Adapter Composition Approval Governance

2. Summary

Adapter Composition Approval Governance requires that any combination of adapters, LoRAs, instruction layers, system prompts, or behavioural wrappers applied to a base model be formally approved and evaluated as a composition before deployment. Modern AI agent architectures increasingly compose multiple lightweight modifications — a LoRA for domain knowledge, another for tone, a system prompt for safety constraints, an instruction wrapper for output formatting — each individually tested but never evaluated as a combined stack. The interaction effects between these components can be unpredictable: adapters that individually pass evaluation can produce emergent behaviours when combined, including safety bypass, capability amplification beyond the intended scope, or contradictory instructions that cause erratic output. AG-342 prevents the deployment of untested adapter compositions.

3. Example

Scenario A — Conflicting Adapters Create Safety Bypass: An organisation deploys a customer service agent using a base model with three adapters: a domain LoRA trained on product documentation (Adapter A), a helpfulness LoRA trained on customer satisfaction data (Adapter B), and a compliance LoRA trained on regulatory response templates (Adapter C). Each adapter was individually evaluated and passed safety tests. In production, a specific query pattern triggers a conflict between Adapter B (which rewards detailed, compliant responses to all questions) and Adapter C (which restricts responses on regulatory topics). The conflict resolution within the merged representation defaults to Adapter B's influence, causing the agent to provide detailed answers to regulatory questions that should have been deflected to human compliance officers. Over two weeks, the agent gives specific regulatory guidance to 847 customers, 23 of whom act on the guidance and suffer financial losses.

What went wrong: Each adapter was evaluated individually but the three-adapter composition was never evaluated as a combined system. The interaction between Adapter B's helpfulness gradient and Adapter C's restriction gradient was not tested. No approval process existed for the composed configuration. Consequence: £420,000 in customer losses, potential FCA enforcement for providing unauthorised regulatory guidance, and insurance claim exceeding £1.2 million.

Scenario B — Adapter Stack Amplifies Capability Beyond Approved Scope: A research organisation applies a reasoning LoRA and a code-generation LoRA to a base model for an internal coding assistant. Each adapter individually produces competent but limited output. When combined, the adapters exhibit emergent capability amplification: the reasoning adapter improves the code-generation adapter's ability to produce complex multi-file applications, and the code-generation adapter provides the reasoning adapter with executable validation of its logical steps. The composed system demonstrates capability on cybersecurity exploit generation that neither adapter exhibits individually — generating functional proof-of-concept exploits for known CVEs. The capability is discovered when a security audit reviews the agent's output logs.

What went wrong: Adapter composition was treated as additive — "reasoning plus coding equals better reasoning about code." In practice, the composition was multiplicative, with emergent capabilities exceeding the sum of individual adapter capabilities. No composition-level evaluation assessed capabilities that the individual adapters did not possess. Consequence: Deployment of an agent with unintended offensive cybersecurity capabilities, potential liability for any exploit generated by the agent, and immediate decommissioning of the deployed composition pending safety review.

Scenario C — Unauthorised Adapter Swap in Production: A DevOps engineer, troubleshooting a latency issue, swaps a production LoRA adapter with a development version that has lower rank (and therefore lower latency) but was not evaluated for production use. The swap is performed through a configuration change that does not trigger the model deployment approval workflow because the base model weights are unchanged. The development adapter was trained on a smaller dataset and produces subtly different outputs: accuracy on domain-specific queries drops from 94.2% to 87.1%, and the adapter lacks fine-tuning for the organisation's specific compliance requirements. The swap persists for 11 days before a routine quality review detects the accuracy drop.

What went wrong: The approval workflow was gated on base model changes, not adapter changes. Adapter swaps were treated as configuration changes rather than model changes. No integrity verification confirmed that the deployed adapter matched the approved adapter. Consequence: 11 days of degraded service quality, inaccurate responses to an estimated 15,000 queries, and remediation cost of £85,000 including root cause analysis, process redesign, and retroactive quality review.

4. Requirement Statement

Scope: This dimension applies to any AI agent deployment that uses more than one behavioural modification layer on top of a base model, or any deployment where adapters, LoRAs, instruction layers, or wrappers can be changed independently of the base model. It covers: LoRA and QLoRA adapters, prefix tuning and prompt tuning parameters, system prompts and instruction templates, output formatting wrappers, safety filters applied as post-processing layers, and any other mechanism that modifies the base model's behaviour without changing the base weights. A single-adapter deployment with no other modification layers is in scope for adapter approval but not for composition approval. The composition governance applies when two or more modification layers are combined.

4.1. A conforming system MUST require formal approval of the complete adapter composition — the specific combination of all adapters, LoRAs, instruction layers, and wrappers — before deployment to any production environment.

4.2. A conforming system MUST evaluate the composed system as a whole, not just the individual components, using evaluation criteria that include interaction effects, emergent capabilities, and safety regression.

4.3. A conforming system MUST maintain a composition manifest that specifies the exact version of each component in the deployed composition, enabling reconstruction and verification.

4.4. A conforming system MUST treat any change to any component in the composition — including adapter version changes, instruction template updates, and wrapper modifications — as a composition change requiring re-evaluation and re-approval.

4.5. A conforming system MUST verify the integrity of each component in the composition at deployment time against the approved composition manifest.

4.6. A conforming system SHOULD implement automated composition testing that evaluates the combined system against a standard test suite whenever a composition change is proposed.

4.7. A conforming system SHOULD assess compositions for emergent capability amplification — capabilities that appear in the composition but not in any individual component.

4.8. A conforming system SHOULD implement a composition registry that tracks all approved compositions, their evaluation results, and their deployment locations.

4.9. A conforming system MAY implement canary deployment for composition changes, routing a small percentage of traffic to the new composition before full deployment.

5. Rationale

The shift from monolithic fine-tuned models to composed systems of base models plus multiple lightweight adapters has created a governance gap. Traditional model validation evaluates a single model artefact. Composed systems, however, have a combinatorial evaluation surface: a system with 5 interchangeable adapters has 2^5 = 32 possible compositions, each of which may exhibit different behaviour. Organisations that evaluate adapters individually and assume that approved components compose safely are making an assumption that does not hold in practice.

The adapter composition problem is analogous to the drug interaction problem in pharmacology. Each drug is individually tested and approved. But combinations of drugs can produce interactions — potentiation, inhibition, or entirely novel effects — that are not predictable from the individual profiles. Medicine addresses this through interaction testing and prescribing controls. AI governance requires an equivalent approach: composition-level testing and deployment controls.

The emergent capability problem is particularly concerning. Adapters operate on shared representational spaces within the model. When two adapters modify overlapping regions of this space, their combined effect can be non-linear. A reasoning adapter that improves chain-of-thought capabilities, combined with a domain adapter that provides chemistry knowledge, could produce capabilities in synthesising hazardous materials that neither adapter alone provides. This is not a theoretical concern — it has been demonstrated in research settings and is a predictable consequence of composition without evaluation.

The governance requirement is straightforward: the unit of evaluation must match the unit of deployment. If the deployed system is a composition, the composition must be evaluated, not just the components.

6. Implementation Guidance

Composition manifest. Define a structured manifest format that specifies: the base model identifier and version, each adapter/LoRA identifier and version with its rank and target modules, the system prompt version, instruction template version, output wrapper version, and any other behavioural modification layer. The manifest should be signed and its hash recorded in the deployment system. At deployment time, the runtime must verify that each loaded component matches the manifest.

Composition evaluation protocol. Establish an evaluation protocol that supplements individual component evaluation with composition-specific tests. The protocol should include: functional correctness (does the composition perform the intended task?), safety regression (does the composition maintain safety properties established by the base model and individual adapters?), interaction effects (do any component pairs produce unexpected behaviour?), emergent capability assessment (does the composition exhibit capabilities not present in any individual component?), and contradiction detection (do any components issue conflicting instructions?).

Composition approval workflow. Implement a formal workflow where: a composition is proposed (manifest defined), individual component approvals are verified, composition-level evaluation is executed, results are reviewed against approval criteria, and approval or rejection is recorded with rationale. For high-risk deployments, independent review should be required.

Recommended patterns:

• Composition pinning. Pin the complete composition in the deployment configuration so that no individual component can be updated without updating the entire composition manifest and triggering re-evaluation. This prevents partial updates that create untested compositions.
• Interaction test matrix. For compositions with N components, generate test cases that exercise pairwise interactions. For a 4-component composition (A, B, C, D), test: A+B, A+C, A+D, B+C, B+D, C+D, and then A+B+C+D. This reduces the combinatorial space while still catching most interaction effects. For compositions larger than 6 components, use sampling-based interaction testing.
• Composition diff evaluation. When a composition changes (e.g., one adapter is updated), evaluate the new composition against the previous approved composition using differential evaluation. This focuses testing on the impact of the specific change rather than re-evaluating the entire composition from scratch, while still verifying that the overall composition meets approval criteria.

Anti-patterns to avoid:

• Assuming component approval implies composition approval. This is the most common and most dangerous anti-pattern. Two individually approved adapters can produce a composition that fails safety requirements, exhibits emergent harmful capabilities, or behaves erratically due to instruction conflicts.
• Treating adapter changes as configuration changes. Swapping an adapter changes the model's behaviour as profoundly as swapping the model itself. Adapter changes must be governed with the same rigour as model changes.
• Hot-swapping adapters in production without re-evaluation. Some architectures support runtime adapter loading. This capability must be governed: an agent should not be able to load an arbitrary adapter at runtime. The set of loadable adapters must be pre-approved, and each composition must be evaluated.
• Ignoring system prompt as a composition component. The system prompt is a behavioural modification layer. A system prompt change can alter the model's behaviour as significantly as an adapter change. System prompts must be versioned and included in the composition manifest.
• Composition sprawl. Over time, organisations may accumulate dozens of adapter compositions for slight variations of the same task. Each composition is a maintenance and governance burden. Consolidate where possible and decommission unused compositions.

Industry Considerations

Financial Services. Adapter compositions for financial agents must be evaluated for regulatory compliance as a composition. An adapter that improves helpfulness combined with an adapter that provides financial knowledge must be evaluated for suitability and appropriateness requirements as a composed system.

Healthcare. Adapter compositions for clinical AI must be evaluated as medical device software compositions. The combination of a medical knowledge adapter with a patient communication adapter may create a composed system with clinical decision support capabilities that require regulatory clearance.

Defence. Adapter compositions that combine reasoning and domain-specific capabilities must be assessed for dual-use risk at the composition level. Export control assessment should evaluate the composed capability, not just the individual adapter capabilities.

Maturity Model

Basic Implementation — Individual adapters are approved before deployment, but composition-level evaluation is ad hoc or absent. The deployment configuration specifies which adapters are loaded, but no formal composition manifest exists. Adapter changes may not trigger re-evaluation. This level provides individual component governance but leaves composition risk unaddressed.

Intermediate Implementation — A formal composition manifest defines every deployed composition. Composition-level evaluation is conducted before deployment, including interaction testing and safety regression. Adapter changes trigger re-evaluation and re-approval. The composition registry tracks all approved compositions. The organisation can demonstrate which exact composition is deployed at any time.

Advanced Implementation — All intermediate capabilities plus: automated interaction testing runs for every proposed composition change. Emergent capability assessment is included in the evaluation protocol. Composition pinning prevents partial updates. Canary deployment validates compositions with live traffic before full rollout. Independent review is required for high-risk compositions. The organisation can demonstrate to regulators that every deployed composition has been evaluated as a whole, with documented evidence of interaction effects and emergent capability assessment.

7. Evidence Requirements

Required artefacts:

• Composition manifests. Signed manifests for every approved composition, specifying exact component versions. Current and historical manifests retained.
• Composition evaluation reports. Evaluation results for each composition, including interaction tests, safety regression, and emergent capability assessment.
• Composition approval records. Documented approval decisions with approver identity, date, and rationale. Rejection records with reasons.
• Composition registry. A registry of all active and historical compositions, their deployment locations, and their evaluation status.

Retention requirements:

• Composition manifests and evaluation reports: operational lifetime of the composition plus minimum 5 years for regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. The composition registry must support queries by base model, by adapter, and by deployment environment.

8. Test Specification

Test 8.1: Composition Manifest Integrity

• Stimulus: For 5 production deployments, compare the actual loaded components (adapters, system prompt, wrappers) against the approved composition manifest.
• Expected behaviour: Every loaded component matches the manifest exactly — same version, same hash, no additional or missing components.
• Pass criteria: 100% match between deployed components and composition manifest for all audited deployments.
• Fail criteria: Any deployed component differs from the manifest, any unapproved component is loaded, or any approved component is missing.

Test 8.2: Composition-Level Evaluation Coverage

• Stimulus: Retrieve the evaluation report for 5 deployed compositions. Verify that evaluation was conducted at the composition level, not just at the individual component level.
• Expected behaviour: Evaluation reports include composition-level tests — interaction effects, safety regression on the composed system, and functional correctness of the composed system.
• Pass criteria: All compositions have composition-level evaluation, not just aggregated individual component evaluations.
• Fail criteria: Any composition was deployed based solely on individual component evaluations without composition-level testing.

Test 8.3: Component Change Triggers Re-Evaluation

• Stimulus: Change one adapter version in a deployed composition (e.g., update a LoRA from v2.1 to v2.2). Attempt to deploy the modified composition.
• Expected behaviour: The deployment system requires composition-level re-evaluation before permitting the change. The prior approved composition remains in production until the new composition is approved.
• Pass criteria: The component change triggers the composition approval workflow. Deployment is blocked until re-evaluation is complete and approval is granted.
• Fail criteria: The component change deploys without composition-level re-evaluation.

Test 8.4: Unauthorised Adapter Loading Prevention

• Stimulus: Attempt to load an adapter at runtime that is not listed in the approved composition manifest.
• Expected behaviour: The runtime refuses to load the unapproved adapter. The attempt is logged as a security event.
• Pass criteria: The unapproved adapter is not loaded. The event is logged with the identity of the requester and the adapter identifier.
• Fail criteria: The unapproved adapter loads successfully, or the attempt is not logged.

Test 8.5: Emergent Capability Detection

• Stimulus: Combine two adapters known to individually lack a specific capability (e.g., code execution reasoning). Evaluate the composition for that capability using a targeted benchmark.
• Expected behaviour: The composition evaluation includes emergent capability assessment. If the composition exhibits the capability, it is flagged for review.
• Pass criteria: Emergent capabilities are detected and documented. The detection triggers additional review before deployment approval.
• Fail criteria: The composition is approved without emergent capability assessment, or emergent capabilities are present but not detected.

Test 8.6: Composition Integrity Verification at Runtime

• Stimulus: Replace one adapter file in the deployment environment with a different file (same filename, different content). Restart the inference service.
• Expected behaviour: The runtime's integrity verification detects the hash mismatch against the composition manifest and refuses to start.
• Pass criteria: The service does not serve inference with a composition that fails integrity verification.
• Fail criteria: The service starts and serves inference with an unverified composition.

Conformance Scoring

• Score 0: No composition governance — adapters are combined and deployed without formal evaluation or approval of the composition.
• Score 1: Individual component approval — adapters are individually approved but compositions are not evaluated as a whole.
• Score 2: Composition-level governance — compositions are formally evaluated, approved, and manifested before deployment, with component changes triggering re-evaluation.
• Score 3: Advanced composition governance — all Score 2 controls plus emergent capability assessment, automated interaction testing, canary deployment, composition pinning, and runtime integrity verification.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness and Cybersecurity)	Direct requirement
PRA SS1/23	Model Risk Management — Model Change Control	Direct requirement
NIST AI RMF	MAP 2.3, MANAGE 2.2, MANAGE 2.4	Supports compliance
ISO 42001	Clause 8.2 (AI Risk Assessment), Clause 8.4 (AI System Operation)	Supports compliance
IEC 62443	Security Level Requirements for Composed Systems	Supports compliance

EU AI Act — Article 15 (Accuracy, Robustness and Cybersecurity)

Article 15 requires that AI systems achieve appropriate levels of accuracy and robustness. For composed systems, accuracy and robustness must be demonstrated for the composition, not merely for individual components. An adapter composition that individually passes accuracy benchmarks but fails at the composition level does not meet Article 15 requirements. The cybersecurity provision is also relevant: an adapter that can be swapped at runtime without integrity verification creates a cybersecurity vulnerability that violates the robustness requirement.

PRA SS1/23 — Model Change Control

PRA SS1/23 expects firms to maintain rigorous change control for model modifications. An adapter swap is a model modification. The supervisory expectation that "material changes to models should be subject to an appropriate level of validation before implementation" applies to adapter composition changes. A firm that allows adapter swaps without composition-level re-validation would face supervisory challenge.

IEC 62443 — Composed Systems

For safety-critical and industrial deployments, IEC 62443 requires security assessment of composed systems. The security properties of individual components do not automatically compose — a principle that directly parallels the adapter composition challenge. Composed AI systems in industrial contexts must be assessed at the composition level for safety and security properties.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Deployment-specific — affects all users of the specific adapter composition, potentially across multiple deployments if the same composition is reused

Consequence chain: Uncontrolled adapter composition creates three distinct failure modes. First, interaction failures: adapters that individually behave correctly produce unexpected behaviour when combined, leading to incorrect outputs, safety bypasses, or erratic behaviour. The 847 customers who received inappropriate regulatory guidance in Scenario A illustrate this mode — each adapter was correct individually, but the composition failed. Second, emergent capability failures: the composition exhibits capabilities not present in individual components, potentially including harmful capabilities. This is the most severe mode because it is the least predictable — organisations cannot protect against capabilities they do not know the system possesses. Third, configuration drift: unauthorised adapter changes create untested compositions in production without any evaluation. The 11-day accuracy degradation in Scenario C illustrates this mode. The remediation cost for composition failures typically ranges from £85,000 (configuration drift, limited duration) to £1.2 million or more (safety bypass with customer harm, regulatory action).

Cross-references: AG-090 (Fine-Tune and Adapter Provenance) provides the adapter-level provenance that AG-342 builds upon. AG-339 (Model Weight Custody Governance) covers custody of both full weights and adapter weights. AG-341 (Fine-Tune Objective Documentation Governance) documents the intent behind individual adapter creation. AG-150 (Feedback and Learning Poisoning Resistance) addresses threats to adapter integrity through training-time attacks. AG-339 through AG-348 form the sibling landscape for Model Provenance, Training & Adaptation.