GATE: The Governed Agent Trust Environment
Highlights:
- 19 Controls in 4 Layers: Identity and integrity, runtime enforcement, observability and forensics, and orchestration and ecosystem.
- Deterministic Perimeter: A control plane that wraps the probabilistic model, with policy-as-code, hash-chained ledger, and signed action evidence at every tool boundary.
- Tier-Aware Governance: Three new v1.3 controls adjust pass criteria to deployment autonomy, treating sandbox and high-privilege deployments differently against the same evidence stream.
- Open and Implementable: JSON Schema contracts, OPA/Rego policy bundles, a Python reference library, 19 conformance checks, and a CLI runner. CC BY 4.0 for the specification, MIT for the code.
- EU Regulatory Alignment: Evidence maps to EU AI Act Articles 12, 14, 15, and 72 (for providers of high-risk systems under Annex III), plus the Cyber Resilience Act Annex I essential cybersecurity requirements.
Overview
The Architectural Problem: Production agentic AI requires governance at the tool boundary, where actions actually have consequences. Prompt guardrails and alignment work at the model layer; they cannot answer whether every action was authorised, whether the system can be stopped within five seconds, or whether an auditor can reproduce exactly what happened. GATE specifies the control plane that closes those questions.
Layer 1: Identity and Integrity: Every agent instance gets a unique, short-lived cryptographic identity bound to its runtime artefacts: the container image, the policy bundle, the prompt configuration. No shared service accounts. No long-lived API keys. v1.3 adds C17 Agent Discovery and Shadow AI Detection, continuously enrolling or terminating ungoverned workloads.
Layer 2: Runtime Enforcement: A Tool Gateway authenticates the agent, validates requests against a schema, evaluates policy-as-code, checks invariants, enforces budgets, and emits evidence before anything executes. No bypass paths. v1.3 adds C18 Data Quality Gates at the memory retrieval boundary, enforcing freshness, confidence, and provenance thresholds before retrieved content reaches the model.
Layer 3: Observability and Forensics: Every governed action produces a policy decision record, a hash-chained ledger event in WORM storage, and a replay trace step. Given a run ID, an operator can reproduce exactly what happened without relying on the model producing the same output twice. v1.3 adds C19 Model Behaviour Monitoring, distinct from adversarial validation, for gradual drift detection.
Layer 4: Orchestration and Ecosystem: Multi-agent messages are signed, versioned, and nonce-protected to prevent replay and spoofing. The orchestration control plane enforces backpressure, safe rollout, and rollback. Continuous adversarial validation runs in CI to gate deployments against attack scenarios.
From Evidence to Attestation: The hash-chained ledger plus the conformance runner produce regulator-ready evidence as a side effect of operating the system, rather than as a year-end exercise. The same evidence stream supports internal SRE, external audit, and supervisory authority engagement.
Who This Framework Is For
- AI Engineers and Architects building agents that need to operate in production with auditable governance.
- CISOs and Security Architects establishing zero-trust models for non-human identities and tool boundaries.
- GRC and Compliance Counsel mapping runtime evidence to EU AI Act, Cyber Resilience Act, and adjacent regimes.
- CTOs and AI Leaders establishing the technical substrate for scalable autonomy.
About the Author
GATE is an open framework authored by Andrew Stevens, CTO and CISO at Sakura Sky, published under CC BY 4.0 (specification) and MIT (reference implementations). The canonical framework home is deterministicagents.ai; the implementation repositories live at github.com/deterministic-agents. This page on the Sakura Sky white papers surface mirrors the framework for discovery.
For the launch context, see “GATE: The Missing Infrastructure Layer for Agentic AI”. For the v1.3 release notes, see “GATE v1.3: New Controls for Shadow Agents, Data Quality, and Model Drift”. For the conformance runner walkthrough, see “The GATE Conformance Runner: What You Can Automate and What You Cannot”.