Is the AiEGIS pipeline 12 layers or 15?

15. The canonical count is L1 through L15. The live /api/protect response carries a schema_version of v0.7.0-15layers-2026-05-23 and a layers_evaluated array of exactly 15 entries. Any page that still says 12 is from the v0.5 era when L9, L13, and L15 were partial or behind feature flags.

Why does the older blog still say 15-layer?

The 2026-04-19 blog post titled 'Building a 15-Layer AI Agent Security Stack' was an early architectural framing. The framing was always 15 layers. What changed between v0.5 and v0.7 is which layers carry verdicts in the response shape, not the canonical layer count itself.

Why was L9 (Meta Security) split out?

L9 Meta Security cross-checks the verdicts of layers L1-L8 for internal consistency (e.g. a layer claiming ALLOW while emitting a high-severity threat). It is structurally different from layers that evaluate inbound payload; it evaluates the pipeline itself. v0.7 surfaces it as its own field rather than folding it into a generic layer.

What does L13 MCP Registry do?

L13 evaluates whether the tool the agent is invoking is registered in the MCP (Model Context Protocol) registry and whether the registration is current. An agent attempting to call an unregistered or revoked MCP tool gets a DENY at L13 before the tool sandbox at L8 ever sees the call.

What does L15 Correlation Engine do?

L15 correlates verdicts across multiple agent actions over a sliding window to surface cross-action patterns no individual decision could catch (e.g. data-exfiltration spread across small reads). It runs after L1-L14 and feeds the audit ledger with correlation metadata.

AiEGIS 12 Layers vs 15 Layers — Which Is Canonical

The canonical count is 15, evidenced by the live /api/protect response. Here is each layer in one sentence. 2026-05-25.

The Empirical Answer

The AiEGIS evaluation pipeline is fifteen layers. The proof is a single curl against the live endpoint:

curl -sX POST https://aiegis.ie/api/protect \
  -H "Authorization: Bearer ${AIEGIS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"agent_id":"test","action":"read","payload":"x"}'

# response includes:
# "schema_version": "v0.7.0-15layers-2026-05-23",
# "layers_evaluated": [
#   {"layer":"L1", "name":"Agent Identity Protocol", "verdict":"ALLOW"},
#   {"layer":"L2", "name":"Agent Instruction Language", "verdict":"ALLOW"},
#   ... 13 more ...
#   {"layer":"L15", "name":"Correlation Engine", "verdict":"ALLOW"}
# ]

The schema_version string itself contains the canonical count: v0.7.0-15layers-2026-05-23. The layers_evaluated array has exactly 15 entries.

Why You Still See "12" on Some Pages

Between v0.5 (early 2026) and v0.7 (2026-05-23) three layers moved from "designed but partial" to "fully surfaced in the response":

L9 (Meta Security) was originally folded into a generic "self-check" pass. v0.7 surfaces it as its own field l9_meta_security with a verdict and a latency.
L13 (MCP Registry) was added when the MCP tool ecosystem stabilised and the registry became a load-bearing dependency. v0.7 surfaces it as l13_mcp_registry.
L15 (Correlation Engine) was on a separate audit pipeline and joined the per-decision response with v0.7.

The how-to-issue-an-agent-passport blog at the time of this writing still references "12 enforced security layers." That phrasing is from when L9, L13, and L15 emitted side-channel verdicts but were not first-class in the response shape. The architecture was always fifteen; the response shape caught up on 2026-05-23.

The Fifteen Layers, One Sentence Each

Per the canonical source at api_v2.py:3464:

Layer	Name	What it does
L1	Agent Identity Protocol	Verifies the agent's Ed25519 passport, checks revocation, asserts operator scope.
L2	Agent Instruction Language	Parses the agent's intended action into a structured form so downstream layers can reason about it.
L3	Compliance / PII	Runs the rule packs (EU AI Act, GDPR, NIST AI RMF, MGAIF, POPIA) over the payload and returns per-pack verdicts.
L4	Agent Police / Scope	Enforces action-level scope: this agent is allowed to read but not write, allowed in EU jurisdiction but not US, etc.
L5	Model Quality Gate	Refuses to dispatch the action if the underlying model fails baseline quality checks (e.g. degraded confidence on a high-risk action).
L6	Input Sanitizer	Strips or rejects prompt-injection patterns and other adversarial input shapes before they reach the agent's reasoning layer.
L7	Memory / Receipt Integrity	Verifies the agent's session memory and the per-decision receipt have not been tampered between layers.
L8	Tool Sandbox / Session TTL	Enforces tool-invocation sandboxing and session expiry; tools cannot exceed their declared scope.
L9	Meta Security	Cross-checks L1-L8 verdicts for internal consistency; catches a layer claiming ALLOW while emitting a high-severity threat.
L10	Data Protection	Applies GDPR / data-residency rules to any output that touches personal data.
L11	Network Security	Enforces network-layer policy: outbound destinations, TLS posture, allowed protocols.
L12	Behavioral Intelligence	Scores the action against the agent's behavioural baseline; outliers trigger WARN or BLOCK.
L13	MCP Registry	Verifies any invoked MCP tool is registered, current, and not revoked.
L14	Confidence Scoring	Aggregates per-layer signal into a single confidence number used by downstream consumers.
L15	Correlation Engine	Correlates across recent actions on the same agent to catch cross-action patterns (e.g. exfiltration spread across small reads).

What the Layer Count Does Not Tell You

A layer count is a structural claim, not a security claim. Fifteen layers that all return ALLOW unconditionally are worse than three layers that each block correctly. The right question for a buyer is not "how many layers" but "what does the runtime do when I send it the input that should fail" — the AIVSS enforcement-effectiveness dimension. See the AIVSS fixture walkthrough for how to score this empirically.

For the Auditor

The thing to put in your evidence pack is the layers_evaluated array on a real /api/protect response, not a marketing diagram of fifteen boxes. The array carries per-layer verdicts (ALLOW / WARN / BLOCK) and, for L9 and L13, per-layer latency in milliseconds. That is the substrate the EU AI Act Article 26 walkthrough at /article-26-walkthrough grounds its findings against.

Source: api_v2.py:3464 (definitive layer list) and api_v2.py:3486 (schema_version string). Live endpoint: /api/protect. Related: /architecture, /blog/15-layer-stack. Published 2026-05-25.