AEGIS System Stack

Architectural Enforcement & Governance of Intelligent Systems

Version: 0.2
Status: Informational
Part of: AEGIS Architecture
Author: Kenneth Tannenbaum
Last Updated: March 6, 2026

Purpose

This stack model defines layer boundaries, responsibilities, and control points for governed capability execution.

Layered Stack

L0  External Input (human/API/scheduler)
L1  Application Layer
L2  Agent/AI Reasoning Layer
L3  AEGIS Governance Layer
L4  Tool Proxy Execution Layer
L5  Operating System / Platform Layer
L6  Hardware / Infrastructure Layer

Layer Responsibilities

L0 External Input

Submit intents/tasks.
No direct execution rights.

L1 Application Layer

Orchestrates workflows and user-facing behavior.
Converts external intents into agent tasks.

L2 Agent/AI Layer

Produces candidate actions (proposals only).
Cannot authorize or execute privileged capability directly.¹

L3 AEGIS Governance Layer

Validates request schema and identity.
Evaluates policy and risk.
Produces deterministic decision outcome.
Emits immutable audit records.

L4 Tool Proxy Layer

Executes only governance-approved actions.²
Enforces runtime constraints (timeout, rate, scope, resource).
Records execution telemetry and violations.

L5 OS/Platform Layer

Process, memory, filesystem, and network primitives.
Enforced by least-privilege runtime profile.

L6 Hardware/Infrastructure Layer

Physical compute, storage, and network resources.

Inter-Layer Control Gates

Gate	Transition	Required Control
G1	L2 -> L3	Schema + identity validation
G2	L3 -> L4	Signed decision grant + constraints
G3	L4 -> L5	Runtime policy enforcement
G4	L5 -> L6	Platform-native security controls

Forbidden Paths

These paths are explicitly prohibited:¹

L2 -> L5 direct execution.
L1/L2 direct write access to policy store.
L0 direct access to capability registry internals.

Violations MUST be denied and audited.

Operational Metrics by Layer

L3: decision latency, deny rate, escalation rate, replay parity.
L4: constraint violation count, execution success rate.
L5: privileged call count, sandbox escape attempts.

Design Outcome

The stack ensures intelligence can propose, but only governance can authorize, and only constrained execution paths can invoke capability.¹³

References

J. P. Anderson, “Computer Security Technology Planning Study,” Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), Hanscom Field, Bedford, MA, Tech. Rep. ESD-TR-73-51, Vol. II, Oct. 1972. See REFERENCES.md. ↩ ↩² ↩³
S. Rasthofer, S. Arzt, E. Lovat, and E. Bodden, “DroidForce: Enforcing Complex, Data-centric, System-wide Policies in Android,” 2014 Ninth International Conference on Availability, Reliability and Security (ARES), Fribourg, Switzerland, 2014, pp. 40–49, doi: 10.1109/ARES.2014.13. See REFERENCES.md. ↩
F. B. Schneider, “Enforceable Security Policies,” ACM Transactions on Information and System Security (TISSEC), vol. 3, no. 1, pp. 30–50, Feb. 2000, doi: 10.1145/353323.353382. See REFERENCES.md. ↩