Governed Agent Trust Environment

A cloud reference framework of controls for enterprise-grade trustworthy AI agents. When an AI system can take real-world actions, the primary production constraint becomes trust - not model capability.

GATE specifies 19 controls across four layers that wrap probabilistic agents in a deterministic shell of governance. The model proposes; the control plane decides. Built on the architectural argument set out in the Trustworthy Agentic AI Blueprint.

Download the Framework

Version 1.3

What's new in this edition

v1.3 adds three new controls and a CLI conformance runner, closing three assumptions that v1.2.8 left implicit. The four-layer architecture is unchanged; existing C01 through C16 implementations remain compatible.

  1. 1.
    C17 - Agent Discovery and Shadow AI Detection

    Identity & Integrity layer. Continuously discovers agent-like behaviour across the governed environment and routes ungoverned workloads to enrolment or termination. Closes the assumption that the agent estate is closed - in practice, engineers stand up agents for experimentation, vendors ship them inside SaaS, and workload identities get reused for purposes their owners never anticipated.

  2. 2.
    C18 - Data Quality Gates

    Runtime Enforcement layer, at the memory-retrieval boundary. Enforces freshness, confidence, and provenance thresholds before retrieved content reaches the model. Closes the assumption that retrieved content is usable - a well-governed agent operating on stale data still produces wrong outputs.

  3. 3.
    C19 - Model Behaviour Monitoring

    Observability & Forensics layer. Runs continuous statistical comparison of production behaviour against a signed baseline. Distinct from C16 adversarial validation: C16 detects attacks, C19 detects gradual drift. A model can produce increasingly poor decisions without being attacked. C19 catches that.

  4. 4.
    CLI conformance runner

    gate-conformance v1.2.0 ships a CLI runner that automates 9 of GATE's 19 checks against a live evidence store. The other 10 return PARTIAL - a structured handoff, not a false guarantee. Three new tier-aware checks (Check16, Check17, Check18) branch internally on autonomy tier so the same evidence constitutes PASS at sandbox and FAIL at bounded or high_privilege when appropriate.

Why a Control Plane, Not Prompt Guardrails

Prompts are configuration, not governance. Enterprises cannot safely rely on prompt-only safety for systems that plan and execute actions across enterprise tools.

Models are Probabilistic

LLMs are non-deterministic and can be influenced by adversarial inputs. Trust must be engineered into the surrounding platform with controls that are deterministic, enforceable, and auditable outside the model.

Side Effects Need Boundaries

When an agent can write to a database, call a payments API, or rotate a credential, the cost of an unbounded action is no longer reversible. The control plane authenticates, authorizes, and records every action before it takes effect.

Evidence is Non-Negotiable

Audit, incident response, and regulatory inquiry all require the same primitive: a tamper-evident record of who did what, on what authority, with what consequences. GATE makes that record a first-class output of every run - an architectural property the executive operating model increasingly depends on.

Operational Determinism at the Control Boundary

GATE uses “deterministic” to describe the control plane boundaries that surround the agent - not the model itself. LLMs remain probabilistic. What GATE enforces is operational determinism at the tool and memory boundary.

Trustworthiness, Operationally Defined
Five Properties of a Trusted Agent

GATE defines a trustworthy agent as one whose failures are contained (limited blast radius), attributable (who did what), reproducible (deterministic replay), governable (policy, budgets, approvals), and auditable (tamper-evident evidence). Each control in the framework targets one or more of these properties directly.

The Autonomy Dial
Operational Risk Modeling (ORM)

A cross-cutting pattern that turns the 16 controls into a closed-loop autonomy dial: measure → score risk → constrain execution → audit. Higher autonomy tiers require more controls, stronger evidence, and tighter human-in-the-loop gates. The dial is calibrated against actual telemetry, not declared in policy.

The GATE Control Catalog

19 controls across four layers. Each control specifies Why (the risk), What (the mechanism), How (implementation patterns), Evidence (what to log), and Failure Modes (common foot-guns). Built to be read like a platform spec, not a conceptual paper. v1.3 adds C17, C18, and C19 to the original 16.

Layer 1
Identity & Integrity

Prove who/what is acting and that execution is untampered.

  • C01 - Workload Identity and Attestation
  • C02 - Confidential Execution and Secret Boundary Control
  • C03 - Artifact Integrity and Supply Chain Controls
  • C04 - Agent Lifecycle Governance
  • C17 - Agent Discovery and Shadow AI Detection
Layer 2
Runtime & Constraints

Enforce deterministic policy, budgets, and execution boundaries.

  • C05 - Tool Gateway with Policy-as-Code Enforcement
  • C06 - Circuit Breakers and Emergency Stop
  • C07 - Resource Governance and Economic Safety
  • C08 - Prompt and Content Injection Defense
  • C09 - Execution Constraints and Invariant Enforcement
  • C18 - Data Quality Gates
Layer 3
Observability & Forensics

Produce evidence, replayability, and non-repudiation.

  • C10 - Deterministic Replay
  • C11 - Verifiable Audit Ledger
  • C12 - Signed Actions and Non-Repudiation
  • C13 - Agent-Native Observability and Semantic Tracing
  • C19 - Model Behaviour Monitoring
Layer 4
Orchestration & Ecosystem

Safely scale to distributed and multi-agent autonomy.

  • C14 - Secure Multi-Agent Protocols
  • C15 - Distributed Orchestration Control Plane
  • C16 - Continuous Adversarial Validation and High-Assurance Verification

Standards & Regulatory Alignment

GATE is open and vendor-neutral. The control catalog and v1.2.0 conformance runner output map to recognised governance standards and regulatory regimes so enterprise teams can use them alongside existing programs.

NIST AI RMF

Each GATE control maps to GOVERN, MAP, MEASURE, and MANAGE functions, with explicit traceability tables in the appendix.

ISO/IEC 42001

High-level theme alignment table covers the management-system clauses an ISO 42001 implementation needs to evidence.

EU AI Act

Conformance-runner evidence maps to Articles 12 (record-keeping), 14 (human oversight), 15 (accuracy, robustness, cybersecurity), and 72 (post-market monitoring). Runtime layer for providers and deployers of high-risk AI systems.

EU Cyber Resilience Act

Evidence supports Annex I Part I (essential cybersecurity requirements) and Part II (vulnerability handling). Substantive obligations apply from 11 December 2027.

Regulatory mappings are general engineering guidance, not legal advice. Specific obligations depend on your role under each regulation, the system you operate, your jurisdiction, and your supervisory authority. The runner produces the runtime layer of evidence these regimes assume exists; it does not replace the broader compliance programme that wraps it. Built for Cloud Architects, AI Architects, Platform Engineering, Security Engineering, GRC, and SRE/Operations teams.

Reference Implementation

GATE ships with open-source companion artifacts. All MIT-licensed and ready to fork. v1.3 bumps gate-contracts, gate-policies, and gate-python to v1.1.0 (new schemas, policies, and modules for C17/C18/C19) and gate-conformance to v1.2.0 (CLI runner).

Canonical project home: deterministicagents.ai

Key Takeaways from the Framework

What the 167-page framework argues, in short form.

Agentic AI is crossing from “assistive” software into systems that plan and execute actions across enterprise tools. When an AI system can take real-world actions, the primary production constraint becomes trust, not model capability. The core challenge is architectural: models are probabilistic and influenceable; trust must be engineered into the surrounding platform.

  1. 1. The control plane is the trust boundary. Every action that can cause a side effect passes through enforcement points that authenticate, authorize, constrain, and record it in a verifiable, reproducible way. The model proposes; the control plane decides.
  2. 2. 19 controls, four layers. Identity & Integrity (C01–C04, C17), Runtime & Constraints (C05–C09, C18), Observability & Forensics (C10–C13, C19), Orchestration & Ecosystem (C14–C16). Each control specifies Why / What / How / Evidence / Failure Modes - designed to read as a platform spec, not a conceptual paper.
  3. 3. Operational Risk Modeling (ORM) is the autonomy dial. Telemetry from the controls feeds a real-time risk score that constrains execution. Higher autonomy tiers require more controls, stronger evidence, and tighter human-in-the-loop gates - calibrated against actual telemetry rather than declared in policy.
  4. 4. v1.3 closes three implicit assumptions. That the agent estate is closed (C17 shadow-AI discovery), that retrieved content is usable (C18 quality gates at the memory-retrieval boundary), and that the model is stable (C19 drift monitoring distinct from C16 adversarial validation).
  5. 5. Conformance is partially automated. The gate-conformance v1.2.0 CLI runner automates 9 of the 19 checks against a live evidence store; the other 10 return PARTIAL with explicit manual_steps payloads. No false guarantees. Wire it into CI for a gate, not just a report.
  6. 6. Open, implementable, mapped. CC BY 4.0 for the paper; MIT for the contracts, Python library, policy bundles, and conformance checks. Includes mappings to NIST AI RMF, ISO/IEC 42001, EU AI Act Articles 12/14/15/72, and EU CRA Annex I.

“Trust must be engineered into the surrounding platform with controls that are deterministic, enforceable, and auditable outside the model.”

- GATE Framework, Executive Summary

GATE is intended for adoption. The companion repositories provide schemas, policy templates, matrices, and runbooks that architects can use to model and map implementations in real cloud environments. This page reflects v1.3 (June 2026).

Related Reading

The architectural argument GATE implements, and the executive operating model it supports.

Download the Framework

A 167-page open framework for engineering teams productionizing agentic AI. CC BY 4.0 documentation; MIT-licensed reference contracts and code. Available as a direct PDF download.

Download GATE v1.3

167 Pages | ~2.4MB | Version 1.3 | CC BY 4.0