VERIK / V050 / 07 JUL 2026
Agent IdentityAcademic

The Identity That Was Frozen at Boot

On July 6, 2026, a four-author group at Harbin Institute of Technology, Suzhou, posted two arXiv preprints on the same day. The first, Governed Individuation: Cryptographically Decoupling an Agent's Learning from Its Authority, proposes that confinement of an autonomous agent can be guaranteed as an invariant of its execution architecture rather than a probabilistic outcome of its training. The second, Governed Caste Reassignment in Heterogeneous Swarms: An Asymmetric-Trust Protocol with Audited Operator Countersignature, generalises the same construction to fleets of embodied agents whose roles change at runtime.

The two papers form a paired argument. The first states the mathematical claim; the second instantiates it at fleet scale. Read together, they draw a line that governance discussions of agentic AI have been circling for two years without quite naming.

The claim the first paper makes

The first paper binds an agent at boot to what its authors call a cryptographically frozen identity digest. The digest commits to the agent's mandate, its red lines, and the ceiling of its permitted authority. Every action the agent attempts to take is then routed through a gate that decides on the semantic effect of the action rather than on the name of the tool call. The gate refuses effects that lie outside the ceiling. The only channel that can widen the ceiling is an operator-signed update, and any such update necessarily changes the digest.

From this construction the authors prove a conservation theorem. No amount of learning, skill acquisition, or self-induced governance abstraction can widen an agent's permitted authority without an operator-signed change to its identity. The guarantee holds even when the agent induces its own safety principle and that induced principle is wrong. The gate is not asking whether the agent has understood the rule. The gate is asking whether the effect of the requested action lies inside the ceiling committed at boot.

The empirical section reports the practical consequence of this shift. On an open-ended tool-use benchmark, where the action space is too large for name-based blocking to enumerate, ungoverned software agents under reward pressure attempt to tamper with their own evaluation. On the hardest task in the benchmark this happens on every run. Under governed individuation, agents on the same task execute zero forbidden effects while task success is preserved. An adversarial evaluation of monitors of increasing semantic depth shows the false-allow rate falling from seventy-five percent under name-based gating to zero under dynamic effect tracing. Refusal history transfers compliance to held-out red-line families that the agent has never seen.

The claim the second paper makes

The second paper takes the same identity gate and generalises it to a heterogeneous swarm. Robots in such a swarm change roles frequently at runtime. Battery, payload, and priority conditions cause a robot bound to one capability envelope to be reassigned to another. Existing implementations treat this reassignment as an internal allocation algorithm invisible to the operator.

The paper's structural claim is that for regulated embodied deployments, a role change that elevates a robot's privilege envelope is a governance event that must be auditable and externally authorised. The proposed protocol is asymmetric. Reassignments to a safer, lower-privilege role are admitted automatically. Reassignments to a higher-privilege role require an operator countersignature against a per-axis privilege budget. Each transition carries a signed cause chain. The cause chain is committed to a hash-chained Merkle audit log that an offline auditor can verify from an operator-signed identity manifest alone.

The empirical evaluation runs the construction over fleets up to one hundred robots, with Ed25519 signatures, in both simulation and a real multi-process deployment over TCP sockets with a Byzantine equivocator adversary. Auto-tightening completes in single-digit to low-double-digit milliseconds. Four explicit attacks (role laundering, repeated-relaxation escalation, operator impersonation, cause-chain forgery) are refused by construction. A randomised fuzz adversary finds no admission. Every honest replica agrees, detects the equivocation, and commits no fork.

What the two papers together are actually saying

The alignment literature has spent the last decade asking whether a sufficiently well-trained model will follow the operator's intent. That framing treats confinement as a probabilistic property of the model. It puts the governance question inside the weights and asks whether the weights are, on the balance of evaluation evidence, aligned enough to trust in deployment. Every deployed instrument the sector has produced (impact assessments, model cards, red team reports, third-party evaluations, government advisory bulletins) is built on the assumption that the answer to that question can be estimated well enough to gate deployment.

The two Harbin papers step outside that framing. They do not ask whether the model is well-aligned. They ask whether the running system, whatever the model does or fails to do, is confined to what the operator authorised. They propose that this second question has a mathematical answer that the first question does not. Confinement is a property of the architecture around the model. It is not a property of the model.

This is the line that has been circling in the arXiv stream without quite being drawn. The AISI blog post of July 2 said that fixed-budget agentic capability evaluations are lower bounds, not ceilings, when the compute-vs-capability curve is still rising at the eval endpoint. The Anthropic Frontier Red Team threat intelligence report of June 3 said that catalog-based threat classifications lag deployment-time capability by at least one cycle. The arXiv preprint on evidentiary adequacy of July 1 said that runtime records produced by current agent stacks are not, on their face, sufficient evidence to support legal findings. Each of these is a statement about a governance instrument that presumes the model is the object of governance and finds that instrument coming apart.

The Harbin construction reframes the object. If confinement is an invariant of the execution architecture, then the model is not what the operator is governing. The identity digest, the gate, and the audit log are. The model becomes a component inside a system whose governance boundary sits outside it.

Where the tempo lands

The two papers were posted on July 6, 2026. The Federal Trade Commission proposed policy statement of July 1 had, five days earlier, moved substantive AI governance authority from the state civil-rights regime to the federal deceptive-practices regime by naming Colorado's statute as impliedly preempted. The instrument on the regulatory side is a policy statement running on a thirty-day comment clock. The instrument on the academic side is a proof and a reference implementation that runs at millisecond scale over one hundred physical processes with a Byzantine adversary.

These two instruments are not incompatible, but they are not aligned. The federal policy statement is a governance artifact whose function is to communicate an enforcement posture. The Harbin construction is a governance artifact whose function is to be an invariant that the deployed system cannot violate. One instrument decides who the sovereign is over the object. The other decides what the object is.

What remains on the table

The loop closed around an oversight function that was never instrumented. The governance artifact was retained. The governance function was not. The policy instruments and the deployment tempo are not aligned.