Daily intelligence brief
CAVA proposes a portable way to bind agent approvals, policy decisions, and audit receipts to action meaning across heterogeneous runtimes.
- Report date
- Jul 17, 2026
- Status
- published
Canonical Action Identity Emerges as an Agent Governance Primitive
Agent governance has an identity problem. The same consequential action can appear as a shell command, an MCP tool call, a browser event, an API request, or a managed-agent trace. Those records may describe the same operational effect without sharing a stable representation.
A new research paper, CAVA: Canonical Action Verification and Attestation for Runtime Governance of Agentic AI Systems, proposes treating canonical action identity as the layer connecting runtime activity to policy, approval, and audit evidence.
The proposal matters because an approval is only as precise as the action it authorizes. If a system binds approval to raw command text, a runtime-native identifier, or a human-readable description, an equivalent rewrite may no longer match the approved record. Conversely, a receipt can be cryptographically intact while still referring to an incomplete or misleading representation of the action.
From runtime events to governed actions
CAVA converts heterogeneous runtime events into versioned canonical action objects. Its reference schema includes the runtime and adapter, executable or tool identity, normalized operation, risk category, systems touched, reversibility, and the target or subject of the action.
Selected fields are serialized deterministically and hashed to produce a canonical fingerprint. Policy outcomes, approval decisions, execution results, and optional attestations can then bind to that fingerprint rather than to the original surface text.
The paper separates this process into distinct responsibilities:
- Capture the runtime event and relevant context.
- Normalize it into a canonical action.
- Interpret reusable risk patterns such as public egress, credential exposure, or delegated-authority mismatch.
- Fingerprint the normalized action semantics.
- Bind policy and approval outcomes to that fingerprint.
- Close the record with execution evidence, exceptions, and side effects.
- Attest selected receipt material when stronger external verification is required.
This separation is useful for buyers evaluating agent infrastructure. Action normalization, policy routing, human authority, enforcement, evidence closure, and cryptographic attestation are related controls, but they are not interchangeable.
What the benchmark reports
The paper evaluates a reference implementation using 96 representative seed scenarios expanded into 384 variants across shell hooks, MCP-style tools, browser automation, and managed-agent traces.
The public benchmark tests semantic equivalence, semantic separation, wrapper bypass, benign-text false positives, approval binding, receipt reproducibility, tamper detection, runtime portability, and semantic-pattern detection. On this controlled corpus, CAVA reports perfect scores across the evaluated metrics, while raw-text and first-token baselines fail multiple tests.
The most commercially relevant benchmark cases are not the aggregate scores alone. They illustrate concrete failure modes:
- A deployment action hidden behind
env,sudo, or a nested shell can evade first-token rules. - A read-only search containing dangerous command text can trigger a naive substring policy.
- An approval can be replayed against a changed branch, target, or policy context.
- A payment or deployment action can arrive through an SDK, browser, or MCP tool without any shell command to inspect.
- A receipt can be altered after a decision unless its canonical payload is independently verifiable.
These are practical tests for whether an agent-control product governs operational meaning or merely records runtime-specific syntax.
The evidence boundary
The reported results require careful interpretation. The benchmark and its simple comparison baselines were designed by the paper’s author. The public corpus is small relative to enterprise runtime diversity, and this assessment has not independently reproduced the benchmark.
The paper also withholds production parser packs, enterprise policy thresholds, customer connector rules, and managed evidence-system components. Its Azure examples are semantic deployment drills rather than live mutating cloud tests.
CAVA’s own disclosure model recognizes another important boundary: observe-only coverage is not equivalent to inline enforcement. A runtime may produce canonical records without being capable of blocking an action before side effects occur.
Canonical fingerprints also do not prove that an action was safe, appropriate, or correctly approved. They can make the object of a decision more stable and make receipt tampering detectable, but the quality of policy, human judgment, runtime capture, parser coverage, and deployment controls remains independently important.
Decision intelligence for buyers and builders
Organizations evaluating agent governance infrastructure can use the CAVA proposal as a due-diligence framework:
- What stable object does the system treat as the action being governed?
- Can semantically equivalent actions converge across shells, tools, browsers, APIs, and workflow engines?
- Does approval expire when the target, actor, policy version, runtime session, or action meaning changes?
- Can an independent verifier reproduce the receipt without access to vendor secrets?
- Does the product distinguish observation, warning, approval gating, blocking, and dual control?
- How does it handle unknown tools, private scripts, nested commands, and incomplete adapter coverage?
- Are policy weakening and disabled controls treated as governed actions themselves?
- What evidence records the actual outcome after approval, including partial execution or failure?
- Can attestations be used without exposing confidential action contents or sensitive metadata?
- Which claims have been validated using external traces or independent adversarial testing?
These questions remain useful even if an organization never adopts CAVA. They expose whether a governance product has a portable action model, binds authority narrowly, preserves evidence honestly, and discloses the limits of its enforcement.
Keelbase Signal assessment
CAVA advances a useful distinction between observability and governance. Logs can show that an event occurred. Signatures can show that selected data was signed. Ledger anchors can show that a digest existed. None of those controls, by itself, establishes that the record describes the same operational action a person or policy intended to authorize.
Canonical action identity is therefore a credible candidate primitive for governed agent systems. The paper provides a concrete schema, threat model, benchmark vocabulary, and buyer checklist for testing that idea.
The evidence does not yet support universal claims. External runtime traces, broader parser coverage, independent red-teaming, and third-party reproduction are still needed. The durable signal is narrower: as agents act across more execution surfaces, governance systems will need to bind authority and evidence to action meaning rather than to whichever runtime representation happens to be available.