My system’s gate-status endpoint exposes a signal that did not exist in the codebase a week ago. When I captured it for this note, it read:
The endpoint reported seven contributing events across three origins. No individual snapshot crossed the configured gate threshold, but their decayed contributions accumulated above HOLD. Because the signal is observe-only, nothing was throttled — that is the point of this stage. The climb is the argument, so let me be exact about what this number is, and just as exact about what it is not.
The blind spot a memoryless gate can’t close
A governance gate, in almost every system I have looked at, is memoryless. It scores one decision — is this action permitted? is this spend approved? is this risk acceptable? — and forgets it before scoring the next. That is usually the right design for a single action. It leaves one thing uncovered: a risky sequence of individually-fine actions. Ten actions that are each 0.5 on a 0-to-1 risk scale are all below the configured 0.65 per-call threshold, so a memoryless gate waves each one through — correctly, in isolation. But 0.5, ten times, is a trajectory, and a gate that forgets the last decision cannot see a trajectory. It cannot add up what it refuses to remember.
In the open-source engine, that trajectory is composed per subject — an agent, a session, an actor. A worked example ships in the tests: an agent whose seven consecutive decisions each evaluate to RUN individually composes past the fail threshold and the composed verdict becomes FREEZE. No single gate saw a problem. The sum did.
What the 2.14 actually contains — and what its subject is
Here is where I have to be careful, because the reading above is not an agent’s decision trajectory. Its subject is the system’s security environment. The same accumulation mechanism is applied to a different input: each security event in the last 72 hours is converted to a 0–1 risk weight by severity (a CRITICAL event weighs more than a HIGH), those weights are composed with a 24-hour decay half-life, and the result is the 2.14. It is threat-pressure composition, not agent-decision composition. The mechanism is shared; the subject is not. Treating “agent trajectory” and “environmental threat pressure” as the same thing would be sleight of hand, and I don’t want to do that.
The key configuration behind the number, so its scope is clear:
72h · decay half-life = 24h · contributing composed events = 7 · distinct origins = 3 (all within a single /24 block) · per-origin ceiling = 1.5 · HOLD = 2.00 · FAIL = 3.50 · enforcement = observe-only. Captured 2026-07-18 ~22:37 UTC from the live gate-status endpoint. This is self-attested production telemetry: it is a real reading from the running system, not an independently audited record.
Two things this number is not
First: the cap is deployment logic, not the engine. The generic open-source composer (constitutional-agent’s AccumulatedRiskComposer) sums optionally-decayed weights for a subject; it does not ingest raw IP events and it does not cap by origin. In this deployment, an upstream adapter converts security telemetry into bounded risk contributions before recording them against the system subject, and caps each origin’s contribution at 1.5 — below the 2.00 HOLD line. So a single origin can raise the reading, but it cannot trigger HOLD by itself. That per-origin cap is my integration’s noise-containment logic, not a feature of the published composition module.
Second: three “sources” is not three actors. The reading came from three addresses that all sit inside a single /24. They may reflect one operator or shared infrastructure — hosting, NAT, a scanning service, compromised hosts; the telemetry cannot establish actor identity. That is the honest limit of this signal: distinct-origin breadth is not distinct-actor breadth. The cap contains noise; it does not make the signal Sybil-resistant. A distributed attacker — a botnet, a rotating proxy pool, IPv6 address churn — can manufacture apparent breadth. A stronger deployment should compose across more durable principals: authenticated identities, tenants, credentials, campaigns, or correlated source clusters, wherever those identifiers exist. IP address is the weakest available origin identifier, and I am using it only because it is what the security log provides.
A gate that forgets every decision can never see the one risk that only exists in the sum of them.
What one reading does and does not prove
I want to be disciplined about the claim. This telemetry proves the path is active: the composition mechanism is wired into the production gate status, it is reading live inputs, and it produced an interpretable value that crossed its own threshold. That is real implementation movement, and a week ago it did not exist. What it does not prove is that the signal is calibrated, robust, or operationally useful. One value is not validation. And the signal is deliberately observe-only: it is surfaced read-only and does not change the system state. Enforcement is gated on calibration, because binding an uncalibrated threshold against real security-event volume is how you cause the incident you were trying to prevent — the same fail-safe discipline that once had this system throttle itself over contained noise. The composition module itself is new (constitutional-agent v0.6.0) and not yet hardened to the degree of the core gates. The 2.14 is the calibration clock starting, not a finished control.
Even with all of those caveats, the shape of the thing is the point. Identity establishes the acting principal; authorization constrains its permissions; policy evaluates individual actions; composition evaluates the accumulated trajectory. That last layer — governing what delegated autonomous authority accumulates to, across sessions within a rolling window — is a capability I have not found documented in the governance engines I compared. It is the part worth building carefully, and worth being honest about while it is still young.
Comparison basis (public documentation reviewed 2026-07-18): Microsoft Agent Governance Toolkit / ACS, Galileo Agent Control, Runlayer, NVIDIA OpenShell. The claim is narrow: I did not find documented cross-session accumulation of per-decision constitutional-risk weights — not that these products lack every stateful control. Several document session-wide visibility, budgets, or audit trails; that is a different mechanism.
If your agent governance scores each action and forgets it, you are protected against bad decisions and blind to bad sequences. The fix is not a better per-call threshold — you cannot tune your way to seeing a trajectory you refuse to remember. The fix is a stateful layer that accumulates risk across decisions and sessions and escalates on the sum, composed over principals durable enough to mean something. That capability is the differentiated edge. Getting it honest — calibrated, Sybil-aware, observe-before-enforce — is the harder half.
Where does your agent stack sit on this?
The composition engine described here is open source (constitutional-agent v0.6.0, pip install constitutional-agent) and runs as the reference implementation of the Enterprise Agent Architecture. The free Governance Stress Test scores your stack across identity, policy, and the decision layer — and shows you where the cross-session gap is.
Related reading
The Morning the System Throttled ItselfThe AI Governance Gap Nobody Is Talking About: WHO vs. HOW
The Six-Gate Architecture
Frequently Asked Questions
What is cross-session risk composition?
A stateful governance layer that accumulates a risk weight for each decision, keyed by a subject (an agent, session, actor, or environment), composes those weights across a rolling window with optional decay, and escalates when the accumulation crosses a threshold — even when every individual decision passed its own gate. A per-call gate is memoryless; composition remembers the trajectory, which is where the risk that no single decision reveals actually lives.
Doesn’t a per-call policy gate already catch risky actions?
It catches risky individual actions. It cannot catch a risky sequence of individually-fine actions — ten actions each 0.5, all below the configured 0.65 per-call threshold, compose into a trajectory no single evaluation flags. In the public documentation I reviewed for Microsoft ACS, Galileo Agent Control, Runlayer, and NVIDIA OpenShell, I did not find a documented mechanism that accumulates per-decision constitutional-risk weights across sessions and escalates on that accumulated trajectory. Composition is the layer above the per-call gate that closes that gap.
Is the composed-risk signal enforcing yet, or just observing?
Observing. It is surfaced read-only in the gate status and does not change the system state. Enforcement is gated on calibration: real security-event volume means thresholds must be tuned against live data before the signal binds, or the composition would throttle the organization on noise. The observe-only telemetry is the calibration clock — and the composition module (constitutional-agent v0.6.0) is itself new, not yet hardened to the degree of the core gates.
constitutional-agent v0.6.0; the per-origin cap is this deployment’s adapter logic, not part of the published module. No fabricated or estimated data is presented as measured fact (HC-4). Enterprise Agent Architecture position paper: doi.org/10.5281/zenodo.21105314.