Assembly Core
The identity, rules, policies, and governance patterns referenced throughout Assembly › Core draw on the active agentic-governance research lineage. This page catalogs the canonical frameworks, their architectural distinctions, and the selection criteria the platform uses when configuring a Unitt's Core for a given workload tier.
Identity
A production-grade identity spec separates the operational profile (name, model, tools, permissions, context budget) from the persona prompt (role, expertise, voice, refusal stance). Claude Code subagents encode this as Markdown frontmatter (name, description, tools, model) plus a dedicated system-prompt body that runs in its own context window with custom tool access. OpenAI Agents SDK uses an Agent class taking name, instructions, model, tools, with instructions delivered via the developer role (renamed from system for o-series to denote higher authority than user input). CrewAI Agents formalize the persona as a role + goal + backstory triple concatenated into the prompt. A good identity spec is declarative and version-controlled, separates capabilities from personality, and exposes the same fields to runtime and governance tooling.
Rules
Rules are static deterministic constraints embedded in the system / developer prompt or memory layer; they apply uniformly to every invocation and are evaluated by the model itself rather than by an external engine. Claude Code's CLAUDE.md hierarchy is the canonical pattern: enterprise → user (~/.claude/CLAUDE.md) → project (./CLAUDE.md) → subdirectory → personal (CLAUDE.local.md), concatenated bottom-up with later-discovered files carrying more weight. OpenAI's developer-role guidance and Anthropic's character / role-prompting docs both treat the system prompt as a soft contract: strong default behavior, but not a security boundary. Rules belong here when they are universal, low-risk, and acceptable for the model to occasionally violate under adversarial pressure (style, refusal stance, response format).
Policies
Policies are externally evaluated, deterministic, request-scoped authorization decisions; they are a security boundary, not a soft contract. OPA / Rego remains the de-facto open standard for policy-as-code; the 2025 pattern intercepts each tool invocation and evaluates a Rego policy outside the LLM so the model can propose but cannot decide (Runtime Governance with OPA). AWS Cedar powers Bedrock AgentCore Policy (GA March 3, 2026), evaluating every Gateway tool call with default-deny and forbid > permit semantics. Google Vertex / Gemini Enterprise Agent Gateway enforces Model Armor plus identity-bound policies on every agent-to-tool hop. OpenAI Guardrails provides input / output / tool tripwires.
Migration consideration: Apple acquihired the core OPA maintainers and Styra engineering in August 2025 (Cloud Native Now); OPA remains CNCF-governed but customers should plan to self-host the now-open EOPA / OCP, fork, or migrate to Cerbos / Permit.io / Cedar.
Governance Frameworks
- NIST AI RMF 1.0 (Govern / Map / Measure / Manage) plus NIST AI 600-1 Generative AI Profile (July 2024, twelve named risks including confabulation and CBRN).
- CSA AI RMF Agentic Profile extends 600-1 with autonomy-specific controls; aligns with the CSA AI Controls Matrix (243 controls, 18 domains, July 2025) and the AAGATE reference architecture (Kubernetes-native, December 22, 2025).
- OWASP LLM Top 10 v2025 (prompt injection #1) and OWASP Top 10 for Agentic Applications (December 9, 2025; goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents).
- Microsoft Agent Governance Toolkit (MIT, April 2026): Agent OS (stateless PDP, p99 < 0.1ms), Agent Mesh (DID + Ed25519 + dynamic trust score 0-1000), Agent Runtime (privilege rings, saga orchestration, kill switch); covers all 10 OWASP agentic risks across Python / TS / Rust / Go / .NET.
- Regulatory deadlines: EU AI Act core obligations apply August 2, 2026 (extraterritorial for EU-market outputs); Colorado's original AI Act enforcement (June 30, 2026) was stayed April 27, 2026, replaced by SB 189 (notice-and-transparency only, effective January 1, 2027 if signed).
Per-Step Authorization Gates
Following NIST SP 800-207, separate the PEP (agent runtime / gateway / MCP server interceptor enforcing the verdict) from the PDP (stateless policy engine returning Permit / Deny in milliseconds). Policies must be re-evaluated per step (every tool call, sub-agent handoff, memory write, external HTTP) because LLM context can shift adversarially mid-trajectory; AgentCore Gateway and AGT's Agent OS both enforce this. The PDP-as-tool pattern exposes the PDP itself as an MCP tool (Cerbos sub-1ms YAML PDP, Permit.io OPA+OPAL gateway) so the agent can pre-query "may I do X?" before attempting it.
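The policy boundary described in the Policies section and the PEP / PDP split above, as an added Python example that is not platform code and not OPA, Cedar or Cerbos syntax: a stateless PDP with default-deny and forbid > permit semantics, and a PEP that re-queries it on every step of a constructed trajectory. The policy format, principals and tool names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy set (not OPA/Cedar syntax): explicit permit or forbid rules
# over (principal, tool, action), optionally conditioned on request context.
POLICIES = [
    {"effect": "permit", "principal": "agent:billing", "tool": "crm", "actions": ["read", "write"]},
    {"effect": "permit", "principal": "agent:billing", "tool": "email", "actions": ["send"]},
    # forbid wins over permit whenever both match the same request
    {"effect": "forbid", "principal": "*", "tool": "email", "actions": ["send"], "when": {"recipient_domain_external": True}},
]

@dataclass(frozen=True)
class Request:
    principal: str
    tool: str
    action: str
    context: dict = field(default_factory=dict)

def _matches(rule, req):
    return (rule["principal"] in ("*", req.principal) and rule["tool"] in ("*", req.tool)
            and req.action in rule["actions"]
            # every "when" condition must equal the corresponding request-context value
            and all(req.context.get(k) == v for k, v in rule.get("when", {}).items()))

def decide(policies, req):
    """Stateless PDP: (verdict, reason) with default-deny and forbid > permit."""
    effects = {r["effect"] for r in policies if _matches(r, req)}
    if "forbid" in effects:
        return "Deny", "explicit forbid"
    return ("Permit", "explicit permit") if "permit" in effects else ("Deny", "no matching permit (default-deny)")

def pep_run_trajectory(steps, policies, tools):
    """PEP: asks the PDP on every step; only Permit verdicts reach the tool."""
    log = []
    for req in steps:
        verdict, reason = decide(policies, req)
        log.append((req.tool, req.action, verdict, reason))
        if verdict == "Permit":
            tools[req.tool](req.action, req.context)
    return log

def demo():
    calls = []  # records what actually executed
    tools = {name: (lambda a, c, n=name: calls.append((n, a))) for name in ("crm", "email")}
    steps = [Request("agent:billing", "crm", "read"),
             Request("agent:billing", "email", "send", {"recipient_domain_external": False}),
             Request("agent:billing", "email", "send", {"recipient_domain_external": True}),
             Request("agent:billing", "crm", "delete")]  # no rule matches: falls to default-deny
    return pep_run_trajectory(steps, POLICIES, tools), calls
```

The model proposes all four steps; the PEP executes only the two the PDP permits, and the forbid on external recipients overrides the standing permit for email.send.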
Audit Trail
Use an append-only, hash-chained store (each entry contains the SHA of the previous) backed by WORM media (S3 Object Lock, Azure Blob WORM) for GDPR / SOX / HIPAA-by-construction (Microsoft "After the Agent Acts", tamper-evident audit). Instrument with OpenTelemetry GenAI semantic conventions (gen_ai.* namespace), and add governance-specific attributes (policy decision ID, PDP version, principal chain, delegation hash) in OTel Collector processors so redaction and routing stay in one governed pipeline.
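The hash-chained store above, as an added Python example (not platform code and not a WORM backend): each entry carries the SHA-256 of the previous entry, and a verifier walks the chain to detect in-place edits, deletions and reordering. The record fields, decision IDs and principal names are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel standing in for "no previous entry"

def _digest(prev_hash, record):
    # canonical JSON (sorted keys, no whitespace) so key order cannot alter the hash
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

class AuditChain:
    """Append-only log where each entry carries the SHA-256 of the previous entry."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

def verify(entries):
    """(ok, index of first broken link or -1): catches edits, deletions and reordering."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry["hash"] != _digest(entry["prev"], entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1

def demo():
    chain = AuditChain()
    # constructed records: gen_ai.* span data plus the governance attributes named above
    chain.append({"gen_ai.operation.name": "execute_tool", "tool": "crm.read", "verdict": "Permit",
                  "policy.decision_id": "dec-0001", "pdp.version": "v3",
                  "principal_chain": ["user:alice", "agent:billing"]})
    chain.append({"gen_ai.operation.name": "execute_tool", "tool": "email.send", "verdict": "Deny",
                  "policy.decision_id": "dec-0002", "pdp.version": "v3",
                  "principal_chain": ["user:alice", "agent:billing"]})
    ok_before = verify(chain.entries)[0]
    tampered = copy.deepcopy(chain.entries)
    tampered[1]["record"]["verdict"] = "Permit"  # in-place rewrite of history
    return ok_before, verify(tampered)
```

Truncating the tail of the chain is not detectable by the links alone, which is why the page pairs the chain with WORM media: the store must refuse deletion, the chain only proves what remains is intact and ordered.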
Escalation
Treat escalation as a first-class state, not an exception path. LangGraph interrupt() pauses execution before high-risk tool calls and surfaces approve / edit / reject / respond decisions to humans. The 2025 production pattern: cheap reversible actions auto-execute; actions whose confidence falls below a per-tool threshold, that touch destructive verbs, or that hit a policy soft-deny route to a human queue with full reasoning and uncertainty context attached.
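The routing pattern above, as an added Python example (not platform code and not LangGraph's interrupt()): a proposed step either auto-executes, is blocked by a hard deny, or becomes a queued ticket carrying its triggers and reasoning until a human chooses approve / edit / reject / respond. The per-tool confidence floors, destructive verb list and tool names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Route(str, Enum):
    AUTO = "auto_execute"   # cheap, reversible, in-policy: run it
    HUMAN = "human_queue"   # pause and wait for approve / edit / reject / respond
    BLOCKED = "blocked"     # hard policy deny: never runs, never escalates

# Constructed per-tool confidence floors; an unlisted tool defaults to 1.0 (always escalate).
CONFIDENCE_FLOOR = {"crm.read": 0.3, "crm.update": 0.8, "email.send": 0.9}
DESTRUCTIVE_VERBS = {"delete", "drop", "purge", "transfer", "revoke"}

@dataclass
class Proposed:
    tool: str            # "<resource>.<verb>"
    args: dict
    confidence: float    # calibrated confidence the model attached to this step
    policy_verdict: str  # "Permit" | "SoftDeny" | "Deny" from the PDP
    reasoning: str       # the model's stated rationale, carried to the reviewer

@dataclass
class Ticket:
    action: Proposed
    triggers: list       # why this landed in the queue (uncertainty context)
    decision: str = ""   # approve | edit | reject | respond, filled in by the human

def route(action, queue):
    """Escalation as a state transition: returns (Route, Ticket or None)."""
    if action.policy_verdict == "Deny":
        return Route.BLOCKED, None
    floor = CONFIDENCE_FLOOR.get(action.tool, 1.0)
    triggers = []
    if action.confidence < floor:
        triggers.append(f"confidence {action.confidence:.2f} below floor {floor}")
    if action.tool.rsplit(".", 1)[-1] in DESTRUCTIVE_VERBS:
        triggers.append("destructive verb")
    if action.policy_verdict == "SoftDeny":
        triggers.append("policy soft-deny")
    if not triggers:
        return Route.AUTO, None
    ticket = Ticket(action, triggers)
    queue.append(ticket)
    return Route.HUMAN, ticket

def resolve(ticket, decision, edited_args=None):
    """Human decision; returns the action to execute, or None when it must not run."""
    if decision not in ("approve", "edit", "reject", "respond"):
        raise ValueError(decision)
    ticket.decision = decision
    if decision == "edit" and edited_args is not None:
        ticket.action.args = edited_args
    return ticket.action if decision in ("approve", "edit") else None
```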
Identity Provenance
A2A v0.3+ (July 31, 2025) added signed Agent Cards (JSON capability documents at /.well-known/agent-card.json, signed to defeat card-shadowing). DPoP binds bearer tokens to a holder's key pair so stolen tokens cannot be replayed; combine with delegation chains carrying the human principal hash so the PDP can verify intent end-to-end. AI-SBOM (CISA + G7, 2025; seven clusters: Metadata / Models / Datasets / SLP / KPI / Security / Infrastructure) inventories model weights, training data lineage, prompts, tools, and MCP servers; required for EU AI Act provider obligations.
Validation Of Core
Before an agent is registered as runnable, Core must pass: (a) Schema validation against JSON Schema 2020-12; (b) Governance lint for missing default-deny, conflicting allow / forbid pairs, unresolved tool references; (c) Dry-run policy evaluation against a canonical synthetic trajectory; (d) Signature / SBOM verification of the Agent Card and referenced model / tool digests.
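Step (b), the governance lint, as an added Python example that is not the platform's validator: it checks a constructed Core spec for a missing default-deny, an unconditional permit / forbid pair on the same (principal, tool, action), and policy rules that reference tools the identity never declares, then shows the same spec after each finding is fixed. The spec layout and field names are assumptions, not any vendor's schema.

```python
import copy
from collections import defaultdict

# Constructed Core spec (not any vendor's schema) seeded with three lint failures.
BAD_CORE = {
    "identity": {"name": "billing-agent", "model": "<model-id placeholder>", "tools": ["crm", "email"]},
    "policies": {
        "default": "allow",  # (1) missing default-deny
        "rules": [
            {"effect": "permit", "principal": "agent:billing", "tool": "crm", "actions": ["read", "write"]},
            {"effect": "forbid", "principal": "agent:billing", "tool": "crm", "actions": ["write"]},  # (2) conflicts with rule 0
            {"effect": "permit", "principal": "agent:billing", "tool": "payments", "actions": ["refund"]},  # (3) undeclared tool
        ],
    },
}

def lint_core(core):
    """Governance lint (step b above): returns a list of findings; an empty list passes."""
    findings = []
    declared = set(core.get("identity", {}).get("tools", []))
    policies = core.get("policies", {})
    if policies.get("default") != "deny":
        findings.append("missing default-deny: policies.default must be 'deny'")
    unconditional = defaultdict(set)  # (principal, tool, action) -> effects of rules without "when"
    for i, rule in enumerate(policies.get("rules", [])):
        tool = rule.get("tool", "*")
        if tool != "*" and tool not in declared:
            findings.append(f"rule {i}: unresolved tool reference '{tool}'")
        if "when" in rule:
            continue  # a conditioned forbid beside a permit is intended layering, not a conflict
        for action in rule.get("actions", []):
            unconditional[(rule.get("principal", "*"), tool, action)].add(rule["effect"])
    for (principal, tool, action), effects in sorted(unconditional.items()):
        if effects == {"permit", "forbid"}:
            findings.append(f"conflicting permit/forbid for {principal} on {tool}:{action}")
    return findings

def fixed_core():
    """The same spec after each finding is addressed; lint_core returns []."""
    core = copy.deepcopy(BAD_CORE)
    core["policies"]["default"] = "deny"
    core["identity"]["tools"].append("payments")
    core["policies"]["rules"][1]["when"] = {"ticket_approved": False}  # forbid only without a ticket
    return core
```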
Selection Criteria
| Posture | Workload Tier | Identity | Rules | Policies | Gates | Audit | Provenance |
|---|---|---|---|---|---|---|---|
| Minimal | Internal dev tools | Inline persona | Single project file | None / Guardrails input only | None | App logs | None |
| Standard | Internal prod | Versioned identity + tools | Hierarchical (enterprise + project) | OPA / Cedar / Cerbos; soft-deny on writes | Confidence-gated interrupts on destructive verbs | OTel spans, 90d | Signed agent card, internal CA |
| Regulated | Customer data, finance, health | Identity + signed AI-SBOM | Hierarchical, enterprise immutable | Per-step PDP; AgentCore / AGT class; default-deny; PDP-as-tool | HITL on external sends, scope-out writes | Hash-chained WORM, 7y | A2A signed card + DPoP + delegation chain |
| High-stakes / EU AI Act high-risk | Public-facing decisions | Identity + AI-SBOM + model cards + risk assessment | Immutable enterprise rules, signed | Multi-PDP (Cedar boundary + OPA app + guardrails); kill switch | HITL default-on; confidence floor + budget gates | WORM + cryptographic verifier + attestation | Full A2A + DPoP + AI-BOM + supply-chain attestation; NIST 600-1 Agentic Profile |
Selection Heuristic
The bright line: if violating it is embarrassing, it is a rule; if violating it is a breach, it is a policy; if violating it is a regulator's headline, it is a gate plus an audit obligation. Use rules for universal style and refusal stance. Use policies for any action that touches data, money, identity, external systems, or other agents, that is, wherever a model jailbreak must not equal an exploit. Use governance gates when the policy outcome is conditional on human intent that cannot be encoded, when confidence drops below the tier-specific threshold, or when regulators require attestation.
Cross-References
- Assembly › Core; developer-facing platform layer.
- Reference › Research › Fabric Setup; multi-agent governance built on these Core primitives.
- Reference › Research › Assembly Connectors; credential vaulting and per-step authorization.
- Reference › Research › Assembly Tools; tool authorization gates.