contextcontinuitylayer.orgWhy AI Governance Needs a Propagation Control Plane
Morgan Allen
Context Layer Systems, Inc.
Enterprise AI deployment is accelerating faster than the governance infrastructure underneath it. Agentic systems are already delegating tasks, passing context across service boundaries, and writing references to sensitive subjects into downstream stores. The controls enterprises have built so far answer who may access a system. They do not answer what happens after context propagates.
The urgency is not theoretical. Only about one-third of organizations have governance maturity adequate for the agents they are already deploying, according to McKinsey's 2026 AI Trust research. Deloitte puts the share of enterprises with mature governance models for autonomous systems at roughly 20 percent. The EU AI Act becomes fully applicable on August 2, 2026. The window for intentional architecture is closing, and enterprises that do not design their accountability model will have one designed for them by auditors and regulators instead.
Enterprise governance architecture has clear layers at the top and bottom, but a critical gap in between. Identity and SSO sit upstream, establishing authentication, delegated authorization, and session scope. Applications, agents, and downstream processors sit at the bottom, consuming context and acting on it. The layer that should connect them — a propagation registry that tracks where contextual references travel after access is granted — does not exist as a standard enterprise primitive.
Identity systems confirm authorization at the boundary. An SSO token establishes that a user or agent may act. It does not record which downstream services later received a reference to that subject, under which key version, or under which consent state was active at the time of write. Once context crosses the identity boundary, its lifecycle is untracked.
Downstream applications treat revocation and deletion as local concerns. When a deletion request arrives, each system handles it independently: clearing a row, expiring a cache, flagging a record. There is no shared registry that knows the full scope of propagation, so "deletion" becomes a coordination exercise across systems that may not all respond, may not all confirm, and may not all be known to the requesting party.
| Layer | What it governs | What it does not govern |
|---|---|---|
| Identity / SSO (upstream) | Authentication, delegated access, session scope | Post-access propagation of contextual references |
| Propagation Registry (missing middle) | Where references traveled, key-version lineage, consent state, revocation travel | Application-layer execution logic |
| Applications / Agents (downstream) | Local data handling, task execution | Cross-system revocation coordination, erasure attestation |
The missing middle layer is a propagation registry. Its job is to record at write time which systems, agents, or stores received a reference to a given subject, along with the key version active at that moment, the consent state that authorized the write, and the policy context governing the reference. With that record in place, revocation is no longer a broadcast problem. It becomes a directed, attestable operation across a known set of holders.
The real risk: Without a propagation registry, enterprises cannot answer the two questions regulators and auditors will ask first — where did this context go, and can you prove it was revoked everywhere it landed?
OAuth and OIDC represent the closest architectural precedent for what a propagation control plane could look like, and the sharpest illustration of where that precedent stops. They standardized delegated authorization at internet scale, giving the industry a shared control plane for a precise question: who may access which resource, under which scopes, for how long. That standardization held together distributed application ecosystems for over a decade and remains the foundation of enterprise identity federation today.
"OAuth answered who may access. It never answered what happens to what they accessed."
The omission was defensible in a world of discrete application sessions. A user authenticates, an application acts, the session expires. The blast radius of any one access event was bounded. Revocation meant revoking the token. The token's downstream effects were assumed to be contained within the application that held it.
Multi-agent AI systems break that assumption entirely. An agent that receives delegated context may pass a reference to a sub-agent, write a summary to a vector store, cache a subject identifier in a retrieval index, and trigger a downstream workflow, all within a single task execution. The original token may expire while five downstream systems still hold live references to the subject it authorized.
OAuth was not designed to answer any of these questions, and the industry treated that silence as an acceptable gap for over a decade. It is no longer acceptable when the authorized entity is an autonomous agent operating across organizational boundaries at machine speed.
A propagation registry is not a logging system. Logs record what happened. A propagation registry records what was distributed and maintains the state needed to coordinate what happens next. The distinction matters because observability alone does not produce enforceable governance. A log that tells you a reference propagated to twelve systems is useful. A registry that carries revocation state to those twelve systems and tracks acknowledgment is the actual control plane.
| Stage | Event | Registry action |
|---|---|---|
| Write | Agent writes subject reference to downstream store | Records recipient, key version, consent state, timestamp |
| Propagation | Downstream system passes reference to another agent | Extends lineage record to new recipient |
| Revocation | Consent withdrawn or subject deletion requested | Pushes revocation state to all known holders |
| Acknowledgment | Holder confirms revocation or erasure | Registry updates holder status; audit record sealed |
| Attestation | Auditor or regulator requests proof | Registry produces lineage + revocation + acknowledgment log |
The outcome is not merely better visibility into where context traveled. It is a system that can enforce the claim "this subject reference has been revoked and rendered inaccessible across all holders," and produce a verifiable record to prove it. That is what transforms erasure from a best-effort file operation into an enforceable infrastructure property.
A KMS handles cryptographic erasure through a well-defined mechanism: destroy the key, render any data encrypted under it unrecoverable. NIST defines cryptographic erasure as a purge sanitization technique that works exactly this way, and the mechanism is sound. The problem is not the mechanism. The problem is that key destruction is scoped to the key manager's own authority surface, not to the full population of downstream systems that received references encrypted under that key.
A KMS knows about keys. It does not know about propagation. When a key is destroyed, the KMS has no record of which downstream systems received references encrypted under that key version, which of those systems have since re-encrypted or cached the plaintext, which holders were notified, or whether any of them acknowledged. The destruction event is complete inside the KMS. Its effects on the broader system are entirely unverified.
| Capability | KMS | Propagation Registry |
|---|---|---|
| Key creation and rotation | Yes | Tracks key version at write time |
| Key destruction / cryptographic erasure | Yes | Coordinates destruction across holders |
| Record of which systems received a reference | No | Core function |
| Consent and policy state at write time | No | Recorded at write time |
| Revocation state propagation to holders | No | Traveling property of the token |
| Holder acknowledgment tracking | No | Required for audit closure |
| Erasure attestation across all recipients | No | Produced as verifiable output |
The key is one primitive inside the control plane, not the control plane itself. A propagation registry uses key-version lineage as one of its recorded dimensions, and it coordinates with the KMS to execute cryptographic erasure when a revocation workflow completes. But it cannot delegate its core function to the KMS, because the KMS has no model of the downstream systems that received context in the first place.
The practical consequence: an enterprise that relies solely on KMS-based erasure can prove that a key was destroyed. It cannot prove that every system holding a reference under that key was identified, notified, and confirmed inaccessible. That gap is exactly what auditors and regulators will probe when enforcement pressure intensifies under the EU AI Act and equivalent frameworks.
The regulatory timeline is no longer abstract. The EU AI Act is phasing in obligations across a compressed window, and the enforcement surface it creates maps directly onto the propagation problem.
| Date | Obligation |
|---|---|
| February 2, 2025 | Unacceptable-risk AI practices became legally binding |
| August 2, 2025 | Governance obligations for General-Purpose AI models began |
| August 2, 2026 | Full EU AI Act applicability for high-risk AI systems |
| December 2, 2027 | Extended deadline for stand-alone high-risk AI systems |
| August 2, 2028 | Extended deadline for high-risk AI embedded in regulated products |
The Act requires enterprises to document how AI systems act on sensitive data, maintain audit trails for high-risk decisions, and demonstrate that human oversight mechanisms are operational. None of those requirements can be satisfied by an architecture that treats deletion and revocation as application-layer coordination tasks.
As Deloitte's 2026 enterprise AI research puts it directly: "Organizations that have not explicitly designed their AI accountability model by end-2026 risk having it designed for them via audits, regulators, or visible failures." The propagation registry is not a future-proofing exercise. It is the architectural prerequisite for answering these questions at all.
The practical question for platform and infrastructure teams is not whether to adopt a propagation registry eventually. It is whether current governance architecture can answer the propagation question at all, and if not, how long that gap can be sustained before it becomes a compliance liability.
The strategic test is straightforward: governance that lives in downstream applications is governance that cannot be coordinated. Every application that handles revocation independently is a system that may handle it differently, partially, or not at all. Elevating revocation and erasure into a shared control plane between identity and execution is not an architectural preference. It is the only design that makes those properties enforceable across the full scope of propagation.
Emerging infrastructure efforts, including Secure, Tokenized, Auditable, Context Continuity with Revocation & Erasure Proof (STACCR™), are beginning to operationalize this control plane. CCL defines the open architectural standard. STACCR™ is the production platform that records propagation lineage, carries revocation state with contextual tokens, and produces cryptographic attestation of erasure across distributed holders. That is the missing layer: not a privacy tool, not a KMS wrapper, not an IAM extension, but the infrastructure that makes revocation and erasure enforceable properties of the enterprise stack.
The bottom line: access control is a solved problem. What propagates after access, and what happens to it when consent changes, is not. The control plane for that question is the next necessary layer in enterprise AI architecture.
See how the layer works in practice. The STACCR™ sandbox lets you walk through propagation lineage, revocation state, and cryptographic erasure attestation against a live reference architecture.
Share this article
Classification
© 2026 Context Layer Systems. All rights reserved. CCL/STACCR™ research and design initiated October 2025.