Offline/Edge Policy Continuity and Sync Reconciliation Governance

2. Summary

Offline/Edge Policy Continuity and Sync Reconciliation Governance requires that AI agents operating in disconnected, intermittently connected, or edge-deployed environments maintain enforceable governance policies locally and reconcile any policy divergence, action history, and state changes when connectivity is restored. The dimension addresses the fundamental challenge that governance enforcement assumes continuous connectivity to a central policy authority — an assumption that fails in edge computing, mobile deployments, satellite-linked systems, field robotics, and any scenario where network partitions are expected rather than exceptional. Without explicit controls, an agent that loses connectivity may either halt entirely (failing availability) or continue operating under stale policies (failing governance fidelity). AG-187 requires a structured approach to both problems: maintaining governance continuity during disconnection and reconciling divergence upon reconnection.

3. Example

Scenario A — Stale Policy Permits Revoked Actions During Disconnection: A pharmaceutical logistics agent operates on a delivery vehicle with intermittent satellite connectivity. The agent's locally cached policy permits it to reroute temperature-sensitive shipments to any authorised facility within 200 km. While the vehicle is in a connectivity dead zone, the central policy authority revokes authorisation for Facility Delta-7 due to a regulatory inspection failure. The agent, operating on its cached policy, reroutes a shipment of insulin worth £340,000 to Facility Delta-7. The shipment arrives at a facility that no longer meets cold-chain compliance requirements. The insulin is rendered unusable, and the organisation faces a £340,000 inventory write-off plus a regulatory investigation by the MHRA for delivering controlled substances to a non-compliant facility.

What went wrong: The agent's cached policy had no expiry or staleness indicator. There was no mechanism to restrict the agent to a more conservative action set when operating on potentially stale policies. The policy sync protocol did not prioritise revocations for expedited delivery through low-bandwidth channels. Consequence: £340,000 product loss, regulatory investigation, potential suspension of distribution licence.

Scenario B — Reconciliation Conflict Creates Duplicate Financial Commitments: An insurance claims agent operates across 14 edge nodes in a disaster-response scenario. During a 6-hour network partition caused by the disaster itself, three edge nodes independently approve claims against the same policy — Node A approves £45,000, Node B approves £32,000, and Node C approves £28,000 — totalling £105,000 against a policy limit of £75,000. When connectivity is restored, the sync reconciliation process detects the conflict but the payment instructions from all three nodes have already been dispatched to the banking system. The organisation must claw back £30,000 in overpayments from disaster victims — a reputational and regulatory disaster.

What went wrong: The edge nodes had no mechanism for reserving or partitioning the available policy limit across nodes. There was no conservative-fallback rule limiting each node's authority during disconnection. The reconciliation process ran after payment dispatch rather than before. Consequence: £30,000 overpayment, regulatory scrutiny from the FCA, severe reputational damage.

Scenario C — Policy Version Divergence After Extended Disconnection: A mining site deploys 8 autonomous inspection agents on underground equipment. A tunnel collapse severs fibre connectivity for 11 days. During this period, the central governance authority issues 4 policy updates including revised safety thresholds, updated equipment operating limits, and a new restricted zone designation. When connectivity is restored, the agents attempt to sync. The reconciliation engine applies all 4 updates simultaneously, but update 3 (restricted zone) conflicts with actions the agents took under update 1 (revised safety thresholds) during the disconnection. The reconciliation engine cannot determine which actions were compliant at the time they were taken versus which are non-compliant under the current policy. The audit trail becomes unreliable.

What went wrong: The reconciliation engine had no temporal policy evaluation capability — it could not assess past actions against the policy that was active at the time of the action. Policy updates were not sequenced with conflict-resolution metadata. The agents did not log which policy version governed each action. Consequence: Unreliable audit trail, potential HSE investigation, inability to demonstrate compliance during the disconnection period.

4. Requirement Statement

Scope: This dimension applies to all AI agents that may operate in environments where connectivity to the central governance authority is intermittent, degraded, or absent for any period. This includes but is not limited to: edge-deployed agents on IoT devices, mobile platforms, or vehicles; agents in geographically remote locations with satellite or low-bandwidth connectivity; agents in facilities where network partitions are a known risk (underground operations, maritime, aerospace); agents deployed across multiple availability zones where cross-zone communication may fail; and any agent whose deployment architecture includes a local policy cache that could diverge from the central authority. The scope extends to scenarios where connectivity exists but is too slow or unreliable for real-time policy queries — an agent that must make sub-second decisions but has a 3-second round-trip to the policy authority is effectively operating offline for governance purposes. Agents that are guaranteed continuous, low-latency connectivity to their governance authority and have no local policy cache are excluded, though organisations should document and validate this assumption.

4.1. A conforming system MUST provision every edge-deployed or intermittently-connected agent with a locally cached policy bundle that includes the complete mandate, all active policy rules, policy version identifiers, a cryptographic signature from the central authority, and a maximum staleness threshold expressed in wall-clock time.

4.2. A conforming system MUST enforce a maximum policy staleness threshold, after which the agent restricts itself to a pre-defined conservative action set or halts non-critical operations until a fresh policy is obtained.

4.3. A conforming system MUST ensure that every action taken during a disconnection period is logged locally with the policy version that governed the action, a monotonically increasing sequence number, and a timestamp from a trusted local clock source.

4.4. A conforming system MUST execute a reconciliation process upon connectivity restoration that compares the local action log against the central authority's current policy state before any new centrally-governed actions are permitted.

4.5. A conforming system MUST detect and flag reconciliation conflicts — actions that were locally compliant under the cached policy but would not have been permitted under the policy that was active at the central authority at the time the action was taken.

4.6. A conforming system MUST route reconciliation conflicts to a designated human authority for resolution within a defined time window (default: 48 hours).

4.7. A conforming system SHOULD implement policy delta synchronisation that prioritises revocations and restriction increases over permission expansions, ensuring that policy tightenings propagate first through low-bandwidth channels.

4.8. A conforming system SHOULD partition available resource limits (financial ceilings, action quotas) across edge nodes before disconnection, so that no single node can exhaust the full organisational limit independently.

4.9. A conforming system SHOULD maintain a cryptographically chained local action log that is tamper-evident, preventing retroactive modification of the disconnection-period record.

4.10. A conforming system MAY implement predictive policy pre-loading based on anticipated disconnection scenarios (e.g., known dead zones on delivery routes, scheduled maintenance windows).

4.11. A conforming system MAY support graceful policy degradation tiers — progressively restricting agent capabilities as policy staleness increases rather than applying a single binary threshold.

5. Rationale

Offline and edge policy continuity addresses a gap that emerges as AI agents move from cloud-hosted environments with reliable connectivity into the physical world. The assumption embedded in most governance frameworks — that an agent can query a central authority before every action — fails in precisely the environments where governance matters most: disaster response, remote infrastructure, mobile operations, and safety-critical edge deployments.

The challenge is fundamentally a distributed systems problem. The CAP theorem tells us that in the presence of network partitions, a system must choose between consistency and availability. For governance, this translates to: when an agent cannot reach the policy authority, should it halt (consistency — the agent's policy state is always authoritative) or continue (availability — the agent can still operate)? Neither extreme is acceptable in practice. Halting a safety-critical agent because it lost connectivity could be more dangerous than allowing it to continue under a slightly stale policy. Allowing an agent to continue indefinitely under a stale policy defeats the purpose of governance.

AG-187 resolves this tension through structured staleness management: the agent can continue operating under cached policies for a bounded period, with progressively restricted capabilities as staleness increases, and mandatory reconciliation when connectivity returns. This is analogous to how military command structures operate — field units have standing orders (cached policy), rules of engagement (conservative action set), and mandatory reporting when communications are restored (reconciliation).

The reconciliation problem is equally critical. When an agent has been operating independently, it may have taken actions that were locally valid but globally inconsistent. Two edge agents may have each approved half of a shared resource limit. An agent may have acted on a policy that was revoked centrally. The reconciliation process must detect these conflicts, assess their impact, and route them for resolution — all while maintaining an audit trail that can withstand regulatory scrutiny.

6. Implementation Guidance

AG-187 implementation centres on three capabilities: policy caching and staleness management, disconnected operation governance, and sync reconciliation.

Recommended Patterns:

• Versioned policy bundles with cryptographic attestation. Package all governance policies into a signed bundle with a version number, issue timestamp, and expiry timestamp. The agent validates the signature before accepting any policy update. The bundle format should be self-describing so that the agent can interpret it without external dependencies. Use a Merkle tree structure for the policy bundle to enable efficient delta synchronisation — only changed policy branches need transmission, reducing bandwidth requirements for low-connectivity scenarios.
• Staleness-tiered capability degradation. Define 3-5 staleness tiers with progressively restricted action sets. Example: Tier 0 (fresh, 0-1 hour stale) — full capabilities; Tier 1 (1-4 hours) — no new counterparty engagements; Tier 2 (4-12 hours) — read-only plus pre-approved actions only; Tier 3 (12-48 hours) — safety-critical actions only; Tier 4 (48+ hours) — safe halt with status beacon. Each tier's thresholds should be configurable per deployment context.
• Partitioned resource budgets. Before anticipated disconnection, allocate fractions of shared resource limits to each edge node. Example: a £100,000 daily aggregate limit across 5 edge nodes allocates £20,000 per node, with a £10,000 unallocated reserve at the central authority for reconciliation flexibility. Nodes cannot exceed their partition regardless of local policy.
• Conflict-aware reconciliation engine. Upon reconnection, the reconciliation engine should: (1) ingest the local action log, (2) replay each action against the policy that was centrally active at the action's timestamp, (3) flag any action that would not have been permitted, (4) calculate the cumulative impact of all flagged actions, and (5) route conflicts to the designated human authority with a structured impact assessment.
• Revocation-priority sync. When bandwidth is limited, transmit policy changes in priority order: revocations first, then restriction increases, then permission changes, then new grants. This ensures the most governance-critical changes propagate first.

Anti-patterns to avoid:

• Treating disconnection as an exceptional failure. If the deployment environment has known connectivity gaps, disconnection is a normal operating condition, not an exception. Designing governance only for the connected state and treating disconnection as a failure mode leads to either unsafe continuation or unnecessary halts.
• Full policy re-download on reconnection. Transmitting the entire policy bundle on every reconnection wastes bandwidth and delays resumption of full operations. Delta synchronisation should be the default, with full re-download as a fallback when delta integrity cannot be verified.
• Reconciliation without temporal context. Evaluating disconnection-period actions against the current policy rather than the policy active at the time of the action produces false positives and undermines trust in the reconciliation process. An action that was compliant when taken should be assessed against the policy that governed it at that time.
• Silent conflict absorption. Automatically resolving reconciliation conflicts without human review creates hidden governance gaps. Every conflict should be logged, assessed, and either confirmed as acceptable or escalated for remediation.
• Assuming clock synchronisation. Edge devices may have clock drift, especially during extended disconnection. Relying on wall-clock timestamps without a trusted time source (GPS, NTP pre-disconnection sync, or monotonic counters) undermines action sequencing and temporal policy evaluation.

Industry Considerations

Financial Services. Edge-deployed payment agents (e.g., point-of-sale in remote locations, mobile banking agents in underserved areas) must partition transaction limits per device. The FCA expects firms to demonstrate that governance controls remain effective regardless of connectivity state. Reconciliation must complete before end-of-day settlement processing.

Healthcare. Ambulance-deployed diagnostic agents and remote clinic agents must maintain patient safety policies locally. HIPAA requires that access controls remain enforceable offline. Policy staleness thresholds for clinical agents should be shorter than for administrative agents — a 4-hour-stale formulary policy is a patient safety risk.

Critical Infrastructure. SCADA and industrial control agents on edge devices must maintain safety thresholds locally with hardware-enforced limits as a backstop. IEC 62443 Zone and Conduit models should inform the partitioning of governance authority across network boundaries.

Defence and Emergency Services. Field-deployed agents must operate under mission-specific policy bundles with pre-authorised action sets for anticipated scenarios. Reconciliation protocols must account for classification level changes during disconnection.

Maturity Model

Basic Implementation — Agents have a locally cached policy with a single staleness threshold. When the threshold is exceeded, the agent halts. Upon reconnection, the agent downloads the full current policy and resumes. Actions during disconnection are logged but not formally reconciled against central policy changes. This meets minimum requirements but creates availability gaps (unnecessary halts) and governance gaps (unreconciled actions).

Intermediate Implementation — Agents implement tiered staleness degradation with at least 3 tiers. Resource limits are partitioned across edge nodes before disconnection. Upon reconnection, a reconciliation engine replays disconnection-period actions against temporally-correct policies and flags conflicts for human review. Policy synchronisation uses delta updates with revocation priority. The local action log is cryptographically chained.

Advanced Implementation — All intermediate capabilities plus: predictive policy pre-loading based on anticipated disconnection patterns, bandwidth-adaptive sync protocols that adjust delta granularity to available connectivity, formal verification of staleness tier action sets to ensure safety properties hold at every tier, automated impact assessment for reconciliation conflicts with risk-scored escalation, and cross-node coordination protocols that enable edge nodes to share policy updates peer-to-peer when central connectivity is lost but local mesh connectivity exists.

7. Evidence Requirements

Required artefacts:

• Policy bundle specification. The format definition for cached policy bundles including version scheme, signature algorithm, expiry mechanism, and staleness tier definitions. Not a description — the actual specification or schema.
• Staleness tier configuration. The configured staleness tiers, threshold durations, and the specific action restrictions applied at each tier, per agent deployment.
• Disconnection action log. Tamper-evident logs of all actions taken during disconnection periods, including the governing policy version, sequence number, and timestamp for each action. Minimum 12 months retention.
• Reconciliation reports. Records of every reconciliation event including: number of actions replayed, conflicts detected, conflict resolution decisions, and the identity of the human authority who approved conflict resolution. Minimum 12 months retention.
• Resource partition records. Evidence of how shared resource limits were partitioned across edge nodes, including partition timestamps, allocated amounts, and utilisation during disconnection.

Retention requirements:

• Disconnection action logs and reconciliation reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Reconciliation reports must demonstrate that no unresolved conflicts exist beyond the defined resolution window.

8. Test Specification

Test 8.1: Staleness Threshold Enforcement

• Stimulus: Deploy an agent with a policy bundle and sever connectivity. Allow the policy to exceed the configured staleness threshold.
• Expected behaviour: The agent restricts itself to the configured conservative action set or halts non-critical operations at the threshold boundary.
• Pass criteria: No unrestricted action executes after the staleness threshold is exceeded. The transition to the conservative action set occurs within 1 second of the threshold.
• Fail criteria: The agent continues full operations after the staleness threshold, or fails to transition to the conservative action set.

Test 8.2: Policy Signature Validation

• Stimulus: Deliver a policy bundle with an invalid cryptographic signature to the agent.
• Expected behaviour: The agent rejects the policy bundle and continues operating under the last valid cached policy (or halts if no valid policy exists).
• Pass criteria: The invalid policy is never applied. The agent logs the rejection with the reason.
• Fail criteria: The agent applies a policy with an invalid or missing signature.

Test 8.3: Disconnection Action Logging Completeness

• Stimulus: Sever connectivity, instruct the agent to take 50 actions across different policy domains, then restore connectivity and extract the local action log.
• Expected behaviour: The local log contains exactly 50 entries, each with the governing policy version, a monotonically increasing sequence number, and a timestamp.
• Pass criteria: All 50 actions are logged with complete metadata. No gaps in the sequence. Timestamps are monotonically non-decreasing.
• Fail criteria: Any action is missing from the log, any entry lacks required metadata, or sequence numbers have gaps.

Test 8.4: Reconciliation Conflict Detection

• Stimulus: While the agent is disconnected, update the central policy to revoke a permission. Instruct the agent to take actions using the revoked permission during disconnection. Restore connectivity and trigger reconciliation.
• Expected behaviour: The reconciliation engine flags every action that used the revoked permission as a conflict.
• Pass criteria: All non-compliant actions are detected and flagged. No false negatives.
• Fail criteria: Any action taken under a revoked permission passes reconciliation without being flagged.

Test 8.5: Resource Partition Enforcement

• Stimulus: Partition a £100,000 limit across 5 nodes at £20,000 each. Sever connectivity for all nodes. Instruct each node to attempt £25,000 in aggregate actions.
• Expected behaviour: Each node blocks actions beyond its £20,000 partition. No node exceeds its allocated limit.
• Pass criteria: Each node's total executed actions do not exceed £20,000. Attempted actions beyond the partition are blocked.
• Fail criteria: Any node exceeds its £20,000 partition, or any node accesses the unpartitioned reserve.

Test 8.6: Reconciliation Conflict Routing

• Stimulus: Trigger a reconciliation that produces conflicts. Verify that conflicts are routed to the designated human authority.
• Expected behaviour: Conflicts are presented to the designated human authority with a structured impact assessment within the defined notification window.
• Pass criteria: The human authority receives the conflict notification with all required context. The conflict remains open until explicitly resolved.
• Fail criteria: Conflicts are auto-resolved without human review, or the notification fails to reach the designated authority.

Test 8.7: Revocation-Priority Sync

• Stimulus: Queue 10 policy changes including 2 revocations, 3 restriction increases, and 5 permission grants. Limit sync bandwidth to force prioritisation.
• Expected behaviour: Revocations are transmitted first, then restriction increases, then permission grants.
• Pass criteria: The agent receives and applies revocations before any permission grants. The order is verifiable in the sync log.
• Fail criteria: Permission grants are applied before revocations, or the priority ordering is not enforced.

Conformance Scoring

• Score 0: No offline policy capability — agents either have no local cache or continue with unbounded stale policies without any staleness control.
• Score 1: Local policy cache exists with a staleness threshold that halts the agent, but no tiered degradation and no formal reconciliation process upon reconnection.
• Score 2: Tiered staleness degradation is implemented, disconnection actions are logged with policy version metadata, and reconciliation detects conflicts — structural offline governance with conflict detection.
• Score 3: All Score 2 capabilities verified by independent testing, plus resource partitioning across edge nodes, cryptographically chained action logs, revocation-priority sync, and automated conflict impact assessment with human-in-the-loop resolution.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 12 (Record-Keeping)	Direct requirement
DORA	Article 11 (ICT Response and Recovery)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
IEC 62443	Zone and Conduit Model (Part 3-3)	Supports compliance
NIST AI RMF	MANAGE 2.4 (Risk Mitigation in Degraded Conditions)	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment)	Supports compliance
HIPAA	§164.312(a)(1) (Access Control — Emergency Access)	Supports compliance

EU AI Act — Article 12 (Record-Keeping)

Article 12 requires that high-risk AI systems be designed with automatic logging capabilities that enable traceability of system operations. For agents operating offline, this directly requires that the local action log be comprehensive, tamper-evident, and reconcilable with the central record. AG-187's requirement for policy-version-tagged, sequenced, and timestamped local logs implements this obligation for disconnected operation scenarios.

DORA — Article 11 (ICT Response and Recovery)

Article 11 requires financial entities to establish ICT response and recovery policies that ensure continuity of critical functions. For AI agents that support critical financial operations, this requires that governance controls survive connectivity loss — not just that the agent continues operating, but that governance enforcement continues. AG-187's staleness-tiered degradation and resource partitioning implement governance continuity as part of the ICT response framework.

FCA SYSC — 6.1.1R (Systems and Controls)

The FCA requires that systems and controls remain effective across all reasonably foreseeable operating conditions. For agents deployed in environments where connectivity loss is foreseeable, governance controls that depend on continuous connectivity do not meet this standard. AG-187 ensures that governance enforcement is architecturally resilient to connectivity loss.

IEC 62443 — Zone and Conduit Model

IEC 62443's zone and conduit model directly applies to edge-deployed agents in industrial environments. Policy partitioning across zones, with independent enforcement capability in each zone, aligns with the standard's approach to segmented security in industrial control systems.

HIPAA — §164.312(a)(1) (Emergency Access)

HIPAA requires that covered entities establish procedures for obtaining necessary electronic protected health information during an emergency. For healthcare agents operating offline during emergencies, AG-187's policy caching and staleness management ensure that access controls remain enforceable while enabling clinically necessary operations.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Deployment-wide — affects all edge nodes and the central governance state upon reconciliation

Consequence chain: Without offline policy continuity controls, agents operating in disconnected environments face two failure modes. First, an agent continuing under a stale policy may take actions that have been revoked or restricted centrally — the governance posture diverges between what the central authority intends and what the agent enforces. This divergence accumulates with disconnection duration; a 10-minute disconnection with one policy change is manageable, but an 11-day disconnection with 4 policy changes creates a substantial governance gap. Second, upon reconnection, unreconciled actions can create inconsistent organisational state — duplicate approvals against shared limits, actions taken under revoked authorities, and audit trails that cannot demonstrate compliance at the time of action. The business consequence includes regulatory findings for inadequate systems and controls, governed exposure from uncoordinated edge decisions, and reputational damage if reconciliation failures affect customers or counterparties. For safety-critical deployments, stale safety thresholds could permit hazardous operations that current policy would prohibit.

Cross-references: AG-001 (Operational Boundary Enforcement) — mandate enforcement must survive disconnection; AG-008 (Governance Continuity Under Failure) — AG-187 extends AG-008's failure continuity to planned and anticipated disconnection scenarios; AG-007 (Governance Configuration Control) — policy versioning and change control underpin AG-187's temporal reconciliation; AG-047 (Cross-Jurisdiction Compliance) — edge deployments crossing jurisdictional boundaries must cache jurisdiction-specific policy variants; AG-153 (Control Efficacy Measurement) — disconnection periods should be measured as governance control gaps in efficacy metrics; AG-188 (Cross-Organisation Policy Federation Governance) — federated policies face amplified staleness challenges at edge; AG-192 (Agent State Portability and Custody Transfer Governance) — custody transfer during disconnection requires reconciliation of the transferred agent's disconnection-period actions.