VERA: Verifiable Enforcement for Runtime Agents

A Zero Trust Reference Architecture for Autonomous AI Agents

Berlin AI Labs — February 2026

Abstract

AI agents take real actions with real data at machine speed. Compromised AI agents pose significant risks including data exfiltration, unauthorized financial transactions, and cascading failures across downstream systems, often at speeds that preclude human intervention.

The security community has responded with governance frameworks that specify what to document, what to log, and what to monitor. These frameworks provide valuable guidance but leave a critical gap: none define the runtime enforcement layer that makes governance verifiable.

This paper introduces VERA (Verifiable Enforcement for Runtime Agents), a zero trust reference architecture for AI agents that prioritizes enforcement over documentation, cryptographic proof over policy assertions, and reference implementation over specification prose.

The Enforcement Gap

graph LR subgraph "Governance Layer" A[Policy Guidance] --> B[Control Categories] B --> C[Compliance Mapping] end subgraph "VERA: Enforcement Layer" D[Policy as Code] --> E[PDP/PEP Architecture] E --> F[Runtime Enforcement] F --> G[Cryptographic Proof] end C -.->|"VERA operationalizes"| D style C fill:#4dabf7,color:#fff,stroke:#333 style G fill:#51cf66,color:#fff,stroke:#333

Architecture Overview

VERA places a hardened enforcement plane between the agent runtime and the untrusted world. Trust is never assumed; it is enforced by Policy Enforcement Points (PEPs) and verified by a cryptographic Proof Engine.

graph TB subgraph "Untrusted Zone" U[External Users/APIs] RAG[RAG Corpus] end subgraph "Agent Runtime - Semi-Trusted" AR[Agent Process] MEM[Agent Memory] end subgraph "Enforcement Plane - Trusted" PDP[Policy Decision Point] PEP1[PEP: Tool Wrapper] PEP2[PEP: API Gateway] PEP3[PEP: Memory Guard] PE[Proof Engine] end subgraph "Storage Plane - Trusted" KMS[Key Management Service] LOG[Tamper-Evident Log] ANC[Anchor Backend] end U -->|"Input"| PEP2 PEP2 -->|"Validated"| AR AR -->|"Tool call"| PEP1 PEP1 -->|"Sign"| PE PE -->|"Write"| LOG LOG -->|"Anchor"| ANC

Read the Full Specification

The complete VERA specification, including formal security properties, threat models, and implementation details for all 12 services, is available in our open source repository.

Read Full Paper (GitHub)