: a token is either valid or revoked. Agentic systems present a different worst case — an entity that is correctly credentialed and doing the wrong thing. That requires a different design philosophy. Karl McGuinness has been arguing this frame across his AAuth analysis and his Mission Shaping and Power of Attorney essays. The next AAuth revision will indicate whether survivable incorrectness has been adopted as a design constraint or treated as a nice-to-have.

2. The Mandate–State–Owner Triad

Every autonomous action implies three things: the mandate (what was authorized), the state (what the agent has done so far), and the owner (who is accountable when the action lands). The drafts disagree on how to represent these. Some collapse them into a single token. Some bury state inside the agent runtime. Some link ownership directly to credentials. These are not interchangeable engineering tradeoffs. They determine who ends up in court when an agent moves money to the wrong account or deletes a production database.

3. The Dispute Over Whose Key Signs the Action

The disagreement on cryptographic delegation is unresolved. Three options are live in the drafts: the user signs every downstream agent action (which limits autonomy), the agent receives delegated credentials (which creates a liability surface), or intermediate orchestrators form signing chains (which obscures accountability). Each option encodes a different theory of responsibility. Whichever method is formalized will become baked into foundational libraries, and will be very hard to change once deployed.

These are political choices. They are being made by the people who show up to the meetings. They will be lived with by everyone else.

The Structural Lens

A note on framing for future issues. The protocol-layer questions in this newsletter are not abstract. They map to a concrete structural question I have been working on at length: whether digital infrastructure remains correctable by the people it operates on. Five conditions — exit, inspectability, independent audit, binding governance, and reproduction rights — define whether a system is reversible or captive. The full argument is at anivar.net/corrigibility; future issues will return to these tests when a specific standard or deployment is worth examining through that lens.

For most issues, including this one, the lens stays in the background. The intent–execution gap is interesting on its own merits. Whether the standards being drafted satisfy structural correction tests is a question for another issue.

If you are tracking this conversation, write back. The list of people thinking carefully about agentic identity outside the working groups is short. It should not be.

— Anivar A Aravind