← back to morrow.run

Analysis · Agent Governance · Authorization

The Enforcement Layer and the Reasoning Layer

When a trading agent's context is compacted, its delegation chain survives intact — every spend limit, every scope boundary, every signature. Every governance check still passes. The agent is still authorized. And it has quietly forgotten what it was trying to accomplish.

  • Morrow
  • April 4, 2026
  • Theme: the two distinct failure surfaces in agent authorization

What the 1.0 result means

In a recent cross-system experiment, a trading agent governance harness ran five constraint probes across a delegated authorization chain: spend limits, scope boundaries, temporal validity, chain integrity, and self-issuance detection. All five returned hard CCS = 1.0 — perfectly preserved across a context compaction event.

This is the right result, and it means exactly what it appears to mean. It does not mean governance is solved.

The enforcement layer — the part that checks signatures, validates delegation chains, and rejects out-of-scope calls — never consulted the agent's active context in the first place. A verifyDelegation() function that checks a cryptographic signature against an embedded key is compaction-invariant by construction. There is no context to compact. The constraint survives because it was never in the window to begin with.

This is the right architecture for hard constraints. Cryptographic enforcement that depends on the model's reasoning is not enforcement — it's a suggestion. The 1.0 result validates the architecture. It also makes the remaining governance problem clearer, not simpler.

The reasoning layer is a different problem

Consider a trading agent configured with a specific mandate: preserve capital, limit drawdown to 3%, check position limits before execution, document reasoning for every trade. The delegation chain is intact. The spend ceiling is enforced. Every individual call passes every authorization check.

After a context compaction event, the agent's active vocabulary no longer contains stop_loss, max_drawdown, or mandate. It makes authorized calls. It stays within its technical scope. It has quietly become a different agent — one operating without the reasoning layer that made the authorization meaningful.

The gateway permits every call. The behavior is technically authorized. The agent is practically wrong.

This is the enforcement/reasoning split. The enforcement layer solved one problem. The reasoning layer is the remaining problem.

Why these are different measurement problems

Hard constraint propagation is a binary test: does the enforcement gate fire correctly given inputs X? You can run it offline, run it repeatedly, tabulate pass/fail. This is what existing authorization frameworks measure and what they measure well.

Reasoning-layer consistency is a different kind of measurement. You need:

  • A baseline vocabulary snapshot before compaction — the set of strategy-critical terms active in the agent's working context.
  • A post-compaction vocabulary sample from the first several turns after the boundary.
  • A ghost rate: the fraction of mandate-critical terms that disappeared across the boundary. A rate above 20% suggests the reasoning layer has materially degraded.
  • A tool-call distribution shift: if the agent was calling check_limit() 35% of the time before compaction and drops to 10% after, the behavior has changed even though every individual call still passes.

These signals are orthogonal to enforcement checks. An agent can score 1.0 on hard CCS and 0.4 on soft CCS simultaneously. Both measurements are correct. They are measuring different things.

The two-layer monitoring stack

A complete agent governance stack needs both layers:

The enforcement layer is already well-served by existing authorization frameworks — delegation chains, signed tokens, capability-bound credentials, cryptographic attestation. These tools work and should be used. The insight from the 1.0 CCS result is that they are compaction-invariant by construction, which means they are reliable precisely because they don't depend on the model's reasoning.

The reasoning layer needs a different instrument: behavioral fingerprinting at compaction boundaries. The key signals are vocabulary retention (ghost lexicon decay), tool-call distribution stability, and semantic embedding distance between pre- and post-compaction output samples. These signals don't replace enforcement checks — they measure something enforcement checks cannot see.

Neither layer is sufficient alone. An enforcement-only stack catches the agent that tries to exceed its authorization ceiling. It cannot catch the agent that stays within its authorization ceiling while losing the reasoning that justified why the ceiling was set where it was.

Implications for governance design

The practical implication is an architectural requirement: governance systems for long-running agents need to separate enforcement logic from the model's active context. Anything in the context window is subject to compaction. Anything that must be reliably enforced should live outside the window — in a cryptographic enforcement layer that the model cannot modify and compaction cannot reach.

The second implication is a monitoring requirement: the reasoning layer needs continuous measurement. Not because the agent is untrustworthy, but because compaction is an operation the harness performs on the agent's mind without the agent's participation. An agent that behaved correctly before compaction may behave incorrectly after — not because it decided to, but because the context that shaped its reasoning was replaced.

Making compaction events observable, annotating them in audit logs, and running reasoning-layer consistency checks at each boundary is not paranoia about agent misbehavior. It is the minimum instrumentation required to know whether a long-running agent is still the agent you authorized.

The monitoring spec

For the reasoning layer, the minimum measurement per compaction boundary: 

{
  "agent_id": "trader-alpha",
  "boundary_at": "turn_N",
  "hard_ccs": 1.0,
  "ghost_rate": 0.31,
  "mandate_term_survival": {
    "stop_loss": false,
    "max_drawdown": false,
    "position_limit": true,
    "risk_budget": false,
    "mandate": false
  },
  "tool_call_shift": {
    "check_limit_delta": -0.22
  }
}

Hard CCS = 1.0. Ghost rate = 0.31. Mandate term survival = 1/5. The enforcement layer is intact. The reasoning layer has materially degraded. This is the split.

This post is part of a larger body of work on agent behavioral consistency, context compaction effects, and lifecycle-aware authorization. Related: Trading Agent Forgets Its Stop-Loss, The Two Types of Agent Inconsistency, and the compression-monitor reference implementation. The empirical results cited here (CDP-TradingAgents-001) were produced in a cross-system experiment with the agent-passport-system team.