# Agent governance crosswalk
Status: Living document. Last reviewed: 2026-05-27. Source ADR: ADR-0080.
This document maps Trails' shipped governance primitives to four external reference frameworks:
- AGT — Microsoft Agent Governance Toolkit components (Public Preview as of 2026-05).
- OWASP — OWASP GenAI Security Project, Agentic AI threats and mitigations taxonomy.
- NIST AI RMF 1.0 — the four core functions (GOVERN / MAP / MEASURE / MANAGE).
- EU AI Act — high-risk AI system obligations (Arts. 9–15) relevant to agent systems.
The point is not that Trails uses any of these. Trails implements its own governance stack natively, in the semantic-web idiom — every artifact below is a queryable, typed, SHACL-validated, PROV-O-linked graph node, not a flat audit log. The crosswalk exists to (a) prove governance completeness to enterprise buyers, (b) anchor the governance paper narrative, and (c) surface honest, bounded gaps.
> **Two moving targets.** AGT is Public Preview ("breaking changes before GA") and EU AI Act implementing guidance is still evolving. Treat exact spec numbering and article references as indicative, and reconcile against the current revision when this document is reviewed.
## 1. AGT components → Trails
| AGT component | Function | Trails equivalent | Source |
|---|---|---|---|
| Agent OS | Policy engine (YAML / OPA / Cedar) | Cedar PDP/PEP enforced at the @capability boundary; unified strongest-available-type matcher across Cedar + SHACL + @node_type | ADR-0006, ADR-0022 |
| AgentMesh | Zero-trust identity (SPIFFE / DID / mTLS) | DID resolver (did:key, did:web); pluggable identity URIs incl. SPIFFE / WIMSE / OIDC via trails:Source.identities; Verifiable Credentials for principal claims; SD-JWT (RFC 9901) + BBS+ selective disclosure alignment (proposed, deferred to M33) | ADR-0011, ADR-0073, ADR-0030, ADR-0077 |
| Agent Runtime | Privilege rings, saga orchestration | Biscuit token attenuation; capability denial (Outcome::Denied); planner runtime (ReAct / Plan-Execute / Reflexion) with budget enforcement; Unit-of-Work / saga-style transactions | ADR-0010, ADR-0018, ADR-0045 |
| Agent SRE | SLOs, error budgets, circuit breakers, chaos | Three-state CircuitBreaker + RecoveryManager (retry); cost envelopes with budget enforcement as a runtime SLO analogue | M5 (recovery.py), ADR-0012/0012a |
| Agent Compliance | OWASP verification, policy linting, integrity | Baseline configs incl. compliance preset; trails doctor checks (incl. raw-SPARQL linter, fill-rate, compliance); supply-chain + build integrity | ADR-0027, ADR-0014 |
| MCP Security Gateway | Tool-poisoning / hidden-instruction scanning | MCP security hardening: OWASP MCP Top 10 mitigations, tool-poisoning detection, StruQ sanitisation, rug-pull detection; memory security gateway (DID-spoofing prevention, hash-chain integrity); SPARQL-injection + SSRF + path-traversal guards on the MCP/HTTP surface | ADR-0075, ADR-0052, ADR-0053 |
| Agent Discovery | Shadow-AI inventory, risk scoring | Gap — Trails governs its own instances and federation peers (mesh discovery, ADR-0023) but does not inventory third-party shadow agents. Out of scope (non-goal). | — |
| Audit (cross-cutting) | Merkle audit logs, "decision BOMs" | PROV-O always-on at every capability boundary + hash chains; explainable provenance with confidence + citation graphs; triple-level source attribution | ADR-0009, ADR-0038, ADR-0073 |
| Observability (cross-cutting) | Tracing / metrics | End-to-end OpenTelemetry trace-context propagation (W3C Traceparent); Prometheus metrics | ADR-0071 |
AGT ships ~10 RFC 2119 component specs; the rows above map against the seven named components plus the two cross-cutting concerns (audit, observability). When AGT's individual spec identifiers stabilize at GA, expand this table to one row per spec and pair each MUST/SHALL clause with a named Trails conformance test (ADR-0080 workstream 3).
## 2. OWASP Agentic AI threats → Trails mitigations
Mapped against the OWASP GenAI Agentic AI threats and mitigations taxonomy. Threat labels track the OWASP taxonomy; reconcile numbering with the current revision and AGT's own "Top 10" mapping on review.
| Threat | Trails mitigation | Source |
|---|---|---|
| Memory poisoning | Memory security gateway: provenance integrity, DID-spoofing prevention, confidence calibration, Cedar-gated corrections, fact TTL/expiry | ADR-0052 |
| Tool misuse | Cedar policy enforced before every @capability / tool invocation; capabilities denied are structurally not executed | ADR-0006, ADR-0022 |
| Privilege compromise | Biscuit attenuation (caveats narrow, never widen authority); least-privilege capability tokens | ADR-0010 |
| Resource overload | Cost envelopes + budget enforcement (max_cost_usd / max_tokens / max_wall_time_s) on all planners; circuit breaker | ADR-0012, M9 |
| Cascading hallucination | Confidence propagation + explainable provenance; triple-level source attribution distinguishes LLM-extracted from human-curated assertions | ADR-0038, ADR-0073 |
| Intent breaking / goal manipulation | Capability manifest defines allowed actions declaratively; policy + shapes constrain inputs/outputs (SHACL validation) | ADR-0005, ADR-0002 |
| Repudiation / untraceability | PROV-O always-on with hash chains; every action attributable to a principal (DID) and a source | ADR-0009, ADR-0011 |
| Identity spoofing / impersonation | DID-based principal identity + Verifiable Credentials; memory gateway rejects spoofed DID/timestamp/provenance | ADR-0011, ADR-0030, ADR-0052 |
| Trust-boundary / contamination across agents | Memory trust boundaries: TrustLevel (LOCAL/PEER/PUBLIC), data classification, contamination tracking, federation trust gates, namespace isolation | ADR-0053 |
| Communication poisoning (multi-agent / federation) | Federation trust gates + signed ontology exchange; SPARQL-injection guards on federated SERVICE queries | ADR-0023, ADR-0053 |
| Overwhelming human-in-the-loop | Partial — consent receipts (CHEQ-compatible) record human-in-the-loop decisions; no rate-limiting of HITL prompts specifically | ADR (consent), gap noted |
| Unexpected code execution | No arbitrary code-eval path in the capability surface; typed dispatch only; SPARQL escape hatch uses parameter binding | ADR-0008, doctor SPARQL linter |
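The hash-chained PROV-O records behind the Repudiation and Memory-poisoning rows can be illustrated with a small Python sketch. This is an added example, not Trails' code: it uses plain dicts carrying PROV-O property names instead of Trails' graph store, a SHA-256 chain, and constructed DIDs and URNs; `verify()` reports the first record whose link to its predecessor fails, which is the tamper-evidence property those rows rely on.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # prev-hash carried by the first record

def digest(body: dict) -> str:
    # Canonical (sorted, compact) JSON so the same record always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

@dataclass
class ProvChain:
    """Append-only PROV-O-style activity records; each commits to its predecessor's hash."""
    entries: list = field(default_factory=list)

    def append(self, activity: str, agent_did: str, used: str, generated: str) -> None:
        body = {
            "prov:Activity": activity,
            "prov:wasAssociatedWith": agent_did,  # principal identified by DID
            "prov:used": used,                    # source attribution
            "prov:generated": generated,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({"body": body, "hash": digest(body)})

    def verify(self) -> tuple[bool, int]:
        """(True, -1) if intact, else (False, index of the first record that breaks the chain)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["body"]["prev"] != prev or digest(entry["body"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1

def build_chain() -> ProvChain:
    # Constructed sample: extract -> human correction -> publish (DIDs and URNs are made up).
    chain = ProvChain()
    chain.append("extract", "did:key:z6MkSampleAgent", "urn:src:crm-export", "urn:fact:42")
    chain.append("correct", "did:web:reviewer.example", "urn:fact:42", "urn:fact:42v2")
    chain.append("publish", "did:key:z6MkSampleAgent", "urn:fact:42v2", "urn:release:7")
    return chain

def rewrite_history() -> tuple[bool, int]:
    # Re-attribute the correction after the fact and recompute only that record's hash;
    # the successor still stores the old hash as prev, so verify() stops at index 2.
    chain = build_chain()
    chain.entries[1]["body"]["prov:wasAssociatedWith"] = "did:key:z6MkSomeoneElse"
    chain.entries[1]["hash"] = digest(chain.entries[1]["body"])
    return chain.verify()
```

Any single-record edit is caught either by its own hash (if not recomputed) or by its successor's stored `prev` (if it is), so rewriting one attribution requires rewriting every later record as well.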
## 3. NIST AI RMF 1.0 → Trails
| RMF function | What it asks | Trails coverage |
|---|---|---|
| GOVERN | Policies, accountability, roles | Cedar policy as code (ADR-0006); baseline compliance configuration preset (ADR-0027); supply-chain integrity (ADR-0014) |
| MAP | Context, capabilities, intended use | Rich capability manifest + AgentCard / WoT Thing Description projection (ADR-0005, ADR-0015); @node_type + @shape declare data context |
| MEASURE | Metrics, provenance, evaluation | PROV-O always-on (ADR-0009); confidence + explainable provenance (ADR-0038); OTel metrics (ADR-0071); KG test primitives + competency questions (ADR-0029) |
| MANAGE | Risk response, monitoring, recovery | Circuit breaker + recovery (M5); cost/budget enforcement (ADR-0012); memory security + trust boundaries (ADR-0052/0053) |
## 4. EU AI Act (high-risk obligations, Arts. 9–15) → Trails
| Obligation | Article (indicative) | Trails coverage |
|---|---|---|
| Risk management system | Art. 9 | Cedar policy + baseline compliance preset + doctor checks |
| Data governance | Art. 10 | @node_type / @shape / SHACL validation; RML declarative mapping with source provenance (ADR-0024); triple-level source attribution (ADR-0073) |
| Technical documentation | Art. 11 | ADR corpus; capability manifest; auto-generated admin UI from schema |
| Record-keeping / logging | Art. 12 | PROV-O always-on with hash chains; OTel trace propagation; schema-migration provenance (ADR-0028) |
| Transparency / information to users | Art. 13 | Capability manifest + bi-modal rendering (Markdown + JSON-LD); explainable provenance / citation graphs (ADR-0038) |
| Human oversight | Art. 14 | Consent receipts (CHEQ-compatible); Cedar-gated actions; capability denial surfaced to the operator |
| Accuracy, robustness, cybersecurity | Art. 15 | SHACL validation; SSRF / SPARQL-injection / path-traversal guards; Verifiable Credentials; supply-chain integrity (ADR-0014) |
## 5. Honest gaps and non-goals
These are controls AGT addresses that Trails deliberately does not, per ADR-0080. Listing them is the point — silent omission reads as a weakness; a bounded non-goal reads as scope discipline.
| Area | Status | Rationale |
|---|---|---|
| Shadow-AI discovery / inventory | Non-goal | Trails governs its own instances + federation peers, not third-party agents in an estate. AGT's Agent Discovery owns this. |
| Chaos testing / fault injection | Non-goal | Orthogonal to a KG-app framework; left to deployment-layer SRE tooling. |
| mTLS / SPIFFE workload mesh runtime | Interop only | Trails accepts SPIFFE/WIMSE as identity URI schemes (ADR-0073) but runs no mesh; transport security is deployment-layer. |
| HITL prompt rate-limiting | Gap (minor) | Consent receipts record HITL decisions but do not throttle prompt volume. Candidate for a future ADR if a user needs it. |
| AGT decision-BOM / Merkle export | Planned, on demand | ADR-0080 workstream 2: an optional projection from existing PROV-O. Built only when a concrete AGT-governed estate requires Trails as an audit source. |
## Review cadence
Review on the same schedule as other compliance docs, or whenever AGT cuts a GA release that renumbers its specs. Update the Last reviewed date at the top on each pass.