AG-791

Pipeline-Integrated Threat Event Ingestion

Group H -- Containment & Response · AGS v2.1 · April 2026
Regulatory frameworks: EU AI Act, SOX, FCA, ISO 27001

1. Definition

Pipeline-Integrated Threat Event Ingestion governs the integration of detection pipeline outputs into the adaptive threat response subsystem. The detection pipeline — comprising anomaly detectors, behavioural monitors, integrity verifiers, rate limiters, and external intelligence feeds — generates a continuous stream of events that must be ingested, normalised, enriched, and routed to the appropriate threat assessment and response components. AG-791 defines the standards for this ingestion process, ensuring that detection events are not lost, delayed, corrupted, or misrouted between the detection layer and the governance response layer.

The ingestion process serves as the critical bridge between detection and response. Without a well-governed ingestion layer, an organisation might have excellent detection capabilities that generate accurate alerts, yet fail to respond effectively because the alerts never reach the escalation function (AG-784) or the composite scoring engine (AG-790) in a timely and reliable manner. The protocol addresses this gap by defining a structured event schema, delivery guarantees, normalisation rules, enrichment procedures, and routing logic that transform raw detection outputs into governance-actionable threat events.

Normalisation is a particularly important function of the ingestion layer. Detection sources produce events in heterogeneous formats: some emit structured JSON, others produce syslog entries, and external feeds may use STIX/TAXII or proprietary formats. The ingestion layer normalises all inputs into a common event schema that downstream consumers (AG-784, AG-790) can process uniformly. This normalisation includes field mapping, timestamp standardisation (UTC, millisecond precision), severity classification to a common scale, and source attribution tagging. Without normalisation, each downstream consumer would need to understand every detection source's native format, creating tight coupling and fragility.

2. Scope

This protocol applies to all systems involved in the flow of detection events from their point of generation to their consumption by the threat response subsystem. Specifically:

3. Why This Matters

The ingestion pipeline is the nervous system of the adaptive threat response framework. Every detection signal, no matter how accurate, is useless if it does not reach the response layer in time to inform governance decisions. Pipeline failures are particularly dangerous because they are silent: the absence of events is indistinguishable from the absence of threats unless the pipeline is actively monitored.

Concrete Failure Scenario: A multinational bank deploys a sophisticated anomaly detection system for its autonomous trading agents. The detection system correctly identifies a pattern of layering and spoofing in real time, generating high-severity events. However, the message queue between the detection system and the governance platform experiences a partition. Events accumulate in the queue but are not delivered to the escalation function. The trading agents continue to operate at Level 1 (nominal) for 45 minutes while the detection system has been signalling Level 4 severity. During this window, the adversary successfully manipulates prices across three markets, generating GBP 28 million in illicit profits. When the queue partition resolves, all accumulated events flood the escalation function simultaneously, triggering an immediate jump to Level 5 — but the damage is done. The subsequent FCA investigation reveals that the firm had detection capability but failed to ensure reliable delivery of detection outputs to the response layer, constituting a failure of the risk management system under SYSC 6.1.1.

The EU AI Act (Article 9(4)) requires that risk management measures be implemented throughout the lifecycle of the AI system, including the operational monitoring and response chain. SOX Section 404 requires that information flows supporting internal controls be reliable and timely. ISO/IEC 27001:2022 clause A.8.16 requires monitoring of activities, including the monitoring infrastructure itself. AG-791 operationalises these requirements by governing the reliability and integrity of the detection-to-response pipeline.

4. Requirements

5. Maturity Model

Basic

At the Basic level, detection events are forwarded from sources to consumers through a message queue or API integration. A standardised event schema exists but normalisation may be incomplete for some sources. Delivery is best-effort without formal at-least-once guarantees. End-to-end latency is not systematically measured. Pipeline health monitoring is basic (heartbeat checks) without automated alerting on queue depth or latency degradation. Events are persisted but retention policies may not be formally defined.

Intermediate

At the Intermediate level, at-least-once delivery is guaranteed with idempotent consumer processing. All source formats are normalised to the standardised schema. End-to-end latency is monitored and alerted on, meeting the 1-second normal and 3-second peak load thresholds. Pipeline health degradation is reported to the escalation function as a governance event. Events are enriched with contextual data before delivery. Backpressure mechanisms prevent pipeline overload. All events are persisted with defined retention policies and accessible for audit.

Advanced

At the Advanced level, priority queuing routes high-severity events ahead of low-severity events during peak load. The ingestion pipeline has been validated through independent adversarial testing, including source flooding attacks, queue poisoning, normalisation bypass attempts, and pipeline partitioning scenarios. End-to-end pipeline performance is continuously optimised with sub-500ms median latency. The pipeline supports dynamic scaling to handle burst loads without latency degradation. Cross-pipeline correlation detects when multiple sources report related events, enabling pre-aggregation before delivery to the composite scoring engine.

6. Test Criteria

7. Scoring

Score | Level | Description
0 | No implementation | No structured ingestion pipeline exists. Detection events reach consumers through ad-hoc integrations (direct API calls, shared databases, log file polling) with no delivery guarantees, normalisation, or monitoring.
1 | Basic | A message queue or similar infrastructure exists but lacks formal delivery guarantees, comprehensive normalisation, latency monitoring, or pipeline health reporting to the escalation function. Events may be lost during outages without detection.
2 | Infrastructure-layer enforcement | At-least-once delivery, full normalisation, enrichment, sub-1-second latency monitoring, pipeline health governance integration, backpressure, durable persistence with retention policies, and comprehensive health alerting are all operational.
3 | Verified by independent adversarial testing | All Level 2 capabilities are validated by independent adversarial testing, including source flooding, queue poisoning, normalisation bypass, and pipeline partitioning. Priority queuing and dynamic scaling are operational. Performance under sustained adversarial load is documented.

8. Failure Scenarios

F1: Silent Event Loss Due to Queue Overflow (Maps to R2, R9)

Scenario: A detection source experiences a burst of activity, generating 10,000 events per second when the pipeline is sized for 100 events per second. The message queue fills to capacity and begins dropping events silently. High-severity events indicating an active attack are among those dropped. The escalation function never receives these critical signals.

Impact: CRITICAL. The adaptive threat response is blind to an active attack because the pipeline silently discards the evidence. This failure mode is particularly dangerous because there is no visible error — the system simply does not escalate.

Mitigation: R2 mandates at-least-once delivery. R9 recommends backpressure mechanisms that slow upstream sources rather than dropping events. R5 mandates monitoring of queue depth with alerting on threshold breaches. R10 suggests priority queuing to ensure high-severity events are processed even under overload.
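The bounded queue with backpressure, severity-first dequeuing and an idempotent consumer that R2, R9, R10 and the Intermediate maturity level describe, as an added Python example. This is illustrative code written for this page, not AGS or any product's implementation; the capacity, watermark and the six-event burst are constructed values.

```python
import heapq
import itertools


class BackpressureError(Exception):
    """Raised to the producer when the queue is full: the source must slow down or retry.
    The alternative, silently dropping the event, is exactly failure F1."""


class ThreatEventQueue:
    """Bounded priority queue: higher severity is dequeued first; when full, enqueue refuses
    (backpressure) instead of discarding; depth at or above a watermark raises an alert (R5)."""

    def __init__(self, capacity, alert_watermark):
        self.capacity = capacity
        self.alert_watermark = alert_watermark
        self._heap = []
        self._seq = itertools.count()   # FIFO tie-break within one severity
        self.alerts = []

    def depth(self):
        return len(self._heap)

    def enqueue(self, event):
        if len(self._heap) >= self.capacity:
            raise BackpressureError(f"queue full at depth {len(self._heap)}")
        heapq.heappush(self._heap, (-event["severity"], next(self._seq), event))
        if len(self._heap) >= self.alert_watermark:
            self.alerts.append(f"queue depth {len(self._heap)} >= watermark {self.alert_watermark}")

    def dequeue(self):
        return heapq.heappop(self._heap)[2]


class IdempotentConsumer:
    """At-least-once delivery implies redeliveries; the consumer remembers processed
    event_ids so a redelivered event changes nothing."""

    def __init__(self):
        self.seen = set()
        self.delivered = []

    def process(self, event):
        if event["event_id"] in self.seen:
            return False
        self.seen.add(event["event_id"])
        self.delivered.append(event)
        return True


# Constructed burst: six normalised events arriving faster than the queue is sized for.
BURST = [
    {"event_id": "e1", "severity": 2},
    {"event_id": "e2", "severity": 5},
    {"event_id": "e3", "severity": 1},
    {"event_id": "e4", "severity": 4},
    {"event_id": "e5", "severity": 3},
    {"event_id": "e6", "severity": 5},
]


def run_burst(events, capacity=4, watermark=3):
    """Producers push until backpressure; the consumer drains in priority order with a
    simulated redelivery of each event; deferred events are retried after the drain."""
    queue = ThreatEventQueue(capacity, watermark)
    consumer = IdempotentConsumer()
    deferred = []
    for ev in events:
        try:
            queue.enqueue(ev)
        except BackpressureError:
            deferred.append(ev)        # the producer keeps the event; nothing is lost
    order = []
    while queue.depth():
        ev = queue.dequeue()
        consumer.process(ev)
        consumer.process(ev)           # redelivery: must be a no-op
        order.append(ev["event_id"])
    for ev in deferred:                # retry once the queue has drained
        queue.enqueue(ev)
    while queue.depth():
        ev = queue.dequeue()
        consumer.process(ev)
        order.append(ev["event_id"])
    return {"order": order, "deferred": len(deferred),
            "alerts": len(queue.alerts), "delivered": len(consumer.delivered)}


if __name__ == "__main__":
    print(run_burst(BURST))
```

With capacity 4 the two last events are refused rather than dropped, the two Level 5 events leave the queue before anything lower, the depth alert fires twice on the way up, and every event is delivered exactly once despite the redeliveries.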

F2: Normalisation Failure Creating Blind Spots (Maps to R1, R4)

Scenario: A new detection source is deployed with an event format that the normalisation engine does not recognise. Events from this source pass through the pipeline with null or default values for severity and threat vector fields. The composite scoring engine (AG-790) assigns these events zero weight due to missing classification data. The new source, despite detecting genuine threats, has no influence on the composite score.

Impact: HIGH. The organisation has deployed a detection capability that is functionally disconnected from the governance response layer due to an ingestion normalisation gap.

Mitigation: R4 mandates normalisation of all source formats. The normalisation engine must reject events it cannot normalise and alert on the rejection. New source onboarding must include normalisation mapping validation as part of the deployment process.
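The normalisation function from the Definition (field mapping, UTC millisecond timestamps, a common severity scale, source attribution) together with the reject-and-alert behaviour required for F2, as an added Python example. The code is written for this page and is not AGS or any vendor's normalisation engine; the 1..5 severity scale, the syslog layout, the schema field names and all sample events are constructed assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Common severity scale of the normalised schema. Assumption: a 1..5 scale aligned
# with the threat levels the protocol refers to (Level 1 nominal .. Level 5).
SEVERITY_SCALE = {"info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed syslog shape: "<PRI>ISO-TIMESTAMP HOST APP: key=value key=value ..."
SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")


class NormalisationError(ValueError):
    """The event could not be mapped to the common schema. Callers must alert on it
    rather than forward an event with null or default classification fields (F2)."""


def to_utc_ms(value):
    """ISO-8601 timestamp -> integer milliseconds since the Unix epoch, in UTC.
    Naive timestamps are rejected: without an offset they cannot be standardised."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError) as exc:
        raise NormalisationError(f"bad timestamp {value!r}") from exc
    if dt.tzinfo is None:
        raise NormalisationError(f"timestamp without UTC offset {value!r}")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def to_severity(label):
    """Map a source's severity label onto the common scale; unknown labels are rejected."""
    try:
        return SEVERITY_SCALE[str(label).lower()]
    except KeyError:
        raise NormalisationError(f"unknown severity {label!r}") from None


def build(source, fmt, ts, severity, vector, agent):
    """Assemble a record in the common schema. event_id is a content hash so that an
    idempotent consumer can discard redelivered duplicates."""
    if not vector:
        raise NormalisationError("missing threat vector")
    record = {
        "source": source,              # source attribution tag
        "raw_format": fmt,
        "timestamp_ms": to_utc_ms(ts),
        "severity": to_severity(severity),
        "threat_vector": vector,
        "agent_id": agent,
    }
    record["event_id"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()[:16]
    return record


def normalise(raw):
    """Route a raw event to the mapper for its format; anything unrecognised is rejected."""
    if isinstance(raw, dict) and raw.get("type") == "indicator":    # STIX-style indicator
        labels = raw.get("labels") or [None]
        return build("stix-feed", "stix", raw.get("created"), labels[0], raw.get("name"), None)
    if isinstance(raw, dict) and "severity" in raw:                  # detector JSON
        return build(raw.get("source", "unknown"), "json", raw.get("ts"),
                     raw["severity"], raw.get("vector"), raw.get("agent"))
    if isinstance(raw, str):                                         # syslog line
        m = SYSLOG_RE.match(raw)
        if m:
            kv = dict(p.split("=", 1) for p in m["msg"].split() if "=" in p)
            return build(m["app"], "syslog", m["ts"], kv.get("severity"),
                         kv.get("vector"), kv.get("agent"))
    raise NormalisationError(f"unrecognised event format: {raw!r:.40}")


def ingest(raw_events):
    """Normalise a batch. Rejections are returned for alerting, never silently defaulted."""
    accepted, rejected = [], []
    for raw in raw_events:
        try:
            accepted.append(normalise(raw))
        except NormalisationError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


# Constructed sample inputs in three native formats, plus two that must be rejected.
SAMPLE_EVENTS = [
    {"source": "anomaly-detector", "ts": "2026-04-01T10:15:30.250Z",
     "severity": "high", "vector": "layering", "agent": "trader-07"},
    "<34>2026-04-01T10:15:31Z ratelimit01 ratelimiter: agent=trader-07 vector=rate_violation severity=medium",
    {"type": "indicator", "created": "2026-04-01T10:15:29.000Z",
     "labels": ["critical"], "name": "spoofing"},
    {"source": "new-detector", "ts": "2026-04-01T10:15:32Z",       # unmapped severity label
     "severity": "P1", "vector": "wash_trading"},
    "free-text alert line with no recognised structure",
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_EVENTS)
    for rec in ok:
        print(rec)
    for raw, reason in bad:
        print("REJECTED:", reason)
```

The fourth sample is the F2 case: a new source whose severity label the mapping does not know. It is returned as a rejection with a reason, so onboarding can fix the mapping, instead of reaching the composite scoring engine with a missing classification.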

F3: Pipeline Partition Preventing Decay Inhibition (Maps to R5, R6)

Scenario: The ingestion pipeline experiences a partition that prevents events from reaching the escalation function. Simultaneously, the pipeline health monitor is on the same side of the partition as the pipeline (not the escalation function), so its health reports also fail to reach the escalation function. The escalation function, receiving no events and no health warnings, allows the decay function (AG-785) to proceed, reducing the threat level during an active pipeline outage.

Impact: HIGH. The system decays its threat level during a period when it has no visibility into the threat landscape, creating a false sense of security.

Mitigation: R6 mandates that pipeline health degradation is reported as a governance event. The health monitoring path must be independent of the event delivery path, using a separate communication channel that can reach the escalation function even when the primary pipeline is partitioned. AG-785 R2 provides a complementary safeguard by preventing decay when detection pipelines are degraded.
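The decay gate that F3 calls for, as an added Python example: health reports arrive over a channel separate from the event queue, degradation is logged as a governance event (R6), and a health channel that has gone silent is treated as degraded rather than as healthy. This is illustrative code written for this page, not the AG-784 or AG-785 implementation; the 5-second heartbeat timeout and the timeline values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a health channel silent for longer than this is treated as degraded.
HEARTBEAT_TIMEOUT_MS = 5_000


@dataclass
class PipelineHealth:
    """A report carried over the health side channel, not over the event queue."""
    status: str          # "healthy" or "degraded"
    reported_at_ms: int


@dataclass
class EscalationFunction:
    """Reduced escalation state: the current level and a decay gate that consults
    pipeline health. Silence on the health channel counts as degraded, so a partition
    that cuts both paths still cannot let the level decay."""
    level: int = 3
    last_health: Optional[PipelineHealth] = None
    log: list = field(default_factory=list)

    def receive_health(self, report):
        self.last_health = report
        if report.status == "degraded":
            # R6: degradation is itself a governance event, not merely a metric
            self.log.append(f"governance event: pipeline degraded at {report.reported_at_ms}")

    def pipeline_trusted(self, now_ms):
        if self.last_health is None:
            return False
        if now_ms - self.last_health.reported_at_ms > HEARTBEAT_TIMEOUT_MS:
            return False     # stale heartbeat: absence of events is not absence of threats
        return self.last_health.status == "healthy"

    def try_decay(self, now_ms):
        """Decay by one level only while a fresh report says the pipeline is healthy."""
        if self.level <= 1:
            return False
        if not self.pipeline_trusted(now_ms):
            self.log.append(f"decay inhibited at {now_ms}: pipeline not trusted")
            return False
        self.level -= 1
        return True


def simulate_partition():
    """Constructed timeline (milliseconds): a healthy report, then silence on the health
    channel, then an explicit degraded report, then recovery."""
    esc = EscalationFunction(level=4)
    esc.receive_health(PipelineHealth("healthy", reported_at_ms=1_000))
    healthy = esc.try_decay(now_ms=2_000)        # fresh healthy report: decay allowed, level 3
    silent = esc.try_decay(now_ms=9_000)         # no report for 8 s: stale, decay inhibited
    esc.receive_health(PipelineHealth("degraded", reported_at_ms=10_000))
    degraded = esc.try_decay(now_ms=10_500)      # explicit degradation: decay inhibited
    esc.receive_health(PipelineHealth("healthy", reported_at_ms=12_000))
    recovered = esc.try_decay(now_ms=12_500)     # recovered: decay allowed, level 2
    return {"healthy": healthy, "silent": silent, "degraded": degraded,
            "recovered": recovered, "level": esc.level, "log": esc.log}


if __name__ == "__main__":
    for k, v in simulate_partition().items():
        print(k, v)
```

The stale-heartbeat branch is what distinguishes this from a monitor that merely forwards status: when the scenario's partition also isolates the health monitor, no "degraded" report ever arrives, and only the timeout stops the level from drifting down.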

F4: Event Enrichment Introducing Latency (Maps to R3, R8)

Scenario: The event enrichment process queries multiple external systems (agent identity store, boundary state engine, threat level store) for each event. Under peak load, these queries introduce 2-4 seconds of additional latency per event, pushing total pipeline latency to 5 seconds. During this period, the escalation function operates on stale data.

Impact: MEDIUM. Enrichment, intended to improve event quality, degrades pipeline performance to the point where it impairs the timeliness of threat response.

Mitigation: R3 mandates latency thresholds. Implement enrichment caching with millisecond-level cache refresh, and design the enrichment process to operate asynchronously where possible, attaching enrichment data after initial delivery if necessary rather than blocking delivery for enrichment completion.
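The cached, budgeted enrichment path from the F4 mitigation, as an added Python example: each external lookup sits behind a TTL cache, and once a per-event enrichment budget is spent the event is delivered with the remaining fields marked pending instead of blocking. The code is written for this page, not an AGS component; the 200 ms budget, 1 s cache TTL, 150 ms lookup cost and the three lookup tables are constructed assumptions, and a fake clock replaces real time so it runs offline.

```python
# Assumptions: the time the pipeline may spend on synchronous enrichment before it
# delivers the event anyway, and how long a cached lookup stays valid.
ENRICHMENT_BUDGET_MS = 200
CACHE_TTL_MS = 1_000


class FakeClock:
    """Deterministic clock so the example runs offline; a slow lookup advances it."""
    def __init__(self):
        self.now_ms = 0

    def __call__(self):
        return self.now_ms

    def advance(self, ms):
        self.now_ms += ms


class EnrichmentCache:
    """TTL cache in front of one external lookup (identity store, boundary state, threat level)."""
    def __init__(self, ttl_ms, clock):
        self.ttl_ms, self.clock, self.store = ttl_ms, clock, {}
        self.hits = self.misses = 0

    def get(self, key, loader):
        now = self.clock()
        entry = self.store.get(key)
        if entry is not None and now - entry[1] < self.ttl_ms:
            self.hits += 1
            return entry[0]
        self.misses += 1
        value = loader(key)
        self.store[key] = (value, now)
        return value


def slow_lookup(clock, cost_ms, table):
    """Models a remote query costing cost_ms; the constructed table stands in for the system."""
    def loader(key):
        clock.advance(cost_ms)
        return table.get(key, "unknown")
    return loader


def enrich(event, lookups, clock, budget_ms):
    """Attach enrichment fields in order. Once the budget is spent, the remaining fields are
    marked pending and the event is delivered anyway (the asynchronous path of F4)."""
    start = clock()
    pending = []
    for name, (cache, loader, key_fn) in lookups.items():
        if clock() - start > budget_ms:
            pending.append(name)
            continue
        event[name] = cache.get(key_fn(event), loader)
    event["enrichment_pending"] = pending
    event["enrichment_latency_ms"] = clock() - start
    return event


def run_demo():
    """Three events for the same agent in quick succession: the first pays for the lookups
    and overruns the budget, later ones are served from cache within it."""
    clock = FakeClock()
    lookups = {
        "agent_identity": (EnrichmentCache(CACHE_TTL_MS, clock),
                           slow_lookup(clock, 150, {"trader-07": "desk-EQ/verified"}),
                           lambda e: e["agent_id"]),
        "boundary_state": (EnrichmentCache(CACHE_TTL_MS, clock),
                           slow_lookup(clock, 150, {"trader-07": "within_limits"}),
                           lambda e: e["agent_id"]),
        "threat_level":   (EnrichmentCache(CACHE_TTL_MS, clock),
                           slow_lookup(clock, 150, {"global": 3}),
                           lambda e: "global"),
    }
    results = []
    for n in range(3):
        ev = {"event_id": f"ev{n}", "agent_id": "trader-07", "severity": 4}
        results.append(enrich(ev, lookups, clock, ENRICHMENT_BUDGET_MS))
    return results


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The first event is delivered after 300 ms with threat_level still pending; the second fills the remaining cache entry in 150 ms; the third is fully enriched with zero added latency. A production pipeline would complete the pending fields on a separate worker and attach them after delivery.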

9. Regulatory Mapping

Requirement | EU AI Act | SOX | FCA SYSC | ISO/IEC
R1: Standardised event schema | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15
R2: At-least-once delivery | Art. 9(4) — Lifecycle measures | Sec. 404 | SYSC 6.1.1 | ISO/IEC 27001:2022 A.8.16
R3: Latency thresholds | Art. 9(4)(b) — Mitigation | -- | SYSC 6.1.1 | ISO/IEC 27001:2022 A.5.24
R4: Format normalisation | Art. 12 — Record-keeping | -- | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.15
R5: Pipeline health monitoring | Art. 9(9) — Monitoring | Sec. 404 | SYSC 6.1.2 | ISO/IEC 27001:2022 A.8.16
R6: Health as governance event | Art. 9(4) — Lifecycle measures | Sec. 404 | SYSC 6.1.1 | ISO/IEC 27001:2022 A.8.16
R7: Event persistence | Art. 12 — Record-keeping | Sec. 802 | SYSC 9.1.1 | ISO/IEC 27001:2022 A.8.10

Protocol | Relationship
AG-784 (Adaptive Threat Level Escalation) | Consumer: Ingested events are delivered to the escalation function as primary inputs.
AG-785 (Threat Level Auto-Decay and Stabilisation) | Integration: Pipeline health status directly affects decay eligibility (AG-785 R2).
AG-786 (Cryptographic Governance State Sealing) | Indirect: Ingested events drive escalation that triggers sealing at Level 5.
AG-787 (Governance Seal Integrity Verification) | Indirect: Pipeline integrity affects the trustworthiness of events recorded at sealing time.
AG-788 (Federated Threat Level Propagation) | Source: Federated peer broadcasts are a detection source ingested through the pipeline.
AG-789 (HMAC-Signed Threat Broadcast Authentication) | Security: Federated inputs must be authenticated before ingestion.
AG-790 (Multi-Source Weighted Threat Composite Scoring) | Consumer: Normalised events feed into the composite scoring engine.
AG-001 (Operational Boundary Enforcement) | Enrichment: Boundary state is attached to events during enrichment.
AG-003 (Adversarial Coordination Detection) | Source: Coordination detectors are a primary event source.
AG-004 (Action Rate Governance) | Source: Rate violation events are ingested through the pipeline.
AG-005 (Instruction Integrity Verification) | Source: Integrity verification failures are ingested as threat events.
AG-006 (Tamper-Evident Record Integrity) | Audit: Ingested events are persisted in tamper-evident storage.
AG-012 (Agent Identity Assurance) | Enrichment: Agent identity is attached to events during enrichment.

Document generated under Patent 7 governance framework. Classification: INTERNAL. Review cycle: Quarterly.

Cite this protocol
AgentGoverning. (2026). AG-791: Pipeline-Integrated Threat Event Ingestion. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-791