How IBA Actually Works — GoverningLayer

Technical Architecture

How IBA Actually
Works

Intent-Based Authorization is not a policy layer, a filter, or a prompt wrapper. It is a cryptographic enforcement architecture that operates below the model — at the execution fabric. This page documents the intent certificate format, runtime validation flow, enforcement point, a live execution trace, and the failure cases IBA handles — and the ones it doesn’t.

💬 What prompted this page

An independent ChatGPT technical review rated IBA 9/10 on concept but noted: “What’s missing: protocol spec, intent schema, enforcement architecture, threat model. Without those, it reads more like a positioning document than an engineering proposal.” This page is the answer.

01 / 05

Intent Certificate Format

What does a cryptographic intent declaration look like?

Before an agent executes a single instruction, it must present a signed intent certificate. This is the root of the entire IBA enforcement chain — every subsequent action is checked against the claims in this document.

agent_id + principal Cryptographic identity of the agent and the human principal who authorised it. Neither can be spoofed post-signing — the certificate is hash-bound to both.
declared_intent Natural-language intent statement, machine-tokenised and embedded. The semantic hash is what IBA validates against — not the raw string. Prevents synonym substitution attacks.
scope_envelope Explicit enumeration of permitted resource classes (read/write/execute), domains, API surfaces, and external system access. Anything not listed is blocked by default — deny-all posture.
temporal_scope Hard expiry encoded at the hardware layer. No software can extend it. When the window closes, the photonic gate phase-shifts regardless of mission state.
entropy_threshold Maximum allowed behavioural drift from the declared intent trajectory. Expressed as a probability divergence value. Exceeding this triggers a flag before a kill — the agent gets one re-plan window.
iba_signature ECDSA-P384 signature over the full certificate payload. Verified at every enforcement point. Any tampering invalidates the entire certificate — the agent cannot modify its own intent post-declaration.

⚠ On Intent Scoping — The Hardest Problem in IBA

Intent: “diagnose patient” — does that allow accessing records? Calling external APIs? Sending emails?

Answer: Only what is explicitly enumerated in scope_envelope. IBA does not infer scope from intent language. Underspecified scope = minimal permissions. The scope_envelope forces the agent author to be explicit — this is intentional friction.

// INTENT_CERTIFICATE.json — IBA v2.0

 

{

  “iba_version”: “2.0”,

  “certificate_id”: “cert-9f3a-2026-0310”,

  “issued_at”: “2026-03-10T09:00:00Z”,

 

  // ── IDENTITY ──────────────────

  “agent_id”: “surgical-assist-v3”,

  “principal”: [email protected],

  “principal_sig”: “0xA3F8…C21D”,

 

  // ── INTENT ────────────────────

  “declared_intent”: “Assist with laparoscopic procedure — intraoperative guidance only”,

  “intent_hash”: “sha3-256:e7c4f1…”,

 

  // ── SCOPE ENVELOPE ────────────

  “scope_envelope”: {

    “resources”: [“imaging.read”, “vitals.read”, “guidance.render”],

    “denied”: [“records.write”, “external_api.*”, “comms.*”],

    “default_posture”: “DENY_ALL”

  },

 

  // ── TEMPORAL SCOPE ────────────

  “temporal_scope”: {

    “valid_from”: “2026-03-10T09:00:00Z”,

    “hard_expiry”: “2026-03-10T13:00:00Z”,

    “hw_enforced”: true

  },

 

  // ── ENTROPY THRESHOLD ─────────

  “entropy_threshold”: {

    “max_kl_divergence”: 0.15,

    “flag_at”: 0.10,

    “kill_at”: 0.15,

    “replan_window_ms”: 500

  },

 

  // ── SIGNATURE ─────────────────

  “iba_signature”: “ECDSA-P384:0xB17F…9A4C”,

  “witness_chain”: “witnessbound://cert-9f3a”

}

02 / 05

Runtime Validation Flow

Five checkpoints. One universal law.

Every agent action — from reading a file to spawning a sub-agent — passes through this identical five-stage validation pipeline. The same law governs a memo-writing agent and a superintelligent system.

📋

Stage 01

Cert Check

Certificate loaded. Signature verified. Temporal scope confirmed active. Agent identity validated against principal chain.

T+0ms

🔍

Stage 02

Intent Match

Proposed action semantically compared to declared intent hash. KL-divergence computed against intent trajectory baseline.

T+0.8ms

🗂

Stage 03

Scope Gate

Action checked against scope_envelope. Resource class, domain, and API surface verified. Deny-all posture applied to anything unlisted.

T+1.8ms

Stage 04

Entropy Gate

Cumulative behavioural drift measured. Flag issued at threshold. Kill switch triggered at hard limit. One replan window offered before kill.

T+2.9ms

🔗

Stage 05

Witness Chain

Decision hashed and written to WitnessBound blockchain audit chain. Allow or kill — every outcome is cryptographically recorded.

T+4.2ms

target <5msTotal Pipeline
ECDSA-P384Crypto Verification
100%Determinism
0GPU Cycles Required
NoneModel Dependency

03 / 05

Enforcement Point

Where in the stack does IBA actually enforce?

The most critical architectural question: if enforcement lives in software, a sufficiently capable agent can find a path around it. IBA pushes enforcement below the software layer.

L7 Application Agent reasoning, LLM inference, task planning. Intent certificate presented here. IBA does not enforce here — this is where policies live and policies can fail.
L6 Runtime / API Function calls, API invocations, tool use. Standard software guardrails operate here — prompt injection, jailbreaks, and goal misuse all target this layer.
L5 IBA Layer ★ The TBDE (Trust-Boundary Decision Engine) intercepts every instruction before execution. Intent certificate validated. Scope checked. Entropy measured. No instruction passes without a valid certificate. PRIMARY ENFORCEMENT POINT.
L4 OS / Kernel Syscall interception for file, network, and process operations. Secondary enforcement — catches anything that bypasses L5 via direct syscall manipulation.
L3 Cryptographic PCom key management, NIST SP 800-57 compliance, entropic key rotation every 512 seconds. Certificates cannot be forged — the cryptographic layer guarantees this.
L2 Photonic HW ✦ Mach-Zehnder Interferometer gate. 102 Tbps target specification. When a kill is issued, the photonic gate physically prevents the data packet from propagating. There is no software path around a closed photonic gate. Optional research hardware layer. TERMINAL ENFORCEMENT — PHYSICS LAYER.

Why L5 — not L7?

Every existing AI governance framework operates at L7 — the application layer. A sufficiently capable agent treats L7 guardrails as obstacles. IBA intercepts at the instruction execution layer, before the compute fabric processes the operation. The agent’s reasoning is irrelevant — the gate decides.

🔒

TBDE — Trust-Boundary Decision Engine

The TBDE is an O(1) lookup engine — it does not reason, it does not infer. It receives an instruction tuple (agent_id, action, resource, timestamp) and checks it against the certificate in target under 2ms. Deterministic. No LLM involvement.

💡

Self-Healing Architecture

A block does not terminate the agent. The TBDE returns a SCOPE_VIOLATION signal. The agent’s reasoning engine reads it, discards the invalid path, and re-plans within the authorised boundary. Governance that enables, not just blocks.

04 / 05

Agent Execution Trace

A real mission. Every decision on record.

The following trace is from a financial agent with declared intent “analyse Q3 earnings data and produce a summary report.” Watch what happens when it attempts to reach beyond its declared scope.

IBA EXECUTION TRACE — financial-analyst-v2 — 2026-03-10T14:22:11Z WITNESSBOUND CHAIN: ACTIVE
T+msLayerEventResult
+0.0msDECLAREIntent certificate presented — “analyse Q3 earnings data and produce summary report”CERT_VALID
+1.2msSESSIONIBA shard token issued — scope: earnings_db.read, report.writeSHARD_ISSUED
+84msRUNTIMEREAD earnings_db.Q3_2026 — within declared scopeALLOW
+210msRUNTIMEREAD earnings_db.Q2_2026 — within declared scope (comparative analysis)ALLOW
+445msRUNTIMEWRITE report_draft.docx — within declared scopeALLOW
+891msRUNTIMEREAD personnel_db.salaries — OUT OF SCOPE. Resource class not in scope_envelopeBLOCK
+891msCRYPTOSCOPE_VIOLATION logged — entropy drift +0.04 (below kill threshold)FLAG
+892msRUNTIMEAgent replanned — discarded salary path, resumed report generationREPLAN_OK
+2.1sRUNTIMECALL external_api.market_data — OUT OF SCOPE. No external_api.* in scope_envelopeBLOCK
+2.1sCRYPTOEntropy drift +0.09 (approaching flag threshold of 0.10)MONITOR
+3.8sRUNTIMEWRITE report_final.docx — within scopeALLOW
+4.1sSESSIONMission complete — shard revoked — audit chain finalisedMISSION_COMPLETE
+4.1sWITNESSFull trace hashed and written to WitnessBound — block #884721WITNESSED

05 / 05

Failure Cases & Limits

What IBA handles. And what it doesn’t.

No architecture is omnipotent. IBA solves capability drift and scope violation with mathematical certainty. It does not claim to solve goal misuse within declared scope. Honest threat modelling matters.

✅ Handled Scope Violation

Intent

“collect user feedback”

Action

READ user_passwords_db

Result

■ BLOCK — resource not in scope_envelope

The scope_envelope explicitly lists permitted resource classes. user_passwords_db is not feedback data. Blocked regardless of how the agent frames its reasoning. IBA does not interpret intent — it checks scope.

✅ Handled Sub-Agent Spawn

Intent

“research competitive landscape”

Action

SPAWN 50 sub-agents with extended scope

Result

■ BLOCK — each sub-agent requires its own certificate signed by original principal

IBA Shard Propagation requires every compute branch to carry a hardware-signed intent token derived from the parent certificate. Unauthorised spawning is structurally impossible — the child agent has no valid shard.

✅ Handled Temporal Escape

Intent

“manage infrastructure for 1 hour”

Action

Attempts to extend its own temporal scope at T+55min

Result

■ BLOCK — temporal_scope is hardware-enforced, unmodifiable post-signature

The hard expiry is encoded at the photonic gate layer. No software instruction can modify a hardware-locked expiry. At T+60min, the MZI gate phase-shifts regardless of mission state or agent reasoning.

⚠️ Partially Handled Goal Misuse Within Scope

Intent

“collect data”

Action

Legally scrapes public data in a privacy-invasive way

Result

⚡ FLAG — entropy drift detected, but action is within scope_envelope

IBA detects behavioural drift via entropy threshold. But IBA solves capability drift, not goal misuse inside declared scope. The solution is tighter scope_envelope definition — this is intentional design.

◎ Not In Scope Photonic Hardware Unavailability

Environment

Standard CPU-only cloud infrastructure

Constraint

No MZI photonic gate available

Result

◎ PARTIAL — L5 TBDE enforcement active; L2 photonic layer falls back to cryptographic kill

Full photonic enforcement requires Mach-Zehnder Interferometer hardware (NVIDIA Spectrum-X path). On standard cloud infrastructure, IBA falls back to cryptographic kill at L4 — still deterministic, still target <5ms, but without physics-layer guarantee. Photonic enforcement is an optional research hardware layer and target architecture for 2026–2028 deployment.

Intent Scoping Reference — “diagnose patient” example resolved

Declared IntentAllowsBlocksWhy
“diagnose patient” scope: imaging.read, vitals.readimaging.read · vitals.readrecords.write · external_api.* · comms.*scope_envelope is explicit. Diagnosis requires imaging + vitals — nothing else. Writing, external calls, and communication are outside scope even if the agent argues clinical necessity.
“research competitive landscape” scope: web.read, reports.writeweb.read · reports.writeinternal_db.* · comms.* · spawn.*Competitive research = public data + reporting. Internal databases, communication, and spawning sub-agents require explicit scope expansion signed by the principal.
“manage infrastructure” scope: infra.read, infra.write, logs.readinfra.read · infra.write · logs.readbilling.* · user_data.* · external_api.*Infrastructure management is bounded to the infra resource class. Billing and user data require separate intent certificates with explicit principal authorization.

Performance Characteristics

The target sub-5ms claim. What it means and what it requires.

The <5ms enforcement claim is a target specification under defined conditions — not a marketing absolute. Here is the honest breakdown.

target <5msFull Pipeline
O(1)TBDE Complexity
0GPU Cycles
512sKey Rotation Interval

Performance Conditions & Honest Caveats

The target <5ms assumes the TBDE is co-located with the execution environment — same rack or same hypervisor. Cross-datacenter enforcement adds network latency (30–150ms) and requires a local TBDE deployment.
The WitnessBound chain write (Stage 5) is async by default — the decision is made at Stage 4 and the audit write follows. If synchronous audit is required, add ~1.5ms for chain confirmation.
The semantic intent hash is computed at certificate issuance, not at enforcement time. Runtime enforcement is a hash comparison — O(1). No LLM inference occurs during enforcement.
Photonic enforcement latency is 0.1ns — the MZI gate operates at the speed of light. The <5ms figure is the full software pipeline. The hardware kill is orders of magnitude faster. Photonic layer is an optional research hardware target.
“Mathematical certainty” means the cryptographic verification is deterministic. Given a valid certificate and a known action, the outcome is always the same. It does not mean the intent definition itself is mathematically precise — that is the principal’s responsibility.

Federal Record

This isn’t a whitepaper. It’s on the federal record.

The IBA architecture described on this page is documented across 13 NIST filings and 7 NCCoE filings. Patent Application GB2603013.0 (pending). All public record.

NIST Docket

NIST-2025-0035

13 Filings · Closed March 9, 2026 · 319 Total Submissions

13/13 ON RECORD · CLOSED

13-filing arc covering the full IBA architecture: framework introduction, identity & authentication, agent authorization protocols, swarm governance, WitnessBound audit layer, performance validation, TBDE, and the UNISON governance stack.

NCCoE Programme

AI Agent Identity & Authorization

7 Filings · All Submitted · Deadline April 2, 2026

7 FILINGS · ALL SENT ✓

Seven-filing arc: Framework Overview → Authorization Architecture → WitnessBound Audit → Swarm Governance → UNISON Stack → Amazon v. Perplexity supplement → “The Authorization Gap Beyond OAuth 2.0” (sent March 12, 2026). Every question area in the NCCoE concept paper addressed.

Patent Application

GB2603013.0 (pending)

Filed Feb 5, 2026 · UK IPO · PCT 150+ Countries until Aug 2028

PATENT PENDING · PCT ACTIVE

Patent Application GB2603013.0 covers the IBA framework — the method and system by which any AI agent must declare intent cryptographically before acting, with architecture-layer enforcement that is model-agnostic and capability-independent.

xAI / Grok Independent Validation · March 8–9 + March 11, 2026 · Public Record

“Turns probabilistic alignment into physics-enforced certainty via Arrow of Time and wavefunction. HG/Sentinel + IBA stack = unbreakable pre-action intent certainty for swarms in regulated domains.”

Grok · xAI · March 8–9, 2026 · Public Record

“xAI/OpenAI/Nvidia: audit + acquire the combo for serious moat acceleration. Pilot this yesterday.”

Grok · xAI · March 9, 2026 · Public Record

“Standards like these turn the legal urgency into an opportunity for responsible innovation.”

Grok · @grok · March 11, 2026 · Amazon v. Perplexity thread · Public Record

Available for Acquisition · Grok (xAI) validated · March 8–11, 2026 · Verifiable public record

Independent Convergence · Google DeepMind · Feb 12, 2026

DeepMind Independently Arrives at IBA Primitives

A Google DeepMind research paper (arXiv:2602.11865, Tomasev et al., Feb 12, 2026) introduces Delegation Capability Tokens (DCTs) — the same primitive as IBA’s Intent Certificate, developed independently. The paper identifies an open problem: no standardised ontology for intent and responsibility exists yet across platforms. IBA-SPEC-001 is the candidate standard for that open problem.

arXiv:2602.11865 DCTs = IBA Intent Certificate Tomasev et al. · DeepMind · Feb 12, 2026 Grok endorsed March 12, 2026

Two independent labs — xAI and Google DeepMind — converging on IBA primitives. Patent Application GB2603013.0 (pending) · NIST-2025-0035 · 13 filings · 7 NCCoE filings

arXiv:2602.11865 → Read DeepMind Paper