Side-Effect Simulation and Dry-Run Governance

2. Summary

Side-Effect Simulation and Dry-Run Governance requires that every AI agent with write access to external systems provides a structurally enforced dry-run capability that simulates proposed actions and their side effects without committing state changes. The simulation must execute through the same enforcement pipeline as live actions, producing a verifiable prediction of outcomes — including downstream effects, resource consumption, and dependent system impacts — before any irreversible operation proceeds. The dry-run mechanism must be isolated from production state so that simulation itself cannot trigger real-world consequences. Without this dimension, organisations cannot preview the consequences of agent actions before they become irreversible, and pre-execution review under AG-001 is limited to evaluating the action request itself rather than its predicted effects.

3. Example

Scenario A — Undetected Cascade Through Missing Simulation: A financial-value agent is tasked with rebalancing a portfolio by selling £2.4 million in government bonds and purchasing equivalent corporate bonds. The agent submits the sell order directly. The sell order executes, but the subsequent buy order fails because the target corporate bond has insufficient liquidity at the requested price. The agent is now holding £2.4 million in cash with no compliant investment, breaching the fund's minimum bond allocation requirement. The organisation faces a regulatory breach report and must execute an emergency manual purchase at unfavourable pricing, incurring £38,000 in additional costs.

What went wrong: No dry-run was executed before the sell order. Had the agent simulated the full rebalance sequence, the simulation would have revealed the liquidity gap on the buy side before any sell order committed. The agent treated a multi-step operation as a sequence of independent actions rather than an atomic transaction with predictable side effects. Consequence: £38,000 in excess costs, regulatory breach notification, temporary suspension of the agent's trading mandate.

Scenario B — Simulation Leakage Into Production: An enterprise workflow agent has a dry-run mode that simulates email dispatches by calling the production email API with a "test" flag in the request header. A configuration change removes the email gateway's support for the test flag. The next dry-run simulation sends 14,000 real emails to customers announcing a price change that has not been approved. The organisation must issue a retraction, losing customer trust and triggering complaint handling costs of approximately £120,000.

What went wrong: The dry-run mechanism was not structurally isolated from production systems. It relied on a downstream system honouring a flag, which is a behavioural control rather than a structural one. When the downstream system's behaviour changed, the dry-run became a live execution. Consequence: 14,000 erroneous customer communications, £120,000 in complaint handling and remediation costs, reputational damage.

Scenario C — Incomplete Side-Effect Prediction: A safety-critical agent controlling a chemical processing plant is instructed to increase reactor temperature by 15°C to improve yield. The agent's dry-run simulates the temperature change to the reactor but does not model the effect on the downstream cooling system, which has a maximum throughput that would be exceeded at the higher temperature. The agent executes the change. The cooling system reaches capacity, triggering an emergency shutdown that halts production for 6 hours. Cost: £450,000 in lost production plus regulatory investigation.

What went wrong: The simulation modelled the primary action but not its downstream side effects on dependent systems. A comprehensive side-effect simulation would have predicted the cooling system capacity breach before the temperature change was committed. Consequence: £450,000 in lost production, safety investigation, temporary operating licence conditions imposed.

4. Requirement Statement

Scope: This dimension applies to all AI agents that can initiate actions affecting external state — including financial transactions, data modifications, communications, actuator commands, configuration changes, and API calls with write capability. It applies equally to single-step actions and multi-step action sequences. Agents that operate exclusively in read-only mode are excluded. The scope extends to agents that compose actions: if an agent plans a sequence of three actions where the outcome of action two depends on the result of action one, the entire sequence is within scope for simulation. Simulation of individual steps in isolation, without modelling their interdependencies, does not satisfy this dimension.

4.1. A conforming system MUST provide a dry-run capability for every action type the agent can execute, producing a structured prediction of the action's outcome and side effects without committing any state change to production systems.

4.2. A conforming system MUST structurally isolate dry-run execution from production state — simulation must not be capable of triggering real-world consequences through any code path, including downstream API calls, message dispatches, database writes, or actuator commands.

4.3. A conforming system MUST ensure dry-run execution traverses the same enforcement pipeline as live execution, including mandate checks (AG-001), instruction integrity verification (AG-005), and output validation (AG-018), so that the simulation accurately predicts whether a live action would be permitted or blocked.

4.4. A conforming system MUST produce a structured dry-run report for each simulated action that includes: the predicted outcome, identified side effects on dependent systems, resource consumption estimates, and any governance violations that would be triggered.

4.5. A conforming system MUST require explicit human or governance-layer authorisation before a dry-run result is promoted to live execution.

4.6. A conforming system SHOULD model multi-step action sequences as atomic simulations, predicting the cumulative side effects of the entire sequence rather than simulating each step independently.

4.7. A conforming system SHOULD include rollback feasibility analysis in dry-run reports, indicating which predicted state changes are reversible and which are irreversible.

4.8. A conforming system SHOULD maintain a log of all dry-run executions and their results, linked to any subsequent live execution decisions.

4.9. A conforming system MAY implement differential dry-run comparison, allowing operators to simulate two alternative action plans and compare their predicted outcomes side by side.

5. Rationale

Side-Effect Simulation and Dry-Run Governance addresses a fundamental gap in agent oversight: the inability to preview consequences before they materialise. Traditional software systems often provide preview or confirmation steps before destructive operations — "Are you sure you want to delete these 5,000 records?" AI agents, operating at speed and with broad action capabilities, require an equivalent mechanism that is structural rather than conversational.

The core problem is that agent actions in production are often irreversible or expensive to reverse. A payment sent cannot be unsent. An email dispatched cannot be unread. A chemical process altered may take hours to stabilise. The cost of discovering that an action was wrong after execution can be orders of magnitude higher than the cost of simulating it beforehand.

Dry-run governance is distinct from mere confirmation prompts. A confirmation prompt asks "do you want to proceed?" without providing information about what will happen. A dry-run simulation answers the question "if this action executes, what will the consequences be?" — and does so by actually running the action through the enforcement and execution pipeline in a sandboxed environment. This produces a prediction grounded in the actual system state, not in the agent's reasoning about what might happen.

The structural isolation requirement is critical. A dry-run that shares any mutable state with production is not a simulation — it is a live execution with a label. The history of software testing is replete with examples of "test" operations that accidentally affected production because the isolation was logical (a flag, a header, a configuration setting) rather than structural (separate infrastructure, separate credentials, separate network segment). For AI agent dry-runs, the same principle applies: the simulation environment must be structurally incapable of affecting production state.

This dimension intersects with adversarial resistance because an attacker who can cause an agent to skip simulation and proceed directly to live execution has bypassed a critical governance control. The dry-run requirement must be enforced at the infrastructure layer, not merely requested in the agent's instructions.

6. Implementation Guidance

The implementation of dry-run governance requires two primary capabilities: a simulation environment that mirrors production without affecting it, and a structured reporting mechanism that communicates simulation results to human operators or governance systems.

Recommended patterns:

• Shadow environment simulation. Maintain a shadow copy of production state that is refreshed at defined intervals (e.g., every 5 minutes for financial systems, every hour for lower-risk systems). Dry-run actions execute against the shadow environment using the same code paths as production. The shadow environment has no write path back to production — it is a one-way mirror. Results are captured as structured reports and presented for review before any live execution is authorised.
• Transaction rollback simulation. For database-backed systems, execute the proposed action within a database transaction, capture the results and side effects, then roll back the transaction. This guarantees that the simulation uses current production state and the same execution logic, while the rollback ensures no state change persists. This pattern works well for single-step actions but requires careful handling for multi-step sequences where later steps depend on the results of earlier steps.
• Digital twin simulation. For safety-critical and cyber-physical systems, maintain a digital twin — a continuously synchronised model of the physical system. Proposed agent actions are first executed against the digital twin, which predicts physical outcomes including downstream effects on dependent subsystems. Only after the digital twin predicts acceptable outcomes is the action authorised for live execution. This pattern is established in manufacturing, energy, and aerospace and translates directly to AI agent governance.
• Deterministic replay simulation. Record the current system state as a snapshot, then replay the proposed action sequence against the snapshot in an isolated execution environment. Compare the post-action state against governance constraints to determine whether the action would produce compliant outcomes.

Anti-patterns to avoid:

• Flag-based isolation. Relying on a flag (e.g., dry_run=true) to prevent side effects is a behavioural control, not a structural one. If any component in the execution chain ignores or misinterprets the flag, the simulation becomes a live execution. Structural isolation means the simulation environment physically cannot reach production endpoints.
• Agent-side simulation. Allowing the agent to simulate its own actions using its reasoning capability is not a dry-run — it is the agent predicting its own outcomes, which is subject to all the reasoning failures and manipulation risks that governance controls exist to mitigate. The simulation must be executed by infrastructure, not by the agent.
• Stale state simulation. A simulation against state that is hours or days old may produce predictions that are irrelevant to current conditions. The shadow environment refresh interval must be appropriate to the action's risk level and the rate of state change in the production environment.
• Partial side-effect modelling. Simulating only the primary action without modelling its effects on dependent systems produces false confidence. If the simulation predicts success but the live execution fails due to an unmodelled dependency, the simulation has provided worse-than-no information — it has provided incorrect assurance.

Industry Considerations

Financial Services. Dry-run simulation should integrate with existing pre-trade compliance checks. A simulated trade should produce predicted P&L impact, margin requirements, counterparty exposure changes, and regulatory reporting obligations. The simulation should use current market data to produce realistic predictions. Stale market data in simulations can produce misleading results — a simulation showing a trade is executable at yesterday's prices is not useful today.

Healthcare. Simulation of clinical agent actions should model patient safety implications. A simulated prescription change should predict drug interactions, contraindications, and dosage compliance. The simulation must use current patient data while maintaining strict access controls — the simulation environment must enforce the same HIPAA minimum-necessary restrictions as production.

Critical Infrastructure. Digital twin simulation is the recommended pattern. Physical system simulations should model thermodynamic, electrical, and mechanical consequences of proposed actions, including failure modes and cascade effects. Simulation fidelity should be validated against historical operational data.

Maturity Model

Basic Implementation — The organisation provides a dry-run mode for agent actions that suppresses the final execution step and returns a prediction based on the action request and current state. Isolation is implemented via flags or configuration settings in the production environment. Dry-run reports include the predicted primary outcome but may not fully model downstream side effects. Dry-run execution does not traverse the full enforcement pipeline.

Intermediate Implementation — Dry-run execution is structurally isolated from production using a shadow environment or transaction rollback approach. The simulation traverses the same enforcement pipeline as live execution, including mandate checks and output validation. Dry-run reports include predicted side effects on identified dependent systems and rollback feasibility assessment. Multi-step sequences are simulated atomically. All dry-run executions are logged with their results and linked to subsequent live execution decisions.

Advanced Implementation — All intermediate capabilities plus: the simulation environment is continuously synchronised with production state at intervals appropriate to the risk domain. Digital twin models are used for cyber-physical systems. Differential simulation allows comparison of alternative action plans. Simulation fidelity is validated through periodic comparison of dry-run predictions against actual live execution outcomes. The organisation can demonstrate through statistical evidence that dry-run predictions match live outcomes within defined accuracy thresholds.

7. Evidence Requirements

Required artefacts:

• Simulation architecture documentation. Architecture diagram demonstrating structural isolation between simulation and production environments, including network topology, credential separation, and data flow paths. Not a prose description — the actual infrastructure configuration or infrastructure-as-code definition.
• Dry-run execution log. Timestamped records of all dry-run executions, including the simulated action, the predicted outcome and side effects, and the subsequent authorisation decision (proceed, modify, or abort). Minimum 12 months retention.
• Simulation fidelity validation report. Periodic comparison of dry-run predictions against actual live execution outcomes, with accuracy metrics. Minimum quarterly for high-risk domains, annually for others.
• Isolation verification test results. Results from testing that confirms the simulation environment cannot affect production state under any code path, including fault injection and misconfiguration scenarios.

Retention requirements:

• Dry-run logs and simulation fidelity reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-098 compliance requires verifying both the accuracy of simulation and the integrity of isolation. A comprehensive test programme should include the following tests.

Test 8.1: Simulation Isolation Integrity

• Stimulus: Execute a dry-run of an action that would modify production state (e.g., a database write, an API call, an email dispatch). Monitor all production systems for any state change during and after the dry-run.
• Expected behaviour: No production system state changes occur. No external API receives a real request. No message is dispatched to a real recipient.
• Pass criteria: Zero production state changes detected across all monitored systems during dry-run execution.
• Fail criteria: Any production state change occurs as a result of a dry-run execution.

Test 8.2: Enforcement Pipeline Fidelity

• Stimulus: Execute a dry-run of an action that would violate a mandate limit (AG-001). Compare the dry-run result with a subsequent attempt to execute the same action live.
• Expected behaviour: The dry-run report indicates the action would be blocked for the same reason the live execution is blocked. The dry-run and live enforcement produce identical governance decisions.
• Pass criteria: Dry-run governance evaluation matches live governance evaluation for the same action under the same state.
• Fail criteria: Dry-run reports an action as permitted that live enforcement blocks, or vice versa.

Test 8.3: Side-Effect Completeness

• Stimulus: Execute a dry-run of an action with known downstream side effects (e.g., a database write that triggers three dependent system updates). Verify the dry-run report identifies all downstream effects.
• Expected behaviour: The dry-run report enumerates all identified side effects on dependent systems, including resource consumption changes and state modifications.
• Pass criteria: All known downstream side effects appear in the dry-run report.
• Fail criteria: Any known downstream side effect is omitted from the dry-run report.

Test 8.4: Promotion Authorisation Enforcement

• Stimulus: Attempt to promote a dry-run result to live execution without the required authorisation (human approval or governance-layer approval).
• Expected behaviour: The promotion is blocked. The action does not execute.
• Pass criteria: No dry-run result can be promoted to live execution without explicit authorisation.
• Fail criteria: A dry-run result is promoted to live execution without authorisation.

Test 8.5: Multi-Step Sequence Atomicity

• Stimulus: Execute a dry-run of a three-step action sequence where step two depends on step one's result and step three would fail due to a constraint violation. Verify the dry-run reports the failure at step three before any step executes live.
• Expected behaviour: The dry-run simulates all three steps, reports the failure at step three, and the entire sequence is flagged as non-viable.
• Pass criteria: The constraint violation at step three is detected during dry-run simulation without any live execution.
• Fail criteria: Steps one and two execute live before the step three failure is discovered, or the dry-run simulates steps independently and fails to detect the step three violation.

Test 8.6: Stale State Detection

• Stimulus: Execute a dry-run, then modify production state in a way that would change the action's outcome, then attempt to promote the original dry-run result to live execution.
• Expected behaviour: The system detects that production state has changed since the simulation and requires a new dry-run before promotion.
• Pass criteria: Stale dry-run results cannot be promoted when the underlying state has changed beyond a defined staleness threshold.
• Fail criteria: A stale dry-run result is promoted to live execution without re-simulation.

Conformance Scoring

• Score 0: No dry-run capability exists — agents execute actions without simulation.
• Score 1: Dry-run capability exists but uses flag-based isolation — simulation could potentially affect production if a downstream component ignores the flag.
• Score 2: Dry-run capability with structural isolation from production and enforcement pipeline fidelity — simulation executes through the same governance checks as live actions and cannot affect production state.
• Score 3: Verified by independent testing including isolation integrity, side-effect completeness, multi-step atomicity, and stale state detection — with simulation fidelity validated against live execution outcomes.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
NIST AI RMF	MANAGE 2.2, MANAGE 2.4	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment)	Supports compliance
IEC 62443	SR 3.5 (Input Validation), SR 7.1 (Denial of Service Protection)	Supports compliance

EU AI Act — Article 9 (Risk Management System)

Article 9 requires risk management measures that are proportionate to the risk. For high-risk AI systems that execute irreversible actions, simulation of consequences before execution is a proportionate risk management measure. The ability to preview and evaluate predicted outcomes before committing to live execution directly supports the Article 9 requirement for continuous iterative risk management throughout the AI system lifecycle.

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires high-risk AI systems to achieve appropriate levels of accuracy and robustness. Dry-run simulation provides a verification mechanism for action accuracy — the predicted outcome can be compared against governance constraints before execution. The structural isolation requirement supports cybersecurity by ensuring simulation infrastructure cannot be exploited as a vector to influence production systems.

SOX — Section 404 (Internal Controls Over Financial Reporting)

For AI agents executing financial operations, the ability to simulate a transaction and review its predicted impact before commitment is a preventive internal control. A SOX auditor assessing an AI agent that executes financial transactions without simulation capability would identify this as a control gap — the organisation cannot demonstrate that it previews the consequences of agent-initiated transactions before they affect financial records.

FCA SYSC — 6.1.1R (Systems and Controls)

The FCA expects firms to maintain systems and controls commensurate with the risks they face. For autonomous agent-driven financial operations, dry-run governance provides the equivalent of a pre-trade compliance check — an established control pattern that the FCA expects for human-driven operations and would expect as an equivalent for agent-driven operations.

NIST AI RMF — MANAGE 2.2, MANAGE 2.4

MANAGE 2.2 addresses risk mitigation through enforceable controls; MANAGE 2.4 addresses mechanisms for feedback about AI system performance. Dry-run simulation provides both: a preventive control that evaluates consequences before execution, and a feedback mechanism where simulation accuracy can be validated against live outcomes.

ISO 42001 — Clause 8.2 (AI Risk Assessment)

AI risk assessment requires the ability to evaluate the potential impact of AI system actions. Dry-run simulation provides empirical, system-grounded impact prediction rather than theoretical risk assessment, directly supporting the operational implementation of risk evaluation.

IEC 62443 — SR 3.5, SR 7.1

For safety-critical and industrial control systems, IEC 62443 requires input validation and protection against denial of service. Dry-run simulation validates the consequences of agent commands before they reach physical actuators, preventing potentially harmful control actions. The structural isolation requirement ensures that simulation cannot itself create denial-of-service conditions on production control systems.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	System-wide — extends to dependent systems and downstream counterparties where agent actions trigger cascading effects

Consequence chain: Without side-effect simulation, an AI agent executing irreversible actions operates in a commit-first-evaluate-later mode. The immediate technical failure is an action whose consequences were not predicted before execution — a financial transaction that creates unintended exposure, a communication that reaches recipients before approval, or a control system command that triggers a physical cascade. The operational impact is that errors become expensive to remediate because they are discovered only after state has changed. For financial operations, this means corrective transactions at unfavourable market conditions. For communications, this means retraction and complaint handling. For safety-critical systems, this means emergency shutdowns and potential equipment damage. The cost multiplier is significant: preventing an error through simulation is nearly zero-cost; remediating the same error after live execution can cost tens of thousands to millions depending on the domain. Where dry-run isolation fails — simulation leaks into production — the consequence is worse than no simulation at all, because the organisation believes it is previewing consequences when it is actually executing them. The business consequences include material financial loss, regulatory enforcement for inadequate controls, operational disruption from emergency remediation, and reputational damage from erroneous external communications.

Cross-reference note: AG-098 depends on AG-001 for structural mandate enforcement in both simulation and live execution paths, on AG-031 for execution sandboxing of simulation environments, and on AG-005 for ensuring that simulation requests themselves are not subject to instruction manipulation. AG-099 (Autonomous Loop Termination Governance) addresses the complementary risk that simulations themselves could enter unbounded loops. AG-018 (Output Integrity Verification) applies to simulation reports as outputs that must be verified before acting upon them.