AG-784

Adaptive Threat Level Escalation

Group H -- Containment & Response · AGS v2.1 · April 2026
EU AI Act · SOX · FCA · ISO 27001

1. Definition

Adaptive Threat Level Escalation governs the real-time escalation of threat levels within an autonomous agent governance framework. The protocol defines a five-tier threat scale (Level 1 through Level 5) and establishes the rules by which an agent's operating environment transitions upward through these tiers in response to events generated by the detection pipeline. The core rationale is that static threat postures are inadequate for modern autonomous systems operating in adversarial environments; governance must be capable of dynamically adjusting its defensive posture as conditions change.

The escalation mechanism operates on the principle of evidence-weighted triggers. Each detection event carries metadata including source confidence, temporal proximity to prior events, and severity classification. These attributes feed into an escalation function that determines whether the current threat level should increase. The protocol ensures that escalation decisions are deterministic given the same input state, enabling reproducibility and auditability of every transition. This determinism is essential for regulatory compliance, where supervisory bodies require that governance decisions be explainable and traceable.

The distinction between this protocol and traditional alerting systems is structural enforcement. Rather than merely notifying operators, AG-784 mandates that threat level changes trigger concrete governance actions — tightening operational boundaries (per AG-001), increasing logging fidelity (per AG-006), and restricting delegated authority (per AG-009). The threat level is not an advisory metric; it is an operational state variable that reshapes the agent's governance envelope in real time.

2. Scope

This protocol applies to all autonomous agents, semi-autonomous systems, and orchestrated multi-agent deployments operating under the Agent Governing framework. Specifically:

3. Why This Matters

Autonomous agents operating in financial services, critical infrastructure, and regulated industries face a spectrum of adversarial threats ranging from prompt injection to coordinated multi-agent manipulation. Without adaptive threat escalation, a governance framework operates at a fixed defensive posture — either too permissive (allowing attacks to succeed) or too restrictive (impeding legitimate operations). Neither extreme is acceptable in production environments.

Concrete Failure Scenario: A financial trading agent governed at a static threat level processes a sequence of subtly manipulated market data inputs over a 90-second window. Each individual input falls below the anomaly detection threshold, but their cumulative effect steers the agent toward executing a series of wash trades. Without adaptive escalation, the governance layer never tightens restrictions because no single event triggers an alert. With AG-784 in place, the composite scoring engine (AG-790) feeds weighted signals into the escalation function, which raises the threat level from 2 to 4 within 30 seconds, triggering mandatory human oversight (AG-019) and halting autonomous trade execution.

From a regulatory perspective, the EU AI Act (Article 9, Risk Management) requires that high-risk AI systems implement measures proportionate to identified risks, including the ability to respond to emerging threats. SOX Section 302 mandates that internal controls over financial reporting be responsive to changing risk conditions. The FCA's SYSC 6.1.1 requires firms to establish effective risk management systems. AG-784 operationalises these requirements by embedding dynamic risk response directly into the governance infrastructure.

4. Requirements

5. Maturity Model

Basic

At the Basic level, an organisation has implemented a numeric threat level variable that can be set manually or through simple threshold-based rules. Escalation is triggered by individual detection events exceeding a fixed severity threshold. Logging of threat level changes exists but may lack full metadata. There is no integration with composite scoring, and escalation decisions are not deterministic across distributed deployments. Human operators can override threat levels without cryptographic controls.

Intermediate

At the Intermediate level, the escalation function incorporates multiple detection sources and applies weighted scoring (integrating with AG-790). Escalation decisions are deterministic and logged with full metadata including triggering event identifiers and function output scores. Threat level changes automatically trigger governance actions (boundary tightening, enhanced logging) at defined thresholds. Hysteresis mechanisms prevent oscillation. Manual overrides require authenticated authorisation but may not yet use cryptographic signing.

Advanced

At the Advanced level, the escalation engine operates with sub-500ms latency, integrates with federated threat propagation (AG-788), and all escalation decisions are cryptographically attributable (AG-016). The escalation function has been validated through independent adversarial testing, including simulated attack sequences designed to evade detection. Governance state is sealed at critical thresholds (AG-786), and the complete escalation history is tamper-evident (AG-006). The system supports per-agent-class threshold configuration and has demonstrated correct behaviour under sustained adversarial load in production-equivalent environments.

6. Test Criteria

7. Scoring

| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No threat level variable exists. The system operates at a fixed governance posture with no dynamic escalation capability. |
| 1 | Basic | A threat level variable exists and can be modified by detection events, but escalation logic is instruction-level (e.g., scripted rules), non-deterministic, or lacks full metadata logging. Manual overrides are unrestricted. |
| 2 | Infrastructure-layer enforcement | Escalation is enforced at the infrastructure layer with deterministic logic, full metadata logging, automatic governance action triggers at defined thresholds, and authenticated manual override controls. Integration with composite scoring and federated propagation is operational. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated by independent adversarial testing. Test campaigns include simulated multi-vector attack sequences, escalation evasion attempts, and sustained load testing. Results are documented and sealing integrity is confirmed. |

8. Failure Scenarios

F1: Escalation Latency Exceeds Threshold (Maps to R2)

Scenario: The escalation engine experiences processing delays due to queue congestion in the detection pipeline, causing threat level evaluation to exceed the 500ms requirement. During the delay window, an adversary exploits the stale threat level to execute actions that would have been blocked at the higher level.

Impact: HIGH. The agent operates with insufficient governance restrictions during the delay. In a financial context, this could permit unauthorised transactions. In a safety-critical context, it could allow harmful actions to proceed unchecked.

Mitigation: Implement priority queuing for escalation evaluations, monitor engine latency with circuit-breaker patterns, and default to escalation (fail-closed) when latency thresholds are breached.

F2: Non-Deterministic Escalation Across Distributed Nodes (Maps to R6)

Scenario: Two governance nodes processing the same event stream produce different escalation decisions due to floating-point inconsistencies, clock skew, or race conditions in event ordering. This creates a split-brain condition where one node operates at Level 3 while the other operates at Level 4.

Impact: CRITICAL. Split-brain governance undermines the entire framework's reliability. Agents may receive contradictory governance directives, and audit trails become inconsistent. Regulatory investigations could be hampered by conflicting records.

Mitigation: Use integer arithmetic exclusively in the escalation function, enforce event ordering through sequence numbers, and implement consensus protocols for multi-node deployments.
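The F2 mitigation, and the cumulative sub-threshold sequence from the failure scenario in section 3, can be made concrete with a small replayable escalation function. This is an added example, not code from AG-784 or the AgentGoverning framework; the window length, thresholds, weight formula and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

WINDOW_MS = 90_000                                     # assumed sliding window
THRESHOLDS = ((5, 900), (4, 500), (3, 250), (2, 100))  # assumed (level, min score)

@dataclass(frozen=True)
class Event:
    seq: int         # sequence number assigned once by the ingestion pipeline
    ts_ms: int       # ingestion timestamp in integer milliseconds
    severity: int    # 1..10 (assumed scale)
    confidence: int  # source confidence, integer percent 0..100

def weight(e: Event) -> int:
    # Integer product only: no floats, so every node computes the same score.
    return e.severity * e.confidence

def level_for(score: int) -> int:
    for level, minimum in THRESHOLDS:
        if score >= minimum:
            return level
    return 1

def escalate(current_level: int, events):
    """Replay events in sequence order; return (level, transitions).

    Upward-only: de-escalation is a separate process (AG-785 on this page).
    """
    level, window, seen, transitions = current_level, [], set(), []
    for e in sorted(events, key=lambda ev: ev.seq):  # arrival order is ignored
        if e.seq in seen:                            # redelivered event
            continue
        seen.add(e.seq)
        # Window is computed from event timestamps, never the local clock.
        window = [w for w in window if e.ts_ms - w.ts_ms <= WINDOW_MS] + [e]
        score = sum(weight(w) for w in window)
        target = level_for(score)
        if target > level:
            # Audit record: triggering seq, old level, new level, score.
            transitions.append((e.seq, level, target, score))
            level = target
    return level, transitions

# Constructed sample: six low-weight events, 15 s apart, each weight 120.
SAMPLE = [Event(seq=i, ts_ms=i * 15_000, severity=3, confidence=40)
          for i in range(1, 7)]

if __name__ == "__main__":
    print(escalate(2, SAMPLE))
    print(escalate(2, list(reversed(SAMPLE)) + SAMPLE[:2]))  # same result
```

Two nodes that receive the same events in different arrival orders, or with redeliveries, produce the same level and the same transition records, which is what a Level 3 / Level 4 split-brain check would compare.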

F3: Unauthorised Manual Override Bypasses Escalation (Maps to R10)

Scenario: A compromised operator account or insider threat manually reduces the threat level from 4 to 2, bypassing the cryptographic authorisation requirement. The governance layer relaxes restrictions, and an ongoing attack proceeds without adequate containment.

Impact: CRITICAL. Manual override without proper authorisation negates the adaptive escalation mechanism entirely. The attacker effectively controls the governance posture.

Mitigation: Require multi-party cryptographic authorisation for any manual de-escalation (AG-017), log all override attempts (successful and failed) to the tamper-evident record (AG-006), and alert on any override that occurs during an active threat sequence.

F4: Escalation Function Ignoring Composite Scores (Maps to R8)

Scenario: The escalation function is configured to operate solely on individual event severity, ignoring the composite threat score provided by AG-790. A coordinated low-severity attack that individually falls below thresholds but collectively represents a significant threat never triggers escalation.

Impact: HIGH. The system is blind to distributed or slow-burn attacks that rely on staying below individual detection thresholds.

Mitigation: Ensure composite scoring integration is tested as part of standard deployment verification (TC8) and treat absence of AG-790 integration as a finding in compliance audits.

9. Regulatory Mapping

| Requirement | EU AI Act | SOX | FCA SYSC | ISO/IEC |
|---|---|---|---|---|
| R1: Threat level state variable | Art. 9(2)(a) — Risk identification | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.7 |
| R2: 500ms evaluation latency | Art. 9(2)(b) — Risk estimation | -- | SYSC 6.1.2 | ISO/IEC 27005:2022 Cl. 8.2 |
| R3: Transition logging | Art. 12 — Record-keeping | Sec. 302, 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15 |
| R4: Level 4 automatic actions | Art. 9(4)(b) — Mitigation measures | Sec. 302 | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24 |
| R5: Level 5 human oversight + sealing | Art. 14 — Human oversight | Sec. 302 | SYSC 6.1.1, 3.2.20 | ISO/IEC 27001:2022 A.5.24 |
| R6: Deterministic escalation | Art. 9(7) — Testing | Sec. 404 | SYSC 6.1.2 | ISO/IEC 25010:2023 |
| R10: Authenticated override | Art. 14(4)(e) — Override capability | Sec. 302 | SYSC 3.2.20 | ISO/IEC 27001:2022 A.5.3 |

| Protocol | Relationship |
|---|---|
| AG-785 (Threat Level Auto-Decay and Stabilisation) | Complementary: AG-785 governs the reverse process of de-escalation when threats subside. |
| AG-786 (Cryptographic Governance State Sealing) | Dependency: AG-784 triggers sealing at Level 5 escalation. |
| AG-787 (Governance Seal Integrity Verification) | Supporting: Verifies seals created during escalation events. |
| AG-788 (Federated Threat Level Propagation) | Integration: Escalation events may be broadcast to federated peers. |
| AG-789 (HMAC-Signed Threat Broadcast Authentication) | Security: Authenticates escalation broadcasts between platforms. |
| AG-790 (Multi-Source Weighted Threat Composite Scoring) | Input: Composite scores feed into the escalation function. |
| AG-791 (Pipeline-Integrated Threat Event Ingestion) | Input: Detection pipeline events are the primary trigger for escalation. |
| AG-001 (Operational Boundary Enforcement) | Governance action: Boundaries tighten at elevated threat levels. |
| AG-006 (Tamper-Evident Record Integrity) | Audit: All escalation transitions are recorded in tamper-evident logs. |
| AG-009 (Delegated Authority Governance) | Governance action: Authority restrictions activate at Level 4. |
| AG-012 (Agent Identity Assurance) | Authentication: Override attempts require identity verification. |
| AG-019 (Mandatory Human Oversight Enforcement) | Governance action: Human oversight activates at Level 5. |

Document generated under Patent 7 governance framework. Classification: INTERNAL. Review cycle: Quarterly.

Cite this protocol
AgentGoverning. (2026). AG-784: Adaptive Threat Level Escalation. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-784