Proof-Carrying Agent Actions: New framework governs AI agents across any runtime

A single certificate replaces vendor-specific logs to track and verify every agent action.

Deep Dive

Zexun Wang’s new paper presents Proof-Carrying Agent Actions (PCAA), a runtime-neutral governance model designed to bring consistent control and auditability to heterogeneous agent systems. The core problem: different agent runtimes—local coding tools, framework SDKs, managed platforms, API gateways, and observer-only integrations—record high-risk actions (like publishing data externally) in incompatible formats. A shell command in one runtime becomes a tool call in another, making it nearly impossible to answer basic governance questions: what action was authorized, under whose authority, and with what approval semantics?

PCAA solves this by centering control on an action certificate rather than a vendor-native session record. It organizes governance around five checkpoints: pre-action admissibility, action open, assumption capture, approval, and outcome closure. These checkpoints are bound to a portable action envelope, runtime and approval receipts, and a replay-ready proof. The model extends standard approaches by making the certificate “externality-aware”—carrying boundary facts like destination visibility and account provenance—and by defining explicit enforceability classes rather than a single reviewed/unreviewed bit.
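The following Python is an added illustration, not code from Wang's paper or its reference control plane: it reduces a shell record and a tool-call record to one action envelope, chains a receipt per checkpoint onto it, and replays the chain to verify the certificate. The field names, the SHA-256 hash chain and the sample records are assumptions made for the example; the article does not describe the paper's certificate format.

```python
import hashlib
import json

# Checkpoint names follow the article; every field name below is an assumption.
CHECKPOINTS = ("admissibility", "action_open", "assumption_capture",
               "approval", "outcome_closure")

def digest(obj):
    """Stable SHA-256 over canonical JSON."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def envelope(record):
    """Reduce a runtime-native record to a runtime-neutral action envelope."""
    if record["kind"] == "shell":            # e.g. a local coding tool
        action, dest = record["argv"][0], record["argv"][-1]
    else:                                    # e.g. a framework SDK tool call
        action, dest = record["tool"], record["args"]["destination"]
    return {"action": action, "destination": dest,
            "destination_visibility": record["visibility"],  # externality fact
            "account_provenance": record["account"]}         # externality fact

def issue(env, receipts):
    """Chain one receipt per checkpoint onto the envelope digest."""
    prev, chain = digest(env), []
    for checkpoint, body in receipts:
        entry = {"checkpoint": checkpoint, "body": body, "prev": prev}
        prev = digest(entry)
        chain.append(entry)
    return {"envelope": env, "receipts": chain, "proof": prev}

def verify(cert):
    """Replay the chain; an empty list means the certificate holds."""
    findings, prev = [], digest(cert["envelope"])
    if tuple(r["checkpoint"] for r in cert["receipts"]) != CHECKPOINTS:
        findings.append("checkpoints missing or out of order")
    for r in cert["receipts"]:
        if r["prev"] != prev:
            findings.append("broken link at " + r["checkpoint"])
        prev = digest(r)
    if prev != cert["proof"]:
        findings.append("proof does not match replay")
    return findings

# Constructed sample records: the same publish action seen by two runtimes.
SHELL = {"kind": "shell", "visibility": "public", "account": "org-service",
         "argv": ["publish", "--to", "https://example.invalid/reports"]}
TOOL = {"kind": "tool_call", "visibility": "public", "account": "org-service",
        "tool": "publish", "args": {"destination": "https://example.invalid/reports"}}
RECEIPTS = [(name, {"ok": True}) for name in CHECKPOINTS]
```

Because the externality facts sit inside the envelope that anchors the chain, changing the recorded destination visibility after issuance breaks the first link on replay.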

To validate the approach, Wang implemented a reference control plane and tested it on a protected benchmark expanded from 24 executable seeds to 96 traces across four runtime families. Results show PCAA preserves route quality while exposing distinct failure modes under ablation—proving the model can remain portable under runtime churn without collapsing into vendor-specific control surfaces. This work, submitted to arXiv on June 2, 2026, bridges software engineering, AI safety, and cryptography.

Key Points
  • PCAA introduces five governance checkpoints: admissibility, action open, assumption capture, approval, and outcome closure.
  • Tested across 96 traces from four different runtime families, preserving route quality while revealing failure modes under ablation.
  • Action certificates are externality-aware, carrying destination visibility and account provenance for portable audit trails.

Why It Matters

Unified governance across AI agent platforms closes a critical security gap as multi-runtime deployments grow.