STATUS: INTERNAL — exploratory, non-shareable, assumptions permitted.
Boundary
This page describes architectural placement patterns only. It does not disclose implementation methods, protocols, schemas, code, algorithms, or proprietary techniques.
1. Opening
MCP-style tool interfaces and system adapters make it easy for agentic AI to initiate real-world actions through enterprise platforms. This increases the importance of a hard separation between:
- Proposal (what an agent wants to do)
- Execution (what the enterprise actually commits)
The key architectural intent is to ensure that consequential actions only become real when they cross a control point designed for admissibility at the moment of binding.
2. The problem
Agents can generate, request, and sequence actions faster than institutions can reliably reconstruct authority, context, and constraints after the fact.
When execution is permitted to proceed and later “explained” or “audited”, the institution is forced into a retrospective posture:
- authority must be inferred rather than proven,
- state must be reconstructed rather than resolved,
- and constraints are applied after consequence has already bound.
3. Existing flow
In many tool-enabled agent patterns, the flow collapses proposal and execution into a single operational path:
Agent → Tool call / MCP server → Enterprise system → Execution
This makes tool access look like execution entitlement, even when the institution’s operating model requires that entitlement to be situational.
4. Required architecture
The required pattern introduces an explicit execution boundary that converts agent intent into a proposal, and only allows execution when admissibility resolves at T=0:
Agent → Proposal → MCP execution boundary → SCIA Runtime admissibility check → Enterprise execution system
MCP execution boundary (concept)
The MCP execution boundary is the architectural control point where:
- the agent’s requested action is treated as a proposal, not a command, and
- admissibility is evaluated before the enterprise commits a binding change.
This boundary is not “extra governance”. It is the point where enterprise consequence is prevented from binding without authority being explicit, contextual, and current.
5. T=0 admissibility question
The governing question at the boundary is:
“Is this agent-initiated action allowed to become real right now?”
“T=0” means the decision is made at the moment execution would bind consequence, not after the fact.
6. What must be resolved
Admissibility requires resolving (at minimum) the following dimensions at the boundary:
- Actor / delegated authority
- Who is initiating the action?
- Under what delegation, mandate, or authority envelope is the agent operating?
- Enterprise state
- What is the current institutional state that makes the action valid or invalid?
- What dependencies or preconditions must already be true?
- Applicable constraints
- What rules, limits, and prohibitions apply in this situation?
- What separation-of-duties, thresholds, and approvals are required?
- Operating context
- What workflow, case, objective, or operational intent is this action part of?
- What environment and operational mode applies (e.g. normal operations vs incident)?
- Evidence bound to the action
- What evidence is presented that supports admissibility?
- What must be bound to the action so later review can see what was known and asserted at T=0?
7. Typed outcomes
The boundary must yield typed outcomes that are stable and operationally meaningful:
- Admissible
- Admissible with conditions
- Escalate
- Not admissible
- Insufficient information
These outcomes define whether execution can proceed, must be constrained, or must be routed to a human authority path.
8. What this is not
To avoid category confusion, the MCP execution boundary is not:
- not model alignment
- not prompt safety
- not agent monitoring
- not a policy overlay
- not post-event audit
It is an architectural placement pattern for pre-execution admissibility, where consequence is prevented from binding unless authority and constraints resolve at T=0.
9. Boundary (no implementation detail)
This pattern is defined at the architecture and control-plane level only:
- No protocol internals
- No schema
- No code
- No implementation-specific mechanisms
The purpose is to specify where admissibility must be enforced, not how any given platform implements it.
10. CTA
Start with one agentic workflow where an AI-initiated action could bind institutional consequence.
Choose a single consequential action, locate the execution point, and insert an admissibility boundary that can answer the T=0 question deterministically.