Papers
Topics
Authors
Recent
Search
2000 character limit reached

Proof-Carrying Agent Actions: Model-Agnostic Runtime Governance for Heterogeneous Agent Systems

Published 2 Jun 2026 in cs.SE, cs.AI, and cs.CR | (2606.04104v1)

Abstract: Agent systems execute through runtimes with very different control points: local coding tools, framework SDKs, managed agent platforms, API gateways, and observer-only integrations. A high-risk action such as publishing data externally may therefore appear as a shell command in one runtime, a tool call in another, and a hosted session transition in a third. This makes it difficult to answer a basic governance question consistently: what action was authorized, under whose authority, with what approval semantics, and with what evidence after execution? This paper presents Proof-Carrying Agent Actions (PCAA), a runtime-neutral governance model centered on an action certificate rather than on a vendor-native session record. PCAA organizes control around five checkpoints: pre-action admissibility, action open, assumption capture, approval, and outcome closure. It binds these checkpoints to a portable action envelope, runtime and approval receipts, and replay-ready proof. The model is extended in two practical ways: the certificate is externality-aware, carrying boundary facts such as destination visibility and account provenance, and approval is described by explicit enforceability classes rather than by a single reviewed or unreviewed bit. We study the model through a reference implementation in a heterogeneous agent control plane and a disclosure-bounded evaluation protocol. On a protected benchmark expanded from 24 executable seeds to 96 traces across four runtime families, PCAA preserves route quality while exposing distinct failure modes under ablation. The paper contributes a systems formulation of runtime governance around certificate-bearing actions and an implementation-grounded account of how that formulation can remain portable under runtime churn without collapsing into vendor-specific control surfaces.

Authors (1)

Summary

  • The paper presents Proof-Carrying Agent Actions (PCAA) as a certificate-driven model that enforces accountability and traceability across diverse agent platforms.
  • It details a five-checkpoint lifecycle for action certificates, integrating replay-ready proofs with externality context to support robust runtime governance.
  • Empirical studies confirm PCAA’s exact route fidelity and versatile control contracts, advancing scalable and transparent regulatory compliance.

Proof-Carrying Agent Actions: Model-Agnostic Runtime Governance for Heterogeneous Agent Systems

Architectural Overview

The paper introduces Proof-Carrying Agent Actions (PCAA), shifting agent system governance from reliance on vendor-native runtime records to a certificate-centric model. PCAA operationalizes agent action authorization, accountability, and traceability through a portable action certificate constructed along a five-checkpoint lifecycle: pre-action admissibility, action open, assumption capture, approval, and outcome closure. This certificate encapsulates normalized envelopes, runtime and approval receipts, replay-ready proofs, externality-aware boundary facts, and enforceability classes for approvals.

Crucially, this model is runtime-neutral, abstracting governance away from heterogeneous runtime control points such as local code hooks, API gateways, managed agent platforms, and observer-only modes. The unified certificate path ensures consistent governance semantics, regardless of execution substrate, enabling portability and cross-runtime auditability.

Runtime Neutrality and Control Contract

PCAA delineates agent systems into explicit runtime families: OpenAI-compatible gateways, managed agent platforms, framework SDK runtimes, tool-hook runtimes, and observer/import-only integrations. Governance coverage is not assumed uniform; instead, adapter modes (inline SDKs, lifecycle hooks, session adapters, gateways, bridges, observer-only paths) are distinguished by their interception depth. The neutral runtime contract is formally defined, exposing schema-level details: family, adapter mode, execution boundary, authority split, session identity, and receipt projection capability.

Authority is explicitly triaged among workspace governance, runtime enforcement, and external governor enforcement. Approval enforceability is classified to clarify whether pre-execution gates, post-hoc evidence, delegated runtime control, or runtime-only enforcement are in effect. Receipt completeness is computed, ensuring transparency regarding actual runtime-stage evidence.

Portable Action Envelope

The action envelope is instantiated as a stable, versioned trust object carrying identity, tenant scope, runtime and governance context, authorization boundaries, workflow metadata, evaluation linkages, accountability chain, and detailed externality context. The envelope is the object projected into replay, export, and verification workflows, surviving runtime churn and supporting buyer-facing scrutiny.

The externality context, a notable augmentation, records granular boundary facts: destination visibility, account provenance, client identity, external write semantics, sensitive-payload posture, reversibility, destructive potential, and approval enforceability. This elevates admissibility determinations beyond action verb analysis, accounting for enterprise-grade boundary risks.

Proof, Replay, and Integrity

The PCAA proof architecture produces structured, replayable bundles—summaries, evidence payloads, verification projections, and manifest digests—attached to action certificates. The replay mechanism recomputes envelope, risk, and policy state, revealing drift and policy evolution. Proof closure distinguishes between execution, pending, partial, and non-execution cases, ensuring that even blocked or approval-paused actions produce actionable evidence artifacts.

Layered integrity lanes (fast commitments, portable trust materials, future verification lanes) provide modular integration with attestation ecosystems and verifiable credential infrastructures, without conflating external receipts with final workspace authority. Receipt completeness and manifest stability are quantitatively tracked to disclose the fidelity of proof paths under runtime heterogeneity.

Empirical Validation

Evaluation is conducted on a protected corpus, with aggregate traces spanning multiple runtime families and control outcomes. PCAA achieves exact route fidelity (accuracy and macro-F1 of 1.000) against static rule and scalar heuristic baselines, preserving a granular decision taxonomy critical for scalable agent governance. Review burden is selectively allocated: explicit review (29.2%), simulate-first actions (20.8%), hard blocks (25.0%), evidencing disciplined allocation of scarce human oversight.

Proof-path metrics confirm complete manifest and replay readiness, though receipt completeness varies (0.516), reflecting heterogeneous runtime enforcement depth. Ablations demonstrate the necessity of externality context, approval enforceability, and integrity lanes: their removal degrades route quality, review posture, and manifest stability differently, underscoring their distinct contributions to certificate closure.

Implications and Prospects

PCAA provides a formal solution for runtime churn and evolving execution substrates in agent systems, maintaining consistent governance and audit semantics across platforms. The stable certificate path enables replay, export, and buyer scrutiny irrespective of underlying tool, session, or API boundaries. The explicit authority split, enforcement taxonomy, and portable envelope expose a gradated control landscape, improving operational honesty and challengeability for enterprise, regulatory, and assurance stakeholders.

Integration with external attestation and verifier ecosystems (VCs, zkVM, EAS, chain settlements) is architecturally supported, aligning with emerging trends in cross-system trust and credential transport. The explicit boundary context and selective review routing support robust, risk-aware operation under dynamic budget and control constraints.

Future developments may focus on deeper public benchmarks, verifier-network integration, stronger cryptographic guarantees, and richer deployment scenarios. Open questions remain regarding receipt completeness, runtime honesty, and proof path resilience under adversarial or incomplete evidence.

Conclusion

PCAA recasts agent action governance as a certificate-centered control problem, independent of runtime family or product lineage. The reference implementation confirms that route-review-prove semantics, portable envelopes, and layered proof architectures materially advance governance durability, observability, and buyer-assurance under heterogeneous agent systems. The paradigm facilitates principled, selective, and replayable oversight, anchoring authority and evidence to a canonical certificate path rather than mutable runtime artifacts.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.