Most control systems for AI agents begin at execution. They validate API calls, enforce access policies, and monitor runtime behavior. Some extend slightly upward, evaluating plans or outputs before execution. But they all share the same implicit assumption: by the time a plan exists, it is already a valid representation of what should be done.
That assumption no longer holds. In agentic systems, plans are not given. They are constructed. And the failure does not originate when a system executes a plan. It originates when the system decides what the plan should be.
This is not a runtime problem. It is a refinement problem.
The system is not a pipeline. It is a refinement chain
To understand where control actually belongs, you have to model the system differently.
An agent does not move directly from request to execution. It moves through a sequence of transformations: human purpose → operational intent → plan → action → effect
Each transformation reduces uncertainty. The system moves from an under-specified human request to a concrete sequence of executable operations. But each transformation is also lossy. Meaning is approximated. Constraints are inferred. Scope can expand. Authority can change.
Correctness is not preserved automatically across this chain. And critically, no existing control system reasons across it.
Local correctness is not global correctness
One of the key insights from the refinement model is the distinction between local validity and global correctness. At any given step, a decision may appear locally valid. A plan may be coherent. An action may be authorized. A tool invocation may conform to its interface.
But the sequence of locally valid steps can still produce a globally invalid outcome. This is because validation today is applied per step, while correctness is defined across transformations.
The system does not fail because a step is wrong. It fails because the chain is inconsistent with the original intent.
Why control must move to refinement
If failures originate during refinement, then control must be applied at the same layer. This introduces a different control surface: not actions, not outputs, but transformations.
The system must evaluate whether each refinement step preserves two properties:
Reduction in ambiguity
Preservation of authority bounds
This is formalized as a refinement invariant:
Representation uncertainty must decrease across transformations
Authority must not expand beyond what was previously authorized
This is not a heuristic constraint. It is structural. It turns refinement from an unbounded generative process into a constrained one.
Authority is not static. It is constructed
Traditional systems treat authority as static: a principal has permissions, and those permissions define what can be done. In agent systems, authority is dynamic.
A plan introduces new tools. A decomposition introduces new interfaces. A delegation introduces new execution paths. Authority emerges as the system becomes more concrete. To control this, authority must be explicitly modeled.
In the refinement model, authority is represented as a structured object composed of:
Available interfaces (tools, APIs, commands)
Active constraints (skills, policies, restrictions)
Execution context (environment, scope, delegation state)
This structure forms a partially ordered space, where refinement is valid only if it moves toward more constrained authority.
In other words:
as the system becomes more certain, it must become less powerful and not more.
The failure mode: decreasing uncertainty, increasing authority
The most critical failure pattern in agent systems follows a simple structure. As the system refines intent into a plan, it becomes more certain about what to do.
At the same time, it introduces new capabilities:
new tools
new data sources
new execution paths
This creates a condition where uncertainty decreases while authority increases. This is the exact opposite of what safe refinement requires. And it is the point at which systems become dangerous.
Because the system is now confident and overpowered.
What controlling refinement actually looks like
Controlling the right layer means introducing a validation boundary during plan construction. The system is allowed to generate candidate plans freely. But before a plan becomes executable, it must pass structural validation:
Does it introduce new interfaces not present in the original authority set?
Does it weaken existing constraints?
Does it expand the execution surface?
If any of these conditions are violated, the plan is rejected or escalated.
This is fundamentally different from policy enforcement at execution time. It is not checking whether an action is allowed.
It is checking whether the plan itself should be allowed to exist.
Separating generation from validation
A key architectural decision follows from this. Plan generation must remain nondeterministic. Plan validation must be deterministic. The system generates multiple candidate plans using probabilistic reasoning.
A separate validation layer filters these plans using structural constraints. This separation is essential. It preserves flexibility while enforcing safety.
Once refinement is controlled, execution becomes enforceable
If a plan has passed refinement constraints, it can be treated as a valid representation of intent within bounded authority. At this point, execution can be strictly enforced. Each action must be derived from the validated plan. Each step must be traceable back to it. Any deviation becomes detectable and preventable. This transforms execution from a probabilistic process into a verifiable one.
Not because the reasoning is perfect. But because execution is constrained by structure.
This is a new control primitive
What emerges is not an extension of existing control planes. It is a new layer. A layer that:
does not attempt to infer full human intent
does not attempt to make models deterministic
does not rely on probabilistic supervision
Instead, it enforces invariants over how behavior is constructed. It controls the system at the only point where control is both possible and meaningful. During transformation.
The shift
We are not solving for better prompts. We are not solving for better models. We are solving for systems where: non-deterministic reasoning produces bounded, verifiable behavior.
Controlling agents is not about controlling execution. It is about controlling how execution comes into existence.
