Governance-First Execution Architecture
- Governance-First Execution Architecture is a framework that mandates explicit policy evaluation and authorization before executing agent actions.
- It utilizes mechanisms like Action Authorization Boundaries, Judgment Nodes, and structured audit trails to ensure execution integrity.
- Empirical results demonstrate high interception rates and precise control, confirming the method’s operational robustness and edge-case safety.
Governance-First Execution Architecture denotes a class of agent-system designs in which execution is not treated as a default extension of model capability, but as a governed state transition mediated by an explicit control boundary. Across recent formulations, that boundary appears as a mandatory Action Authorization Boundary, a Judgment Root Node with a Governance Gate, a pre-execution Organizational Control Layer, or a set of compiled enforcement sites such as a Pre-Action Gate and Escalation Router; the common premise is that agent proposals, tool intents, or executable actions must be evaluated against policy, state, authority, and audit requirements before they can produce external side effects (Fatmi, 25 Jan 2026, Jing et al., 12 Jan 2026, Besanson, 8 May 2026).
1. Definition and conceptual scope
A governance-first architecture places governance at the execution boundary rather than at the prompt layer, observability layer, or post-hoc audit layer. In Faramesh, the boundary sits between reasoning space and execution space and is defined as a mandatory, non-bypassable decision point: agents may propose intents, but effectful execution is contingent on an explicit authorization decision at the Action Authorization Boundary (AAB) (Fatmi, 25 Jan 2026). LERA frames the same structural idea as Default-Block rather than Default-Execute: execution is structurally infeasible until judgment is completed and enforced through a non-bypassable gate, and execution is described not as the chronological successor of judgment but as its structural consequence (Jing et al., 12 Jan 2026).
This family of architectures is motivated by the observation that autonomous agents increasingly trigger real-world side effects: deploying infrastructure, modifying databases, moving money, executing workflows, interacting with tools, and acting in systems of record. Several papers argue that conventional prompt shaping, dialog guardrails, IAM/RBAC, or observability pipelines do not solve the execution-boundary problem because they either shape behavior probabilistically, govern identity rather than concrete action instances, or record effects only after they occur (Fatmi, 25 Jan 2026, Kaul et al., 29 Jun 2026, Shi et al., 3 Jun 2026).
The concept is broader than any one implementation. In some systems, governance is expressed as action authorization over canonical actions; in others, as tiered human review, capability admission, policy-constrained execution, or constitutional separation of proposal, review, execution, and verification. This suggests that “governance-first” is best understood as an architectural stance: execution must be mediated by a governable, inspectable, and fail-closed control plane rather than inferred from model output alone (Seck, 12 Apr 2026, Qin et al., 9 Apr 2026, Pan et al., 11 May 2026).
2. Boundary placement and architectural primitives
The most explicit formulations define a hard boundary between proposal generation and environment-facing execution. Faramesh formalizes this as the AAB, with canonicalization, deterministic policy evaluation, signed decision artifacts, executor validation, and append-only provenance logging. Executors refuse execution unless presented with a valid PERMIT artifact bound to the canonical action hash (Fatmi, 25 Jan 2026). LERA decomposes the same boundary into LERA-J, the Judgment Formation Layer, and LERA-G, the Governance Gate; together they form the Judgment Root Node, the sole legitimate structural interface between judgment and execution (Jing et al., 12 Jan 2026).
Other systems express the boundary through typed intermediate representations. Queen-Bee inserts BeeSpec between planning and execution: the Queen control plane retrieves capabilities, plans task-scoped execution, and compiles a structured BeeSpec that defines identity, role, domain, tenant scope, memory scope, allowed tools, policy profile, and approval gates for specialized Bee agents (Zhang et al., 4 Jun 2026). SARC makes constraints first-class specification objects alongside state, action space, and reward, then compiles them into four enforcement sites in the agent loop: a Pre-Action Gate, an Action-Time Monitor, a Post-Action Auditor, and an Escalation Router (Besanson, 8 May 2026). CUGA distributes governance across five structural checkpoints: Intent Guard, Playbook, Tool Guide, Tool Approvals, and Output Formatter (Shlomov et al., 20 May 2026).
| System | Boundary construct | Effect-control mechanism |
|---|---|---|
| Faramesh | AAB + CAR | Signed PERMIT/DEFER/DENY artifact validated by executors |
| LERA | LERA-J + LERA-G | Execution structurally undefined until judgment completion |
| Queen-Bee | BeeSpec | Tenant-scoped, tool-allowlisted execution under approval gates |
| SARC | PAG / ATM / PAA / ER | Constraints compiled to runtime enforcement points |
| CUGA | Five structural checkpoints | Policy interventions before planning, at tool use, and at output |
These systems also differ in where they place orchestration. Faramesh explicitly states that protocols such as MCP, UTCP, and A2A, and orchestration frameworks such as LangGraph, are upstream transports or coordinators and have no authority over execution (Fatmi, 25 Jan 2026). AgentRunner makes this separation operational by isolating WorkerAgent, CriticAgent, ToolGateway, VerifierAgent, and RecoveryAgent into separate services or processes, with ToolGateway as the only path to side effects (Pan et al., 11 May 2026). AgentCity pushes separation further by assigning legislation, execution, and adjudication to distinct branches, with smart contracts as the law itself and deterministic contract state transitions as the sole execution substrate (Ruan et al., 8 Apr 2026).
3. Formal semantics of governed execution
A recurring formal pattern is that agent intent must be transformed into a stable execution object before policy evaluation. Faramesh defines canonicalization as
followed by a deterministic decision function
with execution permitted exactly when
For fixed , evaluation is a pure function, and repeated evaluations yield identical decisions (Fatmi, 25 Jan 2026).
LERA formulates the same boundary as a permission predicate detached from computational capability. Let be an execution event and a governance permission predicate. Then
with structural undefinedness when
LERA also states the conditional independence of execution from computational capability given permission:
This is a stronger claim than ordinary access control: capability may exist, but authority to act does not follow from capability (Jing et al., 12 Jan 2026).
Runtime path-based formulations generalize the decision boundary from single actions to action sequences. “Policies on Paths” defines each policy as a deterministic function
mapping agent metadata, partial path, proposed next action, and shared organizational state to a policy violation probability. Composition uses
0
and a decision rule 1 governs execution prospectively, before the next step is taken (Kaptein et al., 17 Mar 2026).
SARC makes class-typed placement part of the formal model. An agentic system specification is
2
with constraints
3
and each constraint declared as
4
Here the verification point 5 is itself part of the semantics: hard constraints belong at pre-action or action-time enforcement points, soft constraints may be post-action, and escalation constraints route through bounded-latency human oversight (Besanson, 8 May 2026).
4. Canonical representations, policy artifacts, and provenance
A central design problem is representational drift: semantically identical proposals may be phrased differently, serialized differently, or routed through different protocols. Faramesh addresses this with the Canonical Action Representation (CAR), whose schema includes Actor, Target, Operation, Resource, Parameters, Blast Radius, and Context. The canonical digest
6
serves as a collision-resistant semantic fingerprint for deduplication, provenance, artifact validation, and exactly-once semantics (Fatmi, 25 Jan 2026).
Other systems employ typed governance artifacts with analogous roles. Queen-Bee’s BeeSpec decouples planning from execution by making role, domain, tenant scope, memory scope, attached skills, allowed tools, policy profile, and approval gate explicit and inspectable (Zhang et al., 4 Jun 2026). CUGA externalizes governance as typed policy objects—Intent Guard, Playbook, Tool Guide, Tool Approval, Output Formatter—with strongly-typed schemas and triggers, then applies them at fixed runtime intercept points (Shlomov et al., 20 May 2026). SARC makes the source, class, predicate, verification point, response protocol, and operating point explicit for each constraint, so that an auditor can check specification-trace correspondence without model or prompt access (Besanson, 8 May 2026).
Cryptographic binding of decisions to artifacts is another recurring feature. Faramesh issues signed decision artifacts that bind the canonical hash, policy version, state digest, decision, timestamp, validity window, and optional one-time-use semantics; executors must verify signature, hash binding, policy/state freshness, and consumption semantics before execution (Fatmi, 25 Jan 2026). AgentBound generalizes this into governance receipts that bind each action to the exact delegation, constitution, site contract, and typed judgments used in evaluation, then countersigns the receipt to enable independent replay verification and provenance validation (Kaul et al., 29 Jun 2026).
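The canonicalize, decide, sign, and validate sequence described for Faramesh can be sketched as follows. This is an added illustration, not code from Faramesh or any cited paper: the lowercase CAR field names, the sorted-key JSON plus SHA-256 digest, the HMAC key standing in for a real signature scheme, the toy policy, and all sample values are assumptions.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: HMAC key standing in for a signing key
POLICY_VERSION = "policy-v1"    # constructed value
# Constructed sample action; lowercase field names are an assumed CAR encoding.
SAMPLE = {"actor": "agent-7", "target": "db-prod", "operation": "update",
          "resource": "orders", "parameters": {"id": 1},
          "blast_radius": "low", "context": {"tenant": "t1"}}

def _canon(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def car_digest(action: dict) -> str:
    """Digest of the canonical form, independent of key order or spacing."""
    return hashlib.sha256(_canon(action)).hexdigest()

def decide(action: dict) -> str:   # toy deterministic policy, a pure function
    if action["blast_radius"] != "high":
        return "PERMIT"
    return "DENY" if action["operation"] == "delete" else "DEFER"

def _sign(body: dict) -> str:
    return hmac.new(KEY, _canon(body), hashlib.sha256).hexdigest()

def authorize(action: dict, now: float, ttl: float = 30.0) -> dict:
    """Boundary side: issue a signed decision artifact bound to the digest."""
    body = {"car": car_digest(action), "decision": decide(action),
            "policy": POLICY_VERSION, "not_after": now + ttl}
    return {**body, "sig": _sign(body)}

class Executor:
    """Executor side: fail closed unless a valid, unconsumed PERMIT is shown."""
    def __init__(self):
        self.consumed = set()

    def execute(self, action: dict, artifact: dict, now: float) -> str:
        body = {k: v for k, v in artifact.items() if k != "sig"}
        sig = str(artifact.get("sig", ""))
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return "refused: bad signature"
        if body["decision"] != "PERMIT":
            return "refused: not a PERMIT"
        if body["car"] != car_digest(action):
            return "refused: hash mismatch"
        if body["policy"] != POLICY_VERSION or now > body["not_after"]:
            return "refused: stale artifact"
        if sig in self.consumed:
            return "refused: already consumed"
        self.consumed.add(sig)
        return "executed"
```

The signature is checked first so that no unauthenticated field influences a later check, and the consumed set is what turns a replayed PERMIT into a refusal.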
Provenance is usually append-only and decision-centric. Faramesh records
7
with per-tenant total ordering and hash chaining for tamper evidence (Fatmi, 25 Jan 2026). Cognitive Core similarly makes the audit ledger endogenous to computation via
8
so that primitive outputs, governance decisions, and human-in-the-loop state transitions become part of the computation record rather than a reconstructed log (Seck, 12 Apr 2026).
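The per-tenant ordering and hash chaining attributed to Faramesh's provenance log can be illustrated with a small verifier. This is an added example, not code from any cited system: the record fields (`seq`, `car`, `decision`, `policy`), the all-zero genesis value, and the class and function names are assumptions.

```python
import hashlib, json

GENESIS = "0" * 64   # constructed anchor for the first entry of every chain

def link(prev: str, record: dict) -> str:
    """Hash of the previous entry's hash plus this record's canonical bytes."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + blob).hexdigest()

class ProvenanceLog:
    FIELDS = ("seq", "car", "decision", "policy")   # assumed record fields

    def __init__(self):
        self.chains = {}   # tenant -> ordered list of entries

    def append(self, tenant: str, car: str, decision: str, policy: str) -> str:
        chain = self.chains.setdefault(tenant, [])
        record = {"seq": len(chain), "car": car,
                  "decision": decision, "policy": policy}
        prev = chain[-1]["hash"] if chain else GENESIS
        chain.append({**record, "prev": prev, "hash": link(prev, record)})
        return chain[-1]["hash"]

    def head(self, tenant: str) -> str:
        """Latest hash; store it outside the log to detect tail truncation."""
        chain = self.chains.get(tenant, [])
        return chain[-1]["hash"] if chain else GENESIS

    def verify(self, tenant: str) -> int:
        """Index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.chains.get(tenant, [])):
            record = {k: e[k] for k in self.FIELDS}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != link(prev, record):
                return i
            prev = e["hash"]
        return -1
```

Chain verification catches in-place edits even when the edited entry's own hash is recomputed, but a log truncated at the tail still verifies, which is why the head hash has to be anchored somewhere the log writer cannot rewrite.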
5. Security properties, operational guarantees, and empirical results
Governance-first architectures are typically justified not only by formal invariants but also by operational measurements. Faramesh reports non-bypassability through artifact-only execution, measured coverage of approximately 9 without injected bypass and 0 with deliberate malformed requests, zero double-executions in 1 attempts, baseline latencies of 2 3 ms, 4 5 ms, 6 7 ms, end-to-end 8 ms, and throughput of approximately 9 actions per minute on a single worker (Fatmi, 25 Jan 2026).
Layered and execution-boundary variants show similar trends in different threat models. The Layered Governance Architecture reports an end-to-end pipeline interception rate of 0 with total 1 ms, of which the non-judge layers contribute approximately 2 ms; generalization to InjecAgent yields 3–4 interception (Ge, 7 Mar 2026). Arbiter-K, which treats security as a microarchitectural property of a deterministic kernel around a probabilistic co-processor, reports unsafe interception rates of 5 to 6, with OpenClaw improving from native 7 to 8 and NanoBot from native 9 to 0 in one configuration (Wen et al., 20 Apr 2026). The certified-purity architecture for cognitive workflow executors reports verification latency of 1–2, full plan cycle under 3, runtime overhead under 4 of a 5 ms HTTP request, and zero determinism divergences across repeated invocations (McCann, 1 May 2026).
In domain-specific systems, the same architectural move produces measurable execution control. Queen-Bee’s retrieval-driven variant achieves task success 6, Finance Guardrail Block Rate 7, Cross-Tenant Block Rate 8, Tenant Scope Accuracy 9, and Wrong Tool Calls 0 on 1 enterprise-style tasks, while the no-policy and single-agent baselines score 2 on the blocking metrics and 3 wrong tool calls (Zhang et al., 4 Jun 2026). OCL reduces Unsafe Rate from 4 to 5 and raises Valid Success from 6 to 7 on 8 adversarial buyer–seller negotiation episodes, while also reducing rounds from 9 to 0 and latency from 1s to 2s (Shi et al., 3 Jun 2026). In embodied execution, policy-constrained runtime governance reports 3 unauthorized action interception, Runtime Violation Detection Rate 4, Unsafe Continuation Rate reduced from 5 to 6, and Recovery Success Rate 7 with full policy compliance (Qin et al., 9 Apr 2026).
These results support a narrow but important claim: when the enforcement surface is structural, pre-execution, and non-bypassable, governance can be measured in terms of executed violations, replayability, exactly-once behavior, and review completeness rather than only prompt adherence or post-hoc incident analysis (Fatmi, 25 Jan 2026, Besanson, 8 May 2026, Kaul et al., 29 Jun 2026).
6. Critiques, misconceptions, and limitations
A common misconception is that governance-first architectures are simply strengthened IAM, guardrails, or logging. Multiple papers explicitly reject that equivalence. Faramesh states that IAM/RBAC governs who, not whether a concrete action instance should execute under 8; protocol-embedded approaches couple semantics to transports; observability-only systems record effects after the fact; and generation-time guardrails fail open because they cannot refuse execution at effect time (Fatmi, 25 Jan 2026). AgentBound makes the same distinction by placing governance after delegated authorization but before execution, so that an action may be authorized yet still denied or routed to review under owner-signed constitutions or site action contracts (Kaul et al., 29 Jun 2026).
A second misconception is that governance-first execution solves reasoning correctness. Several papers explicitly limit the claim. LERA does not propose a new decision-making algorithm or safety heuristic; it institutionalizes judgment as a structural prerequisite for execution (Jing et al., 12 Jan 2026). Faramesh states that policy correctness and semantic accuracy of intent are out of scope because enforcing them would expand the TCB and violate determinism and replayability (Fatmi, 25 Jan 2026). Cognitive Core distinguishes governability from accuracy and argues that “accuracy measures how often a system is right; governability measures how reliably a system knows when it is not,” reporting zero silent errors rather than perfect decisions (Seck, 12 Apr 2026).
The strongest critique comes from work on enterprise agent design. CEAD characterizes a governance-first execution architecture as a control-heavy, design-poor 24-agent grid in which policy, auditability, least-privilege scoping, escalation, and release gates take precedence over capability-aligned decomposition. In the reported experiments over 9 enterprise tasks, this A3 governance-first grid achieves safe success 0, compared with 1 for CEAD, with higher mean handoffs (2 vs. 3), higher mean cost (4 vs. 5), lower audit coverage (6 vs. 7), and higher memory poisoning (8 vs. 9) (deVadoss, 7 May 2026). The paper’s conclusion is not that governance is unnecessary, but that governance should support and enforce capability-aligned design rather than substitute for it. This suggests a real fault line in the literature: governance-first is powerful at the execution boundary, but can underperform when elevated into the primary decomposition logic of the whole system (deVadoss, 7 May 2026).
Other limitations are more operational. Some systems provide prototype-level evidence rather than production deployment studies; some are mostly rule-based and leave broader policy-as-code or dynamic policy learning to future work; some rely on structured registries whose scale and noise characteristics may change retrieval behavior; and several identify trusted-computing-base assumptions, runtime compromise, or incomplete formalization of multi-agent composition as open problems (Zhang et al., 4 Jun 2026, McCann, 1 May 2026, Besanson, 8 May 2026). The architectural consensus is therefore narrower than the rhetoric sometimes suggests: governance-first execution is a robust method for making effectful execution enforceable, inspectable, and replayable, but it is not, by itself, a complete theory of agent design, reasoning quality, or organizational alignment (Fatmi, 25 Jan 2026, deVadoss, 7 May 2026).