A cloud reference framework of controls for enterprise-grade trustworthy AI agents. When an AI system can take real-world actions, the primary production constraint becomes trust - not model capability.
GATE specifies 19 controls across four layers that wrap probabilistic agents in a deterministic shell of governance. The model proposes; the control plane decides. Built on the architectural argument set out in the Trustworthy Agentic AI Blueprint.
Download the Frameworkv1.3 adds three new controls and a CLI conformance runner, closing three assumptions that v1.2.8 left implicit. The four-layer architecture is unchanged; existing C01 through C16 implementations remain compatible.
Identity & Integrity layer. Continuously discovers agent-like behaviour across the governed environment and routes ungoverned workloads to enrolment or termination. Closes the assumption that the agent estate is closed - in practice, engineers stand up agents for experimentation, vendors ship them inside SaaS, and workload identities get reused for purposes their owners never anticipated.
Runtime Enforcement layer, at the memory-retrieval boundary. Enforces freshness, confidence, and provenance thresholds before retrieved content reaches the model. Closes the assumption that retrieved content is usable - a well-governed agent operating on stale data still produces wrong outputs.
Observability & Forensics layer. Runs continuous statistical comparison of production behaviour against a signed baseline. Distinct from C16 adversarial validation: C16 detects attacks, C19 detects gradual drift. A model can produce increasingly poor decisions without being attacked. C19 catches that.
gate-conformance v1.2.0 ships a CLI runner that automates 9 of GATE's 19 checks against a live evidence store. The other 10 return PARTIAL - a structured handoff, not a false guarantee. Three new tier-aware checks (Check16, Check17, Check18) branch internally on autonomy tier so the same evidence constitutes PASS at sandbox and FAIL at bounded or high_privilege when appropriate.
Prompts are configuration, not governance. Enterprises cannot safely rely on prompt-only safety for systems that plan and execute actions across enterprise tools.
LLMs are non-deterministic and can be influenced by adversarial inputs. Trust must be engineered into the surrounding platform with controls that are deterministic, enforceable, and auditable outside the model.
When an agent can write to a database, call a payments API, or rotate a credential, the cost of an unbounded action is no longer reversible. The control plane authenticates, authorizes, and records every action before it takes effect.
Audit, incident response, and regulatory inquiry all require the same primitive: a tamper-evident record of who did what, on what authority, with what consequences. GATE makes that record a first-class output of every run - an architectural property the executive operating model increasingly depends on.
GATE uses “deterministic” to describe the control plane boundaries that surround the agent - not the model itself. LLMs remain probabilistic. What GATE enforces is operational determinism at the tool and memory boundary.
GATE defines a trustworthy agent as one whose failures are contained (limited blast radius), attributable (who did what), reproducible (deterministic replay), governable (policy, budgets, approvals), and auditable (tamper-evident evidence). Each control in the framework targets one or more of these properties directly.
A cross-cutting pattern that turns the 16 controls into a closed-loop autonomy dial: measure → score risk → constrain execution → audit. Higher autonomy tiers require more controls, stronger evidence, and tighter human-in-the-loop gates. The dial is calibrated against actual telemetry, not declared in policy.
19 controls across four layers. Each control specifies Why (the risk), What (the mechanism), How (implementation patterns), Evidence (what to log), and Failure Modes (common foot-guns). Built to be read like a platform spec, not a conceptual paper. v1.3 adds C17, C18, and C19 to the original 16.
Prove who/what is acting and that execution is untampered.
Enforce deterministic policy, budgets, and execution boundaries.
Produce evidence, replayability, and non-repudiation.
Safely scale to distributed and multi-agent autonomy.
GATE is open and vendor-neutral. The control catalog and v1.2.0 conformance runner output map to recognised governance standards and regulatory regimes so enterprise teams can use them alongside existing programs.
Each GATE control maps to GOVERN, MAP, MEASURE, and MANAGE functions, with explicit traceability tables in the appendix.
High-level theme alignment table covers the management-system clauses an ISO 42001 implementation needs to evidence.
Conformance-runner evidence maps to Articles 12 (record-keeping), 14 (human oversight), 15 (accuracy, robustness, cybersecurity), and 72 (post-market monitoring). Runtime layer for providers and deployers of high-risk AI systems.
Evidence supports Annex I Part I (essential cybersecurity requirements) and Part II (vulnerability handling). Substantive obligations apply from 11 December 2027.
Regulatory mappings are general engineering guidance, not legal advice. Specific obligations depend on your role under each regulation, the system you operate, your jurisdiction, and your supervisory authority. The runner produces the runtime layer of evidence these regimes assume exists; it does not replace the broader compliance programme that wraps it. Built for Cloud Architects, AI Architects, Platform Engineering, Security Engineering, GRC, and SRE/Operations teams.
GATE ships with open-source companion artifacts. All MIT-licensed and ready to fork. v1.3 bumps gate-contracts, gate-policies, and gate-python to v1.1.0 (new schemas, policies, and modules for C17/C18/C19) and gate-conformance to v1.2.0 (CLI runner).
Canonical project home: deterministicagents.ai
What the 167-page framework argues, in short form.
Agentic AI is crossing from “assistive” software into systems that plan and execute actions across enterprise tools. When an AI system can take real-world actions, the primary production constraint becomes trust, not model capability. The core challenge is architectural: models are probabilistic and influenceable; trust must be engineered into the surrounding platform.
gate-conformance v1.2.0 CLI runner automates 9 of the 19 checks against a live evidence store; the other 10 return PARTIAL with explicit manual_steps payloads. No false guarantees. Wire it into CI for a gate, not just a report.“Trust must be engineered into the surrounding platform with controls that are deterministic, enforceable, and auditable outside the model.”
GATE is intended for adoption. The companion repositories provide schemas, policy templates, matrices, and runbooks that architects can use to model and map implementations in real cloud environments. This page reflects v1.3 (June 2026).
The architectural argument GATE implements, and the executive operating model it supports.
A 167-page open framework for engineering teams productionizing agentic AI. CC BY 4.0 documentation; MIT-licensed reference contracts and code. Available as a direct PDF download.
Download GATE v1.3167 Pages | ~2.4MB | Version 1.3 | CC BY 4.0