TRACE: Trusted Runtime for Autonomous Containment and Evidence

Autonomous AI agents increasingly take actions against external systems in environments where mistakes are costly and where post-hoc logs are insufficient for governance. We introduce TRACE (Trusted Runtime for Autonomous Containment and Evidence), a governance-first execution framework that treats the execution agent as untrusted and derives assurance from infrastructure mediation rather than model behavior. TRACE executes each operation under a cryptographically signed policy bundle that pinpoints tool definitions and encodes authorization boundaries, constraints, tripwire predicates, isolation-tier selection, and success criteria. An Interface Gateway enforces complete mediation for all boundary-crossing actions, while independent boundary instrumentation (Y) provides telemetry that deterministic tripwires evaluate to trigger graduated containment levels (L0–L5) and fail-closed halts. TRACE produces a hash-chained, signed evidence log anchored with RFC 3161 timestamps, enabling audit reconstruction and post-incident forensics. We specify ten assurance properties, their dependencies on explicit deployment assumptions, and the corresponding proof obligations for mediation and evidence invariants. To make enforcement auditable without access to model internals, TRACE defines LLM-specific tripwire metrics for repetition (ARI), post-response divergence (PRDS), and plan-trajectory deviation (TMD), and provides an enumerable formal model of the containment finite-state machine. TRACE is presented as an architecture and specification; a research-grade skeleton reference implementation of core algorithms is released alongside this preprint, while full production implementation and empirical validation remain future work.