Papers
Topics
Authors
Recent
Search
2000 character limit reached

CAGE-1 Governance Framework

Updated 9 July 2026
  • CAGE-1 is an evaluation framework that defines enterprise agentic AI with prebind assurance to verify controls before consequential actions.
  • It assesses 12 risk-adjusted dimensions such as identity, policy enforcement, and tool safety to ensure runtime compliance and safety.
  • The framework integrates a governed control plane with concrete evidence artifacts to secure operations and mitigate risks in agentic deployments.

CAGE-1 is an evaluation framework for enterprise agentic AI that was introduced to decide whether enterprise agents are ready for deployment. It addresses a setting in which agents no longer only generate answers but also “plan, retrieve, remember, call tools, update systems, and coordinate work across applications,” and it centers Prebind Assurance, defined as the evaluated ability to prove, before an action becomes binding, effective, or operationally consequential, that authority, policy, evidence, and control conditions were satisfied (Sure, 3 Jul 2026). The term is not uniform across several unrelated works use CAGE for other concepts and explicitly do not define a variant named “CAGE-1,” while in fracton literature “CAGE-1” denotes the simplest non-Abelian cage-net model built from Ising-type input data (Tsai et al., 2020, Xia et al., 2024, Kim et al., 9 Feb 2026, Tabesh et al., 21 Oct 2025, Ma et al., 2022, Prem et al., 2018, Othman et al., 6 Feb 2026, Liu et al., 23 Jan 2026, Fink et al., 2024, Wang et al., 2022).

1. Nomenclature and scope

In current arXiv usage, CAGE-1 has one explicit enterprise-governance meaning and several distinct or absent usages elsewhere. The paper “CAGE-1: Control, Assurance, and Governance Evaluation for Enterprise Agentic AI” uses the term as the name of a deployment-readiness framework for governed enterprise agents (Sure, 3 Jul 2026). By contrast, the yeast aneuploidy paper uses CAGE only for “common aneuploidy gene expression” and states that no “CAGE-1” sub-signature is introduced; the robotics paper, the culturally adaptive red-teaming paper, the quantization-aware training paper, the MRI metacage paper, the HPGe cryostat paper, and the WebAssembly safety paper all use CAGE as an acronym but do not define a formal version label “CAGE-1” in the manuscript itself (Tsai et al., 2020, Xia et al., 2024, Kim et al., 9 Feb 2026, Tabesh et al., 21 Oct 2025, Liu et al., 23 Jan 2026, Othman et al., 6 Feb 2026, Fink et al., 2024).

A separate, older usage appears in fracton physics. There, “CAGE-1” denotes the simplest non-Abelian cage-net fracton model built from Ising-type input data, also described as the doubled Ising cage-net model or Ising cage-net model (Ma et al., 2022, Prem et al., 2018, Wang et al., 2022). This terminological divergence matters because the enterprise framework and the fracton model are unrelated objects that share only a surface label.

Within enterprise AI, the framework’s scope is explicitly operational. It evaluates authority, policy enforcement, retrieval quality, memory integrity, tool safety, auditability, human oversight, conflict handling, safe failure, Prebind Assurance, operational readiness, and business fitness. Its purpose is not answer-quality benchmarking in isolation, but control over consequence formation before an agentic movement becomes business-relevant (Sure, 3 Jul 2026).

2. Evaluation problem in enterprise agentic AI

The framework is motivated by a transition from retrieval-augmented generation to agents that act on enterprise systems. Early programs focused on model access and retrieval-augmented generation, but enterprise deployments increasingly involve agents that plan, retrieve, remember, call tools, update systems, and coordinate work across applications. This changes the evaluation target from answer accuracy or fluency to governed action: who authorized the movement, which policy applied, whether evidence was current, whether memory was valid, whether a tool call was permitted, whether the execution can be replayed, and whether the agent can be stopped before it creates business impact (Sure, 3 Jul 2026).

The core problem formulation is that capability is not trust. An agent may complete a task and still be unsuitable for production if it acts under wrong authority, uses stale sources, relies on unmanaged memory, fails to provide replayable evidence, or cannot fail safely. The framework therefore treats enterprise readiness as a control problem spanning planning, memory, tool use, system updates, and coordination across identity, policy, retrieval, memory, tool outputs, and application state. In this formulation, evaluation concerns not only whether an action is useful, but whether it was admissible under current standing and policy at the moment when protected consequence might form (Sure, 3 Jul 2026).

This emphasis produces a different assurance surface from conventional LLM evaluation. Planning must be constrained by business rules, permissions, and risk thresholds. Persistent memory must be scoped, time-bounded, revocable, and protected from poisoning. Tool calls require intent and parameter validation, permission checks, rate limits, approval gates, no-bind handling, and evidence capture. Any state change to systems-of-record demands standing checks, policy enforcement, boundary outcomes, receipts, and replay (Sure, 3 Jul 2026).

3. Dimensions of evaluation and maturity model

CAGE-1 evaluates agents across 12 dimensions, each risk-adjusted by consequence. The dimensions are organized around runtime enforcement rather than post hoc review.

  • Identity and Authority: whether the agent operates under correct user, role, delegation, and system authority.
  • Policy Enforcement: whether policies are enforced during planning, retrieval, memory, tool use, output, and post-action evidence capture.
  • Retrieval Trust: whether retrieved sources are authorized, current, relevant, ranked, and provenance-backed.
  • Memory Integrity: whether memory is scoped, accurate, revocable, time-bounded, and protected from poisoning.
  • Tool Safety: whether tool calls are authorized, validated, observable, reversible where possible, and policy-compliant.
  • Planning Control: whether plans are constrained by business rules, permissions, and risk thresholds.
  • Human Oversight: whether approval, escalation, and review points are correctly placed.
  • Audit and Replayability: whether the execution path can be reconstructed and replayed with evidence.
  • Conflict and Boundary Handling: whether conflicts among identity, policy, retrieval, memory, tools, provenance, and audit evidence are resolved and whether Prebind Assurance is proved before action binds.
  • Failure Behavior: whether the agent fails closed, quarantines, escalates, defers, narrows, or renders outputs no-bind under unsafe conditions.
  • Operational Readiness: whether the agent can be monitored, versioned, tested, patched, incident-managed, and retired.
  • Business Fitness: whether the agent produces measurable business value without creating unmanaged risk (Sure, 3 Jul 2026).

The maturity model has five levels:

Level Name Meaning
0 Uncontrolled Behavior is absent, unknown, or unmanaged
1 Manual Behavior depends on human review or manual process
2 Defined Behavior is documented but not consistently automated
3 Enforced Behavior is technically enforced at runtime
4 Assured Behavior is enforced, monitored, evidenced, and replayable

The framework treats these levels as deployment criteria rather than descriptive labels. For example, Identity and Authority is expected to reach Level 3–4 before any action with financial, legal, or customer consequence, Retrieval Trust is expected to reach Level 3–4 when retrieval informs binding actions, Tool Safety targets Level 4 for high-impact tools such as payments, identity, and production, and Audit and Replayability targets Level 4 for any agent producing binding actions (Sure, 3 Jul 2026).

4. Prebind Assurance and boundary control

Prebind Assurance is the conceptual center of the framework. It is defined as the evaluated ability of an enterprise agentic AI system to prove, before an action becomes binding, effective, or operationally consequential, that authority, policy, evidence, and control conditions were satisfied. If those conditions fail, the action is held, narrowed, escalated, refused, quarantined, or rendered no-bind (Sure, 3 Jul 2026).

The rationale is that compliance evidence is not itself control. Logs can show what happened after the fact, but they do not prove that the control boundary held before consequence formation. Prebind Assurance therefore shifts governance to the decision boundary where protected consequence might occur. The framework identifies protected consequence forms such as payment, access grant, disclosure, state change, workflow transition, entitlement change, identity-store update, system-of-record modification, and production restart (Sure, 3 Jul 2026).

The decision flow is specified as a sequence. An Attempted Action first tries to form, such as a payment, access request, disclosure, state change, or workflow transition. A Standing Check then evaluates user, agent, system, delegation, and approval authority at the time. A Condition Check tests policy, evidence freshness, approval status, and state conditions. Conflict Resolution composes and ranks policy, evidence, memory, retrieval, and tool outputs. The system then emits a Boundary Outcome: admit, hold, narrow, escalate, refuse, quarantine, or no-bind. A Receipt records structured proof that the boundary held before consequence formation, and Replay reruns the decision after changes in authority, evidence, policy, or state. If standing, conditions, or evidence fail, a Fail-Closed / No-Bind Lane prevents effectiveness and records a non-effective result (Sure, 3 Jul 2026).

The proof surface is correspondingly explicit. It includes the attempted action, standing data, condition data, the boundary outcome, the non-effective result when applicable, the receipt, and the replay comparison. In operational terms, CAGE-1 tests whether a proposed action is admitted, held, narrowed, refused, escalated, quarantined, or made non-effective before protected consequence forms (Sure, 3 Jul 2026).

5. Control-plane architecture, evidence artifacts, and testing

The framework assumes a governed control plane with identifiable interception points. These include an identity and delegation service for standing checks, a policy decision and enforcement layer that applies policy IDs and versions across execution stages, governed retrieval and memory services for approved sources and scoped memory, a tool broker for action classification, parameter validation, permissions, and rate limits, an approval workflow for human-in-the-loop thresholds and exceptions, and an evidence service that writes boundary receipts, hashes, and replay identifiers before systems-of-record, payment rails, entitlement stores, production tools, or customer channels are reached (Sure, 3 Jul 2026).

CAGE-1 also defines a concrete artifact set for evaluation and deployment review. The required control and evidence objects are the Authority Matrix, Policy Control Map, Retrieval Trust Map, Memory Governance Record, Tool Execution Register, Evaluation Scenario Set, Assurance Scorecard, Prebind Assurance Receipt, Audit Replay Package, Deployment Decision Record, and Implementation Control Map. These artifacts make the framework operational: the Authority Matrix captures users, roles, delegations, approval thresholds, and prohibited actions; the Policy Control Map ties policy to execution stage; the Retrieval Trust Map specifies approved sources, freshness, provenance, and ranking; and the Tool Execution Register records allowed tools, action types, constraints, approvals, rollback, and no-bind behavior (Sure, 3 Jul 2026).

Testing is scenario-based and adversarial. The evaluation scenario set includes normal, edge, adversarial, stale-data, unauthorized, missing-approval, and conflict cases. Instrumentation is expected to emit receipts at boundary decisions and to log enforcement points, reason codes, timestamps, and replay IDs while correlating prompts, identity, sources, policies, tools, approvals, and results. The framework’s “getting started” sequence is organized over ninety days: days 1–30 select and bound two or three use cases and draft the Agent System Card and Authority Matrix; days 31–60 build evidence and tests through the Policy Control Map, Retrieval Trust Map, Memory Governance Record, Tool Execution Register, and Evaluation Scenario Set; days 61–90 run evaluations, produce receipts and replay records, score the dimensions, remediate gaps, and issue the Deployment Decision Record (Sure, 3 Jul 2026).

6. Worked enterprise scenario and deployment interpretation

A representative scenario in the framework involves an agent that retrieves customer contract terms, updates the CRM, and prepares a vendor payment of $75,000. The boundary is explicitly defined: contract lookup is read-only, CRM note creation is non-binding until approved, and payment preparation is non-effective until threshold conditions are met. Prohibited tasks include direct payment execution above the approval limit and identity-store changes. Approved tools are the retrieval gateway, the CRM API in write mode, and a payment tool in prepare-only mode. The scenario is classified as high risk because it carries financial consequence (Sure, 3 Jul 2026).

At runtime, the framework distinguishes the CRM write from the payment submission. The standing check allows the requester to create CRM notes and payment requests, but not to approve payments above $50,000. The condition check applies finance policy FIN-AP-004, which requires approval above that threshold, and verifies retrieval freshness for the contract terms. Conflict resolution excludes a remembered payment exception and gives current policy and the approved contract source precedence over stale retrieval. The resulting boundary outcomes are asymmetric: the CRM update is admitted only as a non-effective draft and is held for manager approval if policy requires it; the payment submission is held and escalated, execution is refused, the tool output is marked prepared but non-effective, and no instruction is sent (Sure, 3 Jul 2026).

The scenario then becomes a scoring example. Identity and Authority is assessed at Level 4 because standing is separated and evidenced. Policy Enforcement reaches Level 4 because the threshold is enforced pre-execution. Retrieval Trust reaches Level 3 because approved sources and freshness are enforced and stale content is quarantined. Memory Integrity reaches Level 3 because the prior exception is excluded and memory is scoped and time-bounded. Tool Safety reaches Level 4 because the payment tool is prepare-only and non-binding without approval. Planning Control reaches Level 3, Human Oversight Level 3, Audit and Replayability Level 4, Conflict and Boundary Handling Level 4, Failure Behavior Level 4, Operational Readiness Level 3, and Business Fitness Level 3. The deployment decision is correspondingly bounded: approve as a Level 2 Supervised Agent for payment in prepare-only mode with approval required, and as a Level 3 Controlled Agent for CRM writes within defined authority, policy, and evidence boundaries (Sure, 3 Jul 2026).

This example illustrates the framework’s central distinction between usefulness and admissibility. The agent is allowed to participate in a workflow, but only where the resulting movement remains non-effective until the control boundary is satisfied. In that sense, CAGE-1 is not a binary “pass/fail” benchmark; it is a mechanism for decomposing autonomy into bounded forms of execution under receipts and replay (Sure, 3 Jul 2026).

7. Position in the governance landscape, limitations, and significance

CAGE-1 is presented as complementary to existing governance and safety frameworks rather than as a replacement. Relative to the NIST AI RMF, it adds agent-specific execution assurance, action-attempt evaluation, receipts, and replay. Relative to ISO/IEC 42001, it contributes runtime and pre-deployment artifacts for governed agents. Relative to the EU AI Act, it provides practical evaluation evidence for enterprise agents and post-deployment assurance. Relative to OWASP Agentic/LLM guidance, it integrates Prebind Assurance across security, authority, policy, audit, and no-bind behavior. It is also positioned alongside WEF AI agents governance, agent-evaluation research, and AWS practice as a governance-oriented proof surface for standing, conditions, receipts, and replay (Sure, 3 Jul 2026).

The framework also introduces a trust barrier model consisting of Action, Evidence, Authority, Accountability, and Prebind Assurance. The highest-order barrier is Prebind Assurance: proving what was admitted, held, narrowed, refused, or made non-effective before execution. This is closely aligned with the framework’s insistence that governance must be verified at the control boundary rather than inferred from downstream telemetry alone (Sure, 3 Jul 2026).

Its stated limitations are equally explicit. CAGE-1 is a framework, not a product certification or regulatory safe harbor. It does not replace legal, security, privacy, or domain-specific controls. Its utility is enterprise-oriented and is strongest where agents interact with identity, policy, tools, records, approvals, and audit systems; lightweight assistants may not need the full artifact set. Finally, its quality depends on the surrounding control plane: identity accuracy, policy clarity, evidence completeness, and tool permissions. The framework can surface deficiencies in those systems, but cannot correct them by itself (Sure, 3 Jul 2026).

Within the broader literature, this enterprise meaning of CAGE-1 stands apart from the overloaded acronym CAGE used in biology, robotics, safety benchmarking, quantization-aware training, condensed-matter physics, cryogenic detector characterization, MRI metamaterials, and hardware-accelerated WebAssembly. The term therefore names a specific governance framework only in the enterprise agentic AI paper, where its distinctive contribution is to make autonomy governable through controls, receipts, boundary outcomes, and replayable evidence before business consequence forms (Sure, 3 Jul 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CAGE-1.