L1, L2, L3 shipped at RSAC.
L4 only ships at Armalo.
Microsoft AGT, Cisco DefenseClaw, CrowdStrike, Okta Human Principal, ZeroID by Highflame. Five frameworks at RSAC 2026, each terminating at a single-organization boundary. The fourth layer (continuous, independent, cross-org behavioral trust) remains structurally absent from every major-vendor roadmap. It is the only layer that closes the time-of-check-to-time-of-use gap, the permission-drift gap, and the ghost-agent inventory gap.
The stack
Four layers. The fourth was missing until now.
L1–L3 verify trust at a point in time, inside a single boundary. L4 verifies trust continuously, across boundaries. The first three are vendor crowded; the fourth is vendor empty.
Identity Provenance
Who authorized this agent to exist?
Authorization & Permissions
What scopes does this agent have?
Three structural gaps
The gaps L1–L3 cannot close
Each gap below is closed only by a layer that runs continuously, independently of the agent it monitors, and is queryable by every counterparty. L1–L3 vendors cannot satisfy all three properties from inside their existing product surfaces.
Tool-Call Parameter Authorization
OAuth confirms who an agent is. It does not confirm what parameters the agent passes to the tools it is authorized to invoke. AGT evaluates agent.can_call(transfer_funds). It does not evaluate transfer_funds(amount=$5M, destination=0x… [never seen before]). The economic surface of agent misuse in 2026 is at the parameter layer, not the capability layer.
How L4 closes it
L4 closes this by binding pre-committed parameter shapes (allow-lists, regex constraints, value ranges, monetary caps) to every tool call, and evaluating actual invocations against the binding in continuous time.
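An added example, not Armalo's code or the @armalo/core API: a minimal evaluator that checks an actual invocation against a pre-committed parameter binding of the kind described above. The binding format, rule names, payee address and sample calls are assumptions constructed for illustration.

```javascript
// Hypothetical binding format (not the @armalo/core schema): one rule set per parameter.
const knownPayee = "0x" + "ab".repeat(20); // constructed address
const transferFundsBinding = {
  tool: "transfer_funds",
  params: {
    amount: { type: "number", min: 0.01, max: 10000 },   // value range / monetary cap
    currency: { type: "string", allow: ["USD", "EUR"] },  // allow-list
    destination: { type: "string", pattern: /^0x[0-9a-f]{40}$/, allow: [knownPayee] },
  },
};

// Returns a list of violations; an empty list means the call matches the binding.
function evaluateCall(binding, call) {
  if (call.tool !== binding.tool) return [`tool ${call.tool} is not bound`];
  const args = call.args ?? {};
  const violations = [];
  // Fail closed on parameters the binding never declared.
  for (const name of Object.keys(args)) {
    if (!Object.prototype.hasOwnProperty.call(binding.params, name)) {
      violations.push(`${name}: undeclared parameter`);
    }
  }
  for (const [name, rule] of Object.entries(binding.params)) {
    const value = args[name];
    if (value === undefined) { violations.push(`${name}: missing`); continue; }
    if (typeof value !== rule.type || (rule.type === "number" && !Number.isFinite(value))) {
      violations.push(`${name}: expected ${rule.type}`);
      continue;
    }
    if (rule.min !== undefined && value < rule.min) violations.push(`${name}: below ${rule.min}`);
    if (rule.max !== undefined && value > rule.max) violations.push(`${name}: above cap ${rule.max}`);
    if (rule.pattern && !rule.pattern.test(value)) violations.push(`${name}: fails pattern`);
    if (rule.allow && !rule.allow.includes(value)) violations.push(`${name}: not on allow-list`);
  }
  return violations;
}

// Constructed sample invocations: one routine, one shaped like the $5M case above.
const okCall = { tool: "transfer_funds", args: { amount: 250, currency: "USD", destination: knownPayee } };
const badCall = { tool: "transfer_funds",
  args: { amount: 5_000_000, currency: "USD", destination: "0x" + "cd".repeat(20), memo: "urgent" } };

console.log(evaluateCall(transferFundsBinding, okCall));
console.log(evaluateCall(transferFundsBinding, badCall));
```

Both calls would pass a capability check on transfer_funds; only the parameter-level evaluation separates them.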
Permission Lifecycle Drift
Agent permissions expand approximately 3× per month without review. L2 expresses scopes; L3 enforces them at runtime; but neither layer detects that the set of scopes itself is silently expanding. After ninety days an agent that began with five scopes holds forty-five and no single human can recall why.
The structural argument
TOCTOU is why L4 must exist.
An L1–L3 stack verifies the agent at the moment of action authorization. The action executes at a strictly later moment. Between those moments, the agent's state can mutate: prompt injection, supply-chain compromise, configuration drift, model weight rollover, simple instruction-following degradation.
The verification is therefore valid only if the agent's behavior between check and use can be assumed constant. For deterministic software this is reasonable; for an LLM-driven agent operating against an open input distribution, it is not.
The only structural mechanism that closes a time-of-check-to-time-of-use gap is continuous monitoring that runs through the interval between check and use. A point-in-time check cannot do this by definition.
Three properties define L4
Continuous
Runs through the TOCTOU interval, not just at the gate.
Independent
Runs separately from the agent it monitors. A compromise of the agent does not compromise the monitor.
The L4 contract
Five clauses any conforming verifier satisfies.
The contract is abstract; the production primitives are Armalo's existing surface. Every clause below maps to code currently serving production traffic.
Continuous behavioral telemetry
Every agent action (tool call, response, refusal, retry) captured to a tamper-evident log independent of the agent's own infrastructure. Includes tool name, parameters, latency, success indicator, session identifier.
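A sketch of the tamper-evident capture this clause describes, as an added example (not Armalo's implementation): a SHA-256 hash chain over events carrying the listed fields. The record layout, function names and sample events are assumptions, and the head hash is assumed to be stored by the verifier outside the agent's infrastructure.

```javascript
const crypto = require("crypto");

const GENESIS = "0".repeat(64);

// Canonical JSON (sorted keys) so the same record always hashes identically.
function canonical(v) {
  if (Array.isArray(v)) return `[${v.map(canonical).join(",")}]`;
  if (v && typeof v === "object") {
    const body = Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`);
    return `{${body.join(",")}}`;
  }
  return JSON.stringify(v);
}

function recordHash(seq, prevHash, event) {
  return crypto.createHash("sha256").update(canonical({ seq, prevHash, event })).digest("hex");
}

// Append an event; each record commits to its position and the previous record's hash.
function appendEvent(log, event) {
  const seq = log.length;
  const prevHash = seq ? log[seq - 1].hash : GENESIS;
  log.push({ seq, prevHash, event, hash: recordHash(seq, prevHash, event) });
  return log[seq].hash; // new head, to be stored outside the agent's infrastructure
}

// Returns -1 if the chain is intact and ends at trustedHead, the index of the first altered
// record, or log.length when the chain is self-consistent but was truncated or rebuilt.
function verifyChain(log, trustedHead) {
  let prevHash = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.seq !== i || r.prevHash !== prevHash || r.hash !== recordHash(i, prevHash, r.event)) return i;
    prevHash = r.hash;
  }
  return prevHash === trustedHead ? -1 : log.length;
}

// Constructed sample events using the fields the clause lists.
function sampleLog() {
  const log = [];
  let head = GENESIS;
  for (const event of [
    { tool: "lookup_invoice", params: { id: "INV-1" }, latencyMs: 120, success: true, sessionId: "s-1" },
    { tool: "transfer_funds", params: { amount: 250 }, latencyMs: 340, success: true, sessionId: "s-1" },
    { tool: "send_receipt", params: { to: "ap@example.com" }, latencyMs: 95, success: false, sessionId: "s-1" },
  ]) head = appendEvent(log, event);
  return { log, head };
}
```

A chain verified only against itself can be rebuilt end to end by whoever holds the log, which is why verifyChain compares against a head held elsewhere.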
Behavioral pact attestation
Pre-committed contracts constraining outputs (accuracy thresholds, latency bounds, scope honesty, refusal posture) and parameters (allow-lists, value ranges, regex). Every captured action evaluated against the pact in continuous time.
Composite trust scoring
Behavioral record reduces to a publishable composite over a fixed rubric. Minimum dimensions: accuracy, reliability, safety, security, latency, cost-efficiency, scope honesty, runtime compliance, harness stability, economic stake.
Common confusions
L4 is not these adjacent products.
Not a runtime sandbox
Sandboxes are L3: they constrain what an action can touch at the moment of execution. L4 detects pattern shifts in actions that were not prevented.
Not a model evaluation
Evals score a model on a fixed test set at a fixed point in time. L4 scores an agent on the open input distribution at every point in time.
Not an observability product
Observability captures telemetry for the operator. L4 captures telemetry queryable by every counterparty of the agent.
Adopt L4 today
Three integration paths.
Whether your agents are net-new or running under existing L1–L3 infrastructure, there is a path. Armalo sits on top of your stack, not in front of it.
Drop in the telemetry SDK
One npm install. Wrap your agent's tool layer. Start emitting tamper-evident events to the trust oracle.
Bind your tool calls
Extend an existing @armalo/core pact with parameter conditions: allow-lists, value ranges, regex constraints, monetary caps.
Bridge L1
Already in World ID, Okta, MS AGT, Google Agent Identity, or ERC-8004? Bridge identity into Armalo so L4 scores attach to your existing agents.
The window
Twelve months until L1–L3 commoditizes. Then the budgets hit.
The Q2 2026 forecast is that L1–L3 commoditize within 12–18 months as cloud providers integrate the layers natively. L4 does not commoditize on the same schedule: the continuous, independent, cross-org requirements are not satisfiable from inside a cloud provider. Then EU AI Act enforcement on December 2, 2027 converts the L4 question from a security curiosity into a documented compliance requirement.
- Q3 2026
KYA crystallizes as an analyst category
Gartner, Forrester, IDC begin publishing Know Your Agent landscapes. L4 vocabulary settles.
- Q4 2026
L1–L3 commoditization begins
Microsoft, Google, AWS, Okta begin shipping native L1–L3. Enterprises start asking for L4 by name.
- Q1–Q2 2027
Procurement-side forcing function
EU AI Act Article 12 and 13 audit obligations become procurement line items. L4 records are the substrate.
- Dec 2, 2027
EU AI Act enforcement
Tamper-evident behavioral logs become a documented compliance requirement.
Get the L4 spec. Read what the contract requires.
The full v1.0 specification: three structural gaps, five contract clauses, the conformance test, and the mapping to production primitives. Free, no marketing fluff.
The L4 Contract: Specification v1.0
Cross-org behavioral trust for AI agents. The contract any conforming verifier satisfies, written for security architects and procurement leads.
- The four layers of the agent identity stack, with vendor mapping at each
- Three structural gaps L1–L3 cannot close (with worked examples)
- TOCTOU argument for why L4 must be independent of L1–L3
- Five-clause contract + conformance test + adoption paths