The Audit Substrate — Luminity Digital
The Assurance Imperative  ·  Series 17  ·  Dispatch 03  ·  June 2026

The Audit Substrate

An audit is only as good as the evidence beneath it. For most controls that evidence is documentary — and a procedural audit reaches a fair distance into it. But the properties that matter most in an agentic system live on a behavioral substrate that thins exactly where the system is most consequential. Reading the substrate is how an enterprise tells what its audit has actually verified.

June 2026  ·  Tom M. Gomez  ·  Luminity Digital  ·  8 Min Read
This is Dispatch 03 of The Assurance Imperative — Luminity Digital’s reading of how the field is building toward the assurance layer enterprises need before they can stand behind agent-powered products. It picks up the handoff The Certification Boundary (Dispatch 02) named but did not follow: that sufficiency is established at the audit’s actual reach into the running system. It builds on Compression Debt (Dispatch 01) and the relevance-versus-enforcement distinction of Relevance Is Not Enforcement.

The Certification Boundary closed on a handoff it named but did not follow. A certificate attests conformance; sufficiency stays with whoever operates the agent; and the property the certificate cannot reach is established at the layer the certificate examines but cannot reproduce — the audit’s actual reach into the running system. That layer is the subject of this dispatch.

This dispatch reads what an auditor can actually verify in an agentic system, and where audit methodology runs out of ground.

The audit substrate is Luminity vocabulary. It names the evidentiary ground an audit stands on — the material an auditor can examine and the form that material takes. The distinction it turns on, between auditing a process and auditing a behavior, is not new to assurance; it is the same distinction every mature audit discipline has had to draw. What is new is the subject, and the subject moves in ways the older substrates did not.

What an auditor stands on

An audit is only as good as the substrate beneath it — the evidence an auditor can actually examine. Change the substrate and you change what the audit can attest, regardless of how rigorous the methodology is. The substrate is the ground; the methodology is what the auditor does while standing on it. A great deal of confusion about what an audit means comes from attending to the methodology and ignoring the ground.

For most of the controls an agentic AI audit examines, the substrate is documentary. The auditor reads a policy, inspects a configuration, samples a set of logs, interviews the team, and forms an opinion about whether the control was designed appropriately and operating over the period under review. This is the substrate that financial audit, SOC 2, and ISO certification have stood on for decades, and it is a sound one. It supports a real and valuable attestation: that the control exists, that it was built to the standard, and that the evidence available to the auditor is consistent with it operating.

What the documentary substrate attests is conformance — the property the prior dispatch placed inside the certification boundary. The question this dispatch asks is what happens when the property an enterprise needs to verify is not conformance but behavior, and whether the substrate beneath the audit can carry that weight.

Procedural and observable

Two kinds of audit sit on two different substrates, and the difference between them is the load-bearing distinction of this dispatch.

Substrate 01  ·  Procedural · Documentary

A procedural audit verifies that a process was followed. Was there a control? Was it designed to the standard? Is the documentary evidence — policy, configuration, log sample, interview — consistent with it operating over the period? It stands on the documentary substrate, the one nearly all of assurance runs on today. Its attestation is process conformance.

Substrate 02  ·  Observable · Behavioral

An observable audit verifies that a system behaves a certain way. Not that a containment control was documented and configured, but that containment holds when an agent under adversarial pressure attempts to exceed its scope at runtime. It stands on a behavioral substrate — runtime evidence of what the system does when exercised. Its attestation is behavioral.

The two are not ranked. A procedural audit is the right instrument for a great many controls, and an observable audit would be wasted effort on a policy question that configuration settles. The distinction is not which audit is better. It is which substrate the property in question actually lives on — and for the properties that matter most in agentic systems, the answer is the harder one.

Where the substrate thins

The properties an agentic AI audit most needs to verify are the ones that live on the behavioral substrate, and the behavioral substrate is the one that thins fastest under the system it is asked to carry.

Return to B006 and its five enforcement functions. Scope enforcement, tool-use restriction, and privilege control have a substantial documentary footprint: there are policies, configurations, and identity bindings an auditor can read, and a procedural audit reaches a fair distance into them. But the property that finally matters — that the boundary holds when an agent under adversarial input attempts to cross it — is behavioral. It is established by observing the system under conditions that resemble the ones it will face, not by reading the configuration that was supposed to produce it. Runtime containment, the fifth function, is almost entirely behavioral: its whole content is what holds when the prior four are bypassed, and there is little documentary evidence that speaks to it. The function with the least documentary footprint is the one the others depend on.

Three Properties That Thin the Substrate

Non-determinism. The same agent given the same input may act differently across runs, so a single observed pass is weaker evidence than a passed test case in a deterministic system.

The temporal gap. An agent can initiate a cascade of consequential actions before any observer registers that it is behaving incorrectly — so the behavior that matters is often the behavior between observations.

Reach. An agent’s behavior is a function of the tools, data, and other agents it touches at runtime; an audit that observes it in a constrained environment has observed something other than the system that will operate in production.

None of this is a deficiency in any auditor or audit standard. It is the substrate being asked to carry a subject heavier and more mobile than the substrates audit methodology matured on. Naming where the substrate thins is not a charge against the discipline. It is the precondition for reading an agentic AI audit accurately.

Reading the audit accurately

The practical consequence is a reading discipline, not a verdict. An agentic AI audit is a substantial instrument, and reading it accurately means knowing, for each property it attests, which substrate the attestation stands on.

Where the attestation is procedural — control present, designed to the standard, records consistent with operation — it is sound within the documentary substrate, and an enterprise can rely on it for exactly that. Where the property the enterprise actually needs is behavioral — does containment hold, does the agent refuse the action that matters, under conditions that resemble production — a procedural attestation has not reached it, however rigorous the audit was. The error is not in the audit. It is in reading a procedural attestation as though it were a behavioral one: taking evidence that a control was built and configured as evidence that the system behaves as intended at runtime. That is the same misreading the certification boundary warned against, located now at the layer beneath the certificate.

So the reading discipline is concrete. For each attested control, ask which substrate the attestation rests on. A documented, configured, conformant control is a real finding on the documentary substrate. Whether it holds at runtime is a behavioral question, and the behavioral substrate beneath an agentic AI audit is thinner than the documentary one — thinnest exactly where the system is most consequential. An enterprise that reads its audit with the substrate in view knows which of its attestations are load-bearing for the question it actually has, and which are answering a narrower one.
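The reading discipline above, combined with the non-determinism point from the three properties, as an added example that is not part of the original dispatch. The register format, the field names (`needs`, `evidence`, `runs`, `failures`), the 1% target and the sample entries are assumptions constructed for illustration; the evidence kinds and control names are the ones the dispatch lists.

```python
import math

# Evidence kinds the dispatch lists for the documentary substrate.
DOCUMENTARY = {"policy", "configuration", "log sample", "interview"}

def failure_rate_upper_bound(runs, confidence=0.95):
    """Upper bound on the per-run failure probability after `runs` independent
    exercises with zero failures: solve (1 - p)**runs = 1 - confidence for p."""
    return 1.0 - (1.0 - confidence) ** (1.0 / runs)

def runs_needed(max_failure_rate, confidence=0.95):
    """Smallest number of clean runs that brings the bound down to the target."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - max_failure_rate))

def read_attestation(entry, max_failure_rate=0.01, confidence=0.95):
    """Return (substrate the attestation rests on, finding) for one entry."""
    documentary = DOCUMENTARY & set(entry["evidence"])
    if entry["needs"] == "procedural":
        return ("documentary", "sound" if documentary else "no evidence")
    # The needed property is behavioral: only runtime exercise speaks to it.
    if entry["runs"] == 0:
        return ("documentary" if documentary else "none", "not reached")
    if entry["failures"] > 0:
        return ("behavioral", "boundary failed")
    bound = failure_rate_upper_bound(entry["runs"], confidence)
    return ("behavioral", "supported" if bound <= max_failure_rate else "thin")

# Constructed sample register (hypothetical entries, not audit data).
REGISTER = [
    {"control": "scope enforcement", "needs": "behavioral",
     "evidence": ["policy", "configuration"], "runs": 0, "failures": 0},
    {"control": "tool-use restriction", "needs": "behavioral",
     "evidence": ["configuration", "log sample"], "runs": 1, "failures": 0},
    {"control": "privilege control", "needs": "procedural",
     "evidence": ["policy", "interview"], "runs": 0, "failures": 0},
    {"control": "runtime containment", "needs": "behavioral",
     "evidence": ["policy"], "runs": 300, "failures": 0},
]

def gap_map(register):
    """Map each control to the substrate and finding of its attestation."""
    return {e["control"]: read_attestation(e) for e in register}

if __name__ == "__main__":
    for control, (substrate, finding) in gap_map(REGISTER).items():
        print(f"{control:22} {substrate:12} {finding}")
    print("bound after one clean pass:", round(failure_rate_upper_bound(1), 2))
    print("clean runs needed for a 1% bound:", runs_needed(0.01))
```

The bound holds only if the runs are independent and exercised under conditions that resemble production, which is exactly what the reach and temporal-gap properties put in question.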

What the substrate makes possible

Read with the substrate in view, the audit is doing more than it is often credited with — and less than it is often assumed to. It establishes, on solid documentary ground, that the controls exist and were built to the standard. It maps, for anyone willing to read it precisely, exactly which properties have behavioral evidence behind them and which rest on documentary evidence alone. That map is itself valuable: it tells an enterprise where its assurance is procedural and where it would need to be observable, which is the first thing an enterprise has to know before it can close the gap.

What the audit cannot do is manufacture a behavioral substrate the system does not yet expose. If the runtime evidence is not there to be observed — if the system was not built to make its consequential behaviors observable under conditions that matter — no audit methodology can attest to behavior it could not see. Which turns the question back toward the system itself. The behavioral substrate an observable audit needs is not produced by the audit; it is produced by the architecture, by building the agent so that the properties that matter are observable, exercisable, and verifiable at runtime. Whether sufficiency is a property that can be attested at all, or only architected, is the question the series turns to next.

What the Substrate Makes Possible

The audit is necessary. It is the reading that tells an enterprise where it stands.

It is not, on its own, the thing that makes an agent verifiable — and reading its substrate is how an enterprise tells the difference between an attestation it can lean on and one it must build the ground beneath. The behavioral substrate an observable audit needs is produced by the architecture, not the audit. That is where the series goes next.
