AIGP-Lite — AI Governance Protocol for Edge and IoT
AIGP-Lite — AI Governance Protocol for Edge and IoT
PRIVATE AND PROPRIETARY. Owned by Kanjani AI Research & Causum. See NOTICE.md.
Status: SPEC
Purpose
Extend AIGP governance to resource-constrained, intermittently connected devices running AI at the edge. Provides eventual governance where real-time governance is not feasible.
Protocol Comparison
| Full AIGP | AIGP-Lite | |
|---|---|---|
| Connectivity | Always-on | Intermittent or air-gapped |
| Governance timing | Synchronous (before execution) | Asynchronous (after execution) |
| Policy check | Real-time REQUEST | Cached policy, local evaluation |
| Audit record | Immediate RECORD | Buffered, batch sync |
| DNA signing | Per-record, real-time | Batch, on sync |
| Compute requirement | Standard (cloud/server) | Minimal (embedded/edge) |
Core Operations
1. REGISTER (once, on provisioning)
Device → governance-server: REGISTER{ "device_type": "predictive-maintenance-v2", "fleet_id": "factory-floor-east", "model_id": "vibration-classifier-v3", "capabilities": ["anomaly_prediction", "maintenance_scheduling"], "aigp_version": "lite-0.1", "sync_interval_seconds": 3600}One registration per device type. Individual devices inherit from fleet registration.
2. EXECUTE (local, no network required)
Device runs AI inference locally. No REQUEST check (latency-sensitive). Records buffered.
3. BUFFER (local storage)
{ "sequence": 12847, "timestamp": "2026-05-26T14:30:00.123Z", "operation": "anomaly_prediction", "model_id": "vibration-classifier-v3", "input_hash": "sha256:...", "output_summary": "bearing_failure_predicted", "confidence": 0.94, "action_taken": "maintenance_ticket_created", "safety_level": "MEDIUM", "latency_ms": 12}Records stored in local secure buffer (TPM/TEE if available).
4. SYNC (periodic, when connected)
Device → governance-server: SYNC{ "device_id": "factory-floor-unit-042", "device_type": "predictive-maintenance-v2", "last_sync_sequence": 12000, "records": [...], // batch of buffered records "batch_size": 847, "sync_timestamp": "2026-05-26T15:00:00Z"}governance-server:
- Receives batch
- DNA-signs the batch (server-side)
- Detects sequence gaps (missing records = potential tampering)
- Updates Neptune graph (device topology)
- Evaluates records against current policy (retroactive governance)
- Returns updated policy cache to device
5. POLICY_CACHE (returned on sync)
{ "policy_version": "2026-05-26T14:00:00Z", "ttl_seconds": 86400, "rules": [ {"operation": "anomaly_prediction", "action": "ALLOW", "log": true}, {"operation": "autonomous_shutdown", "action": "REQUIRE_CONFIRMATION", "safety": "CRITICAL"} ]}Device caches policy locally. If policy expires and no sync available, device falls back to conservative mode (log everything, restrict CRITICAL operations).
Security Model
| Threat | Mitigation |
|---|---|
| Record tampering on device | Secure enclave (TPM/TEE), sequence numbers |
| Records lost before sync | Local redundancy, gap detection on governance-server |
| Stale policy | TTL + conservative fallback |
| Device impersonation | Device certificate (mTLS on sync) |
| Fleet-wide compromise | Anomaly detection on sync patterns |
| Replay attack | Sequence numbers + timestamps |
Applicability
| Sector | Use Case | Sync Pattern |
|---|---|---|
| Manufacturing | Predictive maintenance, quality control | Hourly (WiFi available) |
| Healthcare | Diagnostic AI, patient monitoring | Real-time where possible, buffered in ambulance/remote |
| Automotive | ADAS decisions, route optimization | Cellular when available, batch on return to depot |
| Energy | Grid optimization, demand prediction | Satellite sync every 4-6 hours |
| Defense | Tactical inference | Air-gapped, manual export |
| Retail | In-store analytics | Nightly batch sync |
Client SDK (Target)
Lightweight C/Rust library for embedded systems:
- ~50KB footprint
- No dynamic allocation
- Ring buffer for records
- mTLS for sync
- JSON or CBOR serialization
Deployment Modes — From Cloud to Air-Gap
Mode 1: Full AIGP (Cloud/PaaS)
App → AIGP REQUEST → governance-server → allow/deny → execute → AIGP RECORD → DNA sign- Real-time governance
- Requires always-on connectivity to governance-server
Mode 2: AIGP Gateway (Self-hosted in VPC)
App → Model Runtime ↕ (intercepted) AIGP Gateway Sidecar ↓ mTLS governance-server (external)For self-hosted models that CAN reach a trusted host but shouldn’t call governance-server directly:
- Gateway sidecar deployed in same VPC/subnet as model
- Intercepts all model invocations transparently
- Performs REQUEST (policy check) and RECORD (audit)
- Model runtime doesn’t need AIGP awareness — gateway wraps it
- Communication to governance-server over mTLS (encrypted, authenticated)
Deployment:
# docker-compose or K8s sidecaraigp-gateway: image: aigp-gateway:latest environment: governance-server_URL: https://www.your-governance-server.com AIGP_APP_ID: self-hosted-llama AIGP_MODE: INTERCEPT network_mode: service:model-runtime # shares network with modelMode 3: AIGP-Lite (Edge/IoT)
Device → execute locally → buffer RECORD → sync when connected → DNA sign on sync- Eventual governance (hours)
- For intermittently connected devices
- Detailed in sections above
Mode 4: AIGP-Offline (Air-Gapped)
Air-gapped env: Model → local AIGP agent → encrypted buffer → signed locally
Audit cycle: Export encrypted archive → secure media → governance-server import → verify + ingestFor environments with NO network connectivity to governance-server:
Provisioning (before deployment):
governance-server → generate: - Policy snapshot (what's allowed) - Signing key pair (pre-provisioned, rotated on maintenance) - Device/model registration→ export to secure media→ load into air-gapped environmentRuntime (air-gapped, no connectivity):
Model invocation → local AIGP agent intercepts → evaluates against cached policy (allow/warn/block) → buffers RECORD with local signature (pre-provisioned key) → sequence numbered (gap detection)Audit export (periodic — days/weeks):
Local AIGP agent → exports encrypted archive of all records since last export → writes to removable media (USB/optical) or one-way data diode → archive includes: records + signatures + sequence manifestImport at governance-server:
Secure media → governance-server import endpoint → verify signatures against pre-provisioned public key → detect sequence gaps (potential tampering/loss) → DNA-sign the batch (server-side, adds to evidence chain) → ingest into audit trail → update Neptune graph (device activity) → flag anomalies for reviewPolicy updates (on maintenance windows):
governance-server → generate updated policy snapshot → export to secure media → load into air-gapped environment → local AIGP agent picks up new policyGovernance Guarantee by Mode
| Mode | Latency | Prevention | Detection | Audit |
|---|---|---|---|---|
| Full AIGP | Real-time | ✅ | ✅ | ✅ |
| AIGP Gateway | Near real-time | ✅ | ✅ | ✅ |
| AIGP-Lite | Hours | ⚠️ Cached policy | ✅ Eventual | ✅ Eventual |
| AIGP-Offline | Days/weeks | ⚠️ Cached policy | ✅ On export | ✅ On import |
Key Principle
Governance does not require real-time connectivity. It requires eventual accountability.
Even in an air-gapped environment, you can prove what happened. The latency of governance varies — the existence of governance does not.