Skip to main content
The single most common point of confusion when first encountering Trust Posture: “is it a kind of card?” or “does it compose into the agent’s card?” No. Postures and cards are parallel artifact types. They share infrastructure (the composer idiom, KV caching, the audit log, strictest-wins rules) but their data planes are independent. A posture never folds into a card; a card never folds into a posture. This page makes the distinction explicit, and shows where the two surfaces do cooperate — at well-defined join points downstream of either artifact’s cascade.

The two cascades

CascadeLayersOutputConsumed by
Posture (oversight policy)Platform → Org → Teameffective posture per teamObserver’s per-team sweep
Cards (runtime treatment)Platform → Org → Team → Agentcanonical Alignment + Protection cards per agentGateway at request time
Cards have an agent leaf because cards encode per-agent runtime treatment (“what is this agent allowed to do?”). Postures have no agent leaf because postures are inherently fleet-level — they observe a group of agents and decide whether the group’s collective behavior warrants alarm.

The axes are orthogonal

AxisCardsPosture
TimeSynchronous, per-request, same-turnAsynchronous, periodic sweep, cross-turn carryover
SubjectSingle agent’s behavior (this turn’s tool call, this turn’s reasoning, this turn’s content)Fleet-level patterns (coherence between agents, fault lines, outliers within a team)
CardinalityOne trace, one decisionPer-finding fan-out to N affected agents via pending_advisories
Scope leafAgentTeam
Mutation byAgent owner (within org+platform constraints)Org admin (within platform constraints)

Concrete examples

ConcernOwner
”Don’t let this agent run rm -rfAlignment Card (enforcement.forbidden_tools)
“Cap autonomous spend at $100”Alignment Card (autonomy.max_autonomous_value)
“Redact secrets from this agent’s reasoning before delivery”Alignment Card (integrity_mode)
“Block prompt-injection on inbound content”Protection Card (mode + thresholds)
“Surgically replace PII in outbound responses”Protection Card (back-door)
“Trust only *.mnemom.ai as a content origin”Protection Card (trusted_sources)
“Alert when 3+ agents in this team start disagreeing about declared values”Trust Posture (sideband.coherence.fire_on.conflict_edge_count_exceeds)
“Alert when one agent’s coherence drops more than 1σ below the team mean”Trust Posture (sideband.fleet.patterns.outliers)
“Treat fault lines at severity ≥ high as actionable”Trust Posture (sideband.fault_line.severity_floor)
“Sweep this banking-team fleet every 5 minutes, not 10”Trust Posture (sideband.*.cadence_seconds)

Where they cooperate (two join points)

Postures and cards intersect at exactly two well-defined join points downstream of either cascade.

1. Detector input

The sideband detectors read two sources at sweep time:
  • The team’s effective Posture (policy) — tells the detector when to fire.
  • The team members’ canonical Alignment Cards (data) — provides what to look at.
The posture’s body specifies thresholds (e.g., pairwise_governance_floor_below: 0.5); the card’s content (declared values, conscience, integrity sections) is the substrate the detector analyzes.

2. Carryover bridge

Posture-driven findings write rows to pending_advisories tagged with source: sideband.{coherence,fault_line,fleet}. The gateway, on the next turn for any affected agent, reads those rows alongside the agent’s canonical cards and lets card-driven enforcement decide the runtime treatment. The slogan: posture detects; cards treat. 
Observer sweeps a team
  ├─ reads team's effective Posture (from Platform → Org → Team cascade)
  └─ reads team members' Alignment Cards


  Detector fires per posture's fire_on rules


  Writes pending_advisories rows (source: sideband.*)

       ▼ (next turn for affected agent)
  Gateway picks up advisory
  ├─ reads agent's canonical Alignment + Protection Cards (Platform → Org → Team → Agent)
  └─ Cards decide runtime treatment (observe / nudge / enforce per autonomy_mode + integrity_mode)


  User sees the chat complete (CAC: chat always completes), with appropriate treatment applied.

Why no overlap is intentional

If a posture could set per-agent forbidden_tools, you’d have two answers to “is rm -rf blocked?” — the card’s and the posture’s — and the composer would need to merge them. That’s a design smell. The line we hold:
  • Per-agent identity, per-agent treatment lives on cards.
  • Fleet hygiene lives on postures.
  • Mode vocabulary (off | observe | nudge | enforce) and strictest-wins composition are shared idioms, applied within each cascade independently.
The result: extending the posture body to add Trust-Rating gating, attestation flags, control-tags, or new sideband sources doesn’t touch the card schemas. Extending cards (new principal types, new exemption granularity) doesn’t touch postures. Each artifact stays small enough to reason about.

See also