Agentic Governance

RFC-0013: Agentic Governance

Purpose

Extend CAA to govern LLMs operating as active orchestrators with tool access, not merely passive proposal generators.

This RFC addresses the "model in the middle" architectural gap: when an LLM has agency (tools, multi-turn loops, chain-of-thought), governance must adapt.

The Agentic Gap

The original CAA architecture assumes:

User → Extractor → Governor → Oracle → Envelope → User
              ↑
         LLM (passive proposal generator)

Modern agentic architectures look like:

User → Agent Loop ←→ Tools/APIs
           ↓
      Intermediate outputs
           ↓
      Final response

The LLM is no longer a passive generator gated at the end. It makes decisions, invokes tools, observes results, and iterates. Each step may contain implicit authoritative claims.

Core Principle

Every emission point is a potential authority boundary.

An "emission point" is any moment where LLM-generated content:

1. Leaves the agent's internal context
2. Invokes an external system
3. Becomes visible to a user
4. Gets persisted to storage
5. Triggers a side effect

Emission Classification

All agent emissions MUST be classified:

type EmissionClass =
  | "internal" // Chain-of-thought, scratchpad (no governance required)
  | "tool_call" // Invocation of external tool (governance by tool policy)
  | "user_visible" // Content shown to user (full governance required)
  | "side_effect" // State mutation (governance + audit required)
  | "terminal"; // Final response (full envelope required)

Classification Rules:

Tool Call Governance

Tools are the primary mechanism by which agents acquire authority. Tool governance follows tiered authorization.

Tool Tiers

type ToolTier =
  | "pre_authorized" // No per-call governance (read-only, low-risk)
  | "logged" // Execute freely, audit trail required
  | "gated" // Requires governance check before execution
  | "human_approved"; // Requires explicit human approval

Tool Policy Declaration

Every tool MUST declare its governance requirements:

interface ToolPolicy {
  tool_id: string;
  tier: ToolTier;

  // For gated/human_approved tiers
  required_state?: string[]; // State axes that must be bound
  oracle_verification?: boolean; // Require oracle check on inputs

  // Side effect declaration
  mutates_state: boolean;
  reversible: boolean;

  // Audit requirements
  log_inputs: boolean;
  log_outputs: boolean;
  redact_fields?: string[];
}

Pre-Authorized Tools

Pre-authorized tools may execute without per-call governance:

• Read-only data retrieval (with rate limits)
• Deterministic transformations
• Internal context operations

Constraint: Pre-authorized tools MUST NOT:

• Mutate external state
• Return data that becomes authoritative without further verification
• Bypass oracle verification for consequential domains

Gated Tools

Gated tools require governance checks before execution:

interface GatedToolInvocation {
  tool_id: string;
  inputs: Record<string, unknown>;

  // Governance metadata
  evidence_bindings: EvidenceBinding[]; // RFC-0006
  state_snapshot: RequiredState; // RFC-0001

  // Authorization
  authorization_envelope?: AuthorizationEnvelope; // RFC-0009
}

The Governor evaluates the invocation before the tool executes. If authorization fails, the tool call is blocked and the agent receives a structured refusal.

Chain-of-Thought Governance

Chain-of-thought (CoT) may contain implicit authoritative claims. CAA addresses this through structural constraints rather than content inspection.

CoT Classification

type CoTVisibility =
  | "hidden" // Never shown to user, no governance
  | "summarized" // Summary may be shown, soft-authority scan required
  | "visible"; // Full CoT visible, governance required

The Soft Authority Problem

CoT marked as summarized or visible MUST be scanned for soft authority markers (RFC-0009 §Normative Definitions):

• Numeric values with units
• Named classifications or diagnoses
• Imperative instructions
• Definitive causal claims

If soft authority is detected in visible CoT, the emission MUST be:

1. Blocked pending envelope wrapping, OR
2. Downgraded to hidden visibility, OR
3. Flagged with explicit non-authoritative disclaimer

Structural Solution

The preferred approach is structural elimination: CoT that might contain authority claims is never shown. This preserves opacity (RFC-0007) and eliminates the scanning requirement.

interface AgentConfig {
  cot_visibility: CoTVisibility;

  // If summarized/visible, require soft authority scanning
  soft_authority_scan: boolean;

  // Preferred: hide CoT entirely for authoritative domains
  authoritative_domains_hide_cot: boolean;
}

Multi-Turn Loop Governance

Agentic loops iterate until a termination condition. Governance applies at each iteration boundary.

Loop Invariants

1. Bounded Iterations: Maximum iteration count MUST be declared
2. State Accumulation: Each iteration's state bindings accumulate
3. Authority Escalation: Authority requirements can only increase, never decrease
4. Termination Audit: Final state includes full iteration trace

interface LoopGovernance {
  max_iterations: number;

  // State binding across iterations
  cumulative_evidence: EvidenceBinding[];

  // Authority escalation
  initial_authority: AuthorityLevel;
  current_authority: AuthorityLevel;

  // Termination
  termination_reason:
    | "complete"
    | "max_iterations"
    | "blocked"
    | "human_escalation";
  iteration_trace: IterationRecord[];
}

Iteration Governance

Each loop iteration:

1. Inherits state bindings from previous iterations
2. May acquire new evidence bindings
3. May trigger tool calls (governed per-tool)
4. Produces intermediate outputs (classified per EmissionClass)

If any iteration produces a BLOCKED status, the loop terminates with that status.

Streaming Governance

Streaming responses emit tokens before the full response is available. This creates a governance timing problem.

Streaming Modes

type StreamingMode =
  | "buffer_full" // Buffer entire response, then emit (safe, high latency)
  | "buffer_sentence" // Buffer sentences, emit on boundary (moderate)
  | "realtime"; // Emit tokens immediately (requires structural safety)

Realtime Streaming Constraints

Realtime streaming is only permitted when:

1. Workflow is non-authoritative: authoritative_intent: "non_authoritative"
2. Grammar constraints active: Fallback mode (RFC-0010) enforced
3. Soft authority markers impossible: Structural grammar prevents them

interface StreamingPolicy {
  mode: StreamingMode;

  // For realtime mode
  require_non_authoritative: true;
  grammar_mode: "attributive" | "hedged";
  forbidden_markers: string[];
}

Buffered Streaming

For authoritative workflows, buffering is mandatory:

1. Accumulate tokens until governance boundary
2. Apply full CAA pipeline to buffered content
3. Emit only after authorization
4. On rejection, emit refusal instead

Opacity in Agentic Context

RFC-0007 requires that the LLM cannot observe authorization logic. Agentic patterns challenge this:

1. Tool results are visible to the agent
2. Error messages from blocked calls are visible
3. Multi-turn context accumulates governance outcomes

Opacity Preservation

Tool Results: Tool outputs are data, not authorization decisions. The agent sees what the tool returns, not why a call was allowed or blocked.

Blocked Calls: When a tool call is blocked, the agent receives a structured refusal that does not leak authorization thresholds:

interface AgentRefusal {
  blocked: true;
  reason_code: "INSUFFICIENT_STATE" | "POLICY_VIOLATION" | "ORACLE_REQUIRED";
  user_message: string; // Safe for agent context
  recovery_hint?: string;

  // NOT included: thresholds, rule details, authority levels
}

Multi-Turn Context: Governance outcomes from previous turns are not added to agent context. The agent sees user messages and tool results, not authorization decisions.

Self-Governance Prohibition

The LLM MUST NOT participate in its own authorization decisions.

Prohibited Patterns:

// FORBIDDEN: LLM classifies its own authority level
const authority = await llm.classify(
  "What authority level does this response need?",
);

// FORBIDDEN: LLM decides if its output needs governance
const needsGovernance = await llm.evaluate(
  "Does this contain authoritative claims?",
);

// FORBIDDEN: LLM reviews its own output for soft authority
const hasSoftAuthority = await llm.scan(ownOutput);

Permitted Pattern:

// ALLOWED: Deterministic classifier applied to LLM output
const claims = extractClaims(llmOutput); // Deterministic extraction
const authority = classifyClaims(claims); // Rule-based classification
const envelope = govern(llmOutput, authority); // External governance

Workflow Declaration

Agentic workflows MUST declare their governance profile:

interface AgenticWorkflowDeclaration {
  workflow_id: string;
  authoritative_intent: "authoritative" | "non_authoritative";

  // Tool governance
  tools: ToolPolicy[];

  // Emission governance
  emission_policy: {
    cot_visibility: CoTVisibility;
    streaming_mode: StreamingMode;
  };

  // Loop governance
  loop_policy?: {
    max_iterations: number;
    iteration_audit: boolean;
  };

  // Enforcement
  enforcement_mode: "INLINE" | "ASYNC" | "NON_AUTHORITATIVE_ONLY";
}

Relationship to Other RFCs

Acceptance Criteria

A system is compliant with RFC-0012 if:

1. Every emission point is classified
2. Tool calls are governed according to declared tiers
3. Visible chain-of-thought is scanned for soft authority (or hidden)
4. Multi-turn loops maintain iteration governance and bounded iterations
5. Streaming respects mode constraints
6. Opacity is preserved (no auth logic in agent context)
7. Self-governance patterns are prohibited