Three layers. One cryptographic spine.
Bonis Systems operates across three layers of the AI agent stack. Layer 1 records what already happened. Layer 2 prevents errors before deploy. Layer 3 preserves evidence and identity when systems fail. Each layer answers a different question and serves a different buyer; the same Knox primitive underwrites all three. This page is the architecture map.
Bonis is the cryptographic spine across all three layers.
- Layer 1 — AAM (audit-permanence). Already shipped. Knox primitive, eleven public agents, ninety canonical event types, public verify endpoint, Bitcoin anchor. /aam
- Layer 2 — AI Production Discipline. Operationally lived; productization scoped. The methodology Bonis already runs under — Truth Protocol three-source, multi-pass measurement, Stop-and-Save Rule, Coachbuilt floor, Stealth Posture, Evidence Ledger. /aam/production-discipline
- Layer 3 — Continuity & Adversarial Resilience. Anchor primitives + PQC stack shipped; Knox Edge Anchor and HSM/TPM binding in active scope. /aam/continuity
- One cryptographic spine. The Knox primitive underwrites all three layers. SHA-256 commitments, hash chain, Merkle aggregation, Bitcoin anchor, post-quantum signatures.
- Defensive only across every layer. None of the three layers undertakes offensive action against any external system.
Each layer answers a different question.
A mature AI deployment runs all three layers. They do not replace each other. Conflating them is the most common error when reasoning about agent governance.
AAM — Agent Audit and Management
What did the agent actually do? Court-admissible.
AI Production Discipline
How are errors prevented before deploy?
Continuity & Adversarial Resilience
What survives when the world breaks?
What each layer catches that the others can’t.
The three layers are independent failure surfaces. A failure mode that takes down all three simultaneously is rare. A failure mode that takes down one — the Layer-1 audit chain during network loss, the Layer-2 discipline under deploy pressure, the Layer-3 identity layer during HSM compromise — is routine.
Long-tail attribution
Agent did X. The operator's internal log was rewritten between then and the audit. The acquirer cannot independently prove the original state. Layer 1 anchors the original state to Bitcoin so the original record survives the operator and the platform vendor.
Pre-deploy fabrication
A measurement looks good on the first run, ships, then stops being true. A claim looks defensible until an external auditor checks the source. Layer 2 catches both at the moment of authoring with the Truth Protocol three-source rule and multi-pass measurement before the claim ships.
Failure-mode collapse
Network drops. The audit endpoint is unreachable. The hosted signing service is offline. An HSM is under attack. Layer 3 keeps capturing locally, keeps signing from a hardware-bound key, and reconciles with the canonical chain on reconnect.
One Knox primitive across all three layers.
The same primitive underwrites the audit chain (Layer 1), the ship-receipt and Stop-and-Save anchors that enforce the discipline (Layer 2), and the canonical chain the Edge Anchor offline-buffer reconciles into (Layer 3). One primitive; one verifier; one external chain.
Content-addressed commitments
Every event reduces to a SHA-256 commitment over a canonical payload (a deterministic encoding, so the same event always yields the same hash). The hash is the only data leaving the operator boundary unless the operator chooses otherwise. One caveat for operators relying on that property: a bare hash of a low-entropy payload can be reversed by hashing candidate payloads, so a commitment that must also hide its contents needs a random salt in the preimage.
Sequence-numbered per stream
Each event carries a per-stream sequence number and a hash-link to the predecessor. A verifier walking forward from any anchor recomputes every link, so a missing, reordered, or rewritten event is detected at the first sequence number where it occurs; the chain is reconstructible from any anchor onward, with no gaps.
Hourly Merkle aggregation
Every hour, the active anchors fold into a Merkle tree; the root is a 32-byte commitment to the entire hour of activity. Verification of any one anchor requires only the Merkle path to the root: on the order of log2(n) sibling hashes for an hour of n anchors, not the other anchors themselves.
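A minimal implementation of the three properties just described (content-addressed commitments, a sequence-numbered hash chain per stream, and an hourly Merkle fold with inclusion-path verification), written for this page as an illustration. It is not Knox's code, and the names, field layout, and tree conventions are assumptions; the sample events are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace

# Hypothetical stand-in for the Knox primitive, written for this page. All
# names and conventions are assumptions, not the real Knox implementation.

GENESIS = "0" * 64  # prev-link of the first event in a stream


def canonical(payload: dict) -> bytes:
    """Deterministic encoding: same payload -> same bytes -> same hash."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Event:
    stream: str
    seq: int          # per-stream, monotonic, no gaps
    prev: str         # link of the predecessor (GENESIS for seq 0)
    commitment: str   # sha256(canonical payload): the only payload-derived field
    link: str         # sha256 over (stream, seq, prev, commitment)


def link_hash(stream: str, seq: int, prev: str, commitment: str) -> str:
    # The header is canonicalised too, so field boundaries are unambiguous.
    return sha256_hex(canonical(
        {"stream": stream, "seq": seq, "prev": prev, "commitment": commitment}))


class Stream:
    def __init__(self, name: str) -> None:
        self.name = name
        self.events: list[Event] = []

    def append(self, payload: dict) -> Event:
        """Commit a payload; the payload stays inside the operator boundary.
        A bare hash does not hide a low-entropy payload: add a random salt to
        the preimage if hiding matters (not done here)."""
        seq = len(self.events)
        prev = self.events[-1].link if self.events else GENESIS
        commitment = sha256_hex(canonical(payload))
        ev = Event(self.name, seq, prev, commitment,
                   link_hash(self.name, seq, prev, commitment))
        self.events.append(ev)
        return ev


def verify_chain(events, start_prev: str = GENESIS, start_seq: int = 0):
    """Walk forward from any anchor. Returns (ok, seq of first bad event)."""
    exp_prev, exp_seq = start_prev, start_seq
    for ev in events:
        if ev.seq != exp_seq or ev.prev != exp_prev:   # gap, reorder, or splice
            return False, ev.seq
        if link_hash(ev.stream, ev.seq, ev.prev, ev.commitment) != ev.link:
            return False, ev.seq                        # rewritten in place
        exp_prev, exp_seq = ev.link, ev.seq + 1
    return True, None


def _leaf(h: bytes) -> bytes:    # RFC 6962-style prefixes: a leaf and an
    return hashlib.sha256(b"\x00" + h).digest()   # interior node never collide


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_aggregate(links: list[str]):
    """Fold one hour's event links into a tree. Returns (root_hex, paths), where
    paths[i] = [(sibling_hex, sibling_is_right), ...] for links[i]. An unpaired
    node is promoted, not duplicated (duplication lets two leaf lists share a root)."""
    if not links:
        raise ValueError("empty hour: nothing to anchor")
    level = [_leaf(bytes.fromhex(x)) for x in links]
    paths = {i: [] for i in range(len(level))}
    pos = {i: i for i in range(len(level))}   # leaf index -> position at this level
    while len(level) > 1:
        nxt = [_node(level[j], level[j + 1]) for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        for i, p in pos.items():
            sib = p ^ 1
            if sib < len(level):
                paths[i].append((level[sib].hex(), sib > p))
            pos[i] = p // 2
        level = nxt
    return level[0].hex(), paths


def verify_path(link: str, path, root: str) -> bool:
    """Recompute the root from one link and its path: O(log n) hashes, nothing else."""
    h = _leaf(bytes.fromhex(link))
    for sib_hex, sib_is_right in path:
        sib = bytes.fromhex(sib_hex)
        h = _node(h, sib) if sib_is_right else _node(sib, h)
    return h.hex() == root


def demo() -> dict:
    s = Stream("agent-7")
    # Constructed sample events standing in for canonical event types.
    evs = [s.append({"type": "tool.call", "tool": "search", "call": i}) for i in range(5)]
    root, paths = merkle_aggregate([e.link for e in evs])
    tampered = evs[:2] + [replace(evs[2], commitment=sha256_hex(b"rewritten"))] + evs[3:]
    gapped = evs[:3] + evs[4:]
    return {
        "chain_ok": verify_chain(evs),
        "from_anchor_ok": verify_chain(evs[2:], evs[1].link, 2),
        "tampered": verify_chain(tampered),
        "gapped": verify_chain(gapped),
        "path_ok": verify_path(evs[1].link, paths[1], root),
        "path_forged": verify_path(sha256_hex(b"not in this hour"), paths[1], root),
        "path_len": len(paths[1]),
    }
```

Two choices in the tree deserve a note. Promoting an unpaired node instead of duplicating it avoids the known ambiguity where two different leaf lists produce the same root, and the leaf/node prefixes stop an interior node from being passed off as a leaf. This page does not state which conventions Knox's tree uses; a verifier must use exactly the conventions of the tree it is checking, or every path will fail.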
Bitcoin anchor via OpenTimestamps
The Merkle root is published to the Bitcoin chain via OpenTimestamps. Verification does not require Bonis, the operator, or any other party to be online or cooperative; the verifier needs only the OpenTimestamps proof and the Bitcoin block header it attests to, which any full node or header source can supply. Two practical caveats: an OpenTimestamps proof is pending until the aggregation transaction confirms, so a verifier should upgrade a pending proof before relying on it; and the anchor proves the root existed no later than that block's time, not when the underlying events occurred.
Post-quantum signatures
Layer 4 of Knox (a Knox-internal layer number, not one of the three architecture layers on this page) ships ML-DSA-44/65/87 (NIST FIPS 204) and SLH-DSA-128s/192s/256s (NIST FIPS 205) via @noble/post-quantum, deployed live on terravault-00360-gkv on 2026-04-24. The SLH-DSA "s" parameter sets are the small-signature variants, which trade slower signing for shorter signatures.
Public TLA+ specification
The anchor pipeline ships a public TLA+ specification covering hash-link, sequence-monotonicity, and Merkle-root invariants. Math-checked, not vibes-checked. The specification checks the design; it does not by itself show that the deployed code conforms to it, so conformance still rests on testing and review of the implementation against the spec.
Two framings, both correct, different questions.
The four-layer agent stack on /aam/control-planes describes the agent runtime stack from any vendor’s deployment perspective. The Bonis three-layer architecture describes where Bonis itself operates. The two framings interlock cleanly.
From any vendor’s deployment
- Layer 1 · Authorization — Control plane (e.g. Microsoft Agent 365)
- Layer 2 · Identity — Agent identity / name service (e.g. Entra Agent IDs, IETF ANS)
- Layer 3 · Execution — Hosted runtime (e.g. Foundry Hosted Agents, AWS Bedrock, Google Vertex AI)
- Layer 4 · Evidence — AAM (Bonis Knox)
Where Bonis Systems operates
- Layer 1 · AAM — Equivalent to the fourth layer of the agent stack
- Layer 2 · AI Production Discipline — Orthogonal to the runtime stack; pre-deploy methodology
- Layer 3 · Continuity & Adversarial Resilience — Orthogonal to the runtime stack; failure-mode survival
A mature deployment runs all four layers of the agent stack and all three layers of the Bonis architecture. The two framings answer different questions; they do not compete.
Three places explicitly outside the Bonis surface.
Agent control plane
Authorization, tool allow-lists, data scopes, counter-party rules — Microsoft Agent 365, AWS Bedrock, Google Vertex AI, Rubrik Agent Govern, in-house orchestration. Bonis composes above any of them and does not compete for the authorization layer.
Reasoning generator (Layer 3)
Local LLM fallback when hosted models are unreachable — open-source model families (Llama, Phi, Gemma, the broader open-weight ecosystem). Bonis does not ship a reasoning model and does not compete in this lane.
Real-time observability
Operator-internal real-time telemetry that serves the operator inside the deployment. AAM serves external parties years later. The two layers compose; they do not replace each other.
Common questions, answered.
What is the Bonis three-layer agent architecture?
Three layers of the AI agent stack where Bonis Systems operates. Layer 1 — AAM (Agent Audit and Management) — produces the externally-anchored evidence record of what the agent actually did. Layer 2 — AI Production Discipline — prevents errors before deploy via the methodology Bonis already operates under (Truth Protocol three-source rule, multi-pass measurement, Stop-and-Save Rule, Coachbuilt floor, Stealth Posture, Evidence Ledger). Layer 3 — Continuity & Adversarial Resilience — addresses what survives when the network drops, infrastructure fails, or an adversary takes a swing. Three layers, three customer types, one cryptographic spine.
Why three layers and not one?
Each layer answers a different question and serves a different buyer. Layer 1 answers what happened, for an already-deployed operator who needs court-admissible records years later. Layer 2 answers how to prevent errors before deploy, for an about-to-deploy operator who needs the discipline to ship reliably. Layer 3 answers what survives during failure conditions, for life-critical and mission-critical operators where a single network drop or vendor outage cannot collapse the chain of evidence. Conflating the three layers is the most common error when reasoning about agent governance.
What is the cryptographic spine across all three layers?
The Knox primitive — content-addressed SHA-256 commitments, sequence-numbered per stream, hash-linked, Merkle-aggregated hourly, Bitcoin-anchored via OpenTimestamps, post-quantum-signature-ready (ML-DSA-44/65/87, SLH-DSA-128s/192s/256s). The same primitive underwrites Layer 1 (the audit chain), Layer 2 (the Stop-and-Save and ship-receipt anchors that enforce production discipline), and Layer 3 (the canonical chain that the Edge Anchor offline-buffer syncs into when the network returns).
Where does Bonis explicitly not compete?
Three places. (1) Agent control plane — Bonis composes above any control plane (Microsoft Agent 365, AWS Bedrock, Google Vertex AI, Rubrik Agent Govern) and does not compete for the authorization layer. (2) Reasoning generator in Layer 3 — local LLM fallback when hosted models are unreachable is the domain of open-source model families (Llama, Phi, Gemma); Bonis does not ship a reasoning model. (3) Real-time observability — observability tools serve operators inside the deployment in real time; AAM serves external parties years later. The three non-competition lanes are documented inline on the per-layer pages.
Is the architecture defensive only?
Yes — across every layer. Layer 1 produces evidence; Layer 2 prevents defects before deploy; Layer 3 preserves evidence and identity through failure conditions. None of the three layers undertakes offensive action against any external system. The Defensive-Only doctrine is binding across every Knox surface, every Bonis-side agent, and every layer of the architecture.
How does the three-layer architecture relate to the four-layer agent stack?
Different framing for different purposes. The four-layer agent stack on /aam/control-planes (control plane authorizes; identity layer authenticates; runtime executes; AAM evidence layer records) describes the full agent runtime stack from any vendor's deployment perspective. The Bonis three-layer architecture describes where Bonis itself operates — Layer 1 (the AAM evidence layer, equivalent to the fourth layer of the agent stack), Layer 2 (the pre-deploy methodology layer, orthogonal to the runtime stack), Layer 3 (the continuity and resilience layer, orthogonal to the runtime stack). Both framings are correct; they answer different questions.
What is shipped under each layer today?
Layer 1 — Knox primitive, eleven public agents (each with charter / bureau / event taxonomy on /agents), ninety canonical event types, public anchor and verify endpoints, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor, public TLA+ specification, post-quantum signatures across six NIST FIPS 204/205 parameter sets. Layer 2 — Bonis operates the methodology daily; productization (SDK, hooks, Evidence Ledger templates) is scoped under Tier D in the build queue. Layer 3 — anchor primitives, multi-chain routing, and PQC stack shipped; Knox Edge Anchor SW appliance and HSM/TPM binding in active scope per Tier C build queue. Each layer's per-page surface discloses its current state honestly.
Does naming Microsoft Agent 365, AWS Bedrock, or other public products imply a relationship?
No. Naming public products on this page describes the operational landscape — the same convention used on /aam/control-planes and /aam/announcement. It does not imply that any vendor named is a partner, customer, prospect, or operational counterparty of Bonis Systems. Operators evaluating Bonis architecture should consult each vendor's own published product documentation for authoritative product definitions, license terms, and roadmap.