AAM · Control-plane compatibility

Above any control plane.

A control plane decides what an agent is permitted to attempt. An identity layer decides who the agent is. A runtime executes the call. AAM produces the tamper-evident record of what actually happened — a separate layer, independently verifiable, durable past every vendor in the stack. Bonis Knox runs above any control plane.

Vendor-neutral · Content-addressed · Bitcoin-anchored · Post-quantum (ML-DSA-87) · FRE 902(13)/(14) architectural fit · Defensive only

Four layers, four jobs

Each layer answers a different question.

A mature agent stack runs all four. They do not replace each other, and AAM does not replace any of them. Confusing the layers is the most common error when reasoning about agent governance.

Layer · Authorization

Control plane

What is the agent permitted to attempt?

Policy, tool allow-lists, data scopes, counter-party rules, spend limits. Decides whether an action is allowed before it occurs.

Layer · Identity

Agent identity / name service

Who is this agent, cryptographically?

Agent identifiers, signing keys, federation, name resolution. Decides whether the actor is who it claims to be.

Layer · Execution

Runtime / framework

How does the agent's call actually run?

Hosted agents, orchestration frameworks, tool gateways. Executes the authorized call against the world.

Layer · Evidence

AAM (Bonis Knox)

What did the agent actually do, and is the record still verifiable years from now?

Content-addressed commitments, hash chain, hourly Merkle aggregation, Bitcoin anchor. Produces tamper-evident records the layers above cannot rewrite.


The public landscape

The control-plane category is forming in public.

Major platforms have publicly announced agent control planes and adjacent governance products. Each occupies a distinct position in the stack above. None of them is the AAM layer. Bonis Knox is content-addressed and treats each as an upstream source of structured action records — without taking a position on which an operator should choose.

Control plane

Microsoft Agent 365

Publicly described as a control plane for agents — agent identifiers, authorization policy, audit logging, and hosted agent runtime. Knox composes above it: structured action records emitted from Agent 365 are content-addressable and can be Bitcoin-anchored as Knox events.

Governance / undo

Rubrik Agent Govern

Publicly positioned around immutable auditability and safe undo of agent actions, built on snapshot infrastructure. Knox is complementary: a content-addressed external chain plus a public-chain anchor that no party — including Bonis — can rewrite.

Hosted runtime

AWS Bedrock agent runtime

Hosted agent execution, tool integration, orchestration. Knox runs above any runtime: action records emitted from Bedrock-hosted agents can be hashed and anchored on the same primitive as records from any other runtime.

Hosted runtime

Google Vertex AI agent runtime

Hosted agent execution and orchestration on Google Cloud. Knox is runtime-neutral: agent action records emitted from Vertex are content-addressable and anchorable on the same terms as records from any other hosted runtime.

Open spec · identity

IETF Agent Name Service draft

An open specification for agent identifiers and name resolution. Knox composes alongside any agent identity scheme — the chain-of-command stamp on each Knox event embeds the agent identifier produced by whichever name service the operator runs.

Open spec · tools

Model Context Protocol · A2A

Open specifications for tool integration and agent-to-agent communication. Knox sits above both: tool-call records and A2A exchanges are hashable artifacts that flow into Knox the same way any other agent action does.

Worked-example integration brief: Microsoft Agent 365 + Bonis Knox AAM Integration Brief — published in advance of the publicly announced General Availability date of 2026-05-01. Sibling briefs for AWS Bedrock, Google Vertex AI, and Rubrik Agent Govern will follow the same shape and the same vendor-neutral disclosure as that brief.

Naming public products on this page describes the landscape. It does not imply that any vendor named here is a partner, customer, or prospect of Bonis Systems, nor that any operational engagement exists with any of them.


Why a separate layer is necessary

An audit log that lives inside the system being audited is not an audit.

A control plane can write its own audit log. So can a runtime. So can the operator. Each of those logs is useful to the organization that runs it — and each is, by construction, mutable by that organization.

The questions that arrive after an incident, after an acquisition, after a contract dispute, after a regulator opens a file, are not questions the original operator’s audit log can credibly answer alone. They are questions an external chain — content-addressed, anchored to a public chain, verifiable without the original vendor — must answer.

That is why AAM is a layer, not a feature of the control plane. The independence between the layer that authorized the action and the layer that records what was done is the property that makes the record useful to a third party.
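
The mechanism named for the evidence layer (content-addressed commitments, a hash chain, Merkle aggregation of a window) and the independence argument above can be sketched in a few lines. This is an added example, not Bonis Knox code. The record fields, the canonical-JSON encoding, the use of SHA-256 and the Merkle construction are all assumptions, and the anchoring step itself is left out: `anchoredRoot` stands in for the value that would be timestamped outside the operator's control.

```javascript
// Added example. Record fields, canonical JSON and SHA-256 are assumptions, not the Knox format.
const { createHash } = require('node:crypto');
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Canonical JSON (sorted keys) so a record's content address ignores key order.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    const body = Object.keys(v).sort().map((k) => JSON.stringify(k) + ':' + canonical(v[k]));
    return '{' + body.join(',') + '}';
  }
  return JSON.stringify(v);
}

// Hash chain: each link commits to the record's content hash and the previous link.
function buildChain(records) {
  let prev = '0'.repeat(64);
  return records.map((r) => {
    const contentHash = sha256(canonical(r));
    prev = sha256('link:' + prev + contentHash);
    return { contentHash, link: prev };
  });
}

// Merkle root of one aggregation window; an unpaired node is promoted unchanged.
function merkleRoot(links) {
  if (links.length === 0) return sha256('empty');
  let level = links.map((l) => sha256('leaf:' + l));
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      next.push(i + 1 < level.length ? sha256('node:' + level[i] + level[i + 1]) : level[i]);
    }
    level = next;
  }
  return level[0];
}

// A verifier recomputes the root from the records it is shown and compares it to the anchored one.
const matchesAnchor = (records, root) =>
  merkleRoot(buildChain(records).map((e) => e.link)) === root;

// Constructed sample window of agent action records.
const windowRecords = [
  { agent: 'agent-a.example', tool: 'crm.read', args: { id: 17 }, ts: '2026-01-01T10:00:05Z' },
  { agent: 'agent-a.example', tool: 'payments.send', args: { amount: 900 }, ts: '2026-01-01T10:00:09Z' },
  { agent: 'agent-b.example', tool: 'mail.send', args: { to: 'ops' }, ts: '2026-01-01T10:00:31Z' },
];
const anchoredRoot = merkleRoot(buildChain(windowRecords).map((e) => e.link));
// The stored log is later rewritten; rebuilding its chain keeps it internally consistent.
const rewritten = windowRecords.map((r, i) => (i === 1 ? { ...r, args: { amount: 90 } } : r));
```

A chain rebuilt from `rewritten` is self-consistent, so a check confined to the operator's own store passes; only `matchesAnchor(rewritten, anchoredRoot)` returns false, because the root was fixed before the rewrite.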


Properties of the layer

What composing above gives you.

Vendor-neutral by construction

Records are content-addressed. The same Knox primitive anchors an action authorized by one control plane and an action authorized by another. Operators are not asked to pick between an audit layer and a control plane.

Independent of any single vendor

Verification runs against the public Bitcoin chain via OpenTimestamps. It does not require Bonis, the control plane, or the runtime to be online, in business, or cooperative.

Survives the stack

A control plane may be deprecated, replaced, or acquired. The runtime may change. The operator may change. The anchored record remains verifiable against the public chain regardless of what happens above it.

Post-quantum resilient

Records may carry post-quantum signatures via Knox Agent #11 Layer 4 — ML-DSA-44 / 65 / 87 (NIST FIPS 204) and SLH-DSA-128s / 192s / 256s (NIST FIPS 205). The audit chain remains verifiable under threat models that assume a future quantum-capable adversary.

Self-authenticating affidavit

Every anchor resolves to a court-ready affidavit architected for FRE 902(13) and 902(14) self-authentication. Admissibility in any given matter is determined by the presiding court; the structural requirements are met by the architecture.

Composes with any identity scheme

Each Knox event carries a chain-of-command stamp embedding the agent identifier from whichever name service or identity provider the operator runs. The audit layer does not impose an identity model.


Standards alignment

Open specs, public chain, no proprietary lock-in.

Post-quantum cryptography

NIST FIPS 204 (ML-DSA / Dilithium) and FIPS 205 (SLH-DSA / SPHINCS+) shipped on Knox Agent #11 Layer 4 via @noble/post-quantum. ML-DSA-87 is the same primitive specified in academic agent-trust protocols.

@noble/post-quantum · 6 parameter sets · live

AITH academic protocol

AITH (Agent Identity and Trust Handshake) is a published academic protocol that uses ML-DSA-87 for agent authentication, with formal verification under the Tamarin Prover. Knox already ships ML-DSA-87 — primitive-level alignment without coupling.

arXiv:2604.07695 · Tamarin-verified · open spec

Public-chain anchoring

OpenTimestamps over Bitcoin. Any third party with an OpenTimestamps client and a Bitcoin full node can verify any Knox anchor without Bonis being in the loop.

opentimestamps.org · Bitcoin · independent

Federal Rules of Evidence

Anchors and their derived affidavits are architected to meet the self-authentication requirements of FRE 902(13) and 902(14). Admissibility in any given matter is determined by the presiding court.

FRE 902(13) · 902(14) · architectural fit

Defensive only

Evidence layer, not enforcement.

Bonis Systems does not access any third-party control plane, runtime, or identity provider. Operators who want a Knox record of agent actions instrument their own emit path. The audit layer is invitational. Bonis produces the evidence; lawful authority — courts, regulators, platform owners — decides what to do with it. The takedown, when there is one, belongs to lawful authority, not to Bonis.



Public references on this page are to publicly announced products, open specifications, and academic publications. They describe the landscape in which AAM operates. No partnership, customer status, prospect status, or operational engagement with any vendor named here is implied or claimed. AITH is cited from arXiv:2604.07695 (Agent Identity and Trust Handshake, Tamarin-verified). Federal Rules of Evidence 902(13) and 902(14) are cited as architectural targets; admissibility in any matter remains a determination of the presiding court.

USPTO provisional applications, inventor of record Jonis Aaron Fields: 64/038,359 (Knox · 2026-04-13), 64/012,440 (TerraVault · 2026-03-21), 64/036,498 (TrustAI · 2026-04-11), 64/002,221 (HealthAgent · 2026-03-11), 64/013,240 (DealMatcher · 2026-03-22). Provisionals are priority-date footnotes; the operating moat is shipping code, public anchors, and open-standard alignment. Bonis Systems LLC · UEI R2BPJDC5CBA3 · CAGE 1TSP2.