Assured Intelligence Systems: A Governed Architecture for Persistent Tool-Using Agents

Journal Article · Joshua K. Cliff, 2026 · 33 pages · 9 sections · 1 appendix · 23 formal results · CC BY 4.0 Persistent tool-using agents require governance semantics over consequential state transitions, not outputs alone. This paper presents Assured Intelligence Systems (AIS), a formal architecture that separates representation, memory, planning, action, governance, verification, release, and self-edit into typed layers governed by a single non-compensatory admissibility relation over support, policy, verification, and recovery. The core mechanism is conjunctive admissibility: every consequential transition must clear four independent burdens — evidentiary support, policy authorization, verification reconstructibility, and recovery availability — before it may proceed. No burden can compensate for another. This non-compensatory gate structure is what distinguishes AIS from approval hooks, output filters, and weighted safety scores. The architecture introduces route-qualified state (operating mode as formal governance state, not metadata), explicit control surfaces at the boundaries where internal possibility meets external consequence, typed receipts with replay and recovery handles for every consequential transition, consequence-scaled assurance profiles that adjust governance strictness based on harm potential and irreversibility, and a conservative compiled admission kernel for bounded-time runtime governance. For side-effecting tools — database writes, API calls, file mutations — the control plane requires execution-closure semantics: every write-capable commit must resolve to exactly one governed terminal state (sealed, compensated, quarantined, or failed-before-effect), carry idempotency binding for duplicate-effect suppression, bind authorized preconditions for stale-approval rejection, track lineage parents for descendant-closure rollback, and where consequence warrants it, carry attestation-bearing release with an external trust anchor. The paper establishes 23 formal results across three classes. Structural contract results (governed admissibility preservation, no-bypass execution, surface completeness, route legality, receipt completeness, consequence-scaled admissibility monotonicity, conservativeness of the compiled admission kernel) hold by construction when the architecture is instantiated. Robustness and composition results (planning-layer invariance, receipt-chain completeness, composed bypass-freedom, governed-learning preservation, anomaly-implies-future-support-burden violation, adaptive-threshold stability) hold under stated premises about estimator fidelity, delegation well-formedness, and coherence geometry. Operational-architecture results specify evaluation, deployment, rollback, attestation, and self-edit obligations for any instantiated program. The architecture maps onto current LLM-based agent systems through a unified failure atlas (seven core failure classes plus execution-integrity refinements) and includes a concrete operational embedding sketch showing where AIS objects attach to the Model Context Protocol (MCP). This is a self-contained journal-form article derived from the broader AIS monograph (doi:10.5281/zenodo.19324243). It reorganizes the material around control-plane semantics and operational governance for the agent-governance literature while preserving the same claim boundary. The contribution is architectural and formal: no deployment validation, runtime benchmarking, or production-readiness claim is made. The monograph remains the expanded book-form reference.