The Spine · 9 layers

The architecture for running AI agents in production.

A vendor-neutral catalog of nine named layers. Plug in any outside application through governed boundaries, and run the agents you build yourself on a runtime you own.

Open at the edges, sovereign at the core

85 to 100x

less token usage when tools are discovered progressively instead of dumped into context

405K

tokens a naive MCP server burns before the agent does any real work

~100%

jailbreak success against prompt-only defenses, the case for deterministic governance

64%

improvement from a scoped tool interface over a raw shell, same model and task

Sources: Speakeasy and Kruczek (token reduction), JailbreakBench and Andriushchenko et al. (jailbreak rates), SWE-agent at Princeton NLP (tool interface). All cited in the specs.

Enterprise grade

What the modern data platform did for analytics, the Spine does for agents.

Big data got serious when it got an architecture. The warehouse, the data lake, and the lakehouse gave the enterprise one governed place for ingestion, cataloging, lineage, and access control, so analytics could run at petabyte scale without chaos. AI agents are at that same moment now, and the Spine is the enterprise-grade answer: nine versioned, citable specifications that give agents the same rigor. Discovery, coordination, governance, grounded data, an audited registry, and a runtime you own.

And it runs on top of the data estate you already have. The Spine's grounded-data layer plugs agents directly into your existing platforms, from the cloud warehouse to the Spark lakehouse, governed by your canonical definitions and your row and column entitlements. Your big-data investment becomes the trusted foundation your agents reason over, not a surface they can leak.

SPINE THE SPINE SaaSquach AI Labs · Agentic Architecture Map 9 LAYERS · 2 TIERS FOUNDATION + CAPABILITY Data Estate to Production Agents FOUNDATION TIER CAPABILITY TIER YOUR DATA ESTATE warehouse · lake lakehouse · Spark DESTINATION YOUR AI AGENTS in production GDS Grounded Data canonical metrics data entitlements semantic model ARS Agent Registry inventory · tools models · datasets system of record DCS Durable Context state persistence memory across sessions temporal continuity INTERCHANGE SRS Sovereign Runtime first-party execution bounded ops tiers connect here ESF External Signal Fabric markets · logistics geopolitics real-world signals PDS Progressive Discovery agent exploration dynamic scoping retrieval spine ACS Adversarial Coordination multi-agent planner-evaluator coordination layer CRI Composite Risk Index risk scoring confidence banding scoring layer AGS Agent Governance policy · identity audit · compliance governance layer ROUTE GUIDE Foundation Line GDS · ARS · DCS · SRS Capability Line ESF · PDS · ACS · CRI · AGS Interchange: SRS SaaSquach AI Labs · Drew Mattie · Charles and Roe Inc. · The Spine · v1.0-draft
Hover any station to expand its layer, or swipe and tap on a phone. Nine layers across two tiers, from your data estate to agents in production.
DatabricksApache SparkLakehouseSnowflakeUnity CatalogdbtBigQueryData warehousesData lakes

The data platforms the Spine grounds your agents in.

Convergence proof

You are not the only one who needs this. The whole industry is building it.

Every layer of the Spine already exists, piecemeal, inside closed commercial platforms. UiPath, Palantir, AWS, Microsoft, Salesforce, Bloomberg, and more each shipped their own version of these concerns, independently, because the concerns are real. The same map, this time each station shows who already built it in their own closed model. The Spine names the pattern they all converged on, vendor-neutral and yours to own.

SPINE THE SPINE SaaSquach AI Labs · Convergence Map ALREADY IN PRODUCTION CONVERGENCE PROOF Every layer, already shipping elsewhere FOUNDATION TIER CAPABILITY TIER YOUR DATA ESTATE warehouse · lake lakehouse · Spark DESTINATION YOUR AI AGENTS in production GDS Grounded Data Palantir Ontology Microsoft Fabric IQ UiPath Grounding ARS Agent Registry UiPath Automation Hub Microsoft Entra Agent ID AWS Agent Registry DCS Durable Context AWS AgentCore Memory Letta / MemGPT Palantir Foundry AIP INTERCHANGE SRS Sovereign Runtime AWS AgentCore Runtime UiPath Robots Microsoft Foundry ESF External Signal Fabric Bloomberg B-PIPE Apache Kafka Everstream PDS Progressive Discovery Amazon Prime Video AWS AgentCore Gateway Composio ACS Adversarial Coordination UiPath Maestro Microsoft Magentic-One MuleSoft Fabric CRI Composite Risk Index FICO Score Moody's RiskCalc Bloomberg DRSK AGS Agent Governance Microsoft AGT AWS AgentCore Policy UiPath AI Trust Layer ROUTE GUIDE Foundation Line GDS · ARS · DCS · SRS Capability Line ESF · PDS · ACS · CRI · AGS Interchange: SRS SaaSquach AI Labs · Drew Mattie · Charles and Roe Inc. · The Spine · convergence map
Same map, same nine layers. Each station shows who already shipped it inside a closed platform. Hover for the full list, or swipe and tap on a phone.

Two very different vendors, UiPath (one RPA platform) and Microsoft (a whole cloud stack), each independently built pieces of roughly six of the nine layers. Powerful proof the layers are real, and a clear picture of what locking into any single closed platform would cost you.

Capability layers

Surfaces the 5 to 8 tools an agent needs on demand, instead of dumping a thousand into the context window. Semantic entities, a gateway, SLA-aware routing.

owns the failure: bad tool datacapability layer
Read the PDS spec on GitHub

Planner, generator, and evaluator are structurally separated, so the checker cannot simply agree with the maker. Coordination that catches its own mistakes.

owns the failure: bad reasoning, bad evaluationcapability layer
Read the ACS spec on GitHub

Every external signal (markets, logistics, geopolitics, supplier health) arrives typed and provenance-stamped, so the reasoning that used it is auditable.

owns the failure: bad world datacapability layer
Read the ESF spec on GitHub

Composite scoring with confidence bands, tenant-conditioned weights, and signal-version provenance. Not one mystery number.

owns the failure: bad scoringcapability layer
Private spec · available on request

Every action passes deterministic policy before it reaches the wire. Actions the policy denies are structurally impossible, not merely unlikely. Identity per agent, audit by construction.

owns the failure: bad governancecapability layer
Read the AGS spec on GitHub
Foundation layers

The temporal substrate. Project state, memory, and a verification-gated record of done that survive the context-window boundary, so the next session picks up the thread without loss.

owns the failure: bad continuityfoundation layer
Read the DCS spec on GitHub

The grounding substrate. A canonical semantic model (text to metric, not text to SQL) plus data-level entitlements, so answers are consistent and an agent sees only what its user may see.

owns the failure: bad groundingfoundation layer
Private spec · available on request

The system of record layer. One continuously-reconciled catalog of every agentic asset, that discovery reads from and governance enforces against. Shadow assets become detectable, not invisible.

owns the failure: bad or missing registryfoundation layer
Private spec · available on request

The execution substrate. A sovereign, first-party runtime where agents are identity-bound, isolated, ephemeral, and bounded by construction, composing the whole catalog. A specification you own, portable across any substrate.

owns the failure: bad or unbounded executionfoundation layer
Private spec · available on request

Click any layer to open it. Five of the nine are public open source; four are private.

What good looks like

Not a vibe. A bar you can measure against.

Every layer ships with target SLAs. These are the production thresholds the spec holds you to, the line between "we have agents" and "we run agents in production." One headline target per layer below; the full tables live in each spec.

AGScapability
0

actions ever executed without passing policy first

GDSfoundation
0

agent queries that hit raw data tables directly

ARSfoundation
0

unregistered shadow assets reachable in production

SRSinterchange
0

unbounded or unattributed execution incidents

DCSfoundation
0

false 'task complete' declarations across sessions

ESFcapability
0

decisions made on expired external signals

PDScapability
5-8

tools loaded into context by default, out of 200+ available

CRIcapability
100%

scores that declare their method, no mystery numbers

ACScapability
>30%

first-pass rejection rate of a real adversarial evaluator

Notice how many targets are zero. In production these are not aspirations, they are invariants the architecture has to make structurally true.

Failure attribution

When something breaks, you know who dropped the ball.

The catalog turns "the AI broke" into a specific, ownable layer. Click a failure to light up the layer that owns it.

The two doors

Two doors.

There are exactly two ways anything reaches your agent estate, and the Spine governs both.

Door 1

Outside applications plug into the Spine

Any third-party or closed-source agent, tool, or AI application connects through governed boundaries: discovered through one curated surface, every action policy-gated and audited, the data grounded and entitlement-scoped, tracked in one system of record. Best of breed, no lock-in.

third-party app  →  governed boundary →  the Spine
Door 2

Your own agents run on the Spine

For the agents you build yourself, the Sovereign Runtime Spine is the execution model: identity-bound, isolated, bounded by construction, composing the whole catalog. A runtime you own and run on infrastructure you control, portable across any substrate.

your agent  →  SRS runtime you own →  the full catalog
Read more

The catalog lives on GitHub.

PDS, ACS, ESF, AGS, and DCS are public open source under CC BY 4.0 + MIT. CRI, GDS, ARS, and SRS are held private.

Read PDS on GitHub