APR-Series × A2AS: A Governance Architecture for Agentic AI Runtime Security

The A2AS framework (Agentic AI Runtime Security and Self-Defense, v1.0, September 2025) introduces a runtime security layer for AI agents and LLM-powered applications, anchored in the BASIC security model: Behavior certificates, Authenticated prompts, Security boundaries, In-context defenses, and Codified policies. A2AS correctly identifies the enforcement problem — how to secure what an agent does at runtime — and proposes concrete mechanisms for doing so. This note proposes the governance architecture that sits above and scopes that enforcement plane. The APR-Series substrate governance framework, developed and timestamped independently across a Zenodo corpus beginning in 2025, defines five substrate-level invariants. These invariants are not controls. They are the conditions that must hold across the full operational lifecycle of an agentic system for any runtime control — including A2AS controls — to be meaningful. This note establishes a precise technical mapping between A2AS enforcement mechanisms and APR-Series governance invariants, proposes a module-level binding architecture, defines a reusable visual grammar for substrate-governed agentic systems, and positions the two frameworks as complementary layers of a complete agentic AI governance stack. A2AS without APR-Series is enforcement without governance. APR-Series without A2AS is governance without an enforcement plane. Together they form the first complete substrate-to-runtime governance stack for agentic AI systems.