Tovel · The SOCI evidence enclave Public edition · 2026
Tovel
White paper
Public edition
Critical infrastructure · Agent governance

The SOCI evidence enclave

How Australia’s critical-infrastructure obligations become a continuous, cryptographically assured, always-audit-ready capability, for the AI agents now running inside regulated estates.

Audience
CISO · Risk · Platform
Sector
SOCI · APRA
Origin
Sydney, Australia
Reading
~12 minutes

General information, not legal advice. This paper describes an operating model and Tovel’s current, shipped capability. It does not assert coverage of any framework Tovel has not shipped, and it references no customer Tovel has not been cleared to name. Where a claim would need a record to back it, that record is described rather than asserted.

Executive summary

Obligations are continuous. Most evidence is not.

Australia’s critical-infrastructure regime asks operators to run a living risk-management program, not to pass a point-in-time inspection. Yet the evidence most teams produce for it, screenshots, exports and quarterly attestations, is stale the day it is collected.

AI agents widen that gap. An agent that reads private data, ingests untrusted content and can reach external systems is exactly the combination the regime is designed to keep controlled, and it changes state faster than any manual evidence cycle can track. The question a regulator, a board or an insurer will ask is no longer “what is your policy?” but “show me what actually happened, on that action, at that time.”

This paper sets out a model that answers that question by construction. Each application runs inside an isolated enclave; every agent turn passes through a fixed harness of controls; and every consequential decision seals into an append-only, hash-chained evidence locker you can export and verify. Obligation becomes a byproduct of operating, not a project you run twice a year.


01 · The obligation

A program you operate, evidenced on demand.

Under the Security of Critical Infrastructure Act’s risk-management program obligations, and the sector-specific security rules that sit alongside them, responsible entities are expected to identify material risks to their assets, apply and maintain controls, and be able to demonstrate that those controls are operating, on an ongoing basis. The telecommunications sector carries analogous security and competent-oversight expectations.

Two properties of the regime matter most for this paper. First, it is continuous: the obligation is to keep controls effective over time, not to certify a snapshot. Second, it is evidentiary: an operator is expected to be able to show, on request, that a control was in force when a given action occurred, and who was accountable.

The shift

From attestation to demonstration. It is no longer enough to hold a policy that says an action requires approval; you are expected to show the approval that was actually given, for the action that actually ran.

That shift is manageable for slow, human systems. It is unmanageable for autonomous ones unless the evidence is produced by the system itself, at the moment of action, in a form nobody can quietly revise later.

02 · The evidence gap

Why agents break the current model.

Most assurance today is reconstructed after the fact from logs that were never designed to be evidence: they are mutable, scattered across tools, and silent on the questions that matter, who was accountable, what data was touched, whether a human signed off. For a periodic control that is uncomfortable. For an autonomous agent it fails outright.

The dangerous combination

Risk concentrates when a single agent can, in one action, hold three capabilities at once: access to private data, exposure to untrusted content, and the ability to communicate externally. That combination is what turns a prompt-injection or a poisoned document into exfiltration.

The shadow estate

The riskiest agents are usually the ones nobody registered: scheduled scripts with standing credentials, copilots wired to production, MCP servers with no owner. They generate no reliable evidence because no one decided they should.

Closing the gap is not a matter of collecting more logs. It requires the evidence to be a designed output of the runtime, produced at the point of action and sealed so it cannot be edited afterwards.


03 · The enclave model

One isolated enclave per application.

You bring an application or agent; Tovel runs it inside a dedicated, isolated enclave. Only two things cross the boundary: least-privilege scopes going in, and signed evidence coming out.

  1. BoundaryEach application gets its own enclave. A compromise in one enclave cannot reach another, or your wider estate.
  2. HarnessEvery turn is hardened before it runs, enforced at runtime rather than reviewed afterwards.
  3. EvidenceOnly sealed records leave. Verdicts and approvals seal into a hash-chained locker; raw payloads never do.

Inside the enclave, every agent carries a cryptographic identity, a trust tier and a named human owner. The enclave is the unit you assess, score and export, which is also the unit an auditor can reason about.

04 · The harness

Six layers, on every turn.

The same six control layers apply to every agent, on every turn, from the orchestration loop down to an independent verifier. None is optional; the record shows each one was applied.

01Agent loopA bounded, inspectable plan-act-observe loop. The plan is declared up front and each step is checked against it.
02ModelCalls are restricted to an allow-list of approved foundation models. Inference stays in the Australian region.
03Role-scoped toolsLeast-privilege, read-only by default. A single action cannot hold private data, untrusted content and external comms without a human.
04ContextRetrieval, memory and caching are provenance-tracked, so recalled context cannot be silently poisoned.
05GuardrailsPolicy, safety and content guardrails run per turn, aligned to the framework packs you have enabled.
06VerificationA separate verifier reviews the trajectory against the declared plan and policy before output is released.

05 · The evidence architecture

A record you can export and verify.

Guardrail verdicts, human approvals, tool calls and verifier checks are written to an append-only evidence locker, hash-chained so a record cannot be altered after the fact, and exportable for board, auditor or insurer review. A record does not contain the raw payload; it contains proof of what was decided and by whom.

EVR · data exportSealed
Actor
analytics-agent · approved model · scoped identity
Accountable
Named human owner · recorded at the point of action
Data touched
Classified at the boundary · PII / Confidential flagged
Authorised by
Human approver · timestamped, in region
Controls
Guardrails · least-privilege · residency, each recorded as applied
Integrity
Tamper-evident chain · SHA-256 · replayable end to end
Residency

Data and inference stay in Australia, on AWS Bedrock and AgentCore in Sydney (ap-southeast-2). No inference leaves the region, and the enclave’s raw traces and payloads are never exfiltrated.

06 · What “audit-ready” means

Packs assemble on demand; a human reviews what leaves.

Because evidence is produced continuously and sealed as it is created, an audit pack is an assembly step, not a collection project. Posture is scored against the framework packs Tovel has shipped and you have enabled; the export is the same record a board can read and an auditor can verify. Anything that leaves the enclave is reviewed by a named human first.

The result is the property the regime is really asking for: on any given action, at any given time, you can show the control that was in force, the data it touched, the person accountable, and the proof that none of it was edited after the fact.


07 · Claims discipline

What we claim, and what we don’t.

Regulated buyers distrust hype. So we are explicit about the line between what Tovel evidences today and what it does not.

We evidence
  • Posture scored against the framework packs Tovel has shipped and you have enabled.
  • Australian data residency on AWS Bedrock and AgentCore, Sydney.
  • A signed, hash-chained evidence locker you can export and verify.
  • Human-in-the-loop and read-only defaults, on by design.
We do not claim (yet)
  • Coverage of any framework pack Tovel has not shipped.
  • Certifications or badges that are not independently verified.
  • Customer names we have not been cleared to reference.
  • Anything a record in the evidence locker cannot back.

08 · How to evaluate

Five questions to bring to any agent-governance vendor.

See it on your own architecture.

A 30-minute walkthrough: we stand up an enclave around one of your agents and walk the harness, the maturity matrix and the evidence a board can read.