AEGIS Governance Engine Specification
Architectural Enforcement & Governance of Intelligent Systems
Version: 0.2
Status: Informational
Part of: AEGIS Architecture
Author: Kenneth Tannenbaum
Last Updated: March 6, 2026
Purpose
The Governance Engine is the deterministic policy decision authority for AEGIS.1 It evaluates every capability request before any infrastructure interaction.2
Core rule:
- AI proposes action.
- Governance Engine evaluates action.
- Only approved actions execute.
Scope
This specification defines:
- Required input/output contract for authorization.
- Deterministic evaluation pipeline.
- Decision semantics and constraints behavior.
- Audit requirements and failure handling.
- Operational SLOs and verification criteria.
Detailed algorithms and schemas are defined in:
docs/architecture/DECISION_ALGORITHM.mddocs/architecture/POLICY_LANGUAGE.mddocs/architecture/RISK_SCORING_ALGORITHM.mddocs/architecture/CAPABILITY_SCHEMA.mddocs/architecture/GOVERNANCE_ENGINE_COMPONENTS.md
External Interface
Authorization Method
authorize(request: AGPRequest) -> AGPResponseInput Contract (AGPRequest)
Required fields:
request_id: stragent_id: strcapability: strresource: strcontext: dict
Validation requirements:
- Missing required fields MUST return
DENYwith validation reason. - Unknown capability MUST return
DENY. - Malformed request MUST NOT be executed.
Output Contract (AGPResponse)
Required fields:
decision: ALLOW | DENY | CONSTRAIN | ESCALATEreason: straudit_id: str | nullrisk_score: int | nullconstraints: dict | nulldecision_latency_ms: int
Deterministic Evaluation Pipeline
Execution order is fixed and MUST NOT vary by request type:
- Validate request structure.
- Verify agent capability grant.
- Match policies (priority ordered).
- Apply policy precedence rules.
- Compute risk score.
- Apply threshold mapping.
- Attach constraints if required.
- Emit immutable audit record.
- Return response.
If any stage fails internally, engine MUST fail closed (ESCALATE or DENY).1
Decision Semantics
ALLOW
- Request is approved with no additional runtime restrictions.
- Tool Proxy executes request directly.
CONSTRAIN
- Request is approved with mandatory runtime restrictions.
- Constraints MUST be machine-readable and enforceable.
- Execution without constraints is forbidden.
ESCALATE
- Request requires secondary authority (human or higher governance node).
- No execution occurs until escalation resolves to
ALLOWorDENY.
DENY
- Request is rejected and MUST NOT execute.
- Response includes explicit denial reason.
Policy Precedence Rules
When multiple policies match:
- Explicit
DENYalways wins. - Remaining policies are sorted by descending priority.
- First matching non-deny policy determines base effect.
- If no policies match, default decision is
DENY.
Risk Integration
Risk scoring is mandatory unless early denied by policy/capability check.
Threshold mapping:
0-30: ALLOW31-60: CONSTRAIN61-80: ESCALATE81-100: DENY
Risk score and factor breakdown SHOULD be attached to audit records.
Audit Requirements
Each request MUST produce an immutable audit event containing:
- Request identity and timestamp.
- Inputs used for decision.
- Matched policies.
- Risk score and factor breakdown.
- Final decision and rationale.
- Applied constraints (if any).
- Evaluation latency and outcome status.
Audit writes MUST be durable before returning success.
Failure Handling
Internal Component Failure
- Policy engine unavailable:
ESCALATE. - Risk engine unavailable:
ESCALATE. - Audit system unavailable:
DENYunless configured write-behind buffer is healthy.
Timeout Handling
- Evaluation timeout MUST fail closed.
- Default timeout target: 250 ms.
- Timeout decisions MUST be auditable.
Data Integrity Failures
- Corrupt policy set or capability registry MUST trigger degraded safe mode.
- Safe mode behavior: deny all non-break-glass capabilities.
Operational SLOs
Target service objectives:
- P50 decision latency: <= 20 ms
- P95 decision latency: <= 75 ms
- P99 decision latency: <= 150 ms
- Audit write success rate: >= 99.99%
- Deterministic replay mismatch rate: 0%
Verification and Test Criteria
Required test classes:
- Unit tests for each stage of evaluation.
- Property tests for precedence and threshold boundaries.
- Replay tests proving deterministic outcomes.
- Failure-injection tests (policy, risk, audit outages).
- Concurrency tests for consistent outcomes under load.
Release gate criteria:
- No critical policy bypass defects.
- Deterministic replay parity for golden test set.
- End-to-end tests for ALLOW, CONSTRAIN, ESCALATE, DENY.
Security Posture
The Governance Engine enforces capability-based authorization and default-deny semantics.2 No capability may execute unless explicitly authorized by policy and risk evaluation within defined trust boundaries.
References
Footnotes
-
F. B. Schneider, “Enforceable Security Policies,” ACM Transactions on Information and System Security (TISSEC), vol. 3, no. 1, pp. 30–50, Feb. 2000, doi: 10.1145/353323.353382. See REFERENCES.md. ↩ ↩2
-
J. P. Anderson, “Computer Security Technology Planning Study,” Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), Hanscom Field, Bedford, MA, Tech. Rep. ESD-TR-73-51, Vol. II, Oct. 1972. See REFERENCES.md. ↩ ↩2