Governing an LLM agent at runtime requires identity-bound, cryptographically verifiable human authorisation to resolve persistent halt states. The deployment question that remained open is: how does the governance stack reach an agent without modifying the agent's code? We answer this question by positioning the governance stack at the Model Context Protocol (MCP) layer. We introduce the MCP Governance Proxy, a stateful protocol-layer governance control plane that intercepts tool calls between any MCP-compatible agent client and any MCP server, applying the P7–P8 governance stack (IML + RAM + Recovery Loop + APB) transparently. No modification to the agent client or server is required; the proxy is a drop-in addition to the deployment topology. This positions governance at the protocol boundary rather than inside the agent — the same architectural move that service meshes make for microservice traffic and that zero-trust gateways make for API calls. We prove three theorems. Transparency Invariance (T9.1) establishes that on the non-halt path the proxy is observationally equivalent to a direct connection: the agent's tool-call results are unchanged. Halt Latency Bound (T9.2) establishes that a governance event at the proxy propagates a halt signal to the agent within a latency bounded by Δ_net + Δ_verify + Δ_policy, all of which are small relative to LLM inference times. Multi-Hop Authority Propagation (T9.3) establishes that in Agent-to-Agent (A2A) delegation chains, when a sub-agent's tool call triggers a governance event, the required APB has well-defined binding semantics: the accountable principal is the one registered for the originating agent, and the delegation chain is recorded in the evidence block. We validate the construction through five experiments. E1 (latency overhead): 10,000 governed tool calls; the O(1) windowed IML monitor achieves a P95 overhead of 51.8 µs, well below the 10 ms T9.1 gate.
E2 (real-agent APB, 5 seeds × 200 steps): 310 HALT events with 100% APB validity; T9.1 holds. E3 (multi-hop A2A, depths 1–5): 334 HALT events across all depths, 100% originator binding; T9.3 holds for all chain lengths. E4 (concurrency): N ∈ {1, 4, 16, 64} threads, 0 exceptions, 100% APB validity; true-parallel process mode validated up to N=16. E5 (security adversarial suite): five attack vectors (wrong-key signing, evidence tampering, replay, revoked-principal, authority substitution); adversary success rate = 0%. This is Paper 9 of the Agent Governance Series (P0–P9). Phase I (P0–P7) established a formally verified governance stack. Phase II (P8–P9) addresses governance of governance: who authorises, and how does governance reach any agent without modifying it. P9 closes the deployment gap identified in P7 §13 and P8 §10.
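
The five rejection cases listed for E5, shown as an added example (not code from the paper or its author): a minimal verifier for a signed human-authorisation block that binds to the principal registered for the originating agent. The block fields, registry names and keys are assumptions, and HMAC-SHA256 from the Python standard library stands in for whatever signature scheme the paper uses.

```python
import hashlib, hmac, json

# Constructed sample registry; every name and key here is hypothetical.
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
REGISTERED = {"agent-A": "alice", "agent-C": "carol"}  # originating agent -> principal
REVOKED = {"carol"}

def _canon(obj):
    """Canonical byte encoding so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True).encode()

def sign_block(principal, key, agent, evidence, nonce):
    """Build an authorisation block; HMAC stands in for a real signature."""
    body = {"principal": principal, "agent": agent, "nonce": nonce,
            "evidence_hash": hashlib.sha256(_canon(evidence)).hexdigest()}
    return {**body, "sig": hmac.new(key, _canon(body), hashlib.sha256).hexdigest()}

class Verifier:
    def __init__(self, keys, registered, revoked):
        self.keys, self.registered, self.revoked = keys, registered, revoked
        self.seen = set()  # nonces already consumed (replay defence)

    def verify(self, block, evidence):
        """Return "ok" or the reason the block is rejected."""
        principal = block.get("principal")
        key = self.keys.get(principal)
        if key is None:
            return "unknown-principal"
        if principal in self.revoked:
            return "revoked-principal"
        # Bind to the principal registered for the originating agent.
        if self.registered.get(block.get("agent")) != principal:
            return "authority-substitution"
        body = {k: v for k, v in block.items() if k != "sig"}
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(block.get("sig", ""))):
            return "bad-signature"
        if block.get("evidence_hash") != hashlib.sha256(_canon(evidence)).hexdigest():
            return "evidence-tampered"
        nonce = block.get("nonce")
        if nonce in self.seen:
            return "replay"
        self.seen.add(nonce)  # consume the nonce only after every check passes
        return "ok"
```

The nonce is consumed only after all other checks pass, so a rejected block cannot be used to burn a legitimate principal's nonce.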
Marcelo Patricio Fernandez
Smile Train
Marcelo Patricio Fernandez (Fri,) studied this question.
www.synapsesocial.com/papers/6a095c3f7880e6d24efe24d2 — DOI: https://doi.org/10.5281/zenodo.20162877