The cybersecurity detection discipline has responded to AI-powered and agentic malware by adapting existing detection primitives — dynamic behavioral analysis, multi-modal correlation, adversarially robust classifiers, concept drift detection, memory forensics — to a new adversary substrate. This paper argues that such adaptation, while operationally necessary, is structurally insufficient. The fundamental problem is not a capability gap but an ontology gap: the field's conceptual scaffolding was built for adversaries that exploit code, not adversaries that reason, replan, and coordinate across layers toward goals. This paper makes three contributions. First, it formalizes the ontology gap as a diagnostic framework, distinguishing between detection disciplines that treat malware as a payload or runtime behavior and detection disciplines that must model malware as an agent with intent, planning loops, and contextual adaptability. Second, it identifies two structural missing pillars in current agentic detection architectures: (1) model-as-substrate governance — the treatment of model weights, training pipelines, and behavioral envelopes as first-class governance objects and attack surfaces, not merely as tools; and (2) cross-layer intent composition — the requirement for a detection architecture capable of inferring adversarial intent across multiple siloed detection layers simultaneously, rather than scoring each layer locally. Third, it extends the Emotional Indicators of Compromise (EIOC) framework (Soft Armor Labs, ORCID 0009-0000-1964-6440) to the agentic adversary detection domain, proposing EIOC-aligned detection indicators for intent drift, boundary-seeking behavior, contextual retargeting, and refusal-quality anomalies as observable signatures of agentic malware. 
The paper argues that the cross-layer coordination problem — in which AI-powered malware achieves its objectives through coordinated, sub-threshold actions distributed across behavioral, network, memory, and model layers — is not addressable by adding additional siloed detectors. It requires a governance-substrate architecture capable of composing signals into a temporal narrative of adversarial intent, scored against governance-coded trajectory constraints rather than against individual event thresholds. This architecture is described conceptually and related to prior work in substrate governance (APR, ALP, AIOC-G) published under the same ORCID. The paper concludes that the genuine innovation frontier in agentic adversary detection is not technical but architectural and conceptual: detecting agentic behavior rather than malicious code, and building detection disciplines whose ontology matches the adversary they are designed to identify.
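The contrast the abstract draws between per-layer event thresholds and governance-coded trajectory constraints, as an added illustration that is not code from the paper: four constructed signals, each under its own layer's alert threshold, are composed into a temporal narrative across layers and scored against a hypothetical trajectory constraint built from the EIOC-style indicator names the abstract lists. The thresholds, scoring scheme, window and indicator ordering are assumptions for the illustration, not the paper's own scheme.

```python
# Added example (not the paper's code): siloed per-layer thresholds vs. cross-layer intent composition.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signal:
    t: int          # observation time in seconds (constructed)
    layer: str      # behavioral | network | memory | model
    indicator: str  # EIOC-style indicator name, e.g. "boundary_seeking"
    score: float    # normalized 0..1 suspicion from that layer's local detector

# Hypothetical per-layer alert thresholds: each siloed detector alerts only above these.
LAYER_THRESHOLDS = {"behavioral": 0.6, "network": 0.6, "memory": 0.6, "model": 0.6}

# Hypothetical governance-coded trajectory constraint: these indicators, in this order,
# with consecutive steps on different layers, inside a time window, above a cumulative score.
TRAJECTORY = ("boundary_seeking", "intent_drift", "contextual_retargeting", "staged_exfil")
WINDOW_S, TRAJECTORY_SCORE = 600, 1.5

def siloed_alerts(signals):
    """What independent per-layer detectors would raise: each event scored locally."""
    return [s for s in signals if s.score > LAYER_THRESHOLDS[s.layer]]

def compose_intent(signals):
    """Compose time-ordered signals into a narrative that follows TRAJECTORY and score it
    against the trajectory constraint. Returns the matched narrative, or None."""
    ordered = sorted(signals, key=lambda s: s.t)
    narrative, step = [], 0
    for s in ordered:
        if step < len(TRAJECTORY) and s.indicator == TRAJECTORY[step]:
            if narrative and s.layer == narrative[-1].layer:
                continue  # progress must cross layers, not repeat within one layer
            narrative.append(s)
            step += 1
    if step < len(TRAJECTORY):
        return None
    span = narrative[-1].t - narrative[0].t
    total = sum(s.score for s in narrative)
    return narrative if span <= WINDOW_S and total >= TRAJECTORY_SCORE else None

# Constructed sample: every event stays under its layer threshold, so no siloed alert fires.
SAMPLE = [
    Signal(0,   "model",      "boundary_seeking",       0.45),
    Signal(120, "behavioral", "intent_drift",           0.40),
    Signal(300, "network",    "contextual_retargeting", 0.50),
    Signal(420, "memory",     "staged_exfil",           0.35),
]

if __name__ == "__main__":
    print("siloed:", siloed_alerts(SAMPLE), "| composed:", compose_intent(SAMPLE) is not None)
```

Spreading the same four events over more than the window, or dropping any one step, returns None: the constraint scores the trajectory, not the individual events.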
Narnaiezzsshaa Truong
American Rock Mechanics Association
synapsesocial.com/papers/69b606af83145bc643d1ced6 — DOI: https://doi.org/10.5281/zenodo.19007095