Control plane reference architecture.
How policy evaluation, approval binding, permit issuance, and evidence recording compose into a governed execution boundary. Each layer has explicit failure behavior — not configurable availability tradeoffs.
Execution layers.
Policy evaluation layer
Evaluate the proposed action against versioned policy before any side effects occur.
Approval binding layer
Bind approval decisions to the exact normalized parameters of the action. Detect substitution.
Permit issuance layer
Issue execution permits with scope, TTL, and lineage reference. Permits are revocable.
Execution boundary layer
Enforce that every governed action presents a valid permit before side effects proceed.
Evidence recording layer
Record attributable evidence for every governed event: identity, policy version, approval, parameters, outcome.
System invariants.
These hold across the full execution path. If a deployment violates any of them, it is outside the governed boundary.
- —No action executes without a policy evaluation decision.
- —No execution proceeds with an expired or revoked permit.
- —Approval tokens bind to the normalized action manifest — parameter substitution is detectable.
- —Every governed event produces attributable evidence.
- —The system fails closed when control dependencies are unavailable.
- —Governance-suspended execution is an explicit mode — recorded in audit, not an implicit bypass.
Assess your current boundary.
The AI Execution Boundary Assessment maps your current deployment posture against these architecture requirements.
Start assessment