Cryptographic execution architectures — including mandate signing, digest attestation, and hardware-witnessed refusal — are well-suited to enforcing execution legitimacy: verifying that an action is authorized, attesting its provenance, and refusing unauthorized execution at the hardware boundary. However, these mechanisms operate on deterministic, bounded artifacts. Semantic intent is neither deterministic nor bounded. Intent is probabilistic, context-sensitive, semantically mutable, and vulnerable to drift, mimicry, and adversarial shaping. A mandate can be hashed. A digest of admissibility can be attested. But whether an agent's reasoning path was semantically aligned with the mandate — whether its interpretation was admissible under the operative governance substrate — cannot be determined by cryptographic verification alone. This paper argues that any multi-agent execution architecture that routes integrity enforcement exclusively through cryptographic attestation will succeed at enforcing execution legitimacy while failing at enforcing semantic legitimacy. The missing layer is a governance substrate capable of detecting drift, enforcing refusal surfaces, tracing lineage, and adjudicating admissibility at the intent layer. The INF-* schema introduced in The Governance Orchestrator (DOI: 10.5281/zenodo.19076517) provides a structured formalization of this layer and its relationship to both semantic and hardware enforcement components.
Narnaiezzsshaa Truong (Thu,) studied this question.