Skip to content

Instantly share code, notes, and snippets.

@yshaaban
Created March 11, 2026 17:55
Show Gist options
  • Select an option

  • Save yshaaban/51f31203be945887df69892e850d5bd7 to your computer and use it in GitHub Desktop.

Select an option

Save yshaaban/51f31203be945887df69892e850d5bd7 to your computer and use it in GitHub Desktop.

In that world the agent isn’t just solving a task. It’s participating in a long-lived program of work that crosses code, infrastructure, security policy, data governance, approvals, and operational monitoring. The question stops being “did the agent reach the right answer?” and becomes “did the system evolve correctly over time while respecting the organization’s constraints?”

That’s a different problem entirely.

The core issue with the original memo is that it implicitly treats steering as trajectory evaluation. You record what the agent did, score the outcome and the process, and train against that signal. That works for bounded tasks like math problems or simple tool-use benchmarks. But for something like building a production service, the meaningful unit isn’t the trajectory. It’s the state transition the agent is proposing in a complex system.

When an enterprise agent acts, it’s not just calling a tool. It’s effectively saying:

“I want to change the state of the system in this specific way.”

That change might be committing code, migrating a database, granting access to a dataset, deploying infrastructure, or rolling out a release. Each of those has implications for security, governance, and operations. The important question is not whether the reasoning trace looked good — it’s whether the proposed change is legitimate given the environment the agent operates in.

That means steering has to operate around system state, not just reasoning traces.

A useful way to think about the environment is as a set of overlapping graphs that the agent is navigating.

There’s a goal graph: the milestones and requirements that define what “done” means.

There’s an artifact graph: specs, code, tests, infrastructure definitions, dashboards, and runbooks.

There’s a resource graph: the actual systems involved — repositories, services, datasets, APIs, environments.

There’s an authority graph: who or what is allowed to perform which actions on which resources.

And there’s an operational graph: the live system state — deployments, incidents, metrics, and cost signals.

An agent’s job is to move these graphs forward without breaking the invariants that keep the system safe and accountable. Every action is effectively a proposed mutation to that environment.

Seen from that angle, verification becomes much broader than checking whether the reasoning process looked clean. You need several kinds of verification operating together.

Some things the system can check deterministically. Your behavioral programming snapshots fall into this category. They tell you exactly what the runtime saw: which actions were proposed, which ones were blocked, which rules fired. That’s real ground truth, and it’s valuable. But it’s only one layer.

Other things live in artifacts. Does the code pass tests? Did static analysis run? Are security scans clean? Does the infrastructure definition match policy? Is there a rollback plan? Those checks don’t come from reasoning traces — they come from the artifacts the agent produced.

Then there’s the environment itself. Did the service behave correctly in staging? Did the load tests pass? Did the canary deployment show regressions? Did the database migration succeed and remain reversible?

Governance is another layer entirely. Did the agent touch data it wasn’t authorized to see? Did it cross a data residency boundary? Did it use an approved toolchain? Did the action stay within its delegated authority?

And finally there’s operational reality. After deployment, did the system remain stable? Did error rates spike? Did cost explode? Did an alert fire?

All of those signals matter. None of them show up in a simple reasoning trajectory.

This is where meta-verification becomes interesting in a more serious way. Instead of asking “how confident are we in this score,” the system should be asking whether the evidence behind a decision actually exists and is coherent.

If a grader claims that a release candidate is safe, the system should be able to check whether the scans ran, whether the tests passed, whether the deployment record exists, and whether the artifact that was deployed is actually the one that was built and reviewed. If those links aren’t there, the evaluation shouldn’t pass regardless of what the grader says.

That’s closer to how real production governance works. Claims must be backed by artifacts and logs, not just explanations.

Once you think about it this way, autonomy also changes shape. The question is no longer “can we trust the model to do this?” It’s “has the system granted the model the authority to do this action under the current conditions?”

In other words, autonomy becomes a function of delegated authority, not model capability.

An agent might be allowed to read repositories and run tests without restriction. It might be allowed to modify code in a feature branch. It might be allowed to deploy to staging if certain checks pass. But deploying to production might require additional approvals or stronger evidence.

That’s exactly how mature infrastructure already behaves: permissions are contextual and scoped, not absolute.

The same principle applies to data governance. Data shouldn’t be treated as a generic input to a tool. It should carry labels — classification, residency, retention rules — and the system should know whether the agent is permitted to interact with that class of data. If the agent proposes a step that crosses a boundary, the control plane should stop it before it happens.

None of this is captured by trajectory scoring.

The practical implication for training is that reward should not be the main mechanism enforcing safety or governance. Hard constraints belong outside the reward function. If an action violates policy or exceeds delegated authority, the system should reject it outright rather than merely assigning it a lower score.

Reward is still useful, but it should shape behavior among allowed actions — encouraging progress toward milestones, good artifact hygiene, efficient experimentation, and honest handling of uncertainty.

The bigger point is that steering enterprise agents is fundamentally a control-plane problem, not just a learning problem.

Learning can help agents plan better, recover from mistakes, and make smarter tradeoffs. But the guardrails that keep a system safe and accountable need to exist independently of the model. They need to be visible in logs, enforceable by policy, and explainable during an audit.

Your BP engine snapshots are valuable in that ecosystem because they expose one piece of ground truth about the agent’s behavior. But they aren’t the whole answer. They’re one verifier among several, and they mostly tell you about local coordination decisions, not the broader system impact of those decisions.

The deeper architecture for steering agents in complex environments is about making every meaningful action observable, authorized, and evidence-backed. When that structure is in place, meta-verification becomes much more powerful because it can reason over concrete artifacts and system state instead of trying to infer everything from text.

That’s the level at which long-range enterprise tasks actually live.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment