Skip to content

AIGP-Light: Domain Boundaries & Gap Analysis

AIGP-Light: Domain Boundaries & Gap Analysis

What’s excluded and why. What’s missing and what we should add.

Date: July 2026


Part 1: What’s Not in AIGP-Light (And Why)

These capabilities exist in the full AIGP protocol but are deliberately excluded from AIGP-Light — not because they’re unimportant, but because they belong to different disciplines.

Excluded Capability Discipline It Belongs To Why It’s Not D&R
VLT / Delegation Tokens Trust Chain Governance Verifying authority chains is a governance concern — D&R detects if the system is behaving, not whether it has permission
Consent Management Privacy & Ethics Whether a data subject consented is a legal/ethical question, not an operational security question
Regulatory Contexts (EU AI Act, Japan, AU) Compliance Jurisdictional obligation tracking is multi-month lifecycle work, not millisecond runtime defense
Streaming Governance Protocol Engineering Token-by-token policy requires buffer management and semantic understanding — D&R operates at the call boundary
Anticipation Engine Predictive Governance Predicting future policy needs is governance strategy — D&R reacts to current behavior
Evidence Graph (Merkle DAG) Audit & Legal Cryptographic evidence chains serve legal provenance — D&R serves operational containment
Dialect Subscription Governance Marketplace Consuming third-party governance expertise is a platform economics function
Multi-agent Orchestration Agentic Governance Managing delegation scope, authority bounds, and inter-agent trust is governance — D&R monitors whether agents are failing, not whether they’re authorized
African/Japanese/Regional Contexts Jurisdictional Compliance Regional regulatory nuance has no bearing on whether latency is spiking

The Principle

If the capability requires understanding WHY the system is acting, it’s governance. If the capability requires detecting WHAT the system is doing and WHETHER it’s normal, it’s D&R.

D&R is behavioral. Governance is intentional. Both are necessary. Neither replaces the other.


Part 2: Critical Gap Analysis — What’s Missing from AIGP-Light for D&R

Based on industry research (Uber ADR system, OWASP Agentic Top 10, MITRE ATLAS, Microsoft MCP security guidance, Obsidian AI XDR), the following capabilities are legitimately D&R but not yet in AIGP-Light:

Gap 1: Adaptive Behavioral Baselines

Current state: AIGP-Light uses fixed thresholds (e.g., p95 > 3000ms).

What’s missing: Adaptive baselines that learn what “normal” looks like for each specific workload and drift-detect against learned behavior — not just static numbers.

Why it matters: A coding agent and a customer service agent have radically different normal latency, token volume, and error patterns. A fixed threshold either false-alarms on one or misses degradation on the other.

What to add:

  • Rolling baseline calculation (mean + stddev over configurable window)
  • Threshold as deviation multiplier: actual > baseline_mean + (N × stddev)
  • Optional warm-up period (don’t alert until baseline is established)
  • Baseline persistence (save/load so restarts don’t lose history)

Complexity: Low. No ML needed — purely statistical. Fits the zero-dependency constraint.


Gap 2: Prompt Injection Detection (Behavioral Indicators)

Current state: AIGP-Light detects refusals (string pattern match) but not the attack that causes them.

What’s missing: Behavioral indicators of prompt injection — not semantic analysis (that’s an ML model), but observable side effects:

  • Sudden role confusion (agent starts acting as a different persona)
  • Instruction leakage (system prompt appearing in output)
  • Unexpected tool calls (agent calling tools it normally doesn’t)
  • Topic deviation (response has no semantic relation to input)

Why it matters: Prompt injection is OWASP #1 for LLM apps. Refusal detection catches model-side defenses firing, but not successful injections that bypass them.

What to add:

  • Output pattern detection: configurable regex/string patterns that indicate compromise (e.g., system prompt leak markers)
  • Tool call anomaly: alert when tools are called that aren’t in the expected set for this workload
  • Output length anomaly combined with topic deviation score (simple keyword overlap with expected domain)

Complexity: Medium. Stays within zero-dep constraint if limited to statistical/pattern-based. Full semantic detection belongs in a dedicated guardrail layer (not D&R).


Gap 3: Cross-Boundary Correlation

Current state: Each AIGP-Light instance monitors one boundary independently. Model, MCP, and A2A have separate policies with no awareness of each other.

What’s missing: Correlation across boundaries to detect cascading failures:

  • Model error → triggers tool retry loop → triggers cost explosion
  • Agent A delegates to Agent B → Agent B fails → Agent A retries 10x → both circuit break

Why it matters: Agentic workloads fail as systems, not as individual calls. Isolated detection misses the cascade pattern.

What to add:

  • Shared signal bus: allow multiple AigpLight instances to share a SignalStore
  • Correlation rules: “if model error_rate > X AND tool error_rate > Y within Z seconds → ALERT(cascade)”
  • Propagation detection: detect when one circuit break should trigger related circuit breaks

Complexity: Medium. Requires an optional shared state mechanism (in-process bus, not external service).


Gap 4: Incident Escalation & Playbook Integration

Current state: AIGP-Light responds (LOG, ALERT, CIRCUIT_BREAK) but doesn’t integrate with incident response workflows.

What’s missing:

  • Structured alert payloads compatible with SIEM/SOAR (CEF, STIX, or at minimum structured JSON with severity/category)
  • Escalation rules: “if circuit breaker fires 3 times in 1 hour → escalate to PagerDuty/Slack”
  • Runbook links: attach remediation guidance to specific alert types

Why it matters: SOC teams don’t act on raw JSON. They need alerts in their existing tooling with actionable context.

What to add:

  • Alert formatters: CEF, STIX/TAXII, generic webhook with configurable payload template
  • Escalation policy: configurable repeat-threshold before escalation
  • Alert enrichment: include recent trace IDs, signal snapshot, and suggested action

Complexity: Low. Formatter is pluggable. Doesn’t require external dependencies — just structured output.


Gap 5: SIEM/XDR Telemetry Export

Current state: Traces go to JSONL files or stdout.

What’s missing: Direct integration with security telemetry infrastructure:

  • OpenTelemetry export (OTLP)
  • Syslog/CEF for legacy SIEM
  • CloudWatch / Datadog / Splunk HEC push
  • Kafka/EventBridge for streaming analytics

Why it matters: Security teams already have observability infrastructure. D&R data that lives in a separate JSONL file is invisible to them.

What to add:

  • OTLP exporter (optional dependency — maigp-light[otlp])
  • Syslog exporter (stdlib — no dependency)
  • Generic HTTP push exporter with configurable endpoint + headers
  • Keep file/stdout as default (zero-dep), exporters are opt-in

Complexity: Low for syslog/HTTP. Medium for OTLP (requires opentelemetry-sdk as optional dep).


Gap 6: Causal Chain Visibility (Agent Reasoning Trace)

Current state: AIGP-Light records that a call happened, how long it took, and whether policy fired. It does not record WHY the call was made.

What’s missing: Linking D&R events to the agent’s reasoning chain:

  • Which step in the agent’s plan triggered this tool call?
  • What was the agent’s stated intent before the call?
  • Was this call part of a retry loop?

Why it matters: Uber’s ADR paper (MLSys 2026) identifies this as the #1 gap: “EDR tools see file writes but not the agent reasoning, prompts, or causal chains linking intent to execution.”

What to add:

  • Optional context field on calls: gov.call(fn, context={"step": "research", "intent": "find vulnerabilities", "attempt": 2})
  • Context propagation in traces (included in span attributes)
  • No parsing or understanding of context — just capture and include

Complexity: Low. It’s just an optional dict passed through to the trace. Zero analysis overhead.


Gap 7: Canary & Test Harness

Current state: No built-in way to test D&R rules before production.

What’s missing:

  • Synthetic signal injection: “simulate 20% error rate and verify circuit breaker fires”
  • Dry-run mode: evaluate policy without executing responses
  • Canary mode: run new policy alongside old policy, compare decisions

Why it matters: You don’t deploy firewall rules without testing them. You shouldn’t deploy D&R rules without testing them.

What to add:

  • gov.simulate(signals: SignalSnapshot) → PolicyResult — evaluate without side effects
  • gov.inject(observations: list[CallObservation]) — feed synthetic data
  • dry_run: true config option — evaluate and log but don’t execute responses

Complexity: Low. The PolicyEngine already evaluates independently — just expose it.


Part 3: Priority Roadmap

Gap Priority Effort Rationale
Canary & Test Harness P0 1 day Safety — can’t ship D&R rules you can’t test
Adaptive Baselines P0 2 days Fixed thresholds don’t work across diverse workloads
Causal Chain Context P1 0.5 day Low effort, high value — optional context field
Incident Escalation P1 1 day SOC integration is table stakes for cyber tooling
SIEM Export P1 1 day Security teams need data in their existing tools
Cross-Boundary Correlation P2 3 days Important for multi-agent but not needed for single-boundary
Prompt Injection Indicators P2 2 days High value but must be careful not to become a guardrail (different tool)

Part 4: What We Won’t Add (Belongs Elsewhere)

Capability Why Not D&R Where It Belongs
Semantic content analysis (is this output harmful?) Requires ML inference — violates zero-dep, adds latency Guardrails layer (e.g., Llama Guard, NeMo Guardrails)
Model evaluation (is this output correct?) Quality judgment, not behavioral detection Evaluation framework (AIGP Mars, RAGAS, etc.)
Policy authoring (what should be allowed?) Governance decision-making AIGP Governance + Dialects
Identity/access management AuthN/AuthZ is infra IAM, VLT, trust chains
Data loss prevention Content classification DLP tools, content filters
Training data security Supply chain, not runtime ML pipeline security

The line is: if it needs to understand meaning, it’s not D&R. If it needs to observe behavior, it is.