Agentic Security at Trent: From Judgment to Time-Bounded Delegation
DOAgents, consistent reasoning limits, and the power of ‘I don’t know’
Neil D. Lawrence
Trent AI Offsite
Building on our previous Trent session
- Last time: explicit intent and shared context reduce misimplementation.
- This time: extend that logic from single assistants to networks of agents.
- Core question: how do we keep institutional judgement while scaling delegation?
Security at machine speed
- Agentic systems turn language into actions (tools, APIs, workflows).
- Teams ship faster; attack surface and ambiguity both expand.
- The bottleneck shifts to judgement, coordination, and timely escalation.
Institutional tacit knowledge
- The “judgement layer” in organisations is often tacit: norms, exceptions, escalation paths, and context that rarely makes it into documentation.
- It lives in handoffs and approvals: what gets challenged, what gets waived, and what triggers a halt.
- Ceding this tacit knowledge without making it explicit is how we accumulate agentic debt.
DOAgents for agent networks
- Use a data-oriented interface between agents: shared state, explicit contracts, typed handoffs.
- Model work as subgraphs: retrieval, synthesis, planning, tool-use, verification.
- Analyse at the graph level, not just individual prompts.
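A minimal sketch of what a data-oriented handoff might look like. The names here (`Handoff`, `run_graph`, the node functions) are illustrative assumptions, not an actual DOAgent API; the point is that every hop carries typed state and provenance that can be inspected later.

```python
# Sketch of a data-oriented interface between agents: shared state,
# explicit contracts, typed handoffs. Names are illustrative only.
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Handoff:
    """Typed contract passed between agents: data plus provenance."""
    payload: dict                                  # shared state so far
    produced_by: str                               # which node emitted it
    evidence: list = field(default_factory=list)   # citations, tool logs

# A node is a named transformation over handoffs.
Node = Callable[[Handoff], Handoff]

def retrieval(h: Handoff) -> Handoff:
    docs = ["doc-1", "doc-2"]  # stand-in for a real retrieval tool call
    return Handoff({**h.payload, "docs": docs}, "retrieval",
                   h.evidence + docs)

def synthesis(h: Handoff) -> Handoff:
    summary = f"summary of {len(h.payload['docs'])} docs"
    return Handoff({**h.payload, "summary": summary}, "synthesis",
                   h.evidence)

def run_graph(start: Handoff, nodes: list[Node]) -> Handoff:
    """Run a linear subgraph; every hop is inspectable via produced_by."""
    for node in nodes:
        start = node(start)
    return start

result = run_graph(Handoff({"query": "triage alert"}, "user"),
                   [retrieval, synthesis])
print(result.produced_by, result.payload["summary"])
```

Because every handoff is a value rather than free-form prose, the graph can be analysed after the fact: who saw what, who decided what, and what evidence travelled with the decision.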
Why this helps Trent now
- Makes the judgement layer inspectable: what each agent saw, decided, and handed off.
- Enables selective autonomy: low-risk paths can run fast, high-risk paths route to review.
- Creates a foundation for measurable SLOs on security outcomes, not just latency.
Reasoning limits and trust
Consistent Reasoning
Assume an agent \(R\) with two properties:
- Logical consistency: \(R\) never believes both \(P\) and \(\neg P\).
- Trust in its own reasoning: if \(R\) concludes something by valid reasoning, it believes that conclusion.
This models an ideal thinker or reasoning AI.
Consistent Reasoning Paradox (CRP)
The paradox shows that an agent cannot simultaneously be:
- logically consistent,
- fully reflective about its own reasoning, and
- perfectly trusting of its conclusions.
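The tension can be illustrated with a Gödel-style self-reference sketch. This is an illustrative framing only, not the CRP's actual construction; the belief predicate \(B(\cdot)\) is an assumption introduced here.

```latex
% Illustrative only: a Gödel-style sketch, not the CRP's actual proof.
Let $B(\cdot)$ denote ``$R$ believes''. Assume consistency,
$\neg\bigl(B(P) \wedge B(\neg P)\bigr)$, and trust: a valid derivation
of $P$ yields $B(P)$. Form the self-referential sentence
\[
  G \;\equiv\; \neg B(G).
\]
If $R$ validly derives $G$, trust gives $B(G)$; full reflectivity lets
$R$ recognise that $B(G)$ holds, which by the definition of $G$ yields
$\neg G$, hence $B(\neg G)$, violating consistency. So a consistent,
reflective, self-trusting $R$ can never settle $G$; the only honest
response is ``I don't know''.
```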
The missing primitive: “I don’t know”
- Agents need an explicit “I don’t know” action, not just low-confidence prose.
- “I don’t know” must be operational: halt, escalate, or request additional evidence.
- This is a control primitive for safety, not a model weakness.
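A sketch of “I don’t know” as a control signal rather than prose. The names (`Verdict`, `AgentResult`, `dispatch`) are hypothetical; the point is that abstention is a typed outcome the orchestrator routes on, mirroring the halt / escalate / request-evidence options above.

```python
# "I don't know" as an operational control primitive, not a weakness.
# All names here are illustrative, not a real framework's API.
from dataclasses import dataclass
from enum import Enum, auto

class Verdict(Enum):
    ANSWER = auto()          # confident, evidence-backed result
    NEEDS_EVIDENCE = auto()  # request more input before proceeding
    DONT_KNOW = auto()       # explicit abstention: halt and escalate

@dataclass
class AgentResult:
    verdict: Verdict
    payload: str = ""
    reason: str = ""         # why the agent abstained or wants evidence

def dispatch(result: AgentResult) -> str:
    """Route on the verdict: abstention never free-runs the workflow."""
    if result.verdict is Verdict.DONT_KNOW:
        return f"HALT+ESCALATE: {result.reason}"
    if result.verdict is Verdict.NEEDS_EVIDENCE:
        return f"REQUEST EVIDENCE: {result.reason}"
    return f"PROCEED: {result.payload}"

print(dispatch(AgentResult(Verdict.DONT_KNOW,
                           reason="conflicting evidence")))
print(dispatch(AgentResult(Verdict.ANSWER, payload="apply low-risk fix")))
```

Making the abstention a distinct enum member, rather than a low-confidence string, means it can be counted, alerted on, and given an SLO like any other security outcome.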
Agentic Debt
- Agentic AI could pay down technical and intellectual debt.
- But it can also create agentic debt: delegation without clear authority or authorship.
Agentic Debt
- Delegation of workflows without crisp boundaries.
- At its core, agentic debt is unsafe or illegible delegation.
Time-bounded delegation in DOAgent graphs
- Assign each node/subgraph a time budget \(\tau_i\) and termination policy.
- At timeout: complete with evidence, or emit “I don’t know” and escalate to a human.
- Optional prompt augmentation: agents see remaining time and adapt search depth.
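The timeout-then-escalate policy can be sketched with a standard-library executor. This is a minimal illustration under assumed names (`run_with_budget`, `slow_planner`), not a production scheduler; real systems would also need cooperative cancellation, since a Python thread cannot be killed from outside.

```python
# Per-node time budget tau_i with an explicit "I don't know" fallback.
# Names and budgets are illustrative.
import concurrent.futures as cf
import time

def run_with_budget(node, state, tau_seconds):
    """Run a node under a budget; on timeout, emit a don't-know escalation."""
    with cf.ThreadPoolExecutor(max_workers=1) as pool:
        future = pool.submit(node, state)
        try:
            return {"status": "ok",
                    "result": future.result(timeout=tau_seconds)}
        except cf.TimeoutError:
            # Best effort only: a running thread keeps going until it
            # returns, so the with-block still drains it on exit.
            future.cancel()
            return {"status": "dont_know", "escalate_to": "human",
                    "reason": f"budget {tau_seconds}s exhausted"}

def slow_planner(state):
    time.sleep(0.5)  # stands in for long-running remediation planning
    return state + " -> plan"

print(run_with_budget(slow_planner, "alert", tau_seconds=0.05)["status"])
print(run_with_budget(lambda s: s + " -> plan", "alert",
                      tau_seconds=5.0)["status"])
```

For the prompt-augmentation variant, the same wrapper could pass `tau_seconds` (or the remaining budget) into the node's input so the agent can adapt its search depth; that is omitted here for brevity.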
Choosing time budgets (\(\tau_i\))
- Tune empirically from traces: success rate, escalation rate, and incident outcomes.
- Optimise expected cost: human interruption cost vs compute waste vs risk penalty.
- Different tasks need different \(\tau_i\): triage may be short; remediation planning longer.
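A back-of-envelope version of that optimisation. The success curve and every cost weight below are made-up illustrative numbers; in practice \(p_{\text{success}}(\tau)\) would be fitted from traces, and the costs priced per task class.

```python
# Toy expected-cost model for choosing a time budget tau.
# All curves and weights are illustrative, not calibrated values.
import math

def p_success(tau):
    """Probability the node finishes within tau; fit from traces in
    practice. Toy curve: saturating with a 30s characteristic time."""
    return 1.0 - math.exp(-tau / 30.0)

def expected_cost(tau, c_compute=0.02, c_escalate=5.0,
                  c_risk=50.0, p_incident=0.1):
    """Compute spend, plus escalation and residual-risk cost on timeout."""
    p = p_success(tau)
    return tau * c_compute + (1 - p) * (c_escalate + p_incident * c_risk)

candidates = [5, 15, 30, 60, 120, 300]
best = min(candidates, key=expected_cost)
print(best)  # with these toy weights, 60s minimises expected cost
```

The useful part is the shape of the trade-off, not the numbers: short budgets burn human attention on escalations, long ones burn compute and delay risky work, so each task class gets its own \(\tau_i\) from its own traces.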
20-minute takeaway
- Institutional tacit knowledge is the judgement layer; don’t silently cede it.
- DOAgent-style graphs make delegation explicit, inspectable, and governable.
- “I don’t know” + time-bounded escalation can convert agentic debt into managed risk.