Pipeline schematic

Architecture to sell

The agent never receives a raw pipe to enterprise systems. It submits a typed action envelope; the gateway verifies policy, scores residual risk, routes review, and records a replayable decision.

Composed pipeline

Layer 2 runs first because formal verification is cheap when the policy is formalized. Layer 1 handles the uncertified residue with risk and workload bounds. Layer 3 packages remaining cases so the human checks a certificate instead of reconstructing the task.

[Pipeline schematic: Agent proposes action -> Verifier / Shield (OPA, Cedar, runtime automata, invariants; outcome: certify | block | defer) -> Selective Router (VoI + conformal risk control; outcome: execute | escalate) -> Human Review (legible dry run, owner-routed) -> Tool Gateway (execution + logs: ERP, CRM, data). Review labels feed back to recalibrate the router and policies.]
All tool calls traverse a verifier, a calibrated router, and a review package before execution.

Action envelope

Engineers should treat every agent move as an immutable request object. The model can propose intent, but execution depends on structured fields that policy engines and risk routers can inspect deterministically.

{
  "action_id": "act_01JZ8KD4S9Q4",
  "tenant_id": "acme-bank",
  "actor": {
    "agent_id": "collections-coworker-v3",
    "run_id": "run_7f4e",
    "requested_by": "marta@acme.example"
  },
  "tool": {
    "name": "crm.update_customer_limit",
    "version": "2026-06-01",
    "environment": "production"
  },
  "args": {
    "customer_id": "cus_8841",
    "new_limit_eur": 25000,
    "reason": "contract renewal approved in ticket T-3914"
  },
  "context_refs": [
    "ticket:T-3914",
    "policy:credit-limit-change-v12",
    "customer-risk-score:2026-06-29"
  ],
  "declared_effects": [
    "writes:crm.customers.credit_limit",
    "notifies:account_owner"
  ],
  "rollback": {
    "tool": "crm.update_customer_limit",
    "args": { "customer_id": "cus_8841", "new_limit_eur": 12000 }
  }
}
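As an added example, not code from the page, these are the gateway-side checks a practitioner would run on an envelope of this shape before the policy engine sees it: schema fields, tool version pin, tenant boundary, declared effects against the tool registry, and rollback consistency. The tool registry, user directory and sample envelope are constructed for the demonstration.

```python
TOOL_REGISTRY = {  # constructed: per-tool pinned versions and registered side effects
    "crm.update_customer_limit": {
        "versions": {"2026-06-01"},
        "effects": {"writes:crm.customers.credit_limit", "notifies:account_owner"},
    }
}
TENANT_OF_USER = {"marta@acme.example": "acme-bank"}  # constructed user directory
REQUIRED = ("action_id", "tenant_id", "actor", "tool", "args", "context_refs",
            "declared_effects", "rollback")

ENVELOPE = {  # constructed sample, same shape as the envelope above
    "action_id": "act_01JZ8KD4S9Q4", "tenant_id": "acme-bank",
    "actor": {"agent_id": "collections-coworker-v3", "requested_by": "marta@acme.example"},
    "tool": {"name": "crm.update_customer_limit", "version": "2026-06-01",
             "environment": "production"},
    "args": {"customer_id": "cus_8841", "new_limit_eur": 25000, "reason": "T-3914"},
    "context_refs": ["ticket:T-3914", "policy:credit-limit-change-v12"],
    "declared_effects": ["writes:crm.customers.credit_limit", "notifies:account_owner"],
    "rollback": {"tool": "crm.update_customer_limit",
                 "args": {"customer_id": "cus_8841", "new_limit_eur": 12000}},
}

def validate_envelope(env: dict) -> list[str]:
    """Return the names of failed checks; an empty list means 'pass to policy'."""
    missing = [k for k in REQUIRED if k not in env]
    if missing:  # stop early: every later check reads these fields
        return ["schema:missing:" + k for k in missing]
    tool = TOOL_REGISTRY.get(env["tool"]["name"])
    if tool is None:
        return ["tool:unknown"]
    failures = []
    if env["tool"]["version"] not in tool["versions"]:
        failures.append("tool:version_not_pinned")
    # Tenant boundary: the requesting user must belong to the envelope's tenant.
    if TENANT_OF_USER.get(env["actor"]["requested_by"]) != env["tenant_id"]:
        failures.append("tenant:boundary")
    # The agent must declare every registered effect of the tool, and nothing else;
    # an under-declared effect is a side effect that would escape review.
    declared = set(env["declared_effects"])
    for kind, diff in (("undeclared", tool["effects"] - declared),
                       ("unregistered", declared - tool["effects"])):
        if diff:
            failures.append(f"effects:{kind}:" + ",".join(sorted(diff)))
    # Rollback must target the same tool and the same row as the forward action.
    rb = env["rollback"]
    if (rb.get("tool") != env["tool"]["name"]
            or rb.get("args", {}).get("customer_id") != env["args"].get("customer_id")):
        failures.append("rollback:mismatch")
    return failures
```

Each failure name is meant to be logged verbatim, so a rejected envelope leaves the same replayable trace as a policy denial.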

Policy check, risk check, review package

The first pass is deterministic. If the action violates a hard rule, it is blocked. If the verifier cannot certify it, the router decides whether the calibrated risk is low enough to execute or whether a human owner needs the review package.

Example Rego policy

package agent.tools

import rego.v1

default allow := false

allow if {
  input.tool.name == "crm.update_customer_limit"
  input.tool.environment == "production"
  input.tenant_id == data.tenants[input.actor.requested_by]
  input.args.new_limit_eur <= 50000
  # Bind the ticket id from a "ticket:<id>" context reference.
  some ref in input.context_refs
  startswith(ref, "ticket:")
  ticket_id := trim_prefix(ref, "ticket:")
  data.approvals[ticket_id].status == "approved"
}

deny contains msg if {
  input.args.new_limit_eur > 50000
  msg := "credit limit requires finance director approval"
}

Decision log row

{
  "action_id": "act_01JZ8KD4S9Q4",
  "schema_valid": true,
  "policy": {
    "engine": "opa",
    "bundle_sha": "sha256:9cb1...",
    "result": "defer",
    "deny": []
  },
  "risk": {
    "model": "router-2026-06-28",
    "score": 0.017,
    "threshold": 0.011,
    "calibration_set": "cal_2026w26"
  },
  "route": {
    "decision": "human_review",
    "owner_queue": "finance",
    "reason": "risk above calibrated threshold"
  }
}

Execution lifecycle

01. Agent emits an action envelope with declared effects, required context, and rollback instruction.

02. Gateway validates JSON schema, tenant boundary, tool version, idempotency key, and context snapshot hashes.

03. Policy engine evaluates hard rules. Known unsafe actions are blocked with a signed denial event.

04. Verifier/shield checks formalized invariants: allowed tool, allowed row scope, amount bounds, approval state, data residency, and side-effect class.

05. Selective router scores only the uncertified residue using the current calibration set and customer risk target.

06. Low-risk residue executes through the tool gateway. High-risk residue becomes a review package with exact failed checks and model evidence.

07. Reviewer decision, rationale, and corrected action are written back as labels for calibration, policy refinement, and workload reporting.
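An added example, not the page's own code, of steps 05 and 06 and of the router described under "Policy check, risk check, review package": a selective router that derives its execution threshold from a labelled calibration set by conformal risk control and emits the route field of the decision log row. The calibration scores, the unsafe labels and the risk target alpha are constructed; with them the threshold comes out at 0.011, so a score of 0.017 is escalated as in the decision log row above.

```python
# Constructed calibration set: score s_i = i/1000 for 200 past actions; CAL_UNSAFE
# holds the indices i whose action a reviewer later labelled unsafe (loss = 1).
CAL_SCORES = [i / 1000 for i in range(1, 201)]
CAL_UNSAFE = {12, 30, 60, 95, 140}
CAL_LOSSES = [1 if i in CAL_UNSAFE else 0 for i in range(1, 201)]


def calibrate_threshold(scores, losses, alpha):
    """Largest threshold lam such that auto-executing every action with score <= lam
    keeps the conformal risk bound (n*R(lam) + 1)/(n+1) <= alpha, where R(lam) is the
    mean calibration loss over executed actions. Returns None if no lam qualifies."""
    n = len(scores)
    best = None
    for lam in sorted(set(scores)):
        executed_loss = sum(l for s, l in zip(scores, losses) if s <= lam)
        if (executed_loss + 1) / (n + 1) <= alpha:
            best = lam  # candidates ascend, so the last qualifying one is the largest
        else:
            break       # executed_loss never decreases as lam grows
    return best


def route(score, threshold, owner_queue="finance"):
    """Route field of the decision log row; only uncertified residue reaches here."""
    if threshold is None:  # no threshold meets the target: escalate everything
        decision, reason = "human_review", "no calibrated threshold meets risk target"
    elif score <= threshold:
        decision, reason = "execute", "risk within calibrated threshold"
    else:
        decision, reason = "human_review", "risk above calibrated threshold"
    return {"decision": decision,
            "owner_queue": owner_queue if decision == "human_review" else "",
            "reason": reason}


# Risk target alpha = 0.008 is a constructed value for the demonstration.
THRESHOLD = calibrate_threshold(CAL_SCORES, CAL_LOSSES, alpha=0.008)
```

Re-running calibrate_threshold on the calibration set extended with the reviewer labels from step 07 is the "recalibrate" arrow in the schematic; a tighter alpha or more labelled failures lowers the threshold and sends more residue to review.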

Failure modes engineers will ask about

Failure mode: Prompt tries to bypass policy
Control: Model text never talks directly to tools; only schema-valid envelopes reach the gateway.
Evidence to expose: Rejected malformed envelopes and policy denial logs.

Failure mode: Policy bundle changes after execution
Control: Every decision stores policy bundle SHA, tool version, and calibration ID.
Evidence to expose: Replay endpoint returns original decision trace.

Failure mode: Router drifts under new workflows
Control: Rolling calibration, realized-error monitoring, and automatic tightening when bounds are violated.
Evidence to expose: Risk-coverage chart by week and workflow.

Failure mode: Human review becomes the bottleneck
Control: Learning-to-defer queues, workload constraints, and review packages that isolate failed invariants.
Evidence to expose: Queue SLA, review-time distribution, and deferral accuracy.

Failure mode: Unsafe side effect is not in the spec
Control: Claim is scoped to formalized properties; unknown classes route to review until modeled.
Evidence to expose: Coverage of policy classes and "uncertified residue" rate.