Proof-Carrying Agent Actions: Model-Agnostic Runtime Governance for Heterogeneous Agent Systems
Title: Proof-Carrying Agent Actions: Model-Agnostic Runtime Governance for Heterogeneous Agent Systems
Abstract:
Agent systems operate through runtimes that feature vastly different control points, ranging from local coding tools and framework SDKs to managed agent platforms, API gateways, and observer-only integrations. Consequently, a high-risk action, such as publishing data externally, might manifest as a shell command in one environment, a tool call in another, and a hosted session transition in a third. This fragmentation complicates the consistent resolution of fundamental governance questions: determining exactly what action was authorized, by whom, under which approval semantics, and with what evidence post-execution.
To address this, we introduce Proof-Carrying Agent Actions (PCAA), a runtime-neutral governance model that prioritizes an action certificate over vendor-native session records. PCAA structures control around five distinct checkpoints: pre-action admissibility, action open, assumption capture, approval, and outcome closure. These checkpoints are anchored to a portable action envelope that includes runtime and approval receipts, as well as replay-ready proof. The model is further enhanced in two practical dimensions: the certificate is designed to be externality-aware, incorporating boundary facts like destination visibility and account provenance; additionally, approval is defined by explicit enforceability classes rather than a binary reviewed/unreviewed status.
We evaluate the model through a reference implementation within a heterogeneous agent control plane and a disclosure-bounded evaluation protocol. Testing on a protected benchmark, expanded from 24 executable seeds to 96 traces across four runtime families, demonstrates that PCAA maintains route quality while revealing distinct failure modes during ablation studies. This work provides a systems formulation of runtime governance centered on certificate-bearing actions and offers an implementation-grounded perspective on how such a framework can remain portable amidst runtime changes without devolving into vendor-specific control surfaces.
Source: arXiv Generated at: 2026-06-04 00:00:00 UTC
