Open Reference Architecture

Compliant Agent Architecture

Six architectural principles for building AI agents that generate compliance evidence by construction — not bolted on after deployment.

CAA v0.1 · March 2026 · Berlin AI Labs

The Problem

AI agents are indeterministic by nature. They reason about goals, choose tools at runtime, and chain services in ways nobody anticipated. Every existing compliance framework — SOC 2, ISO 27001, HIPAA — was designed to audit static systems with predictable behavior.

The EU AI Act creates a fundamentally different requirement. It asks: What was your AI system allowed to do? What did it actually do? What human controls were active at the moment of decision?

These are runtime questions. No static framework can answer them. And no product bolted onto an agent after deployment can reliably produce the evidence needed, because the evidence has to originate from inside the execution path.

The Compliant Agent Architecture (CAA) defines how to architect AI agents so compliance evidence is generated as a natural byproduct of execution. Not as an afterthought. Not as logging. As an architectural property.

"The real challenge is not proving what happened, but constraining what is allowed before execution."

— Recurring theme from 31 compliance professionals discussing AI agent governance

Design Philosophy

CAA borrows from three fields that have solved analogous problems:

  1. Banking Model Risk (SR 11-7) — The only compliance framework that validates output behavior, not just infrastructure. CAA applies this thinking to agents.
  2. Capability-Based Security — Instead of asking "what should this agent NOT do," CAA asks "what is this agent architecturally ABLE to do." Unforgeable capability tokens, not ACL policies.
  3. Cryptographic Attestation — Every claim of compliance must be backed by a tamper-evident, independently verifiable record. If you can't verify it, it's not evidence.

The Six Principles

01

Capability Declaration

Declare what the agent can do before it runs.

Every agent must declare its permitted tools, data access scopes, and decision authority in a read-only capability manifest before execution begins. The manifest is immutable at runtime. The agent cannot discover or invoke tools outside its declared capabilities.

This is not a policy document. It is an architectural constraint. The runtime environment enforces the manifest the way an operating system enforces process permissions. An agent that attempts to call an undeclared tool fails at the execution boundary, not at a policy check.

// Example: Agent Capability Manifest (capability-manifest.yaml) agent_id: "customer-support-agent-v3" version: "2026.03.29" permitted_tools: - name: "crm_lookup" data_access: [customer_name, ticket_history] pii_level: "restricted" - name: "knowledge_base_search" data_access: [public_docs] pii_level: "none" denied_capabilities: - "external_api_calls" - "cross_border_data_transfer" - "autonomous_financial_decisions" decision_authority: "recommend_only" # cannot execute without human approval max_chain_depth: 3 # max tool calls per request
EU AI Act Art. 9 (Risk Management) AIUC-1 B: Security SR 11-7 (Model Scope)
02

Execution Attestation

Sign every action at the point of execution.

Every tool call, API request, and decision the agent makes generates a signed, tamper-evident execution record at the moment of action. Not reconstructed from logs. Not inferred from outputs. Generated at the execution boundary by the runtime itself.

The execution record contains: the action taken, the capability manifest that authorized it, the input context, the timestamp, and a cryptographic signature. An auditor can independently verify that any specific action was authorized by the manifest and occurred at the claimed time.

// Execution Record (generated automatically at runtime) { "record_id": "exec-2026-03-29T14:32:07.442Z-a7f3", "agent_id": "customer-support-agent-v3", "action": "tool_call:crm_lookup", "input_hash": "sha256:9f86d081...", "manifest_ref": "sha256:e3b0c442...", "authorization": "manifest_rule:permitted_tools[0]", "human_override_active": true, "signature": "ed25519:Kx7f..." }
EU AI Act Art. 12 (Record-Keeping) EU AI Act Art. 13 (Transparency) AIUC-1 E: Accountability
03

Decision Provenance

Trace every decision back to its origin.

For every agent action, capture the full causal chain: what user input triggered the request, what context the model received, what reasoning produced the decision, what permissions authorized it, and what alternatives were considered.

Decision provenance is not "explainability" in the ML sense. It is a verifiable chain of custody from input to output. If an auditor asks "why did the agent do X on Tuesday at 14:32," the answer is a cryptographic proof, not a narrative.

EU AI Act Art. 13 (Transparency) AIUC-1 D: Reliability SR 11-7 (Model Validation)
04

Sovereign Evidence Chain

Never let compliance evidence leave your perimeter.

All execution records, decision provenance, and compliance evidence must be generated and retained inside the deployment boundary. No telemetry egress to third-party clouds. No compliance analysis by external SaaS.

The reason is circular but absolute: if you send agent behavior data to a US-hosted SaaS for EU AI Act compliance analysis, the act of analyzing compliance itself creates a GDPR compliance problem. Sovereignty is not a feature. It is an architectural invariant.

GDPR Art. 44 (Cross-Border Transfer) EU AI Act Art. 12 (Record-Keeping) AIUC-1 A: Data & Privacy
05

Human Override Proof

Prove a human could have stopped it — at every moment.

At every point during agent execution, the system must maintain a verifiable record of which human controls were active, what override capabilities existed, and who held the authority to intervene.

"Human in the loop" is not a design pattern. It is an evidence requirement. The EU AI Act does not ask whether a human could theoretically intervene. It asks whether you can prove that intervention capability was active at the specific moment a decision was made.

EU AI Act Art. 14 (Human Oversight) AIUC-1 C: Safety
06

Deterministic Scope Binding

The agent cannot expand its own authority.

Agent behavior is bounded by configuration, not by prompting. The agent cannot modify its own capability manifest. It cannot escalate its permissions. It cannot invoke tools that were not declared at initialization. Scope expansion requires a new manifest — which requires human approval and generates a new attestation chain.

This principle directly addresses the indeterminism problem. The agent's reasoning may be non-deterministic, but its scope of action is not. The set of things it can do is fixed. How it decides which of those things to do is where the intelligence lives.

EU AI Act Art. 9 (Risk Management) EU AI Act Art. 15 (Accuracy & Robustness) AIUC-1 B: Security SR 11-7 (Ongoing Monitoring)

Standards Mapping

CAA is designed as a control overlay that complements existing frameworks. It does not replace SOC 2, ISO 42001, or AIUC-1. It fills the architectural gap that none of them address.

Requirement SOC 2 ISO 42001 AIUC-1 CAA
Infrastructure security
AI governance process
Adversarial testing
Runtime behavioral evidence
Architectural enforcement
Evidence sovereignty
Capability-bounded agents

Implementation

CAA is an architecture, not a product. It can be implemented with any agent framework. However, we provide open-source reference implementations:

Reference Stack

  1. SemaProof — Open-source agent firewall. Implements Capability Declaration (Principle 1) and Execution Attestation (Principle 2) as an Envoy sidecar. Sub-50ms latency.
  2. VERA Evidence Dashboard — Visualizes the execution record chain. Maps evidence to EU AI Act articles and AIUC-1 domains for auditor review.
  3. CAA Scanner — Free self-assessment that scores your agent architecture against the six CAA principles.

Assess Your Agent Architecture

Score your AI agent's compliance readiness against the CAA principles and EU AI Act in 60 seconds.

Run the Free Scanner See the Evidence Dashboard

Contributing

CAA is an open framework. It will evolve as the regulatory landscape changes and as the community identifies gaps. If you work in AI governance, model risk, or agent infrastructure and see something wrong or missing, we want to hear from you.

Reach out: Yami G on LinkedIn · gopal.yami@gmail.com