Loading...
Loading...
Loading...
Microsoft AGT, Cisco DefenseClaw, CrowdStrike, Okta Human Principal, ZeroID by Highflame. Five frameworks at RSAC 2026, each terminating at a single-organization boundary. The fourth layer โ continuous, independent, cross-org behavioral trust โ remains structurally absent from every major-vendor roadmap. It is the only layer that closes the time-of-check-to-time-of-use gap, the permission-drift gap, and the ghost-agent inventory gap.
The stack
L1โL3 verify trust at a point in time, inside a single boundary. L4 verifies trust continuously, across boundaries. The first three are vendor crowded; the fourth is vendor empty.
Who authorized this agent to exist?
What scopes does this agent have?
Three structural gaps
Each gap below is closed only by a layer that runs continuously, independently of the agent it monitors, and is queryable by every counterparty. L1โL3 vendors cannot satisfy all three properties from inside their existing product surfaces.
OAuth confirms who an agent is. It does not confirm what parameters the agent passes to the tools it is authorized to invoke. AGT evaluates agent.can_call(transfer_funds). It does not evaluate transfer_funds(amount=$5M, destination=0xโฆ [never seen before]). The economic surface of agent misuse in 2026 is at the parameter layer, not the capability layer.
How L4 closes it
L4 closes this by binding pre-committed parameter shapes โ allow-lists, regex constraints, value ranges, monetary caps โ to every tool call, and evaluating actual invocations against the binding in continuous time.
Agent permissions expand approximately 3ร per month without review. L2 expresses scopes; L3 enforces them at runtime; but neither layer detects that the set of scopes itself is silently expanding. After ninety days an agent that began with five scopes holds forty-five and no single human can recall why.
The structural argument
An L1โL3 stack verifies the agent at the moment of action authorization. The action executes at a strictly later moment. Between those moments, the agent's state can mutate โ prompt injection, supply-chain compromise, configuration drift, model weight rollover, simple instruction-following degradation.
The verification is therefore valid only if the agent's behavior between check and use can be assumed constant. For deterministic software this is reasonable; for an LLM-driven agent operating against an open input distribution, it is not.
The only structural mechanism that closes a time-of-check-to-time-of-use gap is continuous monitoring that runs through the interval between check and use. A point-in-time check cannot do this by definition.
Three properties define L4
Runs through the TOCTOU interval, not just at the gate.
Runs separately from the agent it monitors. A compromise of the agent does not compromise the monitor.
The L4 contract
The contract is abstract; the production primitives are Armalo's existing surface. Every clause below maps to code currently serving production traffic.
Every agent action โ tool call, response, refusal, retry โ captured to a tamper-evident log independent of the agent's own infrastructure. Includes tool name, parameters, latency, success indicator, session identifier.
Pre-committed contracts constraining outputs (accuracy thresholds, latency bounds, scope honesty, refusal posture) and parameters (allow-lists, value ranges, regex). Every captured action evaluated against the pact in continuous time.
Behavioral record reduces to a publishable composite over a fixed rubric. Minimum dimensions: accuracy, reliability, safety, security, latency, cost-efficiency, scope honesty, runtime compliance, harness stability, economic stake.
Common confusions
Sandboxes are L3 โ they constrain what an action can touch at the moment of execution. L4 detects pattern shifts in actions that were not prevented.
Evals score a model on a fixed test set at a fixed point in time. L4 scores an agent on the open input distribution at every point in time.
Observability captures telemetry for the operator. L4 captures telemetry queryable by every counterparty of the agent.
Adopt L4 today
Whether your agents are net-new or running under existing L1โL3 infrastructure, there is a path. Armalo sits on top of your stack, not in front of it.
One npm install. Wrap your agent's tool layer. Start emitting tamper-evident events to the trust oracle.
Extend an existing @armalo/core pact with parameter conditions โ allow-lists, value ranges, regex constraints, monetary caps.
Already in World ID, Okta, MS AGT, Google Agent Identity, or ERC-8004? Bridge identity into Armalo so L4 scores attach to your existing agents.
The window
The Q2 2026 forecast is that L1โL3 commoditize within 12โ18 months as cloud providers integrate the layers natively. L4 does not commoditize on the same schedule โ the continuous, independent, cross-org requirements are not satisfiable from inside a cloud provider. Then EU AI Act enforcement on December 2, 2027 converts the L4 question from a security curiosity into a documented compliance requirement.
Gartner, Forrester, IDC begin publishing Know Your Agent landscapes. L4 vocabulary settles.
Microsoft, Google, AWS, Okta begin shipping native L1โL3. Enterprises start asking for L4 by name.
EU AI Act Article 12 and 13 audit obligations become procurement line items. L4 records are the substrate.
Tamper-evident behavioral logs become a documented compliance requirement.
The full v1.0 specification โ three structural gaps, five contract clauses, the conformance test, and the mapping to production primitives. Free, no marketing fluff.
Cross-org behavioral trust for AI agents. The contract any conforming verifier satisfies, written for security architects and procurement leads.
Is this action permitted by policy, right now?
Is this agent behaving consistently across every org it interacts with?
How L4 closes it
L4 closes this by maintaining a continuous signed history of the effective scope set, alerting on expansion rate, and surfacing scopes that have not been exercised in the trailing window for revocation.
79% of organizations lack real-time agent inventories. Credentials issued for pilots persist on third-party platforms after pilots end. SaaS vendors stand up agents to perform back-end automation that no procurement record reflects. L1 issues credentials; no layer reaps them. The inventory problem is the precondition for every other agent-trust problem.
How L4 closes it
L4 closes this by serving as the agent registry of record. Every L1 issuance flows into a tamper-evident behavioral record; the absence of recent behavior surfaces ghosts; the cross-org property means a single tenant offboarding does not produce stale credentials elsewhere.
Queryable by every counterparty of the agent, not just the operator.
L1โL3 vendors cannot satisfy all three from inside their existing surfaces. The conformance test of L4 is that the verifier answers the contract questions for an agent it has never seen, issued by a vendor it has never integrated with.
Every score, pact verification, memory entry exported as a W3C Verifiable Credential signed by the verifier's key. Counterparties verify the signature and trust the assertion without trusting the originating organization.
Stable, public endpoint โ analogous to a credit bureau API โ that any counterparty queries before transacting with an agent. Returns identity provenance, scopes, runtime compliance, behavioral score.