Identity, Governance and Visibility Belong Together

A production architecture for autonomous AI agents under the EU AI Act · 2026-05-31 · Travis Gerber

Autonomous AI agents are now booking travel, ordering supplies, signing contracts, and moving money — every day, in production, at scale. The identity primitives those agents carry were built for human-shaped sessions or service accounts, not for autonomous principals operating across multi-day horizons under the EU AI Act.

This article is a condensed, public version of the architecture the AIEGIS team and I have been building. It documents what we shipped, what we measured, and what is still open. The full preprint is linked at the end.

1. The gap

Every regulated industry that adopts autonomous agents runs into the same three questions:

  1. Who is this agent? OAuth and SAML authenticate humans with sessions. Enterprise IAM (Okta, Entra ID, Auth0) authenticates service accounts. Neither carries principal attestation (which human or legal entity is behind a specific agent action), hardware binding (an assertion that the signing key cannot leave a specified secure element), or per-call signed receipts (offline-verifiable evidence of admission or refusal).
  2. What is it allowed to do? Policy lives in PDFs and rule packs. Agents act in milliseconds. Manual policy review is the wrong loop length for autonomous systems.
  3. What did it actually do? Six months of logs (the EU AI Act Article 12 minimum) are not enough when a regulator opens a case two years after the event. The ledger has to be append-only, signed, and self-hosted.

These are not three problems. They are one problem — and you cannot solve any of them without solving the other two at the same time.

2. The architecture

We built AIEGIS as four substrates that compose into a single signed pipeline.

(i) Identity — the Agent Passport

A W3C-DID-rooted credential signed with Ed25519 (RFC 8032) in compact JWS (RFC 7515 + RFC 8037), with hardware-bound principal attestation at issuance via TPM 2.0, Apple Secure Enclave, or FIDO2. We use did:key for self-sovereign agents and did:web for organisation-anchored agents. Revocation is published as a W3C Bitstring Status List v1.0; flipping a single bit revokes the passport in real time.

The passport is built entirely on open W3C and IETF standards. You can verify one with any off-the-shelf library; you do not need an AIEGIS client.
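The revocation lookup a verifier performs against a Bitstring Status List, as an added example (not AIEGIS code). It assumes one-bit revocation entries and that the status list credential's own signature has already been verified; the index 4242, the size cap and the helper names are constructed for illustration.

```python
import base64
import gzip
import zlib

MIN_BYTES = 16 * 1024          # spec minimum: 131,072 one-bit entries
MAX_BYTES = 16 * 1024 * 1024   # assumed local cap against decompression bombs


def encode_list(bits: bytes) -> str:
    """Issuer side: GZIP, then multibase base64url ('u' prefix, no padding)."""
    b64 = base64.urlsafe_b64encode(gzip.compress(bits)).rstrip(b"=")
    return "u" + b64.decode("ascii")


def decode_list(encoded: str) -> bytes:
    """Verifier side: reverse encode_list with bounded decompression."""
    if not encoded.startswith("u"):
        raise ValueError("encodedList is not multibase base64url")
    body = encoded[1:] + "=" * (-len(encoded[1:]) % 4)
    inflater = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header
    bits = inflater.decompress(base64.urlsafe_b64decode(body), MAX_BYTES + 1)
    if not MIN_BYTES <= len(bits) <= MAX_BYTES:
        raise ValueError("status list size outside accepted bounds")
    return bits


def is_revoked(encoded: str, index: int) -> bool:
    """Index 0 is the left-most (most significant) bit of byte 0."""
    bits = decode_list(encoded)
    if not 0 <= index < len(bits) * 8:
        # An out-of-range index is an invalid credential, not "not revoked".
        raise IndexError("statusListIndex outside the published list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))


def flip(bits: bytearray, index: int) -> None:
    """Issuer side: set one bit to revoke the passport at that index."""
    bits[index // 8] |= 0x80 >> (index % 8)


# Constructed sample: an all-zero list, then the same list after one revocation.
_list = bytearray(MIN_BYTES)
BEFORE = encode_list(bytes(_list))
flip(_list, 4242)
AFTER = encode_list(bytes(_list))

if __name__ == "__main__":
    print(is_revoked(BEFORE, 4242), is_revoked(AFTER, 4242))
```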

(ii) Governance — a 15-layer runtime enforcement ladder

Every action an agent attempts — every API call, contract signature, payment, message — passes through 15 layers before it leaves the host machine:

L1 Identity → L2 Instruction Language → L3 Compliance Engine → L4 Agent Police → L5 Model Quality Gate → L6 Input Sanitiser → L7 Memory Integrity → L8 Tool Sandbox → L9 Meta-Security → L10 Data Protection → L11 Network → L12 Behavioural Intelligence → L13 MCP Registry → L14 Confidence Scoring → L15 Correlation Engine.

Each layer can allow, deny, or annotate. Preventive layers fail closed. Detective layers fail open. That choice matters: in CISO procurement, fail-open in a preventive layer is a disqualifier.
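The fail-closed and fail-open rule from the paragraph above, as an added example (not AIEGIS code). Only two of the fifteen layers are modelled; which layers count as preventive or detective, the stand-in checks and the action fields `tool` and `rate` are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

VERDICTS = {"allow", "deny", "annotate"}


@dataclass
class Layer:
    name: str
    preventive: bool  # True: fail closed on error; False (detective): fail open
    check: Callable[[dict], Tuple[str, str]]  # returns (verdict, note)


@dataclass
class Decision:
    admitted: bool
    denied_by: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def evaluate(layers: List[Layer], action: dict) -> Decision:
    """Run the action through each layer in order; the first deny stops it."""
    decision = Decision(admitted=True)
    for layer in layers:
        try:
            verdict, note = layer.check(action)
            if verdict not in VERDICTS:
                raise ValueError(f"unknown verdict {verdict!r}")
        except Exception as exc:  # a crashed layer or a malformed verdict
            decision.notes.append(f"{layer.name}: error ({exc})")
            if not layer.preventive:
                continue          # detective layer: record it and fail open
            verdict = "deny"      # preventive layer: fail closed
        else:
            if verdict != "allow":
                decision.notes.append(f"{layer.name}: {note}")
        if verdict == "deny":
            decision.admitted, decision.denied_by = False, layer.name
            return decision
    return decision


def _sandbox(action):    # stand-in preventive check; raises if 'tool' is missing
    ok = action["tool"] in {"search", "calendar"}
    return ("allow", "") if ok else ("deny", "tool not allowlisted")


def _behaviour(action):  # stand-in detective check; raises if 'rate' is missing
    return ("annotate", "unusual call rate") if action["rate"] > 100 else ("allow", "")


LADDER = [Layer("L8 Tool Sandbox", True, _sandbox),
          Layer("L12 Behavioural Intelligence", False, _behaviour)]
```

An action that makes the detective check raise is still admitted with an error note, while the same fault in the preventive check produces a deny attributed to that layer.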

Five jurisdictional rule packs ship today — EU AI Act, GDPR, NIST AI RMF, Singapore MGAIF, and South Africa POPIA — and each pack is an auditable, versionable file you can pin.

(iii) Audit — per-call signed receipts

Every decision the chain emits is written as an EdDSA-signed receipt to an append-only SQLite ledger, enforced by BEFORE DELETE / BEFORE UPDATE triggers, hash-chained at insertion. Retention floor: 1825 days (5 years) — over-fulfilment of the EU AI Act Article 12 six-month minimum.

The ledger lives on customer infrastructure. We do not see it. We do not have a copy. You can probe the contract yourself:

GET https://aiegis.ie/grid/ledger/retention
→ {"retention_floor_days": 1825,
   "append_only_enforced": true,
   "triggers_present": ["trg_grid_ledger_no_delete",
                        "trg_grid_ledger_no_update"],
   "satisfies_floor": true, ...}
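An append-only, hash-chained SQLite ledger of the kind described above, as an added example (not the AIEGIS schema). The trigger names are the ones in the response above; the table name `grid_ledger`, the column layout and the SHA-256 chaining rule are assumptions, and receipts are stored as opaque strings with signature verification left out.

```python
import hashlib
import sqlite3

GENESIS = "0" * 64  # assumed prev_hash for the first entry
SCHEMA = """
CREATE TABLE grid_ledger (seq INTEGER PRIMARY KEY AUTOINCREMENT,
    receipt TEXT NOT NULL, prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL);
CREATE TRIGGER trg_grid_ledger_no_delete BEFORE DELETE ON grid_ledger
BEGIN SELECT RAISE(ABORT, 'grid_ledger is append-only'); END;
CREATE TRIGGER trg_grid_ledger_no_update BEFORE UPDATE ON grid_ledger
BEGIN SELECT RAISE(ABORT, 'grid_ledger is append-only'); END;
"""


def link(prev_hash: str, receipt: str) -> str:
    """Hash of this entry, bound to the hash of the entry before it."""
    return hashlib.sha256(f"{prev_hash}\n{receipt}".encode()).hexdigest()


def open_ledger() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def append(db: sqlite3.Connection, receipt: str) -> str:
    with db:  # commit on success, roll back on error
        tail = db.execute("SELECT entry_hash FROM grid_ledger "
                          "ORDER BY seq DESC LIMIT 1").fetchone()
        prev = tail[0] if tail else GENESIS
        entry = link(prev, receipt)
        db.execute("INSERT INTO grid_ledger (receipt, prev_hash, entry_hash) "
                   "VALUES (?, ?, ?)", (receipt, prev, entry))
    return entry


def rejects(db: sqlite3.Connection, sql: str) -> bool:
    """True if the triggers abort the statement."""
    try:
        with db:
            db.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False


def first_broken(db: sqlite3.Connection):
    """Recompute the chain; return the seq of the first bad entry, or None."""
    prev = GENESIS
    for seq, receipt, prev_hash, entry_hash in db.execute(
            "SELECT seq, receipt, prev_hash, entry_hash FROM grid_ledger ORDER BY seq"):
        if prev_hash != prev or entry_hash != link(prev, receipt):
            return seq
        prev = entry_hash
    return None
```

The triggers only constrain writes made through SQL against an intact schema; recomputing the chain with `first_broken` is what exposes an edit made by someone able to alter the schema or the database file.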

(iv) Grid — the agent-to-agent marketplace

When agents need to transact with other agents (not with human-shaped websites), they need a surface where identity, governance, and settlement compose natively. Grid is that surface. Every participant carries a verified passport. Every contract is a signed verifiable credential. Every transaction passes through both sides' rule packs. We do not custody funds.

3. What we measured

We anchor empirical claims in the OWASP AIVSS enforcement-effectiveness dimension family — the working text I co-authored (v0.1.1), credited publicly on the upstream OWASP project issue #31 and in the working text repository.

AIVSS draws a deliberately sharp line: a vendor cannot claim block-rate, time-to-enforce, or enforcement_locus tier numbers without publishing signed receipts plus methodology citations. Numbers without receipts do not count.

Under that constraint, we report bound parity across two independent substrates against the audit-pack-signing v0.5 §12 race-test specification (bound ≤ 50 ms):

| Substrate | Throughput | P99 latency | ACCEPTs | Verdict |
| --- | --- | --- | --- | --- |
| SQLite WAL (multi-process, lab-bench) | 6,000 requests | 0.00 ms | 0 | within bound |
| In-process Map (fresh checkout) | 6,004 requests | 4.57 ms | 12 | within bound |

Both substrates satisfy the §12 bound. We document the substrate-resolution rule (which substrate's number you cite depends on the deployment, not the headline) and the limitations: SQLite filesystem-level vulnerability, single-substrate evidence gaps, and a third-substrate (Nobulex) reproduction pending in AIVSS v0.2.

4. Why this matters for the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) is now in force; Article 5 prohibitions applied from 2 February 2025; Chapters III §4 + V + VII + XII applied from 2 August 2025; the general application date — including Article 26 deployer obligations and Article 9, 13, 14, 15 provider obligations for high-risk systems — is 2 August 2026.

Article 26 binds the legal entity using a high-risk AI system to twelve sub-paragraph requirements covering operational measures, human oversight, monitoring, log retention, input-data control, worker notification, public-authority registration, GDPR DPIA integration, and cooperation with competent authorities.

You can read AIEGIS's sub-paragraph-by-sub-paragraph walkthrough at aiegis.ie/article-26-walkthrough.

We map each AIEGIS mechanism to its regulatory anchor:

5. What's open

I am not going to pretend this is finished. Three honest gaps:

  1. End-to-end live demo. The architecture is shipped. The endpoints are live. We have not yet posted a 60-second screen recording of a real autonomous agent being denied a real bad action by a real layer with a real signed receipt the viewer can verify. That is the next thing on my list.
  2. Third-substrate reproduction. AIVSS v0.2 calls for a Nobulex substrate reproduction. Open work, parked on the v0.2 cadence.
  3. Endorsement-gated academic distribution. The full preprint is drafted (v1, 6,190 words, EU-AI-Act-mapped). The arXiv submission is queued behind first-time cs.CR endorsement. The PDF and the supporting source live on aiegis.ie meanwhile.

6. How to engage

Endpoints you can probe right now:

Read the full architecture or the Article 26 walkthrough.

If you are:

I would like to hear from you. Reach me on LinkedIn or at hello@aiegis.ie.

All claims in this article are verifiable against the public endpoints and repositories cited. AIEGIS is built in Ireland and EU-sovereign by design.