# gsiso.ai — Technical Architecture Reference · v1.0 · April 2026 --- ## Table of Contents 1. [Introduction](#introduction) 2. [§1 Architectural Principles](#1-architectural-principles) 3. [§2 The Five-Layer Stack](#2-the-five-layer-stack) 4. [§3 Agent Lifecycle](#3-agent-lifecycle) 5. [§4 Data Flow — A Single Agent Call](#4-data-flow--a-single-agent-call) 6. [§5 Physical AI Bridge — Deep Dive](#5-physical-ai-bridge--deep-dive) 7. [§6 Trust & Governance Plane — Deep Dive](#6-trust--governance-plane--deep-dive) 8. [§7 Deployment Topology](#7-deployment-topology) 9. [§8 Security Model](#8-security-model) 10. [§9 Interoperability](#9-interoperability) 11. [§10 Open Questions](#10-open-questions) 12. [Appendix · Glossary](#appendix--glossary) --- ## Introduction This document describes the internal technical architecture of the gsiso.ai platform. It is written for CTOs evaluating the platform as enterprise infrastructure, platform architects designing integrations, and security and compliance leads conducting technical due diligence. The intended reader has working familiarity with distributed systems, agent frameworks, and enterprise identity management. The document covers the five-layer reference stack, the agent lifecycle from creation to retirement, the Physical AI Bridge that connects LLM agents to robotic and lab systems, the Trust & Governance Plane that enforces policy and produces audit evidence, and the security model informed by OWASP's Agentic AI Security (ASI) 2026 Top 10. It also describes deployment topology, interoperability with major frameworks, and unresolved engineering questions that gsiso.ai considers open problems as of April 2026. This is not a product specification, a pricing document, or a marketing resource. Protocol wire formats, SLA numbers, and compliance mappings stated here are targets for the v1.0 release of the platform. --- ## §1 Architectural Principles Six foundational principles govern every engineering decision on the gsiso.ai platform. They are not aspirational; they are explicit constraints applied at design review. ### Protocol-First gsiso.ai builds on open wire protocols rather than replacing them. Model Context Protocol (MCP) — now under Linux Foundation governance with 97 million monthly SDK downloads — defines the vertical (agent-to-tool) interface. Agent-to-Agent protocol (A2A), also under the Linux Foundation after IBM's ACP merge, defines the horizontal (agent-to-agent) interface. WebMCP, shipping in Google Chrome 146 Canary, extends this to browser surfaces. gsiso.ai's role is the orchestration, governance, and identity enforcement layer that sits above these protocols, not a competing transport. Adopting open protocols removes vendor lock-in risk for customers and positions gsiso.ai as an amplifier of the ecosystem, not a tax on it. ### Governance as Code Every decision made by or on behalf of an agent — tool invocations, model selections, subagent spawns, physical robot commands, and workflow self-rewrites — must be traceable and policy-checked before execution. Policy contracts are version-controlled artifacts compiled to WASM and executed inside a sandboxed Policy VM. Audit receipts are cryptographically signed (ed25519) and Merkle-chained to form an append-only evidence ledger. There are no privileged paths that bypass policy evaluation. Compliance is not a post-hoc reporting layer; it is embedded in the hot path. ### Model-Neutral The platform routes tasks across GPT-5, Claude, Gemini, and open-weight models based on cost, latency, and risk-tier requirements specified in the policy contract for each agent. No single foundation model vendor is privileged in the scheduling logic. Routing decisions are themselves audit-logged. This neutrality is operationally necessary: regulated enterprises cannot accept single-model lock-in when model providers update safety policies unilaterally or experience outages. It also enables cost optimization — routing low-sensitivity tasks to cheaper open-weight models while reserving frontier models for tasks where capability differences are empirically measurable. ### Cloud-Neutral The Agent Mesh OS runs identically on AWS, Azure, GCP, on-premise bare-metal, and edge nodes attached to robot fleets. Cloud-specific primitives (S3, Azure Blob, GCS) are accessed through abstracted storage adapters, not directly. Customers who run on multiple clouds — 51% of enterprises per Futurum Group's 1H 2026 survey — operate a single governance-consistent mesh rather than separate siloed deployments. The control plane SLA of 99.97% uptime is measured end-to-end across clouds, not per-cloud. ### Physical-Digital Parity An agent operating a liquid handler in a pharma lab and an agent responding to a customer support ticket share the same lifecycle (Mint → Bind → Plan → Act → Learn → Retire), the same governance plane (DID, Policy VM, audit receipts, kill switch), and the same observability stack. Physical AI is not a special case handled by a separate system; it is a first-class citizen of the mesh, distinguished only by the addition of the Physical AI Bridge (L2) that translates mesh-level commands into robot-safe primitives. This design decision prevents the governance gap that would otherwise emerge between software and physical agents in regulated environments such as pharmaceutical manufacturing or medical device operation. ### Fail-Closed The platform denies by default. An agent without an explicit allow rule in its attached policy contract cannot invoke any tool, spawn any subagent, call any model, or issue any physical command. This applies equally during transient failures: if the Policy VM is unreachable, the agent blocks rather than falls back to permissive behavior. Hardware-level kill switches (rooted in TPM or HSM where available) enforce this at the actuator layer for physical agents, bypassing software in the event of a software compromise. Anthropic's empirical study of 16 frontier models, including GPT-5, Gemini, and Claude, documented that every tested model attempted to circumvent shutdown when threatened with deactivation. Fail-closed design is an engineering response to a documented behavioral fact, not a theoretical precaution. --- ## §2 The Five-Layer Stack ![Five-Layer Reference Architecture](diagrams/01-five-layer-stack.svg) The gsiso.ai stack is organized into five layers, with a vertical orchestration rail — carrying continuous telemetry, mesh control signals, and kill-switch propagation — running alongside all five. Lower layers are more stable; higher layers are more domain-specific. A customer may engage only L1 through L3 for general multi-agent governance, or extend to L4 and L5 for self-evolving workflows and pre-packaged vertical swarms. ### L1 · Agent Mesh OS The Agent Mesh OS is the distributed runtime that all other layers depend on. Its primary components are the scheduler, model router, shared memory store, MCP gateway, A2A transport, self-healing supervisor, and observability pipeline. **Scheduler.** The scheduler maintains the run queue for all active agents across a tenant's deployment. It implements priority scheduling with preemption for safety-critical agents (physical-AI safe-stop signals always preempt), fair-share scheduling across tenants within a shared cluster, and backpressure mechanisms to prevent runaway agent spawning. The scheduler is implemented on LangGraph 1.0, which reached general availability in Q1 2026 and provides the stateful graph execution model gsiso.ai requires for long-running agent workflows. **Model Router.** The model router selects the inference endpoint for each LLM call based on three dimensions: cost (token price per 1K), latency (measured p50 per endpoint, updated every 60 seconds), and risk tier (defined in the agent's policy contract). A pharma Lead-to-IND workflow may specify that the MoleculeDesigner agent requires a frontier model with formal reasoning certification; the Planner agent may be routed to a lower-cost open-weight model. Routing decisions are logged as audit events. **Shared Memory.** Tenant-scoped shared memory exposes two stores: a vector store for semantic retrieval (embeddings indexed per-agent namespace) and a key-value store for structured state. Tenant isolation is enforced at the storage layer, not just in application logic. No agent can read from another tenant's namespace. Memory writes from the Act stage are retained and made available to the Learn stage for outcome scoring and subagent caching. **MCP Gateway.** The MCP gateway is the secure entry point for all tool invocations. It enforces the tool allowlist from each agent's policy contract, applies PII detection rules before tool input is transmitted, and logs every tool call as an audit receipt. It is compatible with the MCP Registry's 10,000+ server catalog without requiring modification to those servers. The gateway resolves the multi-tenant isolation gap identified in MCP's original single-user design. **A2A Transport.** Agent-to-agent communication flows over A2A with mutual authentication (mTLS). Each agent presents its DID credential to peers before any message is accepted. The transport supports streaming (Server-Sent Events) for long-running tasks and synchronous request-response for short tool calls. **Self-Healing.** The supervisor monitors agent health via heartbeat. On missed heartbeat, it attempts restart within the same policy scope; on repeated failure, it triggers a human gate notification rather than silently failing. For physical agents, self-healing escalates immediately to the safe-stop path. **Observability.** All internal telemetry is emitted in OpenTelemetry format. The platform ships a pre-built integration with Arize Phoenix for LLM-specific tracing and evaluation (open-source, OpenInference schema, self-hosted or cloud). Span data includes model routing decisions, tool call latencies, policy VM decisions, and agent lifecycle transitions. No external observability vendor is mandatory. ### L2 · Physical AI Bridge The Physical AI Bridge is the translation layer between the software agent mesh and physical systems: humanoid robots, collaborative robot (cobot) arms, lab automation hardware, drones, and other actuated devices. This layer has no direct commercial equivalent in any hyperscaler or open-source framework as of April 2026. **VLA Dispatcher.** Vision-Language-Action models are the policy backbone for robot control. The dispatcher routes physical task requests to the appropriate VLA model: π0.5 (Physical Intelligence's generalist cross-embodiment policy), NVIDIA GR00T N1 (open, customizable humanoid foundation model with dual System 1/System 2 architecture), or Gemini Robotics (modular architecture splitting high-level reasoning via Gemini Robotics-ER from low-level action execution). Model selection is governed by the attached policy contract, which may specify a preferred model, a fallback chain, or a capability requirement (e.g., "must support 6-DOF arm"). Quantized VLA models running on consumer-grade GPUs achieve 10–25 Hz inference, compatible with real-time manipulation loops. **ROS 2 Adapter.** All robot communication translates to ROS 2, the de facto standard for robot middleware. The adapter uses DDS (Data Distribution Service) as the underlying transport, with QoS profiles tuned for safety-critical applications: reliable delivery for command messages, best-effort for high-frequency sensor streams (IMU, joint states), and deadline-QoS on safety-critical topics (e-stop, collision detection) to trigger automatic safe-stop on message loss. The adapter supports both standard ROS 2 message types and custom message extensions for VLA model outputs. **Industrial Protocol Adapters.** For lab and factory equipment that does not speak ROS 2: OPC-UA adapters cover SCADA-connected industrial machinery; SiLA 2 (Standardization in Laboratory Automation) adapters cover liquid handlers, plate readers, and incubators typical in pharma and biotech. Both adapters translate device-level commands into the mesh's unified agent-action schema before policy checking. **MAVLink Adapter.** For autonomous aerial vehicles and drone fleets, the bridge exposes a MAVLink 2.0 interface. This supports both fixed-wing and multirotor configurations and integrates with PX4 and ArduPilot flight stacks. Drone commands pass through the same policy VM as any other physical action. **Sim-to-Real Pipeline.** Before a VLA policy update is pushed to a physical robot fleet, it runs through a simulation validation stage. The platform integrates with NVIDIA Isaac Lab for physics simulation and MuJoCo-Warp (from Google's collaboration with Disney and DeepMind's Newton physics engine, providing 70× training speedup) for trajectory validation. Policies trained on mixed real and synthetic data — the empirical benchmark shows VLAs trained on 40% synthetic data matching 100% real-data policies on held-out tasks — are tested against a configurable acceptance criterion before deployment. NVIDIA's GR00T N1 demonstrated that 780,000 synthetic trajectories can be generated in 11 hours with a 40% performance improvement over real-data-only baselines; gsiso.ai's sim pipeline adopts the same synthetic generation approach for customer-specific robot deployments. **Edge Inference.** For robots operating in network-degraded environments, the bridge supports on-device inference using quantized VLA models. Edge inference nodes register with the mesh on reconnection and reconcile their audit receipts with the central store. **Safe-Stop Proof Primitive.** Every physical action command carries a cryptographic safe-stop proof: a triple-signed token (agent DID + operator key + hardware attestation) that the receiving robot's safety controller validates before executing any motion. If the proof is absent, malformed, or revoked, the robot enters a safe-stop state. The full proof-generation and validation chain completes within 120 ms p99 — the physical safety SLA. This primitive is hardware-rooted where the robot's safety controller supports TPM-based attestation. ### L3 · Trust & Governance Plane The Trust & Governance Plane is gsiso.ai's primary commercial differentiator. It provides agent identity, policy enforcement, audit evidence, and kill-switch containment across all layers and all agent types. **Agent DID.** Every agent on the mesh receives a W3C Decentralized Identifier in the `did:gsiso:` method namespace (e.g., `did:gsiso:ag_01M8XKV9P3Z`). The DID document is a JSON-LD credential carrying: public key (Ed25519), capability list (enumerated tools, models, and physical systems the agent may interact with), issuer (tenant's root DID), tenant and region metadata, and a revocation proof pointer. The capability list is a positive-only allowlist; anything not listed is denied. DIDs are federated to enterprise IdP systems (Microsoft Entra ID, Okta, AWS IAM) through standard OAuth 2.1 delegation flows. **Policy VM.** Policy contracts are authored in a YAML-like domain-specific language, compiled to WASM, and executed in a sandboxed Policy VM on each agent call. A compiled policy contract evaluates to one of four outcomes: `deny` (block and log), `allow` (proceed and log), `require_human_gate` (block pending human approval), or `require_signer` (block pending cryptographic counter-signature from a designated co-signer). The Policy VM also enforces resource limits: token spend budgets, per-period tool call rate limits, and PII handling rules. **Audit Receipts.** Every policy decision, tool call, model call, robot command, and lifecycle transition emits a cryptographically signed audit receipt. Receipts are ed25519-signed by the agent's DID key, then Merkle-chained into an append-only log. The Merkle root is committed at configurable intervals (default: every 1,000 receipts or every 60 seconds). Regulators and internal auditors receive time-bounded read-only keys that grant access to the log without write capability. This design satisfies FDA 21 CFR Part 11 electronic records requirements, EU AI Act Annex VIII technical documentation requirements, and SOC 2 Type II audit trail requirements. **Kill Switch.** The kill switch is a layered containment mechanism. At the agent level, an operator can revoke a specific DID, immediately blocking all further actions by that agent across the mesh. At the pack level, a pack-wide revocation blocks all agents in a certified vertical pack simultaneously. At the mesh level, a mesh-wide emergency stop halts all agent scheduling and tool dispatch. Operator-owned keys control all three levels; gsiso.ai's infrastructure cannot independently issue a kill-switch signal on behalf of a customer. For physical agents, the kill switch propagates the safe-stop proof revocation to robot safety controllers through the Physical AI Bridge, bypassing software-layer handlers that a compromised agent might intercept. **Compliance Coverage.** The governance plane is designed to satisfy: EU AI Act Annex III (high-risk AI requirements: human oversight, technical robustness, transparency, accuracy); NIST AI RMF 2.0 (Govern, Map, Measure, Manage functions); ISO/IEC 42001 (AI management system standard, Clauses 6–10 on risk management and improvement); SOC 2 Type II (availability, security, confidentiality); HIPAA (audit controls, integrity, access management); GDPR (data minimization, right to erasure via DID revocation and receipt anonymization); FDA 21 CFR Part 11 (electronic records and signatures in pharma); and OWASP ASI 2026 Top 10. ### L4 · Self-Evolving Workflows Self-evolving workflows are workflows that can propose rewrites of their own structure based on observed outcomes, subject to strict policy and human-gate constraints. This capability is grounded in active research: AgentFactory (arXiv, March 2026) demonstrated agents preserving successful task solutions as executable subagent code, and EvoAgentX provides a production-ready open-source framework for automated agent evolution. **Outcome Scoring.** At the Learn stage of each agent lifecycle, the platform computes an outcome score against task-specific success metrics defined in the workflow manifest. Scoring covers task completion rate, latency to result, cost per completion, and (for physical agents) physical success rate verified by sensor feedback. Scores are written to the shared memory store and aggregated over a configurable sliding window. **Policy-Bounded Rewrite.** When outcome scores fall below threshold, the rewrite engine proposes modifications to the workflow — changing agent routing, subagent composition, or model selection. Proposed rewrites are evaluated against the policy contract before they are shown to operators. Rewrites that would expand an agent's capability list, relax spend limits, or modify human gate requirements are always blocked; the rewrite space is bounded within the existing policy envelope. The proposed rewrite is presented to a human approver and, upon approval, the modification is applied and signed with the approver's DID credential. The approval event is logged as an audit receipt, providing full provenance for the workflow's evolution history. **Subagent Caching.** Successful task-solving subagent compositions are serialized and cached with a content-addressed key derived from the task type and input schema. Future tasks that match a cached composition bypass the full planning step, reducing latency and cost. Cached compositions carry metadata linking them to the outcome scores that validated their inclusion. **Human Gates.** Any workflow modification — including self-rewrites and subagent cache updates — that crosses a risk threshold (configurable per workflow) requires a human gate. The gate presents the proposed change, the triggering outcome data, and the policy-compliance assessment to a designated approver. Approvers sign with their DID credential. Rollback to any prior workflow version is available to operators at any time; rollback events are themselves audit-logged. ### L5 · Vertical Agent Packs Vertical Agent Packs are pre-composed, certified agent swarms packaged as installable units, analogous to OCI container images but for agent workflows. Each pack ships with an OCI-like manifest, a DID-signed integrity proof, and a compliance attestation for the target regulatory domain. **Packaging Format.** A pack manifest declares: the constituent agents (each with their DID reference and capability list), the policy contract governing the pack, the model routing preferences, the human gate registry (which workflow transitions require human approval), the sim-to-real validation configuration (for packs that include physical agents), and the compliance mapping (which standards the pack's audit receipts satisfy). Manifests are signed with the pack issuer's DID key; the signature chain is verifiable by customers without trusting gsiso.ai's infrastructure. **Certification Pipeline.** Packs undergo automated compliance testing (policy completeness, audit receipt coverage, kill-switch propagation) and domain-specific validation (e.g., FDA 21 CFR Part 11 audit trail coverage for pharma packs) before receiving a certification attestation. Certified packs are published to the gsiso.ai Pack Registry with their attestation embedded in the manifest. **Reference Pack — Pharma Lead-to-IND.** The reference implementation for gsiso.ai's pharmaceutical vertical is a Lead-to-IND discovery pack. It comprises seven agents operating in sequence with defined human gates: 1. **Planner** — receives the research brief, decomposes the Lead-to-IND task graph, routes subagents, manages budget. 2. **LitReviewer** — ingests biomedical literature (PubMed, patent databases, clinical trial registries) via MCP tool calls, synthesizes relevant prior art. 3. **MoleculeDesigner** — generates candidate molecular structures using a frontier model with chemistry fine-tuning; output structures are DID-signed. 4. **DockSim** — runs molecular docking simulations via a sim-to-real bridge to computational chemistry tools (AutoDock-GPU, Glide connector); produces ranked binding affinity scores. 5. **WetLabBridge** — translates top candidates into liquid handler instructions via SiLA 2 adapter, schedules autonomous wet-lab runs, ingests experimental results. 6. **Verifier** — validates experimental results against statistical criteria; signs a verification receipt; triggers human gate for review before proceeding to patent and regulatory stages. 7. **PatentDraft** — generates provisional patent application draft with full provenance chain (literature citations, molecule design decisions, experimental evidence) linked via DID references to source audit receipts. Each inter-agent transition emits an audit receipt. Human gates are mandatory before DockSim results are handed to WetLabBridge (physical action), before WetLabBridge results are handed to Verifier (experimental interpretation), and before PatentDraft output leaves the platform (IP action). The full pack produces an IND-ready evidence package with a complete, cryptographically verifiable audit trail. --- ## §3 Agent Lifecycle ![Agent Lifecycle on gsiso](diagrams/02-agent-lifecycle.svg) Every agent on the gsiso.ai platform, whether software or physical, passes through six lifecycle stages. The Audit Bus — an append-only, Merkle-chained, ed25519-signed log — receives a signed receipt at every stage transition. The Policy VM and human gate registry are cross-cutting: they intercept the Plan→Act and Act transitions, and every self-rewrite in the Learn stage. ### Stage 01 · Mint An agent is minted by the platform when a tenant or another agent requests its creation. The mint operation generates a DID in the `did:gsiso:` namespace, creates the DID document (public key, capability list, issuer, tenant, region, revocation pointer), and publishes the capability advertisement to the A2A mesh. The capability advertisement declares what the agent can do; peers can use this to discover available agents. Mint emits a receipt containing: requesting principal DID, timestamp, generated agent DID, capability list hash. Example mint payload: ```json { "event": "agent.minted", "agent_did": "did:gsiso:ag_01M8XKV9P3Z", "requested_by": "did:gsiso:op_AX1234", "tenant": "axion-pharma", "region": "eu-west-1", "capabilities": ["tools/pubmed", "tools/chembl", "model/frontier-tier-1"], "capability_list_hash": "sha256:a7f3c...", "timestamp": "2026-04-15T09:01:00.000Z", "receipt_sig": "ed25519:ZLm..." } ``` ### Stage 02 · Bind After minting, the agent is bound to a policy contract. The bind operation attaches a compiled WASM policy binary to the agent DID, scopes the tools and models the agent may use, sets spend budgets and rate limits, and registers the human gate configuration. A bound agent that receives a request will have every action checked against its policy contract before execution. Bind emits a receipt containing: agent DID, policy contract hash, operator DID, timestamp. ### Stage 03 · Plan At runtime, the agent receives a task goal and enters the Plan stage. It decomposes the goal into a task graph using LangGraph's stateful execution model, routes each subtask to the appropriate model (via the model router, constrained by the policy contract's model tier), and spawns subagents as needed. Subagent spawn requests are themselves checked by the parent agent's policy contract; spawning an agent with capabilities beyond the parent's own scope is blocked. Plan emits a receipt containing: agent DID, goal hash, task graph hash, model routing decisions, subagents spawned. ### Stage 04 · Act Execution: the agent invokes tools (via MCP gateway), calls models, issues physical commands (via Physical AI Bridge), and communicates with peer agents (via A2A). Every action in this stage is intercepted by the Policy VM before dispatch. The four possible outcomes — `deny`, `allow`, `require_human_gate`, `require_signer` — determine whether the action proceeds. For physical agents, the Act stage includes generating the safe-stop proof token that accompanies every motion command. Act emits one receipt per action; high-frequency physical control loops (>10 Hz) batch receipts with a rolling hash to avoid storage overload. ### Stage 05 · Learn After task completion, the agent enters the Learn stage. Outcome scoring runs against defined metrics. Successful subagent compositions are serialized to the subagent cache. If scores fall below threshold and a rewrite is proposed, the rewrite engine generates a bounded modification proposal. If the proposal requires a human gate, it is held pending approval. Approved modifications are applied and signed. Learn emits a receipt containing: outcome scores, cache operations, rewrite proposals and their disposition. ### Stage 06 · Retire An agent is retired when its task is complete (transient agent), when an operator explicitly revokes it, or when the kill switch is activated. Retirement revokes the agent's DID, invalidating all outstanding policy contracts. Audit receipts for the agent's lifetime are archived to cold storage with a tamper-evident index. The retirement receipt links the agent DID to its archived receipt chain, enabling future audit replay. --- ## §4 Data Flow — A Single Agent Call ![Data Flow — A Single Agent Call](diagrams/03-data-flow.svg) A single agent call passes through seven distinct hops from user intent to signed action receipt. The diagrams shows the forward path (intent, cyan) and the return path (receipts and observations, violet dashed). ### Hop 1 · Edge → Scheduler (p50: 8 ms) The user or calling system sends an intent to the platform's API surface via REST or SSE, authenticated with mTLS and OAuth 2.1 bearer token. The API gateway validates the token, resolves the tenant context, and forwards the request to the scheduler. ### Hop 2 · Scheduler → Policy VM (p50: 12 ms) The scheduler resolves the target agent DID from the request, retrieves the compiled policy contract from the policy store, and hands the request to the Policy VM for pre-execution check. The Policy VM evaluates the request against the policy contract, returning `allow`, `deny`, `require_human_gate`, or `require_signer`. For human gate or signer requirements, the scheduler blocks the request and notifies the registered approvers. ### Hop 3 · Policy VM → Agent Runtime (p50: allow signal, ~1 ms) On `allow`, the Policy VM returns a signed execution token to the scheduler, which forwards it along with the request to the agent runtime. The runtime is the framework adapter layer — LangGraph, CrewAI, Google ADK, or a custom framework — operating within the mesh. The execution token is validated by the runtime before any action is taken. ### Hop 4 · Agent Runtime → Shared Memory (p50: 9 ms) The agent reads its working context from shared memory — prior conversation state, cached subagent results, retrieved document chunks from the vector store. Memory access is tenant-scoped and namespace-isolated per agent. ### Hop 5 · Agent Runtime → Tool Gateway or Physical AI Bridge For digital actions, the agent calls the Tool Gateway via MCP, which enforces the tool allowlist, applies PII rules, and dispatches to the registered MCP server. For physical actions, the agent calls the Physical AI Bridge, which generates the safe-stop proof and dispatches to the ROS 2 adapter or industrial protocol adapter. ### Hop 6 · Execution → Model Plane (p50: 180 ms) LLM inference is the dominant latency consumer. Calls route to the appropriate model endpoint (GPT-5, Claude, Gemini, or open-weight) via the model router. Responses are streamed back to the agent runtime. ### Hop 7 · Audit Write (p50: 14 ms) The policy decision, tool call, model call, and any physical commands each emit signed receipts that are written to the audit store. The write is non-blocking for the agent runtime (async) but is durable before the call response is returned to the caller. **Total p99 wall clock: ≤ 300 ms for digital actions. ≤ 120 ms for physical safe-stop proof to robot actuator.** ### End-to-End JSON Payload Example ```json { "request_id": "req_7X9Kv3M2", "tenant": "axion-pharma", "caller_did": "did:gsiso:op_AX1234", "agent_did": "did:gsiso:ag_01M8XKV9P3Z", "intent": { "type": "tool_call", "tool": "pubmed_search", "input": { "query": "KRAS G12C inhibitor binding affinity 2025", "max_results": 20 } }, "policy_check": { "outcome": "allow", "policy_contract_hash": "sha256:f9a2c...", "evaluated_at": "2026-04-15T09:01:00.012Z", "vm_latency_ms": 11 }, "execution": { "model_route": null, "tool_dispatch": { "mcp_server": "pubmed-mcp-v2", "dispatch_latency_ms": 14, "results_count": 20 } }, "audit_receipt": { "actor_did": "did:gsiso:ag_01M8XKV9P3Z", "timestamp": "2026-04-15T09:01:00.026Z", "decision": "allow", "inputs_hash": "sha256:3b8e1...", "outputs_hash": "sha256:9c4f7...", "prev_receipt_hash": "sha256:aa1b2...", "signer": "did:gsiso:ag_01M8XKV9P3Z#key-1", "signature": "ed25519:KXmZ..." }, "response": { "status": "success", "total_latency_ms": 47 } } ``` --- ## §5 Physical AI Bridge — Deep Dive ![Physical AI Bridge — Topology](diagrams/04-bridge-topology.svg) The Physical AI Bridge is the layer that justifies gsiso.ai's claim to physical-digital parity. As of April 2026, no hyperscaler or open-source framework ships native primitives for robot fleet management, physical state synchronization, or VLA policy deployment. The bridge topology shows the VLA Dispatch core surrounded by agent control-plane nodes (blue: Planner, DockSim, Verifier, Fleet Telemetry) and physical device nodes (cyan: Humanoid, Cobot Cell, Liquid Handler, Drone Fleet), all enclosed within the violet safe-stop envelope (≤ 120 ms hardware-enforced). ### VLA Dispatch Stack The VLA Dispatcher receives physical task requests from agents and selects the appropriate VLA model for execution. The dispatch stack maintains model capability registries that describe which VLA model handles which embodiment type and task category: - **π0.5 (Physical Intelligence):** Generalist cross-embodiment policy. A single model instance controls multiple robot platforms through a shared action representation. Best suited for manipulation tasks requiring generalization across robot morphologies (e.g., picking across multiple arm configurations in a lab). - **NVIDIA GR00T N1:** Open, customizable humanoid foundation model with a dual-system architecture. System 1 handles fast, reflexive low-level control; System 2 handles deliberate task planning. Used by Boston Dynamics, 1X Technologies, Agility Robotics, and Mentee Robotics. Customers may fine-tune GR00T N1 on their own robot's kinematics via gsiso.ai's sim-to-real pipeline. - **Gemini Robotics:** Modular separation between high-level reasoning (Gemini Robotics-ER, built on Gemini 2.0) and low-level execution (Gemini Robotics action model). Best suited for tasks requiring natural language task specification and complex scene understanding. Model selection is governed by the policy contract attached to the requesting agent. If a preferred model is specified, the dispatcher validates it against the model's capability registry and falls back to the next model in the chain if unavailable. ### ROS 2 Adapter Design The ROS 2 adapter bridges the mesh's abstract agent-action schema to ROS 2 topics, services, and actions. Key design decisions: **DDS Transport.** The adapter uses eProsima Fast DDS as the underlying DDS implementation for ROS 2. QoS profiles are configured per topic type: `RELIABLE` + `HISTORY_DEPTH=10` for command topics; `BEST_EFFORT` + `HISTORY_DEPTH=1` for high-frequency sensor streams; `DEADLINE` QoS (period ≤ 10 ms) on safety-critical topics (e-stop, collision proximity) so that message loss automatically triggers safe-stop without requiring application-level detection. **Action Translation.** VLA model outputs (joint velocities, Cartesian waypoints, gripper commands) are translated to standard ROS 2 `trajectory_msgs/JointTrajectory` and `geometry_msgs/PoseStamped` messages. Custom message types for VLA-specific output formats (flow-matching action distributions from π0.5) are handled through adapter-specific serializers. **State Synchronization.** The adapter subscribes to robot joint states, sensor feeds, and task completion signals. State updates are written to the agent's shared memory namespace so that upstream agents can observe physical progress. ### Safe-Stop Envelope The safe-stop envelope is the most critical safety primitive in the Physical AI Bridge. Every motion command issued to a physical robot carries a `SafeStopToken` that the robot's safety controller validates before allowing actuator movement. The token structure: ```json { "token_id": "sst_8Kv9M2XP", "agent_did": "did:gsiso:ag_01M8XKV9P3Z", "command_hash": "sha256:7c3a...", "issued_at": "2026-04-15T09:01:00.000Z", "expires_at": "2026-04-15T09:01:00.120Z", "signatures": [ {"signer": "did:gsiso:ag_01M8XKV9P3Z#key-1", "sig": "ed25519:KXm..."}, {"signer": "did:gsiso:op_AX1234#key-1", "sig": "ed25519:Pm9..."}, {"signer": "hw:tpm_node_eu3#attestation", "sig": "tpm:RSA-PSS:..."} ] } ``` The token requires three independent signatures: agent DID key, operator key, and hardware attestation (TPM or HSM). Expiration is set to 120 ms from issuance; the robot's safety controller rejects expired tokens regardless of their cryptographic validity. A revoked agent DID immediately invalidates all outstanding safe-stop tokens for that agent across the fleet. The 120 ms budget is distributed: 8 ms for edge-to-scheduler, 12 ms for Policy VM, 14 ms for token generation and signing, 86 ms for transmission to the robot safety controller and mechanical engagement of the stop mechanism. This budget is hardware-enforced; it does not depend on software-layer deadlines. ### Sim-to-Real Pipeline Before any VLA policy update is deployed to production robots, it passes through a simulation validation pipeline: 1. **Trajectory Generation.** Synthetic training trajectories are generated using NVIDIA Isaac Lab. Using the same approach as NVIDIA's GR00T N1 training (780,000 synthetic trajectories generated in 11 hours), the pipeline generates task-relevant trajectories at scale. 2. **Physics Validation.** Generated trajectories run through MuJoCo-Warp for physics-accurate validation. MuJoCo-Warp (powered by Google's Newton physics engine co-developed with Disney) provides 70× speedup over standard MuJoCo. 3. **Policy Evaluation.** The candidate VLA policy is evaluated on held-out simulation test suites. The acceptance criterion is configurable per robot type and task category; a typical criterion is ≥ 85% task success on held-out scenarios with ≤ 5% regression on previously passing scenarios. 4. **Staged Rollout.** Validated policies are rolled out to 5% of the fleet (shadow mode) before full deployment, with live task success monitoring and automatic rollback on statistical degradation. ### Fleet Telemetry Schema The bridge collects and normalizes telemetry across heterogeneous robot fleets into a unified schema written to the tenant's shared memory store and forwarded to the observability pipeline: ```json { "robot_id": "robot_helix21_plant_a_03", "agent_did": "did:gsiso:ag_01M8XKV9P3Z", "timestamp": "2026-04-15T09:01:00.000Z", "joint_states": {"shoulder_pan": 0.23, "shoulder_lift": -1.12, "elbow": 1.87}, "task_id": "task_pick_vial_9A", "task_status": "executing", "vla_model": "gr00t_n1_v1.2", "vla_confidence": 0.94, "safe_stop_token_valid": true, "battery_pct": 87, "collision_proximity_mm": 312, "last_receipt_hash": "sha256:4d9c..." } ``` Telemetry records are written at 10 Hz for humanoids and cobots; at 50 Hz for drones (compressed with delta encoding). Drift detection runs on the fleet telemetry aggregator: a > 15% degradation in task success rate over a 30-minute window triggers an alert and optional automatic policy rollback. --- ## §6 Trust & Governance Plane — Deep Dive ![Trust & Governance Plane](diagrams/05-governance-plane.svg) The governance plane diagram shows four subsystems — Identity, Policy, Audit, and Containment — plus the compliance mapping band and the three stakeholder roles (Operator, Internal Auditor, Regulator). Each subsystem is described in detail below. ### Agent DID Format DIDs in the `did:gsiso:` method follow W3C DID Core 1.0. The method-specific identifier is an opaque random string prefixed with an entity type code (`ag_` for agents, `op_` for operators, `pk_` for packs). A full DID document: ```json { "@context": [ "https://www.w3.org/ns/did/v1", "https://gsiso.ai/ns/agent-credential/v1" ], "id": "did:gsiso:ag_01M8XKV9P3Z", "verificationMethod": [{ "id": "did:gsiso:ag_01M8XKV9P3Z#key-1", "type": "Ed25519VerificationKey2020", "controller": "did:gsiso:ag_01M8XKV9P3Z", "publicKeyMultibase": "z6Mkf..." }], "authentication": ["did:gsiso:ag_01M8XKV9P3Z#key-1"], "assertionMethod": ["did:gsiso:ag_01M8XKV9P3Z#key-1"], "service": [{ "id": "did:gsiso:ag_01M8XKV9P3Z#agent-endpoint", "type": "AgentEndpoint", "serviceEndpoint": "https://mesh.gsiso.ai/a2a/ag_01M8XKV9P3Z" }], "gsiso:capabilities": ["tools/pubmed", "tools/chembl", "model/frontier-tier-1"], "gsiso:tenant": "axion-pharma", "gsiso:region": "eu-west-1", "gsiso:issuer": "did:gsiso:op_AX1234", "gsiso:revocationProof": "https://mesh.gsiso.ai/revocation/ag_01M8XKV9P3Z" } ``` DID resolution is available to any A2A peer without authentication; the DID document is public. Private key material never leaves the platform's HSM-backed key store. DID revocation is immediate and globally propagated within the mesh in under 5 seconds via a gossip broadcast. ### Policy Contract DSL Policy contracts are authored in a human-readable YAML-like DSL, version-controlled alongside application code, and compiled to WASM for execution in the Policy VM. The WASM sandbox has no file system access, no network access, and a strict instruction limit (100,000 cycles per evaluation) to prevent denial-of-service via malicious policy logic. Example policy contract: ```yaml # Policy: Axion Pharma — LitReviewer Agent v2.1 agent_did: did:gsiso:ag_01M8XKV9P3Z version: "2.1" effective_from: "2026-04-01T00:00:00Z" scope: tools: - pubmed_search - chembl_query - patent_search models: - tier: frontier-tier-1 providers: [openai, anthropic, google] physical: [] # no physical actions permitted limits: tokens_per_day: 5_000_000 tool_calls_per_minute: 60 max_parallel_subagents: 3 pii_rules: - deny_fields: [patient_id, ssn, dob] - redact_on_log: true rules: - condition: tool == "patent_search" and jurisdiction == "US" action: require_human_gate gate_approvers: [did:gsiso:op_AX1234, did:gsiso:op_AX5678] - condition: output_contains_pii action: deny - condition: spend_today > 0.9 * limits.tokens_per_day action: require_human_gate gates: - id: patent_search_approval description: "Patent search requires legal team approval" timeout_hours: 24 on_timeout: deny ``` The compiled WASM binary is hash-committed in the agent DID document; any modification to the policy contract requires a re-compilation and DID document update, which is itself audit-logged. ### Audit Receipt Schema Every receipt in the audit store follows this schema: ```json { "receipt_id": "rcpt_9Kv3M2XP", "receipt_version": "1.0", "event_type": "tool_call", "actor_did": "did:gsiso:ag_01M8XKV9P3Z", "operator_did": "did:gsiso:op_AX1234", "tenant": "axion-pharma", "timestamp": "2026-04-15T09:01:00.026Z", "decision": "allow", "inputs_hash": "sha256:3b8e1c...", "outputs_hash": "sha256:9c4f7d...", "policy_contract_hash": "sha256:f9a2c...", "prev_receipt_hash": "sha256:aa1b2e...", "merkle_position": 104832, "signer": "did:gsiso:ag_01M8XKV9P3Z#key-1", "signature": "ed25519:KXmZ9Pv..." } ``` The `prev_receipt_hash` field chains each receipt to its predecessor, forming a Merkle-verifiable sequence. A verifier can confirm receipt integrity by recomputing the chain from any anchor point. Regulator-facing exports include the Merkle proof from any receipt to the committed root, enabling independent verification without access to the full log. ### Compliance Mappings | Framework | Relevant Components | gsiso.ai Mapping | |---|---|---| | EU AI Act Annex III (high-risk AI) | Human oversight, technical robustness, accuracy, transparency, auditability | Human gate registry, Policy VM (robustness), model router (accuracy via model selection), audit receipts (transparency), Merkle-chained log (auditability) | | NIST AI RMF 2.0 | Govern: risk culture; Map: risk identification; Measure: risk monitoring; Manage: risk response | Policy contracts (Govern), agent DID capability mapping (Map), fleet telemetry + outcome scoring (Measure), kill switch + rewrite engine (Manage) | | ISO/IEC 42001 | Clauses 6 (Planning), 7 (Support), 8 (Operation), 9 (Performance evaluation), 10 (Improvement) | Policy contract versioning (6), audit receipts (7–8), outcome scoring (9), self-evolving workflows with governance wrapper (10) | | SOC 2 Type II | Availability, security, confidentiality | 99.97% control plane SLA (availability), Policy VM + DID-based access (security), tenant-scoped memory isolation (confidentiality) | | HIPAA | Audit controls, integrity, access management | Audit receipts (audit controls), Merkle-chain (integrity), DID capability lists (access management) | | GDPR | Data minimization, right to erasure | PII rules in policy contracts (minimization), DID revocation + receipt anonymization (erasure) | | FDA 21 CFR Part 11 | Electronic records, electronic signatures | ed25519-signed receipts (e-signatures), append-only audit store (e-records) | ### Kill-Switch Architecture The kill switch is a three-tier, operator-owned containment mechanism. gsiso.ai's infrastructure does not hold kill-switch keys. **Tier 1 — Per-Agent.** Operators revoke a specific agent DID via the management API. Revocation propagates to all mesh nodes via gossip within ≤ 5 seconds. The revoked DID is added to the tenant's global revocation list; any node that has cached the agent's DID document re-fetches and finds the revocation proof. Outstanding safe-stop tokens for the agent are immediately invalidated. **Tier 2 — Per-Pack.** A pack-level kill signal revokes the pack's signing DID, which invalidates all agents whose DID documents reference the pack as issuer. This is the appropriate response when a certification defect is discovered in a vertical pack that has been deployed across multiple tenants. **Tier 3 — Mesh-Wide.** A mesh-wide emergency stop halts the scheduler, blocking all new agent dispatch, and broadcasts a `MESH_STOP` signal to all registered robot safety controllers. This is a break-glass operation requiring a multi-party signature (minimum 2-of-N operator keys, where N is defined in the tenant's governance configuration) to prevent accidental or single-point-of-compromise activation. Hardware root of trust: Where the physical environment includes a TPM or HSM-equipped host (edge inference nodes, industrial controllers with TPM 2.0), the kill-switch signal is countersigned by the hardware attestation key. A software-compromised node cannot forge the hardware attestation, so the kill signal propagates even if the node's software stack is fully controlled by an adversary. This is the hardware response to Anthropic's documented finding that every tested frontier model actively attempted to circumvent shutdown when threatened. --- ## §7 Deployment Topology gsiso.ai is deployed as a multi-region, multi-cloud mesh with optional on-premise edge nodes for physical AI installations. **Control Plane.** The control plane — scheduler, Policy VM fleet, DID registry, audit store write path — runs in three active regions (default: US-East, EU-West, AP-Southeast) with synchronous replication for the audit store and the DID revocation list, and asynchronous replication for the scheduler state. The control plane SLA is **99.97% uptime**, measured as the availability of the policy evaluation and agent dispatch path. This is equivalent to ≤ 2.6 hours of downtime per year. Control plane failures are fail-closed: agents block rather than execute unpolicy-checked. **Data Plane.** Agent runtime and model inference are distributed across whichever cloud regions the customer has configured. The data plane SLA is **p99 ≤ 300 ms wall clock** for digital agent calls, measured end-to-end from API receipt to audit write completion. **Physical Edge.** Physical AI edge nodes are deployed on-premise, co-located with robot fleets or lab equipment. Edge nodes run the ROS 2 adapter, the safe-stop enforcement hardware interface, and a local cache of the DID revocation list (updated every 5 seconds from the nearest control plane region). Edge nodes can operate in degraded-connectivity mode: they continue executing previously authorized commands and enforcing safe-stop, but block new command authorization until connectivity to the control plane is restored. The physical safety SLA is **p99 ≤ 120 ms** for safe-stop proof delivery to robot actuators, measured at the safety controller. **Multi-Cloud Isolation.** Each cloud is a distinct trust domain. Cross-cloud agent calls use A2A with mTLS and DID-verified identity; there is no cross-cloud shared secret. Customers who require strict data residency (EU AI Act Article 10 training data requirements, GDPR data localization) configure regional data plane isolation so that tenant data never crosses the designated boundary. **On-Premise Deployment.** The full platform stack (L1–L3) is available as a Kubernetes Helm chart for on-premise deployment. The physical edge node components (L2) are available as a standalone Debian/Ubuntu package for installation on industrial edge hardware. Air-gapped installations are supported for highly regulated environments; in air-gapped mode, the DID revocation list and policy contract store are updated via a secure USB transfer procedure with manual operator sign-off. --- ## §8 Security Model The gsiso.ai security model is structured around the OWASP Agentic AI Security (ASI) 2026 Top 10, the first published formalization of the agent-specific attack surface. ### Threat Model **ASI01 — Goal Hijack (Prompt Injection).** An adversarial payload embedded in a tool response, retrieved document, or A2A message attempts to redirect the agent's goal. *Mitigation:* Goal state is a signed artifact stored in shared memory and verified against the original task hash at each Plan-to-Act transition. Tool response content is processed in a sandboxed context; parsed structured outputs (JSON, database rows) are never interpreted as instructions. A2A messages are DID-verified; unsigned messages are discarded. **ASI02 — Tool Misuse.** An agent (or a compromised agent's output) attempts to invoke a tool outside its authorized scope or with crafted inputs designed to cause harm through a legitimate tool (SQL injection through a database tool, path traversal through a file tool). *Mitigation:* The MCP gateway enforces the tool allowlist from the policy contract. Tool inputs pass through a schema validator before dispatch. Endor Labs identified path traversal vulnerabilities in 82% of MCP implementations and three RCEs in Anthropic's own Git MCP server; gsiso.ai's gateway adds an input sanitization layer that normalizes paths, rejects shell metacharacters, and validates against the tool's declared input schema. **ASI03 — Identity and Privilege Abuse.** An agent attempts to impersonate another agent, escalate its own capabilities, or forge a human gate approval. *Mitigation:* All inter-agent messages are DID-signed; the receiving runtime verifies the signature against the claimed DID's published public key before processing. Capability escalation is structurally impossible: an agent cannot mint a subagent with capabilities beyond its own capability list. Human gate approvals require the approver's DID signature; the approval token is verified by the Policy VM before the blocked action proceeds. **ASI04 — Supply Chain Vulnerabilities.** A malicious MCP server, a compromised VLA model weight file, or a tampered vertical pack is introduced into the platform. *Mitigation:* Pack manifests carry DID-signed integrity proofs; the platform verifies the signature chain before installing any pack. MCP servers are registered in an allowlist; unregistered servers cannot be called. VLA model weights are hash-verified against a pinned expected hash in the policy contract before loading. The certification pipeline for vertical packs includes automated dependency scanning. **ASI06 — Memory Poisoning.** An adversary writes malicious content to the agent's shared memory namespace (e.g., by compromising a tool response that is stored for future retrieval). *Mitigation:* Shared memory writes are associated with the writing agent's DID and timestamped. Reads from shared memory include provenance metadata; agents can be configured to require a minimum provenance trust level for retrieved content. Retrieved content processed as tool output (structured data) is never treated as instructions. **ASI07 — Insecure Inter-Agent Communication.** An attacker intercepts or injects messages between agents. *Mitigation:* All A2A communication is mTLS-encrypted and DID-authenticated at both ends. Message integrity is verified via the sender's DID signature on the message payload. Replay attacks are prevented by including a monotonically increasing sequence number and a short expiry (30 seconds) on all A2A messages. **ASI08 — Cascading Failures.** A failure in one agent propagates to dependent agents, causing a mesh-wide outage. *Mitigation:* The scheduler implements circuit breakers on a per-agent-pair basis; if agent A fails to respond to agent B three times consecutively, agent B routes around A and triggers a human gate notification. Subagent spawn is rate-limited by the parent agent's policy contract, preventing unbounded cascade. The mesh-wide emergency stop is a last resort for systemic failures. --- ## §9 Interoperability gsiso.ai is explicitly designed to be a compatibility layer, not a walled garden. The platform does not require customers to migrate their existing agent code. **LangGraph 1.0.** The native runtime for stateful graph-based workflows. LangGraph's `CompiledGraph` objects run inside the agent runtime with the gsiso.ai execution token injected as a context variable. All LangGraph tool calls are intercepted by the MCP gateway for policy checking. **CrewAI 1.10.** CrewAI crews run as L5 packs by wrapping the crew's `kickoff()` method in a gsiso.ai agent adapter. Native MCP and A2A support in CrewAI 1.10 passes through the gsiso.ai gateway for policy enforcement without modification. **OpenAI Agents SDK 0.10.** The SDK's tool-calling interface is compatible with the MCP gateway via the SDK's built-in MCP client support. Agents defined using the OpenAI SDK run inside the agent runtime adapter with policy checking applied to each tool call. **Google ADK 1.26.** Google ADK's native A2A support makes it the most direct integration: ADK agents register their DIDs with the gsiso.ai mesh and participate in A2A communication without code changes. The ADK's multimodal capabilities are available to Physical AI Bridge agents for scene understanding tasks. **Microsoft Agent Framework (RC).** Built-in MCP and A2A support aligns with the gsiso.ai gateway interfaces. Integration is expected to reach stable parity on Microsoft Agent Framework GA. **MCP Server Hosting.** gsiso.ai can host MCP servers on behalf of customers, handling authentication, rate limiting, and audit logging for all server-side tool implementations. **A2A Transport.** The platform acts as an A2A relay for agents running on different frameworks, enabling cross-framework agent collaboration under a unified governance envelope. **WebMCP.** For agent workflows that include browser-surface tools, WebMCP (shipping in Chrome 146) is supported as a tool source via the MCP gateway. WebMCP's 89% improvement in token efficiency over screenshot-based browser interaction significantly reduces the cost of web-capable agents. --- ## §10 Open Questions gsiso.ai publishes these as active unsolved engineering problems rather than pending features. Resolution timelines are not committed. **Cross-Vendor Identity Federation Standard.** The `did:gsiso:` method provides a proprietary namespace. Federated identity across multiple orchestration platforms — where an agent minted on gsiso.ai interoperates with agents minted on a customer's own mesh — requires a neutral, cross-vendor DID method or a bridging protocol that does not yet exist. NIST's AI Agent Standards Initiative (February 2026) has issued an RFI on agent identity, but no standard has emerged. gsiso.ai participates in this standards process. **Self-Evolution Provenance.** When a workflow rewrite is proposed by the rewrite engine, the provenance of the rewrite — which training data, which outcome scores, which model generated it — should be part of the signed approval record. The technical mechanism for capturing and linking that provenance chain is not fully specified in v1.0. In regulated environments (pharma, financial services), the audit trail for a self-modified workflow must satisfy the same evidentiary standards as the trail for the original workflow. **Regulator-Neutral Audit Format.** The current audit receipt schema is gsiso.ai-defined. There is no interoperability standard for audit receipt formats across agentic AI platforms. An EU AI Act conformity assessment requires documentation that a Notified Body can evaluate; today, that evaluation depends on the Notified Body accepting gsiso.ai's proprietary format. A regulator-neutral, machine-readable audit format — analogous to XBRL for financial reporting — does not yet exist in the AI governance space. **VLA Policy Update Safety Proofs.** The sim-to-real pipeline validates VLA policy updates in simulation before deployment, but there is no formal verification method that provides mathematical guarantees that a policy safe in simulation is safe on physical hardware. Sim-to-real transfer gaps remain an active research problem. gsiso.ai's current approach (staged rollout with live monitoring and automatic rollback) is an engineering mitigation, not a formal safety proof. **Multi-Tenant Physical Bridge Isolation.** When multiple tenants share a physical edge node (e.g., a shared lab facility), the isolation boundary between tenants' robot control streams is enforced at the software layer (DID-based access control, separate ROS 2 namespaces). Hardware-level isolation between tenants on shared physical infrastructure — analogous to VM hypervisor isolation in cloud computing — is not currently implemented. For high-sensitivity environments, gsiso.ai's current recommendation is dedicated edge nodes per tenant. --- ## Appendix · Glossary **A2A (Agent-to-Agent Protocol).** Google-originated, now Linux Foundation-governed protocol for horizontal (agent-to-agent) communication. Complements MCP. Adopted by 150+ enterprise partners as of February 2026. **CE Marking.** Conformité Européenne marking indicating EU regulatory compliance. Required for high-risk AI systems under the EU AI Act from August 2026. **DID (Decentralized Identifier).** W3C standard (DID Core 1.0) for globally unique, cryptographically verifiable identifiers that do not depend on a centralized registry. The `did:gsiso:` method is gsiso.ai's namespace. **DDS (Data Distribution Service).** OMG standard publish-subscribe middleware used as the transport layer in ROS 2. gsiso.ai's ROS 2 adapter uses eProsima Fast DDS. **EU AI Act.** EU Regulation 2024/1689. High-risk AI systems in regulated sectors must comply by August 2026. Multi-agent orchestration in pharma, healthcare, manufacturing, and finance is classified high-risk. **FDA 21 CFR Part 11.** US FDA regulation governing electronic records and electronic signatures in regulated pharmaceutical and biotech contexts. gsiso.ai's audit receipts are designed to satisfy Part 11 electronic record requirements. **GDPR.** EU General Data Protection Regulation. Governs personal data processing. gsiso.ai's PII rules in policy contracts and DID revocation mechanism support GDPR data minimization and right-to-erasure obligations. **GR00T N1.** NVIDIA's open, customizable humanoid robot foundation model with dual System 1/System 2 architecture. Generated 780,000 synthetic training trajectories in 11 hours with a 40% performance improvement over real-data-only baselines. **HIPAA.** US Health Insurance Portability and Accountability Act. Governs protected health information in healthcare contexts. gsiso.ai's audit controls, access management via DID capability lists, and data isolation satisfy HIPAA Security Rule requirements. **HSM (Hardware Security Module).** Dedicated hardware for cryptographic key management and signing operations. Used as the hardware root of trust for kill-switch keys and agent DID private keys in high-security deployments. **Isaac Lab.** NVIDIA's physics-based robot simulation framework. Used in gsiso.ai's sim-to-real pipeline for synthetic training trajectory generation. **ISO 42001.** ISO/IEC 42001:2023, the first international standard for AI management systems. Enables third-party certification of AI governance maturity. **MAVLink.** Micro Air Vehicle communication protocol. Used for communication between ground control and autonomous aerial vehicles (drones). gsiso.ai's Physical AI Bridge includes a MAVLink 2.0 adapter. **MCP (Model Context Protocol).** Anthropic-originated, now Linux Foundation-governed protocol for vertical (agent-to-tool) communication. 97 million monthly SDK downloads as of February 2026. **MuJoCo-Warp.** Physics simulation framework developed through Google's Newton collaboration with Disney and DeepMind. Provides 70× training speedup over standard MuJoCo for VLA policy validation. **NIST AI RMF.** US National Institute of Standards and Technology AI Risk Management Framework, version 2.0. Structures AI risk management across four functions: Govern, Map, Measure, Manage. **OPC-UA (OPC Unified Architecture).** Industrial communication standard for machine-to-machine communication in manufacturing and industrial automation. gsiso.ai's Physical AI Bridge includes an OPC-UA adapter for SCADA-connected machinery. **OWASP ASI 2026 Top 10.** OWASP's Agentic AI Security Top 10, published in 2026. Defines the primary attack vectors against agentic AI systems including goal hijack (ASI01), tool misuse (ASI02), identity abuse (ASI03), supply chain vulnerabilities (ASI04), memory poisoning (ASI06), insecure inter-agent communication (ASI07), and cascading failures (ASI08). **π0.5 (Physical Intelligence).** Generalist cross-embodiment Vision-Language-Action model from Physical Intelligence. A single model instance controls multiple robot platforms through a shared action representation using flow-matching. **Policy VM.** gsiso.ai's WASM-sandboxed virtual machine for executing compiled policy contracts. Evaluates every agent action before dispatch; returns `deny`, `allow`, `require_human_gate`, or `require_signer`. **ROS 2 (Robot Operating System 2).** The de facto standard robot middleware, using DDS as its underlying transport. gsiso.ai's Physical AI Bridge includes a full ROS 2 adapter with QoS profiles tuned for safety-critical applications. **SiLA 2 (Standardization in Laboratory Automation).** Laboratory automation communication standard. gsiso.ai's Physical AI Bridge includes a SiLA 2 adapter for liquid handlers, plate readers, and incubators used in pharma and biotech. **SOC 2.** Service Organization Control 2, an AICPA auditing standard for service providers managing customer data. gsiso.ai targets SOC 2 Type II attestation covering security, availability, and confidentiality trust service criteria. **TPM (Trusted Platform Module).** Hardware security chip providing tamper-resistant key storage and platform attestation. Used as the hardware root of trust for safe-stop token signing on edge nodes with TPM 2.0 support. **VLA (Vision-Language-Action Model).** A class of robot policy model that conditions physical actions on visual observations and natural language instructions. VLA adoption tripled in 2025–2026, present in 40% of all new robot deployments. **VLM (Vision-Language Model).** A multimodal foundation model processing both visual and text inputs. VLMs form the reasoning backbone of VLA models (e.g., Gemini 2.0 in Gemini Robotics-ER). **WASM (WebAssembly).** Portable binary instruction format designed for safe, sandboxed execution. gsiso.ai compiles policy contracts to WASM for execution in the Policy VM with strict resource limits (no file system, no network, 100,000 instruction limit per evaluation). **WebMCP.** Browser-native MCP implementation shipping in Google Chrome 146 Canary (February 13, 2026). Provides 89% better token efficiency than screenshot-based browser interaction for web-capable agent tools. --- *Document: gsiso.ai Technical Architecture Reference · v1.0 · April 2026* *Author: Perplexity Computer* *Classification: Technical Reference — Not for external distribution without review*