Five pillars. Structured as a layered stack.
An architecture for autonomous systems cannot rely on application-layer cooperation. If an unadapted or hostile agent loop can bypass a framework SDK or an API gateway, the governance model collapses.
cogward is structured as a bottom-up, self-contained execution stack. Runtime Control is the foundational layer. Every identity mapping, lifecycle directive, audit record, and behavioral signal is enforced by that boundary.
Availability legend
- Phase 1: Deployable today with design partners.
- Next: Production governance and promotion depth.
- Later: Agent lifecycle, lineage, policy sandbox, and deployment maturity.
- Vision: Long-running autonomous operations and managed deployment options.
cogward governs access to tools, data, memory, knowledge, and skills. It does not replace those systems.
Runtime Control is the secure, bypass-resistant environment where execution occurs. It establishes boundary isolation across four planes simultaneously: network egress, filesystem access, machine identity, and tool API proxying. Agent workloads are contained within this boundary regardless of whether they use a supported adapter or operate as black-box workloads.
Execution Identity assigns every autonomous workload a unique cryptographic machine identity bound to its registered autonomy class. Dual attribution maps the active software instance to the authenticated human principal whose authority was delegated, before computation begins.
Lifecycle Authority manages operational lifecycle states via an event-sourced, durable execution environment. Administrative commands (start, suspend, drain, terminate) are handled as infrastructure operations. Throttles, circuit breakers, and kill-switch configurations act as resource barriers rather than advisory application-layer flags.
Audit-Grade Evidence writes the tamper-evident records of the estate. It ingests state signals from Lifecycle Authority and attributions from Execution Identity, appending them to a hash-chained ledger. Sensitive data payloads are stripped inline and replaced with cryptographic classification references.
Telemetry is transformed into actionable intelligence at the top of the identity-attributed stack. Estate intelligence reads from the events journal and the audit ledger, analysing execution histories, tool call sequences, and goal completion patterns — operating entirely on structured metadata and behavioural signals, not on content payloads. Tool call sequences are tracked as metadata: which tool was called, in which order, at what latency — not what the tool returned. Goal achievement is calculated from declared goal types and structured outcome signals registered in the agent manifest, not from the semantic content of agent responses. The privacy-preserving design principle and the intelligence layer operate on different planes: one governs what is stored about content; the other analyses what happened structurally. For air-gapped environments, updated behavioral signatures are distributed as versioned models, identifying anomalies locally.
Everything else — knowledge, memory, skills, gateways, evaluation, agent development frameworks — organises around these five because it depends on them. A memory store without runtime control cannot enforce tenant isolation. A registry without execution identity cannot attribute action. An auditor without audit-grade evidence cannot verify a compliance claim. The dependency flows toward the runtime.
Not owned by cogward
- organizational knowledge systems
- vector databases
- model providers
- skill marketplaces
- generic observability platforms
- enterprise connector catalogs
cogward governs how agents access them and records what happened.
Each layer depends on the layers below it. Layer 1 is the execution boundary; Layer 5 is the analytical surface. Removing any layer breaks the governance guarantee because every higher-level signal is anchored to the lower-level boundary beneath it.
- Runtime Control: The secure, bypass-resistant environment where execution occurs.
- Execution Identity: Accountability established before computation begins.
- Lifecycle Authority: Operational lifecycle states as infrastructure operations.
- Audit-Grade Evidence: Tamper-evident records of the agent estate.
- Estate Intelligence: Behavioral analysis from the identity-attributed stack.
Next: production governance depth. Later: intelligence, lineage, and deployment maturity.
Standard industry protocols composed into a deterministic control plane.
cogward composes open primitives into the five-pillar stack rather than inventing proprietary control surfaces. The implementation boundary stays deterministic: standards handle integration, while the Runtime Control envelope enforces the result.
Layer 1 Runtime Control boundary.
Implemented via native Kubernetes security mechanisms—including Namespaces, NetworkPolicies, and ResourceQuotas—to enforce absolute process sandboxing at the Layer 1 Runtime Control boundary.
The plane includes a durable execution layer as a first-class component. Durable execution means: agent sessions persist across infrastructure restarts, accumulated memory and context survive pod failures, long-running workflows can be suspended and resumed at any checkpoint, and every state transition is event-sourced and replayable. These properties are required for governed agent operation — without them, the kill switch and the audit record cannot be complete.
How this interacts with agent frameworks: LangGraph, Pydantic AI, AutoGen, and other frameworks keep their native development model. The framework adapter intercepts tool calls at the boundary and injects execution context — it does not replace the framework's state management. Your agent code runs as-is inside the durable execution envelope. The adapter gives the plane visibility into every tool call and the context it needs for governance, identity, and audit.
For platform teams with existing workflow orchestration infrastructure: cogward's durable execution layer handles agent sessions. It is designed to coexist with existing distributed systems infrastructure rather than replace it. The governance and evidence layer above it — identity, lifecycle authority, audit-grade evidence, estate intelligence — is what cogward provides. The durable execution component enables those capabilities; it is not the product.
Layer 2 Execution Identity.
Powered by corporate Identity Providers (Okta, Entra ID) utilizing standard OAuth 2.1 delegation architecture and custom OIDC tokens to secure Layer 2 Execution Identity.
The adapter contract remains narrow by design: tool call interception and context propagation. Identity and accountability remain with the stack boundary, not with framework cooperation.
Supported framework adapters continue to use the open-source adapter interface specification.
Single synchronous validation interface.
Managed via standard Model Context Protocol (MCP) gateway proxying, forcing all external API integrations and tool requests through a single, synchronous validation interface.
Dual-attributed telemetry into existing enterprise systems.
Structured around the open Agent Observability Standard (AOS) and OpenTelemetry (OTel) semantic conventions, outputting dual-attributed telemetry directly into your existing enterprise SIEM infrastructure (Splunk, Sentinel).
The audit log remains the compliance artifact: hash-chained, append-only, tamper-evident, and privacy-preserving.
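The hash-chained, payload-stripped ledger described here and under Audit-Grade Evidence can be sketched as follows. This is an added example, not cogward's code: the field names, the HMAC-based classification reference, the key and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" used by the first record

def digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def classification_ref(payload: bytes, label: str, key: bytes) -> dict:
    # Store a label plus a keyed digest instead of the payload. HMAC rather
    # than a bare hash, so low-entropy payloads cannot be recovered by guessing.
    return {"class": label, "ref": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def append(ledger, agent_id, principal, event, payload, label, key):
    # Dual attribution: the workload identity and the delegating human principal.
    body = {
        "seq": len(ledger),
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
        "agent_id": agent_id,
        "principal": principal,
        "event": event,
        "payload": classification_ref(payload, label, key),
    }
    ledger.append(dict(body, hash=digest(body)))
    return ledger[-1]

def verify(ledger) -> int:
    # Return the index of the first record that breaks the chain, or -1.
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def build_sample():
    # Constructed sample records; the key is a demo value, not a real secret.
    key, ledger = b"demo-key-not-a-secret", []
    append(ledger, "agent-7", "alice@example.com", "start", b"", "NONE", key)
    append(ledger, "agent-7", "alice@example.com", "tool_call",
           b"card=4111111111111111", "PCI", key)
    append(ledger, "agent-7", "alice@example.com", "terminate", b"", "NONE", key)
    return ledger
```

A chain like this detects edits and reordering, but not removal of the most recent records; detecting truncation requires anchoring the latest hash somewhere outside the ledger.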
Asynchronous decoupling: cogward splits execution streams to separate the policy enforcement path from the evidence assembly path. The Runtime Control plane evaluates policy thresholds synchronously at the execution boundary. Audit record assembly and behavioral analysis are offloaded to an asynchronous background queue, keeping the enforcement path latency-free.