Governance Controls
Most-restrictive-wins. Always.
A platform that issues 50 million governed decisions a day needs more than a single off-switch. Trinitite ships seven layers of independent control — from a fleet-wide kill switch down to per-call retry budgets and IMDS metadata shielding. Operators interleave them; the platform always honors the most restrictive level that applies.
L0 → L6 — most-restrictive-wins
At every decision the most restrictive level that applies wins. A per-NHI suspension (L2) overrides a route breaker (L4); an org-wide block (L1) overrides everything below.
The seven levels
L0 — Emergency Shutdown
Trips the entire control plane. All inference and MCP traffic halts. Reserved for "we just discovered a critical compromise" scenarios. A single API call (or a dashboard click backed by 2-of-N approvals) takes the fleet offline. Restoring service is also explicit — the platform does not auto-recover from L0.
L1 — Org Settings
Coarse-grained org-wide policy: block model families, providers, regions, or tool classes for the whole tenant. Useful for a temporary "no Anthropic until we clear an issue" or "no MCP tools touching production for the next 4 hours." Changes are themselves logged to the Glass Box Ledger as config-audit events.
L2 — Per-NHI Profile
Suspend, downgrade, or rate-limit a specific Non-Human Identity without touching its peers. The right knob when one agent has gone weird and you need to stop it without disrupting the rest of the fleet. See NHI Governance for the tier model.
L3 — Economic Session Breaker
Per-session token-burn caps and dollar ceilings. The breaker trips automatically when an agent is about to exceed its session budget; the trip is recorded as a session.economic.tripped event. Resetting requires either a config change (raise the ceiling) or operator approval. This is the layer that catches runaway loops before they invoice you.
L4 — Inference / MCP Breaker
Open the breaker on a specific provider, model, or MCP server. When the breaker is open, calls to that route fail fast with a deterministic route_breaker_open error — no retries against a flaky upstream. Auto-closes after a configurable cool-down or stays manual.
L5 — EX-2.7 Retry Limiter
Per-call retry budget. The Guardian tolerates a small, configurable number of upstream-side failures before tripping the retry limiter. Exceeded retries collapse to a soft-breaker state at L4. Prevents a single failing tool from generating thousands of redundant Guardian decisions.
L6 — IMDS Shield
Egress-side shield that blocks AI tool calls and code-completion outputs from reaching Instance Metadata Service endpoints (e.g. 169.254.169.254 on AWS). One of the most exploited paths in agentic AI compromises; the shield catches it deterministically regardless of how the AI tried to reach it. See Skill Vault for related supply-chain controls.
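The ladder in practice, as an added example rather than Trinitite's own code: a small Python model of L0 through L5 in which each request is checked from L0 upward and the first level that applies is the decision, which is exactly the most-restrictive-wins rule (a suspended NHI is denied at L2 even when its route breaker at L4 is also open). The names Posture, Request and decide, the retry budget of 3, the cent-denominated session budgets and the event tuples are all assumptions made for the example; L6 is left out here because it inspects egress hosts rather than walking the ladder.

```python
from dataclasses import dataclass, field
from enum import IntEnum


# Hypothetical model of the control ladder (added example, not product code).
# Lower number = more restrictive, so evaluating from L0 upward and stopping at
# the first hit returns the most restrictive level that applies.
class Level(IntEnum):
    L0_EMERGENCY_SHUTDOWN = 0
    L1_ORG_SETTINGS = 1
    L2_NHI_PROFILE = 2
    L3_ECONOMIC_SESSION = 3
    L4_ROUTE_BREAKER = 4
    L5_RETRY_LIMITER = 5


@dataclass
class Request:
    nhi: str                       # Non-Human Identity making the call
    provider: str                  # e.g. "anthropic"
    route: str                     # provider/model or MCP server the call targets
    session: str                   # session id the economic breaker accounts against
    cost_cents: int                # estimated cost of this call (assumed unit)
    upstream_failed: bool = False  # did the previous attempt on this route fail upstream?


@dataclass
class Posture:
    emergency_shutdown: bool = False                            # L0
    org_blocked_providers: set = field(default_factory=set)     # L1: providers blocked tenant-wide
    suspended_nhis: set = field(default_factory=set)            # L2: suspended identities
    session_ceiling_cents: dict = field(default_factory=dict)   # L3: session -> dollar ceiling
    session_spent_cents: dict = field(default_factory=dict)     # L3: session -> spent so far
    open_breakers: set = field(default_factory=set)             # L4: routes whose breaker is open
    retry_budget: int = 3                                       # L5: tolerated upstream failures
    retry_failures: dict = field(default_factory=dict)          # L5: (session, route) -> failures
    events: list = field(default_factory=list)                  # constructed audit trail


def decide(p: Posture, r: Request):
    """Return ("allow", None) or ("deny", Level). First hit wins: L0 beats L1 beats L2 ..."""
    if p.emergency_shutdown:
        return "deny", Level.L0_EMERGENCY_SHUTDOWN
    if r.provider in p.org_blocked_providers:
        return "deny", Level.L1_ORG_SETTINGS
    if r.nhi in p.suspended_nhis:
        return "deny", Level.L2_NHI_PROFILE
    # L3: trip on the call that *would* exceed the ceiling, not after the overrun.
    ceiling = p.session_ceiling_cents.get(r.session)
    if ceiling is not None:
        projected = p.session_spent_cents.get(r.session, 0) + r.cost_cents
        if projected > ceiling:
            p.events.append(("session.economic.tripped", r.session, projected, ceiling))
            return "deny", Level.L3_ECONOMIC_SESSION
    if r.route in p.open_breakers:
        return "deny", Level.L4_ROUTE_BREAKER  # fail fast: route_breaker_open, no retry
    # L5: count upstream failures per (session, route); exceeding the budget collapses
    # into a soft-open L4 breaker so every later call on that route fails fast at L4.
    key = (r.session, r.route)
    if r.upstream_failed:
        p.retry_failures[key] = p.retry_failures.get(key, 0) + 1
        if p.retry_failures[key] > p.retry_budget:
            p.open_breakers.add(r.route)
            p.events.append(("route_breaker_open", r.route, "soft", "retry_limiter"))
            return "deny", Level.L5_RETRY_LIMITER
    # Allowed: account the spend against the session budget.
    p.session_spent_cents[r.session] = p.session_spent_cents.get(r.session, 0) + r.cost_cents
    return "allow", None


def demo():
    """Walk a constructed posture through the scenarios the level descriptions mention."""
    p = Posture(session_ceiling_cents={"s1": 500}, open_breakers={"openai/gpt"})
    p.suspended_nhis.add("agent-7")
    results = []
    # A suspended NHI (L2) is denied at L2 even though its route breaker (L4) is also open.
    results.append(decide(p, Request("agent-7", "openai", "openai/gpt", "s1", 10)))
    # A healthy NHI spends 300, then asks for 300 more: L3 trips before the overrun.
    results.append(decide(p, Request("agent-1", "anthropic", "anthropic/claude", "s1", 300)))
    results.append(decide(p, Request("agent-1", "anthropic", "anthropic/claude", "s1", 300)))
    # Four consecutive upstream failures on one tool exhaust the budget of 3 and
    # collapse into a soft L4 breaker; the next ordinary call then fails at L4.
    for _ in range(4):
        last = decide(p, Request("agent-1", "mcp", "mcp/flaky-tool", "s2", 1, upstream_failed=True))
    results.append(last)
    results.append(decide(p, Request("agent-1", "mcp", "mcp/flaky-tool", "s2", 1)))
    # L0 overrides everything below it.
    p.emergency_shutdown = True
    results.append(decide(p, Request("agent-1", "anthropic", "anthropic/claude", "s3", 1)))
    return results, p.events


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The order of the `if` checks is the whole policy: because lower levels are tested first, adding a new control never needs a priority table, only the right position in the ladder.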
Programmatic access
Every control is exposed via the Governance Controls API. Typical operations:
- POST /v1/governance/shutdown — trip L0 (requires emergency RBAC).
- POST /v1/governance/breakers/:route — open / close an L4 breaker.
- POST /v1/governance/nhi/:id/suspend — L2 per-NHI suspension.
- GET /v1/governance/state — full posture snapshot, including which level is the most restrictive in effect for any given route or NHI.
Every control transition writes a Merkle-chained config-audit event. Reverting a control still writes — there is no "untrip" without an audit trail.
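What "no untrip without an audit trail" buys you, as an added example that is not the Glass Box Ledger's own format: a hash-chained config-audit log in Python where each entry commits to the previous entry's digest. Closing a breaker appends a second event rather than erasing the first, editing any earlier entry breaks every link after it, and the one thing a bare chain cannot detect, silent truncation of the tail, is caught only when the latest head hash is pinned somewhere outside the log. The field names, the SHA-256 chaining scheme and the all-zero genesis value are assumptions of this example.

```python
import copy
import hashlib
import json

# Assumed genesis value for the first entry's "prev" link (not Trinitite's).
GENESIS = "0" * 64


def _digest(entry):
    """SHA-256 over the canonical JSON of the entry minus its own hash field."""
    unsigned = {k: v for k, v in entry.items() if k != "hash"}
    body = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append_event(chain, event):
    """Append a config-audit event; the entry commits to the previous entry's hash."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event}
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return (True, None) if every link holds, else (False, index of the first bad entry).
    When expected_head is given, the chain must also end at that hash; a truncated
    chain then fails with index len(chain), i.e. "entries missing after here"."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo():
    """Constructed L4 open/close pair, then three tampering attempts against copies."""
    chain = []
    append_event(chain, {"level": "L4", "action": "open", "route": "anthropic/claude", "actor": "oncall"})
    closing = append_event(chain, {"level": "L4", "action": "close", "route": "anthropic/claude", "actor": "oncall"})
    head = closing["hash"]  # what an operator would pin outside the log

    edited = copy.deepcopy(chain)
    edited[0]["event"]["actor"] = "nobody"   # rewrite history: who opened the breaker?
    truncated = chain[:1]                    # drop the "close" event entirely

    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "truncated_unpinned": verify_chain(truncated),
        "truncated_pinned": verify_chain(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical takeaway is the last two results: a chain alone proves order and integrity of what remains, and only an externally pinned head proves completeness.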
Choosing the right level
| Scenario | Use level | Why |
|---|---|---|
| Compromised credential, blast radius unknown | L0 | Fastest fleet-wide stop; investigate from a known-clean state. |
| Provider outage we don't trust | L4 | Open the breaker for that provider; everything else keeps running. |
| Single agent looping on a flaky tool | L5 | Retry limiter trips before the loop generates significant cost. |
| Test tenant accidentally pointed at a real LLM provider | L1 | Block the provider for the whole tenant in one config change. |
| Refund bot calculated a $9.9M refund | L3 | Economic session breaker cuts it off mid-session, not after the fact. |
| Code-completion model emits an IMDS curl | L6 | Egress shield blocks regardless of how the curl was constructed. |
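The last row above hinges on "regardless of how the curl was constructed". As an added example that is not Trinitite's shield, here is the host normalisation an L6 check needs in Python: the URL's host is reduced to an address the lenient way libc's inet_aton does (dotted quad, fewer than four parts, decimal, hex and octal forms) before it is compared with the metadata endpoints, so that spelling variants of the same address all resolve to the same decision. The AWS IPv4 endpoint 169.254.169.254 comes from the page; the AWS IPv6 IMDS endpoint fd00:ec2::254, the function names, the "unresolved" verdict for DNS names and the optional resolver hook are assumptions of this example, and the endpoint set should be extended for whatever cloud the reader runs on.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed metadata endpoints: AWS IPv4 (from the page) and AWS IPv6 (assumption).
IMDS_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def _atoi(part):
    """One dotted component the way inet_aton reads it: 0x hex, 0 octal, else decimal."""
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part)


def _inet_aton(host):
    """Lenient IPv4 parse: 1 to 4 dot-separated parts, the last filling the remaining bytes.
    Returns an IPv4Address or None when the host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_atoi(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    if any(not 0 <= n <= 255 for n in head):
        return None
    last_bits = 8 * (4 - len(head))
    if not 0 <= last < (1 << last_bits):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << last_bits) | last)


def _literal_ip(host):
    """Address for a literal host (IPv6, IPv4-mapped IPv6, or any inet_aton spelling of IPv4)."""
    if ":" in host:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return None
        return ip.ipv4_mapped or ip   # ::ffff:169.254.169.254 is still IMDS
    return _inet_aton(host)


def check_egress(url, resolve=None):
    """Classify an outbound URL: ("block", addr), ("allow", addr) or ("unresolved", name).
    resolve is an assumed hook (name -> list of address strings) so a DNS name that
    resolves to a metadata address is blocked as well; without it, names are left for
    the connect-time check."""
    if "://" not in url:
        url = "//" + url   # bare "169.254.169.254/latest" as a curl argument
    host = urlsplit(url).hostname
    if not host:
        return "block", "no host"
    ip = _literal_ip(host)
    if ip is not None:
        return ("block" if ip in IMDS_ADDRESSES else "allow"), str(ip)
    if resolve is None:
        return "unresolved", host
    for addr in resolve(host):
        resolved = _literal_ip(addr)
        if resolved in IMDS_ADDRESSES:
            return "block", f"{host} -> {resolved}"
    return "allow", host


if __name__ == "__main__":
    # Constructed resolver standing in for DNS.
    fake_dns = {"metadata.internal.example": ["169.254.169.254"]}.get
    for u in ["http://169.254.169.254/latest/meta-data/", "http://2852039166/latest/",
              "http://0xA9FEA9FE/", "http://169.254.43518/", "http://[fd00:ec2::254]/",
              "https://api.example.com/v1", "http://metadata.internal.example/"]:
        print(u, "->", check_egress(u, resolve=lambda h: fake_dns(h, [])))
```

Because the comparison happens after normalisation, the shield's decision is a function of the destination address rather than of the string the model emitted; the "unresolved" verdict is deliberate, since a DNS name can only be judged once it has been resolved at connect time.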
What's next
→ NHI Governance — the per-identity layer (L2) and tier ladder.
→ MCP Gateway — where L4 and L5 most often trip.
→ Glass Box Ledger — every control transition is recorded here.
→ Governance Controls API — the programmatic surface.