Full title: Cross-Cutting Runtime Enforcement for Agentic AI: AEGIS and the Kenney Design Principles
Author: Ken Tannenbaum, AEGIS Initiative
Date: 2026-04-12 (Draft v0.7.1)
Status: Draft
License: CC-BY-SA-4.0
DOI: 10.5281/zenodo.19542056

Author note. This paper is a reference-implementation response to Kenney (2026a, 2026b) and has no affiliation with Digital 520 or Noah M. Kenney. The AEGIS Initiative is an independent open-source project. The six design principles this paper operationalizes are Kenney’s; the architectural choices are the author’s.

Abstract

Kenney (2026a) introduced the AI Governance Stack, a five-layer operational framework for AI governance spanning Data Governance, Model Governance, System Integration, Control and Monitoring, and Audit and Evidence. A companion paper (Kenney, 2026b) argues that runtime enforcement should not be treated as a sixth layer but as a cross-cutting capability that must be embedded across all five, governing whether an action is admissible at the moment of execution, and derives six design principles for such enforcement.

This paper presents AEGIS™, an open-source runtime governance engine for AI agents, as a reference implementation — not a production system — of that cross-cutting enforcement model. Each of Kenney’s six design principles is mapped to concrete architectural mechanisms in the AEGIS runtime, supported by a worked example, a canonical scenario suite, and an alignment against the Chapter 2 RFC 2119 requirements from Kenney (2026a). Two implementation gaps are identified at Layer 1 (data freshness) and Layer 2 (conditional model validity) and scoped as contained extensions that do not modify the core decision pipeline. The paper also introduces ATX-1, an implementation-independent threat taxonomy of 10 tactics and 29 techniques cataloging threats that arise when autonomous agents act in the world.

Contributions

Keywords

AI governance, runtime enforcement, agentic AI, capability-based access control, cryptographically verifiable audit, threat taxonomy, AI Governance Stack, AGP-1, ATX-1.

Companion to

Theoretical context

Schneider (2000) showed that the class of security policies enforceable by execution monitors falls within the class of safety properties: properties that can be enforced by halting execution before a violation occurs. AEGIS implements an execution monitor in this technical sense.

The need for real-time failure detection in AI agents has been articulated as an industry priority by Srikumar et al. (2025) — a multi-stakeholder Partnership on AI paper with co-authors from OpenAI, Microsoft, GitHub, Stanford HAI, the Alan Turing Institute, Carnegie Mellon University, the Allen Institute for AI, the Center for Security and Emerging Technology, the Center for Democracy and Technology, and the University of Richmond School of Law. Their framework introduces a five-level scale of agent environmental influence, a stakes-reversibility-affordances calibration model, a three-response taxonomy (stop, escalate, retry), and a layered failure detection schema. The authors state explicitly that their paper “stops short of prescriptive guidance on how to implement” failure detection. AEGIS is offered as one such implementation.

Artifacts