Agentic infrastructure introduces a critical control-plane authorization problem: non-deterministic reasoning systems can propose high-stakes mutations to production resources, yet existing security mechanisms -- such as identity and access management (IAM), policy engines, consensus protocols, and audit logs -- either enforce static, context-unaware permissions or merely record actions post-execution. This paper introduces the Sovereign Assurance Boundary (SAB), a certificate-bound runtime admission layer for autonomous execution authority. SAB intercepts agent proposals at an assurance airlock, compiles them into typed execution contracts $C$, and binds these contracts to cryptographic evidence digests $H(E)$ and policy versions. The contracts are then routed through consequence-aware certification paths. Upon successful admission, the system emits a signed Sovereign Assurance Certificate ($\Omega$) that is strictly scoped to a specific execution identity, revocation epoch, and validity window. Finally, a sovereign execution broker verifies $\Omega$ and performs fresh pre-execution revocation and drift checks before invoking infrastructure APIs. We detail the airlock-broker architecture, formalize its admission and revocation invariants, and report preliminary feasibility measurements from a Go prototype evaluated over 2,500 admission attempts. Ultimately, this broker-enforced model prevents autonomous reasoning from directly mutating state, transforming delegated execution authority into a cryptographically verifiable, evidence-bound, revocable, and replayable runtime artifact.
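The airlock-to-broker flow the abstract describes, as an added Go example that is not the paper's prototype: an airlock checks the policy version and evidence digest $H(E)$ of a typed contract $C$, then signs a certificate scoped to an execution identity, a revocation epoch and a validity window; the broker re-verifies the signature, identity, window, current epoch and contract/evidence digests immediately before the (simulated) infrastructure call. The struct fields, the Ed25519-over-JSON signing scheme and the shared epoch counter as the revocation mechanism are assumptions made for this example, and the evidence bytes and timestamps are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Contract is the typed execution contract C compiled from an agent proposal; the field set is an assumption, not the paper's schema.
type Contract struct {
	Action        string `json:"action"`
	Target        string `json:"target"`
	EvidenceHash  string `json:"evidence_hash"` // H(E)
	PolicyVersion string `json:"policy_version"`
}

// Certificate is the signed admission artifact, scoped to one execution identity, one revocation epoch and one validity window.
type Certificate struct {
	ContractHash    string `json:"contract_hash"`
	ExecutionID     string `json:"execution_id"`
	RevocationEpoch uint64 `json:"revocation_epoch"`
	NotBefore       int64  `json:"not_before"`
	NotAfter        int64  `json:"not_after"`
	Signature       []byte `json:"signature"`
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Hash covers every field, so H(E) and the policy version are bound into the certificate;
// encoding/json emits struct fields in declaration order, so the digest is deterministic.
func (c Contract) Hash() string { b, _ := json.Marshal(c); return digest(b) }

// signingBytes serialises a copy (value receiver) of the certificate with the signature blanked.
func (cert Certificate) signingBytes() []byte { cert.Signature = nil; b, _ := json.Marshal(cert); return b }

// Airlock admits proposals; Epoch is the revocation counter shared with the broker.
type Airlock struct {
	key    ed25519.PrivateKey
	Policy string
	Epoch  *uint64
}

func (a *Airlock) Admit(c Contract, evidence []byte, execID string, now time.Time, ttl time.Duration) (Certificate, error) {
	if c.PolicyVersion != a.Policy || c.EvidenceHash != digest(evidence) {
		return Certificate{}, errors.New("admission refused: policy version or evidence digest mismatch")
	}
	cert := Certificate{ContractHash: c.Hash(), ExecutionID: execID, RevocationEpoch: *a.Epoch,
		NotBefore: now.Unix(), NotAfter: now.Add(ttl).Unix()}
	cert.Signature = ed25519.Sign(a.key, cert.signingBytes())
	return cert, nil
}

// Broker is the only component that touches infrastructure; it re-verifies at execution time instead of trusting the earlier admission.
type Broker struct {
	pub      ed25519.PublicKey
	Epoch    *uint64
	Executed []string // stand-in for real infrastructure API calls
}

func (b *Broker) Execute(cert Certificate, c Contract, evidence []byte, execID string, now time.Time) error {
	switch {
	case !ed25519.Verify(b.pub, cert.signingBytes(), cert.Signature):
		return errors.New("execution refused: bad certificate signature")
	case cert.ExecutionID != execID:
		return errors.New("execution refused: wrong execution identity")
	case now.Unix() < cert.NotBefore || now.Unix() > cert.NotAfter:
		return errors.New("execution refused: outside validity window")
	case cert.RevocationEpoch != *b.Epoch: // fresh revocation check against the current epoch
		return errors.New("execution refused: revocation epoch advanced")
	case cert.ContractHash != c.Hash() || c.EvidenceHash != digest(evidence): // drift check
		return errors.New("execution refused: contract or evidence drifted since admission")
	}
	b.Executed = append(b.Executed, c.Action+" "+c.Target)
	return nil
}

// NewSystem wires an airlock and a broker around one key pair and one shared epoch counter.
func NewSystem(policy string) (*Airlock, *Broker, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	epoch := uint64(1) // bumping this counter revokes every outstanding certificate
	return &Airlock{key: priv, Policy: policy, Epoch: &epoch}, &Broker{pub: pub, Epoch: &epoch}, nil
}

func main() {
	air, brk, _ := NewSystem("policy-v1")
	now, ev := time.Unix(1_700_000_000, 0), []byte("constructed evidence: scale db-primary to 3 replicas")
	c := Contract{Action: "scale", Target: "db-primary", EvidenceHash: digest(ev), PolicyVersion: "policy-v1"}
	cert, err := air.Admit(c, ev, "exec-42", now, 5*time.Minute)
	fmt.Println("admit:", err, "| execute:", brk.Execute(cert, c, ev, "exec-42", now.Add(time.Second)))
	c.Target = "db-replica-9" // contract altered after admission
	fmt.Println("drifted:", brk.Execute(cert, c, ev, "exec-42", now.Add(time.Second)))
	*air.Epoch++ // operator revokes all outstanding certificates
	fmt.Println("revoked:", brk.Execute(cert, c, ev, "exec-42", now.Add(time.Second)))
}
```

The broker never consults the airlock's earlier decision; everything it needs is carried in the certificate and re-derived from the contract and evidence presented at execution time, which is what makes the artifact replayable and what lets an epoch bump revoke certificates without contacting the agent.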