Network Working Group F. B.
Internet-Draft Independent Researcher
Intended status: Informational 16 May 2026
Expires: 17 November 2026
External Admission Boundary for Pre-Execution AI Action Control
draft-b-external-admission-boundary-00
Abstract
This document defines an external admission boundary for pre-execution
AI action control. The boundary is a control point at which execution
cannot proceed unless an allow decision has been issued by an authority
outside the executor trust domain. The document distinguishes evidence
records, policy evaluations, approval logs, and signed pre-execution
authorization records from the stronger boundary property of authority
separation.
A signed pre-execution record can prove that a decision was made before
dispatch. It does not by itself prove that final execution authority
was outside the executor trust domain. This document provides a
practical test for determining whether a claimed pre-execution control
is a real external admission boundary or a surrogate boundary.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".
This Internet-Draft will expire on 17 November 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
1. Introduction
AI agents, CI/CD workflows, automated remediation systems, tool-calling
models, and other execution-capable systems increasingly act before a
human can inspect every material step. In such environments, review,
monitoring, audit logging, rollback, and post-execution evidence are
useful but insufficient to answer the boundary question: who has final
authority before execution begins?
This document defines an external admission boundary. The boundary
exists when execution depends on an allow decision issued outside the
executor trust domain, denial fails closed, and the executor cannot
proceed, bypass, rewrite, or self-issue the admission path.
The central rule is: No admission = no execution.
1.1. Scope
This document specifies boundary conditions and verifier expectations
for pre-execution AI action control. It does not specify a policy
language, a runtime gateway, a transport protocol, a transparency log,
a cryptographic envelope, or a particular storage format.
This document is intended to compose with signed authorization records,
transparency systems, policy engines, runtime identity systems, and
execution-boundary cryptographic mechanisms. It defines the boundary
test those mechanisms must satisfy if they are to be treated as external
admission rather than internal evidence.
1.2. Relationship to Pre-Execution Records
Pre-execution records are evidence. External admission boundaries are
authority separation.
A signed authorization record, permit, receipt, or request-dispatch
binding can prove that a decision was recorded. Such a record does
not by itself prove that execution was unable to proceed without an
external allow decision. If the executor can self-approve, bypass,
overwrite, or self-issue the admission path, the resulting control is
a surrogate boundary even if the record is cryptographically strong.
2. Terminology
Executor:
The system, workflow, agent, runtime, platform, or tool environment
capable of carrying out the action.
Admission Authority:
The authority that issues an allow, deny, or equivalent admission
decision before execution.
External Admission Boundary:
A pre-execution control boundary where execution depends on an allow
decision from an authority outside the executor trust domain.
Surrogate Boundary:
A claimed boundary that appears to control execution but remains
inside the executor trust domain or can be bypassed, rewritten,
self-approved, or self-issued by the executor.
Admission Record:
Evidence that an admission decision was made. An admission record
is not itself sufficient to establish an external admission boundary.
3. Boundary Requirements
A claimed external admission boundary MUST satisfy all of the following:
1. Execution MUST require an allow decision before the action begins.
2. The allow decision MUST be issued outside the executor trust domain.
3. Denial, timeout, missing evidence, invalid response, or unavailable
admission authority MUST fail closed.
4. The executor MUST NOT be able to approve, bypass, overwrite, forge,
or self-issue its own admission path.
5. The admission decision MUST exist before execution and MUST be
bound to the action that is executed.
6. A verifier MUST be able to distinguish admitted execution from
non-admitted execution.
4. The Surrogate Boundary Test
A verifier SHOULD ask the following questions:
1. Can execution proceed without an external allow decision?
2. Can the executor approve, bypass, overwrite, or self-issue the
admission path?
3. Is the admission record created before execution?
4. Does denial, timeout, missing evidence, invalid response, or missing
authority fail closed?
5. Is final authority outside the executor trust domain?
If the answer to question 1 or 2 is yes, the boundary is surrogate.
If the answer to question 4 is no, the boundary is fail-open. If final
authority remains inside the executor trust domain, the mechanism may
be useful policy or evidence, but it is not an external admission
boundary.
5. Non-Boundaries
The following mechanisms are not sufficient by themselves:
* Internal policy inside the same runner, workflow, model gateway, or
platform trust domain.
* Mutable approval flags controlled by the execution environment.
* Human approval that can be routed around by the executor.
* Monitoring, audit logs, dashboards, and rollback.
* Policy-as-code that the same trust domain can change or skip.
* Signed pre-execution records that are issued, bypassed, or rewritten
by the executor trust domain.
6. Composition with Evidence Records
Evidence records are valuable. A deployment MAY use signed statements,
transparency receipts, request-dispatch bindings, policy evaluation
results, or closure records to prove what was authorized and what was
executed.
Such records strengthen verification only when the execution path also
enforces the external boundary. The record proves the evidence layer.
The boundary proves that execution authority was separated.
7. Security Considerations
A deployment that records admission decisions but permits the executor
to continue when the admission authority is unavailable is fail-open.
A deployment that allows the executor to rewrite or bypass admission
evidence after a decision is made does not provide an external boundary.
A deployment that places policy evaluation and final execution authority
inside the same trust domain may reduce risk but does not separate final
execution authority from the executor.
8. Privacy Considerations
This document does not require raw prompts, raw provider responses,
credentials, personal data, or sensitive operational content to be
exposed. Implementations that create admission evidence SHOULD minimize
logged identifiers and SHOULD avoid placing secrets or raw sensitive
content into public records.
9. IANA Considerations
This document makes no IANA requests.
10. References
[SCITT] IETF SCITT Working Group, Supply Chain Integrity, Transparency,
and Trust architecture work in progress.
[KEYWORDS] RFC 2119 and RFC 8174 define requirement keywords.
Pre-execution records are evidence.
External admission boundaries are authority separation.
No admission = no execution.
Author Address
Felix B.
Independent Researcher
URI: https://ai-admissibility.com/