§ REFERENCE ARCHITECTURE
Reference Deployment
What a governed two-agent production fleet looks like end to end: stack, autonomy tiers, policy set, measured enforcement cost, SIEM routing, and the audit evidence each control produces.
What this page is — and is not
This is a reference architecture, not an anonymized customer case study. The scenario is drawn from how we run and test Execlave ourselves; every capability and number on this page is documented elsewhere on this site — latency figures come from the published, reproducible benchmarks and nothing here is an estimate. When we publish customer case studies, they will be labelled as such.
Scenario & stack
A mid-size product company runs two production agents with different risk profiles — the common starting shape we see.
| Component | Choice | Why |
|---|---|---|
| Support agent | LangChain (Python), customer-facing | Handles end-user input — highest injection and PII exposure. |
| Ops agent | OpenAI Agents SDK (Python), internal | Writes to internal systems — tool misuse is the main risk. |
| Governance | Execlave cloud (self-hosted available) | Both agents instrumented with one SDK call each. |
| Environments | production + staging | Same policies in both; staging is where tightened policies are re-tested. |
| SIEM | Splunk or Microsoft Sentinel | Violations land in the existing SOC queue — see the integration guides. |
# Support agent — LangChain (Python)handler = ExeclaveCallbackHandler(exe, agent_id="support-bot")chain.invoke(input, config={"callbacks": [handler]}) # Ops agent — OpenAI Agents SDK (Python)add_trace_processor(ExeclaveTracingProcessor(exe, agent_id="ops-agent"))Autonomy tiers & policy set
Each agent declares one autonomy level; Execlave applies the matching control bundle. Policies that fall outside the tier are flagged as audited overrides.
| Agent | Autonomy level | What that means |
|---|---|---|
| support-bot | act_with_approval | Replies freely; outbound actions (refunds, emails) queue for human sign-off with a 30-minute approval expiry. |
| ops-agent | autonomous | Writes without per-action approval, inside cost caps, tool allowlist, and external-call limits. |
# Representative policy set (4 of 19 available policy types) prompt_injection: # both agents enforcement: block # 13-language scanning, severity-scoredpii_detection: # support agent enforcement: warn # 14 categories, hashed at the boundarytool_allowlist: # both agents enforcement: block # send_email requires approval; db_write denied to supportcost_budget: # org + per-agent enforcement: block # per-agent daily cap, org monthly cap, burn-rate alert at 80%Four enforcement modes are available per policy — monitor, warn, require_approval, block — so the same policy can roll out as monitor-only first and graduate to block after a week of clean signal. See Policies for the full 19-type catalogue.
What enforcement costs at runtime
Published, measured figures — reproduce them with the checked-in harnesses (backend/scripts/bench-enforcement.ts, bench-enforce-e2e.ts).
| Metric | Measured |
|---|---|
| In-process policy evaluation — p50 / p95 / p99 | 8.4 µs / 10.6 µs / ~21 µs |
| Evaluation throughput — single core | ~96,000 passes/sec |
| Server-side enforce decision, DB-inclusive — p50 / p95 / p99 | 2.1 ms / 2.9 ms / 3.9 ms |
| Semantic tier (model-backed checks) | not yet published — never estimated |
Methodology, environment, and caveats are on the benchmarks page. The practical takeaway for this deployment: pattern-tier governance adds microseconds in-process and low single-digit milliseconds server-side — small enough to sit in the request path of both agents.
When something fires
The operational loop this architecture produces.
A prompt-injection attempt against support-bot is blocked at enforcement time and the trace is marked policy_blocked. The trace streams to the SIEM, where the violation-burst rule (shipped in the Splunk / Sentinel guides) raises an incident in the SOC queue. The analyst follows the incident response workflow: pivot by trace_id, review the span timeline and agent passport, tighten or confirm the policy, and attach the hash-chained audit export to the incident record.
Evidence this deployment produces
What you hand an auditor — each artifact maps to a concrete control above.
| Artifact | Produced by |
|---|---|
| Signed compliance report (RSA-SHA256, offline-verifiable) | GET /api/v1/compliance/report — 7 frameworks including EU AI Act |
| Append-only, hash-chained audit log (retention up to 10 years) | Every enforcement decision, approval, and policy change |
| Approval records with human identity + timestamp | act_with_approval actions on support-bot |
| Per-article EU AI Act evidence mapping | docs/compliance/eu-ai-act — article-by-article |
Full mapping with per-article evidence links: EU AI Act compliance. To reproduce this architecture, start with Getting started and the framework integrations.