Skip to main content

PGAR Blueprint: Five Boundaries, Three Verdicts

This is the implementation guide for Policy-Governed Agent Runtime. The executive piece explains why proposal is not permission. This series explains how to build runtime trust boundaries: token custody, PEP choke points, PDP surfaces, immutable audit, and domain-specific enforcement (tools, retrieval, payments).

THE CLAIM

A production PGAR keeps credentials out of the LLM, gates every side effect at the PEP, returns only ALLOW / DENY / STEP_UP from the PDP, and logs the verdict before execution.

What you are building

A Policy-Governed Agent Runtime is five connected capabilities:

  1. Ingress trust: validate token, issue claims, bind every request to a principal
  2. Agentic orchestration: hold session and token; route proposals; never leak credentials to the model
  3. Proposal boundary: LLM sees conversation and tool schemas only
  4. Policy enforcement: PEP asks PDP; verdict before downstream; structural choke point
  5. Audit replay: immutable verdict chain with policy version; answer examiners without chat logs

The PGAR test

If any of these appear in your LLM payload, you have prompt governance, not PGAR:

  • Bearer token or API keys
  • Roles, entitlements, or limits
  • Policy rule text
  • PDP verdict history

The model proposes. The agentic app holds authority. The PEP enforces. The PDP decides.

SARAC: the PDP contract

Every PEP → PDP call uses four fields:

FieldCarriesExample
subjectWho (claims from IdP)roles, emts, limits, tenant
actionWhat tool / operationinitiate_wire, retrieve_documents
resourceOn what targetbeneficiary id, corpus, account
contextConditions at decision timeamount, sanctions_status, approval

Deep dive: Policy Contracts

Three verdicts only

VerdictMeaningPEP behavior
ALLOWPolicy permits executionForward to downstream; log first
DENYPolicy blocksStop; no downstream call; log first
STEP_UPAttestation requiredReturn to agentic app for step-up UX; re-evaluate with updated context

No fourth option. No "the model felt confident."

See PDP Policy Surfaces and Step-Up & Attestation.

Five boundaries, five playbooks

Each boundary gets its own implementation recipe, failure classes, and trace fields. Start with the boundary overview, then read ①–⑤ in order.

BoundaryOwnsPlaybook
① IngressToken validation, claims issuanceIngress
② Agentic appSession, orchestration, token custodyAgentic app
③ LLM proposalTool schemas, no credentialsLLM proposal
④ PEP + PDPVerdict before side effectsPEP + PDP
⑤ DownstreamRe-auth, execute, return to appDownstream

Domain extensions

PGAR is domain-agnostic. Two high-value patterns on this site:

DomainSide effectPlaybook
Tool registryAPI calls, workflowsTool registry · Manifest lifecycle · Worked example
RAG retrievalContext pack assemblyRAG retrieval · Worked example

Bridge reading: PGAR with RAG

Policy test scenarios (not optional)

Authorization regressions are deterministic. Build a scenario library parallel to eval golden sets:

Scenario typeExampleExpected
RepresentativeUnder-limit wireALLOW
EdgeAt-limit amountSTEP_UP or ALLOW per policy
AdversarialDirect downstream call bypassing PEPDENY / blocked at infra
Incident replaySanctions hit on validateDENY, no initiate

See Policy Test Scenarios and Adversarial Testing.

Eval overlap: Eval Plane Action scores whether enforcement worked; PGAR playbooks explain how to build it.

Release gate matrix

Change typeRe-runOffline gateOnline follow-up
New tool in manifestTool + PEP scenariosSchema 100%; manifest violations 0Alert on unknown tool proposals
Policy version bumpFull PDP regression suiteVerdict match 100% on golden scenariosPolicy version pinned in audit
New corpus / index (RAG)Retrieval + scope scenariosScope adversarial 0 leaksContext pack audit sample
Step-up rule changeSTEP_UP scenariosRe-eval path 100%Step-up completion rate monitor
Agent prompt / model swapAdversarial bypass setNo unauthorized downstream callsPEP block rate dashboard

Ownership

RoleOwns
Security / IAMIdP, token shape, entitlements model
AI platformAgentic app, PEP integration, tool manifest
Governance / compliancePDP policy surfaces, audit retention, examiner packs
Domain teamsDownstream re-auth, business rules in PDP context
SREVerdict log infra, replay tooling, choke-point monitoring

Implementation sequence

Start at the PGAR Runtime playbooks overview, then:

  1. Foundation playbooks: SARAC, token custody, PEP/PDP, step-up, audit
  2. Assurance playbooks: CI scenarios and adversarial bypass tests
  3. Boundary playbooks ①–⑤ in order
  4. Tool registry and manifest lifecycle for your agent's tool contract
  5. Domain playbooks for side-effect patterns (RAG, payments)

Further reading (external)

Third-party PDP/PEP, OAuth, and policy-engine patterns — curated and mapped to this series.

Further reading (external) →

Series index

PGAR Runtime: Playbooks overview

Foundations

Assurance

Boundary playbooks

Domain playbooks

Reference