AIGP-Light: Domain Boundaries & Gap Analysis
AIGP-Light: Domain Boundaries & Gap Analysis
What’s excluded and why. What’s missing and what we should add.
Date: July 2026
Part 1: What’s Not in AIGP-Light (And Why)
These capabilities exist in the full AIGP protocol but are deliberately excluded from AIGP-Light — not because they’re unimportant, but because they belong to different disciplines.
| Excluded Capability | Discipline It Belongs To | Why It’s Not D&R |
|---|---|---|
| VLT / Delegation Tokens | Trust Chain Governance | Verifying authority chains is a governance concern — D&R detects if the system is behaving, not whether it has permission |
| Consent Management | Privacy & Ethics | Whether a data subject consented is a legal/ethical question, not an operational security question |
| Regulatory Contexts (EU AI Act, Japan, AU) | Compliance | Jurisdictional obligation tracking is multi-month lifecycle work, not millisecond runtime defense |
| Streaming Governance | Protocol Engineering | Token-by-token policy requires buffer management and semantic understanding — D&R operates at the call boundary |
| Anticipation Engine | Predictive Governance | Predicting future policy needs is governance strategy — D&R reacts to current behavior |
| Evidence Graph (Merkle DAG) | Audit & Legal | Cryptographic evidence chains serve legal provenance — D&R serves operational containment |
| Dialect Subscription | Governance Marketplace | Consuming third-party governance expertise is a platform economics function |
| Multi-agent Orchestration | Agentic Governance | Managing delegation scope, authority bounds, and inter-agent trust is governance — D&R monitors whether agents are failing, not whether they’re authorized |
| African/Japanese/Regional Contexts | Jurisdictional Compliance | Regional regulatory nuance has no bearing on whether latency is spiking |
The Principle
If the capability requires understanding WHY the system is acting, it’s governance. If the capability requires detecting WHAT the system is doing and WHETHER it’s normal, it’s D&R.
D&R is behavioral. Governance is intentional. Both are necessary. Neither replaces the other.
Part 2: Critical Gap Analysis — What’s Missing from AIGP-Light for D&R
Based on industry research (Uber ADR system, OWASP Agentic Top 10, MITRE ATLAS, Microsoft MCP security guidance, Obsidian AI XDR), the following capabilities are legitimately D&R but not yet in AIGP-Light:
Gap 1: Adaptive Behavioral Baselines
Current state: AIGP-Light uses fixed thresholds (e.g., p95 > 3000ms).
What’s missing: Adaptive baselines that learn what “normal” looks like for each specific workload and drift-detect against learned behavior — not just static numbers.
Why it matters: A coding agent and a customer service agent have radically different normal latency, token volume, and error patterns. A fixed threshold either false-alarms on one or misses degradation on the other.
What to add:
- Rolling baseline calculation (mean + stddev over configurable window)
- Threshold as deviation multiplier:
actual > baseline_mean + (N × stddev) - Optional warm-up period (don’t alert until baseline is established)
- Baseline persistence (save/load so restarts don’t lose history)
Complexity: Low. No ML needed — purely statistical. Fits the zero-dependency constraint.
Gap 2: Prompt Injection Detection (Behavioral Indicators)
Current state: AIGP-Light detects refusals (string pattern match) but not the attack that causes them.
What’s missing: Behavioral indicators of prompt injection — not semantic analysis (that’s an ML model), but observable side effects:
- Sudden role confusion (agent starts acting as a different persona)
- Instruction leakage (system prompt appearing in output)
- Unexpected tool calls (agent calling tools it normally doesn’t)
- Topic deviation (response has no semantic relation to input)
Why it matters: Prompt injection is OWASP #1 for LLM apps. Refusal detection catches model-side defenses firing, but not successful injections that bypass them.
What to add:
- Output pattern detection: configurable regex/string patterns that indicate compromise (e.g., system prompt leak markers)
- Tool call anomaly: alert when tools are called that aren’t in the expected set for this workload
- Output length anomaly combined with topic deviation score (simple keyword overlap with expected domain)
Complexity: Medium. Stays within zero-dep constraint if limited to statistical/pattern-based. Full semantic detection belongs in a dedicated guardrail layer (not D&R).
Gap 3: Cross-Boundary Correlation
Current state: Each AIGP-Light instance monitors one boundary independently. Model, MCP, and A2A have separate policies with no awareness of each other.
What’s missing: Correlation across boundaries to detect cascading failures:
- Model error → triggers tool retry loop → triggers cost explosion
- Agent A delegates to Agent B → Agent B fails → Agent A retries 10x → both circuit break
Why it matters: Agentic workloads fail as systems, not as individual calls. Isolated detection misses the cascade pattern.
What to add:
- Shared signal bus: allow multiple AigpLight instances to share a SignalStore
- Correlation rules: “if model error_rate > X AND tool error_rate > Y within Z seconds → ALERT(cascade)”
- Propagation detection: detect when one circuit break should trigger related circuit breaks
Complexity: Medium. Requires an optional shared state mechanism (in-process bus, not external service).
Gap 4: Incident Escalation & Playbook Integration
Current state: AIGP-Light responds (LOG, ALERT, CIRCUIT_BREAK) but doesn’t integrate with incident response workflows.
What’s missing:
- Structured alert payloads compatible with SIEM/SOAR (CEF, STIX, or at minimum structured JSON with severity/category)
- Escalation rules: “if circuit breaker fires 3 times in 1 hour → escalate to PagerDuty/Slack”
- Runbook links: attach remediation guidance to specific alert types
Why it matters: SOC teams don’t act on raw JSON. They need alerts in their existing tooling with actionable context.
What to add:
- Alert formatters: CEF, STIX/TAXII, generic webhook with configurable payload template
- Escalation policy: configurable repeat-threshold before escalation
- Alert enrichment: include recent trace IDs, signal snapshot, and suggested action
Complexity: Low. Formatter is pluggable. Doesn’t require external dependencies — just structured output.
Gap 5: SIEM/XDR Telemetry Export
Current state: Traces go to JSONL files or stdout.
What’s missing: Direct integration with security telemetry infrastructure:
- OpenTelemetry export (OTLP)
- Syslog/CEF for legacy SIEM
- CloudWatch / Datadog / Splunk HEC push
- Kafka/EventBridge for streaming analytics
Why it matters: Security teams already have observability infrastructure. D&R data that lives in a separate JSONL file is invisible to them.
What to add:
- OTLP exporter (optional dependency —
maigp-light[otlp]) - Syslog exporter (stdlib — no dependency)
- Generic HTTP push exporter with configurable endpoint + headers
- Keep file/stdout as default (zero-dep), exporters are opt-in
Complexity: Low for syslog/HTTP. Medium for OTLP (requires opentelemetry-sdk as optional dep).
Gap 6: Causal Chain Visibility (Agent Reasoning Trace)
Current state: AIGP-Light records that a call happened, how long it took, and whether policy fired. It does not record WHY the call was made.
What’s missing: Linking D&R events to the agent’s reasoning chain:
- Which step in the agent’s plan triggered this tool call?
- What was the agent’s stated intent before the call?
- Was this call part of a retry loop?
Why it matters: Uber’s ADR paper (MLSys 2026) identifies this as the #1 gap: “EDR tools see file writes but not the agent reasoning, prompts, or causal chains linking intent to execution.”
What to add:
- Optional
contextfield on calls:gov.call(fn, context={"step": "research", "intent": "find vulnerabilities", "attempt": 2}) - Context propagation in traces (included in span attributes)
- No parsing or understanding of context — just capture and include
Complexity: Low. It’s just an optional dict passed through to the trace. Zero analysis overhead.
Gap 7: Canary & Test Harness
Current state: No built-in way to test D&R rules before production.
What’s missing:
- Synthetic signal injection: “simulate 20% error rate and verify circuit breaker fires”
- Dry-run mode: evaluate policy without executing responses
- Canary mode: run new policy alongside old policy, compare decisions
Why it matters: You don’t deploy firewall rules without testing them. You shouldn’t deploy D&R rules without testing them.
What to add:
gov.simulate(signals: SignalSnapshot) → PolicyResult— evaluate without side effectsgov.inject(observations: list[CallObservation])— feed synthetic datadry_run: trueconfig option — evaluate and log but don’t execute responses
Complexity: Low. The PolicyEngine already evaluates independently — just expose it.
Part 3: Priority Roadmap
| Gap | Priority | Effort | Rationale |
|---|---|---|---|
| Canary & Test Harness | P0 | 1 day | Safety — can’t ship D&R rules you can’t test |
| Adaptive Baselines | P0 | 2 days | Fixed thresholds don’t work across diverse workloads |
| Causal Chain Context | P1 | 0.5 day | Low effort, high value — optional context field |
| Incident Escalation | P1 | 1 day | SOC integration is table stakes for cyber tooling |
| SIEM Export | P1 | 1 day | Security teams need data in their existing tools |
| Cross-Boundary Correlation | P2 | 3 days | Important for multi-agent but not needed for single-boundary |
| Prompt Injection Indicators | P2 | 2 days | High value but must be careful not to become a guardrail (different tool) |
Part 4: What We Won’t Add (Belongs Elsewhere)
| Capability | Why Not D&R | Where It Belongs |
|---|---|---|
| Semantic content analysis (is this output harmful?) | Requires ML inference — violates zero-dep, adds latency | Guardrails layer (e.g., Llama Guard, NeMo Guardrails) |
| Model evaluation (is this output correct?) | Quality judgment, not behavioral detection | Evaluation framework (AIGP Mars, RAGAS, etc.) |
| Policy authoring (what should be allowed?) | Governance decision-making | AIGP Governance + Dialects |
| Identity/access management | AuthN/AuthZ is infra | IAM, VLT, trust chains |
| Data loss prevention | Content classification | DLP tools, content filters |
| Training data security | Supply chain, not runtime | ML pipeline security |
The line is: if it needs to understand meaning, it’s not D&R. If it needs to observe behavior, it is.