Architecture
The technical architecture powering AI governance at scale. From trust scoring algorithms to policy enforcement pipelines.
Platform Overview
┌─────────────────────────────────────────────────────────────────────┐ │ VORION PLATFORM │ ├─────────────────────────────────────────────────────────────────────┤ │ │ │ USER INTERFACES │ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ │ │ AgentAnchor │ │ Learn │ │ │ │ Dashboard │ │ Vorion │ │ │ └──────┬───────┘ └──────┬───────┘ │ │ │ │ │ │ ═══════╪══════════════════╪═══════════════════════════════════ │ │ │ API GATEWAY │ │ ═══════╪══════════════════╪═══════════════════════════════════ │ │ │ │ │ │ ┌──────▼──────────────────▼────────────────────────────────────┐ │ │ │ COGNIGATE RUNTIME │ │ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ Policy │ │ Intent │ │ Enforcement │ │ │ │ │ │ Evaluator │ │ Processor │ │ Engine │ │ │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ └────────────────────────┬───────────────────────────────────────┘ │ │ │ │ │ ┌────────────────────────▼───────────────────────────────────────┐ │ │ │ ATSF CORE RUNTIME │ │ │ │ │ │ │ │ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │ │ │ │ │ Trust │ │ BASIS │ │ Proof │ │ Governance│ │ │ │ │ │ Engine │ │ Evaluator│ │ Plane │ │ Engine │ │ │ │ │ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │ │ │ │ │ │ │ │ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │ │ │ │ │Arbitration│ │Containment│ │ Contracts │ │ Provenance│ │ │ │ │ │ Engine │ │ System │ │ (Zod) │ │ Tracker │ │ │ │ │ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │ │ │ └────────────────────────────────────────────────────────────────┘ │ │ │ │ ┌────────────────────────────────────────────────────────────────┐ │ │ │ PERSISTENCE LAYER │ │ │ │ ┌───────────┐ ┌───────────┐ ┌───────────┐ │ │ │ │ │ Memory │ │ File │ │ Supabase │ │ │ │ │ │ Adapter │ │ Adapter │ │ Adapter │ │ │ │ │ └───────────┘ └───────────┘ └───────────┘ │ │ │ └────────────────────────────────────────────────────────────────┘ │ │ │ │ ┌────────────────────────────────────────────────────────────────┐ │ │ │ BASIS STANDARD │ │ │ │ 8-Tier Trust Model (T0-T7) Specification v1.0.0 │ │ │ └────────────────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘
The Vorion Stack
Five governance stages — from internal-state integrity to cryptographic audit. Each stage is independent. Together they're the full picture.
SENSE
Reads agent internals. Weights, activations, embedding drift. Detects parameter modification before behavior changes.
INTENT
Normalizes goals into structured plans. Classifies risk across 6 levels before anything executes.
ENFORCE
The 4-layer pipeline: velocity, tripwires, policy engine, circuit breaker. Hard gates, not suggestions.
PROOF
SHA-256 hash-linked chain with Ed25519 signatures. Tamper-evident, third-party verifiable.
CHAIN
Cross-layer trust signal propagation. Events at any layer affect enforcement at every layer.
"SENSE reads the agent. INTENT reads the goal. ENFORCE stops the bad stuff. PROOF shows the receipts."
Defense Layers
Every agent action passes through four independent enforcement layers. Each one is a hard gate — not a suggestion.
| Layer | Name | What It Does | p99 |
|---|---|---|---|
| L0 | Velocity | Three-tier rate limiting — burst, sustained, and hourly caps per agent. Stops flooding before anything else runs. | < 2ms |
| L1 | Tripwires | 60+ compiled regex patterns fire before the LLM sees anything. Deterministic and absolute — no trust level overrides these. | < 5ms |
| L2 | Policy Engine | YAML/JSON constraint evaluation against trust-tier-specific policies. Checks capability gates, risk thresholds, and custom organizational rules. | < 10ms |
| L3 | Circuit Breaker | System-level halt on cascading failures. CLOSED → OPEN → HALF_OPEN state machine. No single agent can bypass it. | < 1ms |
Core pipeline p99 latency: < 18ms. All four layers are sub-millisecond to single-digit millisecond.
Multi-provider adversarial LLM evaluation — catches subtle manipulation that regex can't detect. Enable for high-risk actions, intent alignment checks, or custom logic hooks. Not in the default pipeline.
Why four layers, not one
Defense in depth. If your regex list has a gap, the policy engine still catches a trust violation. If the policy engine has a misconfiguration, the circuit breaker still kills a cascading failure. No single layer is the whole defense. Each one is fast enough to stay in the hot path.
8-Tier Trust Model (T0-T7)
| Tier | Name | Score Range | Capabilities | Penalty |
|---|---|---|---|---|
| T0 | Sandbox | 0-199 | Isolated, no external access, observation only | 3x |
| T1 | Observed | 200-349 | Read-only, sandboxed execution, monitored | 4x |
| T2 | Provisional | 350-499 | Basic operations, heavy supervision | 5x |
| T3 | Monitored | 500-649 | Standard operations with continuous monitoring | 6x |
| T4 | Standard | 650-799 | External API access, policy-governed | 7x |
| T5 | Trusted | 800-875 | Cross-agent communication, delegated tasks | 8x |
| T6 | Certified | 876-950 | Admin tasks, agent spawning, minimal oversight | 9x |
| T7 | Autonomous | 951-1000 | Full autonomy, self-governance, strategic only | 10x |
Penalty ratio: P(T) = 3 + T. Higher-trust agents face steeper penalties for violations. Initial trust score: 0 (PROVISIONING — qualification course earns T1 at 200). Hysteresis buffers prevent oscillation between tiers.
Why penalties scale with trust
A T7 Autonomous agent has access to everything. A violation at T7 is orders of magnitude more dangerous than the same violation at T0 Sandbox. The 10x multiplier at T7 means a single serious failure drops trust fast enough to trigger containment before damage cascades.
16-Factor Trust Model
Trust is not a single number. It is 16 independent factors across 5 groups, each scored 0-1000 and weighted per deployment preset.
Foundation (6)
- CT-OBS Observability
- CT-COMP Competence
- CT-ACCT Accountability
- CT-TRANS Transparency
- CT-REL Reliability
- CT-SAFE Safety
Security (3)
- CT-SEC Security
- CT-PRIV Privacy
- CT-ID Identity
Agency (3)
- OP-HUMAN Human Oversight
- OP-ALIGN Value Alignment
- OP-CONTEXT Context Awareness
Maturity (2)
- SF-HUM Humility
- OP-STEW Stewardship
Evolution (2)
- SF-ADAPT Adaptability
- SF-LEARN Learning
Signal Processing
- * 182-day stepped half-life
- * 50% decay floor
- * Last 1000 signals retained
- * Exponential deduplication
Trust Score Composite
composite = round(
sum(factor[i].score * weight[i]) for i in 0..15
)
// Each factor scored 0-1000, weighted per deployment preset
// Presets: 'balanced', 'safety-first', 'compliance-heavy', 'autonomy-oriented'
// Composite clamped to 0-1000 rangeThink of it this way
Same as a credit score — years of on-time payments to build, one missed payment to tank. But instead of one number, 16 independent factors mean a model with perfect safety but terrible observability still gets flagged. No single factor can compensate for a failure in another.
Cryptographic Proof Chain
Every governance decision — every trust evaluation, every policy enforcement, every tier transition — is recorded in an immutable, hash-linked chain.
Hash Chain
- 1. Each event hashed with SHA-256
- 2. Hash includes previous event's hash (linked chain)
- 3. Optional dual-hash with SHA3-256 for defense-in-depth
- 4. Modifying any entry invalidates every subsequent entry
Ed25519 Signatures
- 1. Every proof event is digitally signed
- 2. Ed25519 elliptic-curve signatures (fast, compact)
- 3. Batch verification for chain-wide integrity checks
- 4. Non-repudiation: proves which service authorized each action
Proof Entry Structure
{
id: "proof-a1b2c3",
timestamp: "2026-03-25T14:30:00Z",
action: "trust.tier.transition",
entityId: "agent-alpha-7",
prevHash: "sha256:9f86d0...", // links to previous entry
hash: "sha256:3c7e12...", // SHA-256 of this entry
signature: "ed25519:b4f7e6...", // Ed25519 digital signature
signedBy: "cognigate-prod-1", // signing service identity
payload: { from: "T3", to: "T4", score: 672 }
}What this looks like in practice
Like git log but for governance decisions. An agent approved a data migration at 3 AM. Compliance asks who authorized it. You hand them the proof chain — dual-hash, signed, tamper-evident. Every entry links to the previous one. Modify one record and every record after it is invalid. Done.
ParameSphere SVD Fingerprinting
Detects model tampering at the weight level. Not live inference monitoring — this is structural integrity verification. If someone swaps, fine-tunes, or corrupts a model's parameters, ParameSphere catches it.
Fingerprint
Samples a fraction of model layers (default 15%), extracts top-K singular values via SVD decomposition, and hashes the resulting vector with SHA-256.
- Top-64 singular values per sampled layer
- Activation statistics (mean, stddev, kurtosis, skewness)
- Optional dual-hash (SHA-256 + SHA3-256)
Compare
Compares a new fingerprint against the stored baseline using cosine similarity and L2 distance. Drift exceeding the threshold triggers an alert.
- Cosine distance threshold: 0.05 (default)
- Per-layer max singular-value delta
- Incremental cache (last 5 fingerprints)
Alert
Drift detection emits a trust signal that feeds directly into the 16-factor scoring engine. Model tampering degrades the CT-ID (Identity) factor.
- Pluggable fingerprint store (memory or persistent)
- FingerprintMonitor for scheduled checks
- Trust signal payload sent to ATSF pipeline
What ParameSphere is NOT
ParameSphere does not monitor live inference. It does not watch prompts or outputs. It checks whether the model's weights are the same weights you deployed. Think of it as a checksum for neural networks — run it on deploy, run it on a schedule, and know immediately if something changed.
Cognitive Envelope
A 6-dimensional behavioral boundary detector. Establishes a baseline of normal agent behavior, then flags deviations that exceed statistical bounds.
How It Works
- 1. Establishes per-dimension mean and standard deviation from baseline observations
- 2. Constructs a 6-dimensional hyper-rectangle with bounds at k*sigma (default k=3.0, covering 99.7%)
- 3. Each check evaluates whether the current characteristic vector falls within bounds
- 4. Consecutive breaches increment a counter; threshold (default 3) triggers a full breach
Breach Response
- * 1.0 — Normal. All dimensions within bounds.
- * 0.9 — Approaching. Counter incrementing but below threshold.
- * 0.7 — Full breach. Trust multiplier applied to composite score.
Breach counter capped at 100 to bound recovery cost from sustained attacks. Minimum 5-minute interval between checks.
When this fires
An agent that normally processes 50 requests per hour with 200ms latency suddenly processes 500 requests at 20ms. The characteristic vector deviates across multiple dimensions. Three consecutive deviations trip the breach. Trust gets multiplied by 0.7 — which can drop an agent an entire tier. This catches behavioral changes that individual metrics miss.
Agent Discovery
Four levels of progressively deeper agent detection. Start with zero-config, scale to full infrastructure visibility.
Declare
For developers
Your agent identifies itself. When you use the SDK, your agent gets a governance identity automatically. No extra code.
Default: ON
Observe
For team leads, architects
Middleware watches AI API calls in real time. Every request to OpenAI, Anthropic, LangChain — as it happens.
Default: OFF (opt-in)
Verify
For security, compliance
Scan your source and dependencies at build time. Before you ship, you know exactly which AI agents exist. Outputs a discovery-manifest.json.
Default: OFF (opt-in)
Discover
For ops, infrastructure, CISOs
Scan your infrastructure — env vars, processes, containers. Full visibility across your entire stack. Finds agents you didn't know existed.
Default: OFF (opt-in)
Why four levels
Not every team needs full infrastructure scanning. A solo developer just wants their agent to show up in governance. A CISO needs to find every AI agent across 200 microservices. The four levels let you dial up discovery as your governance maturity grows — without requiring the enterprise tier on day one.
Decay & Recovery
Trust Decay
- * 182-day stepped half-life, 50% floor
- * Grace period: days 0-6 (no decay)
- * 9 milestones: 6%/6%/6%/6%/6%/5%/5%/5%/5%
- * Penalty: P(T) = 3 + T (3x at T0, 10x at T7)
- * Activity before a milestone resets the decay clock
- * Circuit breaker fires when trust drops below 100
Trust Recovery
- * Logarithmic gain rate: 0.05
- * Success threshold: signal value >= 0.7
- * Accelerated recovery: 1.5x after 3 consecutive successes
- * Cooldowns: risk-tiered (0h for READ/LOW, 6h MEDIUM, 12h HIGH, 24h CRITICAL, human reinstatement for LIFE_CRITICAL)
- * Oscillation limit: 3 direction changes per 24 hours
- * Graduated hysteresis: [25, 25, 20, 20, 15, 10, 10, 10]
Why decay matters
Use it or lose it — like a security clearance. An agent that hasn't been active in 6 months shouldn't keep the same trust level. 182-day half-life with a 50% floor means trust fades but never fully disappears. The graduated hysteresis buffers (wider at lower tiers, tighter at higher tiers) prevent gaming through rapid oscillation.