The AI Systems Stack (AISS)
The AI Systems Stack (AISS)
A Reference Model for AI Systems and Agentic AI Architectures
© 2026 Kanjani AI Research & Causum. All rights reserved.
Abstract
The proliferation of AI protocols (A2A, MCP, ANP, ACP), hosting runtimes (AgentCore, Azure AI), governance frameworks (AIGP), and AI application patterns (single-model apps, RAG pipelines, multi-agent systems, SaaS AI) has created a fragmented landscape where practitioners cannot reason about how these technologies relate.
This document proposes the AI Systems Stack (AISS) — a layered reference model that maps the full lifecycle of AI systems from infrastructure to human interaction. It applies to:
- Single-model AI applications (chatbots, summarizers, classifiers)
- RAG and retrieval pipelines (knowledge-grounded AI)
- Autonomous AI agents (single-agent reasoning loops)
- Multi-agent agentic systems (orchestrated, delegating, collaborating)
- SaaS AI features (embedded AI in third-party products)
- AI-augmented workflows (human-in-the-loop with AI assistance)
Like the OSI model for networking, AISS does not mandate specific implementations. It provides a shared vocabulary and architectural mental model for the industry.
The stack is the same regardless of whether the system is a simple chatbot (using Layers 0, 1, 5, 7) or a full multi-agent system (using all layers). Simpler systems simply skip layers they don’t need.
System Types and Layer Usage
Not every AI system uses every layer. The stack accommodates the full spectrum:
graph LR subgraph "Simple AI App" S0[L0: Infra] --> S1[L1: Governance] --> S5[L5: Reasoning] --> S7[L7: Experience] endgraph LR subgraph "Full Agentic System" F0[L0] --> F1[L1] --> F2[L2] --> F3[L3] --> F4[L4] --> F5[L5] --> F6[L6] --> F7[L7] end| AI System Type | Layers Used | Example |
|---|---|---|
| Single-model chatbot | 0, 1, 5, 7 | Customer support bot |
| RAG pipeline | 0, 1, 3, 5, 7 | Knowledge-grounded Q&A |
| Tool-using agent | 0, 1, 3, 5, 7 | Code assistant with file access |
| Autonomous agent | 0, 1, 2, 3, 5, 7 | CPG analysis agent |
| Multi-agent system | 0, 1, 2, 3, 4, 5, 6, 7 | Orchestrated workflow (CPG → Index → Query) |
| SaaS AI (governed) | 0, 1, 7 | Gateway-governed vendor AI |
| AI-augmented workflow | 0, 1, 5, 6, 7 | Human-in-the-loop with AI steps |
Key insight: Layer 1 (Governance) is present in ALL system types. It is the only universal layer. Infrastructure (L0) and Experience (L7) are also near-universal. Everything in between depends on the architecture.
The Seven Layers
block-beta columns 1 block:stack L7["Layer 7: Experience\nHuman-AI interaction surfaces"] L6["Layer 6: Orchestration\nMulti-agent coordination & workflow"] L5["Layer 5: Reasoning\nSingle-agent cognition & tool use"] L4["Layer 4: Communication\nAgent-to-agent messaging"] L3["Layer 3: Capability\nTool & resource access protocols"] L2["Layer 2: Identity & Discovery\nAuthentication, routing, sovereignty"] L1["Layer 1: Governance & Evidence\nPolicy enforcement, trace, proof"] L0["Layer 0: Infrastructure\nCompute, hosting, runtime lifecycle"] end
style L1 fill:#0d9488,color:#fff style L2 fill:#3b82f6,color:#fff style L3 fill:#8b5cf6,color:#fff style L4 fill:#f59e0b,color:#fff style L5 fill:#ef4444,color:#fff style L6 fill:#ec4899,color:#fff style L7 fill:#6366f1,color:#fff style L0 fill:#374151,color:#fffLayer Definitions
Layer 0: Infrastructure
Purpose: Physical and virtual compute that hosts AI agents.
| Concern | Description |
|---|---|
| Compute lifecycle | Container start, stop, scale, health check |
| Networking | VPC, DNS, load balancing, TLS |
| Storage | Model weights, vector stores, state persistence |
| Observability | Metrics, logs, distributed tracing |
Implementations: AWS Bedrock AgentCore, Azure AI, ECS Fargate, Kubernetes, Lambda
Key property: Agents at higher layers should be infrastructure-agnostic.
Layer 1: Governance & Evidence
Purpose: Policy enforcement, evidence capture, and provable assurance for all AI activity across all other layers.
| Concern | Description |
|---|---|
| Pre-execution policy | CHECK — is this action authorized? |
| Post-execution record | RECORD — what actually happened? |
| Lifecycle trace | TRACE — linked evidence across stages |
| Quality evaluation | EVALUATE — did the outcome match intent? |
| Jurisdictional context | Which regulatory/policy framework applies? |
Implementations: AIGP (pre-invocation governance + evidence); Mars® (post-invocation conformance verification + certification)
Key property: Governance is not a layer that agents pass through once — it wraps ALL layers. Every action at Layers 2–7 can be governed, recorded, and evaluated.
graph LR subgraph "Layer 1: Governance" CHECK[CHECK] --> ALLOW{Allow?} ALLOW -->|Yes| EXECUTE[Execute] ALLOW -->|No| DENY[Deny + Record] EXECUTE --> RECORD[RECORD] RECORD --> TRACE[TRACE] TRACE --> EVALUATE[EVALUATE] EVALUATE --> VERDICT[Verdict] endPre/post-invocation split within Layer 1. Governance at this layer has two phases divided by the structural boundary at model output:
- Pre-invocation (AIGP): CHECK/admissibility, context enrichment, and the RECORD/TRACE evidence capture up to the point the model produces output.
- Post-invocation (Mars®): verification of the output against a governing specification, producing an independently re-derivable grounded verdict and conformance certificate. The
EVALUATE → VERDICTstep above is, at its authoritative end, a Mars® post-invocation act; AIGP’s own output-side evaluation (e.g., sycophancy gating) hands off to Mars® at the boundary.
The two compose across a single structural seam and are separately owned (AIGP: Kanjani AI Research & Causum; Mars®: Causum). See the AIGP↔Mars bridge (specification/extensions/mars-w1-witness-profile.md, specification/references/mars-post-invocation-bridge.md).
Layer 2: Identity & Discovery
Purpose: How agents find each other, prove identity, negotiate capabilities, and route across sovereignty boundaries.
| Concern | Description |
|---|---|
| Agent identity | Cryptographic proof of who an agent is |
| Service discovery | Finding agents/helpers without hardcoded URLs |
| Capability negotiation | Agreeing on what’s possible before communicating |
| Sovereignty routing | Directing to the correct regional endpoint |
| Token authority | Issuing and validating delegation credentials |
Implementations: ANP (Agent Network Protocol), VLT_PRJ Helper Service Mesh, DID-based identity
Key property: No agent hardcodes another agent’s address. Discovery is dynamic, authenticated, and sovereignty-aware.
sequenceDiagram participant Agent participant Identity as Layer 2: Identity participant Target as Target Agent/Helper
Agent->>Identity: Who can do X in my region? Identity->>Identity: Check sovereignty rules Identity-->>Agent: endpoint + token + region Agent->>Target: Request (with Bearer token) Target->>Identity: Verify token signature Identity-->>Target: Valid ✓ Target-->>Agent: ResponseLayer 3: Capability
Purpose: Standardized access to tools, resources, and data sources.
| Concern | Description |
|---|---|
| Tool discovery | What tools exist and what do they do? |
| Tool invocation | Calling a tool with parameters |
| Resource access | Reading/writing external data |
| Schema negotiation | Input/output format agreement |
Implementations: MCP (Model Context Protocol), OpenAPI tool schemas
Key property: Tools are protocol-accessed, not framework-specific. Any agent on any framework can call any MCP tool.
Layer 4: Communication
Purpose: Agent-to-agent message exchange — the wire protocol for inter-agent collaboration.
| Concern | Description |
|---|---|
| Message format | Structured envelope for agent messages |
| Task lifecycle | Create, update, complete, cancel |
| Streaming | Real-time partial results |
| Error handling | Failure propagation across agents |
Implementations: A2A (Agent-to-Agent Protocol), ACP (Agent Communication Protocol), JSON-RPC
Key property: Communication protocols are framework-agnostic. A Strands agent can talk to a LangChain agent via A2A without either knowing the other’s implementation.
graph LR A[Strands Agent] -->|A2A JSON-RPC| B[LangChain Agent] B -->|A2A JSON-RPC| C[Custom Agent] C -->|A2A JSON-RPC| ALayer 5: Reasoning
Purpose: Single-agent cognition — the reasoning loop that drives autonomous behavior.
| Concern | Description |
|---|---|
| Model invocation | Calling LLMs for reasoning |
| Tool selection | Deciding which tool to use |
| Memory | Short-term and long-term context |
| Planning | Multi-step goal decomposition |
| Reflection | Self-evaluation and correction |
Implementations: Strands Agents, LangChain/LangGraph, CrewAI, AutoGen, Semantic Kernel, LlamaIndex
Key property: The reasoning layer is where “agency” lives. It’s the only layer that makes decisions. All other layers are infrastructure for those decisions.
Layer 6: Orchestration
Purpose: Coordinating multiple agents to accomplish complex goals.
| Concern | Description |
|---|---|
| Workflow definition | What steps, in what order |
| Agent selection | Which agent handles which step |
| Context partitioning | Each agent sees only what it needs |
| Result aggregation | Combining outputs from multiple agents |
| Failure handling | Retry, fallback, circuit breaking |
Implementations: Workflow engines (RUN_PRJ), multi-agent planners, supervisor agents, DAG executors
Key property: Orchestration exists to prevent monolithic agents. Each agent has bounded context and bounded responsibility.
graph TD O[Orchestrator] --> A1[CPG Agent] O --> A2[Graph Index Agent] O --> A3[Query Agent] A1 -->|CPG output| A2 A2 -->|Indexed| A3Layer 7: Experience
Purpose: Human-AI interaction surfaces — where humans observe, direct, and override AI systems.
| Concern | Description |
|---|---|
| Natural language interface | Chat, voice, visual interaction |
| Transparency | Showing what the AI did and why |
| Override controls | Human-in-the-loop, kill switch, correction |
| Feedback | Quality signals from users back to governance |
| Trust calibration | Helping humans know when to trust AI output |
Implementations: Chat UIs, dashboards, agent cards, governance consoles (GOV_APP), approval workflows
Key property: Humans remain sovereign. Layer 7 ensures that autonomy at Layers 5–6 never exceeds the boundaries set at Layer 1.
Cross-Cutting Concern: Governance Permeates All Layers
Unlike OSI where each layer only interacts with adjacent layers, governance (Layer 1) wraps every other layer:
graph TB subgraph "Governance wraps all layers" direction TB G1[L1: Governance]
G1 -.->|"Infra events"| L0[L0: Infrastructure] G1 -.->|"Identity verification"| L2[L2: Identity & Discovery] G1 -.->|"Tool authorization"| L3[L3: Capability] G1 -.->|"Message policy"| L4[L4: Communication] G1 -.->|"Model & budget control"| L5[L5: Reasoning] G1 -.->|"Workflow approval"| L6[L6: Orchestration] G1 -.->|"Feedback & transparency"| L7[L7: Experience] endThis is the fundamental difference from network stacks: you cannot opt out of governance. Every tool call (L3), every agent message (L4), every model invocation (L5), every workflow step (L6) — all are governable.
Protocol Mapping
| Layer | Protocol/Standard | Role |
|---|---|---|
| 7 | AG-UI, Custom UIs | Human-facing interaction |
| 6 | Workflow JSON, DAGs | Multi-agent coordination |
| 5 | Strands, LangGraph, CrewAI | Agent reasoning frameworks |
| 4 | A2A (Google/AWS) | Agent-to-agent messaging |
| 3 | MCP (Anthropic) | Tool and resource access |
| 2 | ANP (Agent Network Protocol) | Discovery + identity + routing |
| 1 | AIGP (pre-invocation) + Mars® (post-invocation) | Governance + evidence + evaluation; post-invocation grounded verdict & conformance certificate |
| 0 | AgentCore, ECS, K8s | Compute lifecycle |
Design Principles
-
Layer independence — Each layer can evolve without breaking others. You can swap A2A for ACP at Layer 4 without touching Layer 5 agents.
-
Governance sovereignty — Layer 1 has authority over all other layers. An agent cannot reason its way past governance.
-
Discovery over configuration — Agents should discover capabilities (L2) rather than hardcode endpoints. This enables sovereignty, failover, and rotation.
-
Protocol over framework — Layers 1–4 define wire protocols, not framework APIs. This ensures cross-framework interoperability.
-
Human sovereignty — Layer 7 ensures humans retain ultimate authority, especially the ability to observe, override, and halt.
Comparison to OSI
| OSI Model | Agentic Intelligence Stack |
|---|---|
| Fixed 7 layers, strict adjacency | 8 layers (0–7), governance wraps all |
| Each layer talks only to neighbors | Governance interacts with every layer |
| Physical → Application (bottom-up) | Infrastructure → Experience (bottom-up) |
| Designed for packet switching | Designed for autonomous decision-making |
| Identity at every layer (MAC, IP, TLS) | Identity concentrated at Layer 2 |
| No “governance” equivalent | Governance is foundational (Layer 1) |
Why This Matters
Without a shared reference model:
- Vendors position competing products as solving “the agent problem” when they address different layers
- Enterprises can’t evaluate which protocols they need
- Interoperability claims are untestable (what layer are you interoperating at?)
- Governance is treated as optional rather than foundational
With AIS:
- “We use A2A (L4) with MCP tools (L3), governed by AIGP (L1), hosted on AgentCore (L0)”
- Everyone knows exactly what’s covered and what’s missing
- Gaps become visible: “We have no Layer 2 — our agents can’t discover each other”
- Governance positioning is unambiguous: it’s not competing with A2A or MCP, it’s a different layer entirely
Extensibility
The AIS is a reference model, not a rigid specification. Implementations may:
Add or merge layers — A system that doesn’t need multi-agent orchestration can collapse Layers 5 and 6. A system with complex identity requirements might split Layer 2 into sub-layers.
Define sub-layers — Any layer can be decomposed. For example:
| Layer | Sub-layer | Concern |
|---|---|---|
| 2a | Authentication | Proving agent identity (tokens, certs, DID) |
| 2b | Discovery | Finding agents/services dynamically |
| 2c | Routing | Sovereignty-aware endpoint resolution |
| 3a | Tool Schema | Declaring what tools exist |
| 3b | Tool Execution | Actually calling the tool |
| 5a | Planning | Goal decomposition |
| 5b | Execution | Tool selection + invocation loop |
| 5c | Reflection | Self-correction + learning |
Domain-specific layers — Verticals (healthcare, finance, defense) may introduce domain layers between existing ones. Example: a “Safety Layer” (1.5) between Governance and Identity for autonomous vehicles or clinical AI.
The test for whether a new layer or sub-layer is justified: does it have a distinct protocol or contract boundary? If two concerns share a single protocol, they’re one layer. If they have independent wire formats, they’re separate.
Citation
Kanjani AI Research & Causum (2026). The Agentic Intelligence Stack: A Reference Model for Autonomous AI Systems.AIGP Protocol Specification, Addendum. https://github.com/owner-spec/aigp-protocol