May 18, 2026

The Tool-Call Boundary

Why the agent governance launches of the last thirty days enforce, but do not sign.

By Jonathan Luethke

Thirty days. Three control planes. One missing artifact.

Three governance toolkits shipped between April 2 and May 5. Each enforces tool-call policy at sub-millisecond latency. None of them produces the signed record of which calls were allowed, which were blocked, and what the agent did next.

Enforcement is now a solved category. Audit is not.

What the new control plane does.

The shape is consistent across the launches. A policy engine sits in front of every tool an agent can call. Each tool invocation routes through the engine. The engine checks the agent's identity, the call signature, and the active policy. It decides in sub-millisecond time. Allow, block, or quarantine.

The Cloud Security Alliance has named this layer the agentic control plane. The Model Context Protocol gets treated as a first-class access channel, governed with the same rigor as an API gateway. Decentralized identifiers bind the agent to a cryptographic identity. Trust scores adjust as the agent's behavior shifts.

This is real progress. A year ago the question was whether the agent should be allowed to call the tool at all. That question now has an answer at the gateway.

The next question does not.

What the control plane does not produce.

A policy engine decides. It does not narrate.

The decision sits in the engine's own log for a window measured in days. The format is operator-readable. The audience is the platform team. The retention is governed by infrastructure SLA, not by examination period. The signature, when there is one, binds the policy version to the decision, not the decision to the model that produced the call.

A regulator opening that log six months later does not see what happened. A regulator sees that something was allowed. The reason the agent generated the call. The state the model was in when it generated it. The branch the agent took after the call returned. None of it is in the gateway.

The trajectory is not the policy log. The policy log is one row in the trajectory.

Where the seam is.

Tool-call enforcement and trajectory signing are different jobs, on different clocks, owned by different functions.

Enforcement sits at the gateway. It runs in line with the call. It blocks the action before the agent can take it. The consumer is the platform team and the security operations center. The standard is policy correctness.

Trajectory signing sits at the substrate. It runs alongside the run, capturing what happened in the order it happened, and seals the record after the fact. The consumer is the model risk function, the internal auditor, and the examiner. The standard is evidentiary integrity.

These two jobs are not interchangeable. The procurement instinct in most firms is to buy the control plane and assume the audit is included. It is not. The audit is the part that did not ship.

A toolkit that enforces a policy without signing the trajectory leaves the second-line and third-line functions with the same problem they had a month ago. The agent did something. The log does not say why.

The procurement question.

Three sentences for the next purchase order.

Show me the signed record. Show me the format the examiner reads. Show me where the record lives when the agent vendor is replaced.

If the answer to the first is the gateway log, the toolkit is a control product. If the answer to the second is the operator dashboard, the toolkit is not yet audit. If the answer to the third is the vendor's cloud, the artifact is not portable, and portability is the procurement leverage.

A control plane that cannot answer these three becomes a deferred liability. The decisions get made. The record of the decisions does not survive the vendor change, the framework migration, or the examiner's first request.

What sits above it.

The trajectory is what the gateway decision becomes after the run completes. Every tool call the gateway approved or denied, in the order the agent attempted them. The state the agent was in at each one. The branch the agent took when the gateway said no. The model signature at the moment of the run. The hash chain that binds the sequence so a later edit produces a verifiable break.

This is the layer the new control planes presuppose and do not produce. The control plane is the gate. The trajectory is the record of what the gate decided, why, and what happened next.
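
The hash chain and after-the-fact seal described above, as an added example in Python. It is not Wayfinder's code or any toolkit's. The field names, the sample events, and the use of HMAC in place of a real signing key are assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # constructed anchor value for the first record

def record_digest(body):
    # Canonical JSON: the same record always serializes to the same bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def sign(key, text):
    # HMAC stands in for the signer here (assumption); a reader who must not be
    # able to forge records needs an asymmetric signature instead.
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def append(chain, key, event):
    """Append one trajectory event, bound to the hash of its predecessor."""
    body = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
            "event": event}
    digest = record_digest(body)
    chain.append({**body, "hash": digest, "sig": sign(key, digest)})

def seal(chain, key):
    """Sign the length and head hash after the run, so truncation is visible."""
    head = chain[-1]["hash"] if chain else GENESIS
    return {"length": len(chain), "head": head,
            "sig": sign(key, f"{len(chain)}:{head}")}

def verify(chain, final, key):
    """Return None if intact, else the index where the record first breaks."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        digest = record_digest({"seq": rec["seq"], "prev": rec["prev"],
                                "event": rec["event"]})
        ok = (rec["seq"] == i and rec["prev"] == prev and rec["hash"] == digest
              and hmac.compare_digest(rec["sig"], sign(key, digest)))
        if not ok:
            return i
        prev = digest
    expected = sign(key, f"{final['length']}:{final['head']}")
    sealed = (final["length"] == len(chain) and final["head"] == prev
              and hmac.compare_digest(final["sig"], expected))
    return None if sealed else len(chain)

def demo_trajectory(key):
    """Constructed sample run: a blocked call, the branch taken, an allowed call."""
    chain = []
    append(chain, key, {"tool": "payments.transfer", "decision": "block", "policy": "v7"})
    append(chain, key, {"branch": "escalate_to_human", "after": "block"})
    append(chain, key, {"tool": "ledger.read", "decision": "allow", "policy": "v7"})
    return chain, seal(chain, key)
```

The chain alone catches edits and deletions inside the run. Only the seal catches a record that was cut short at the tail.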

The two layers do not compete. They compose. The firm that buys one without the other has bought half the artifact.

What we are building.

Wayfinder Systems Group is building the audit layer that sits above the control plane. Every tool call, every policy decision, every state transition, every branch the agent took after a block, signed and chained at the moment it happened. The control plane decides. The substrate signs. The reviewer reads exceptions. The examiner reads the trajectory. Patents pending. We call her Velma.

Next step

Thirty minutes. Architecture, not sales.

A conversation about where tool-call enforcement ends and signed audit begins in your agent stack, and what the regulator will actually read when the call is contested.

JonathanLuethke@WayfinderSystemsGroup.com