Abstract
A governance skill is the intermediate representation between policy intent and runtime enforcement. It is a declarative artifact — not a prompt, not a function — that specifies the conditions under which a transition is evaluated, the artifacts required to evaluate it, the constraints the evaluation must honor, the workflow that produces terminal outcomes, the protocol for ambiguity, the routing for escalation, and the failure modes the skill itself governs.
A skill compiles into an invariant set registered against the enforcement dispatcher. This paper specifies the seven fields, their semantics, the compile step, and the anti-patterns that emerge when skills are treated as prose instead of IR.
The IR claim
Policy is what an organization intends; runtime is what a system executes. Between them, ambiguity accumulates. Skills are the discipline that absorbs that ambiguity into a typed artifact the compiler can check. The claim is not "write better prompts"; it is that governance requires a typed intermediate representation whose fields are necessary and whose omissions are errors.
This is the same shape formal pipelines have taken elsewhere: IRs exist because end-to-end translation without one is brittle. Governance skills are that IR for lifecycle authority.
Skill anatomy — the seven fields
A skill is well-typed if and only if all seven fields are present, reference declared event/artifact/authority registries, and produce a compilable invariant set.
Worked skill
skill "agent_tool_exec" {
trigger: event.type == "agent.tool_exec"
inputs:
- ack_envelope : ACKEnvelope@v2 provenance: signed(trusted_keys)
- session : SessionState@v1 provenance: governed
- tool_manifest : ToolManifest@v1 provenance: registry
constraints:
C1 verify_signature(ack_envelope, trusted_keys)
C2 ack_envelope.scope ⊇ event.requested_scope
C3 event.tool_id ∈ tool_manifest.allowlist
C4 event.caller ∈ ack_envelope.delegation_chain
workflow:
step admit : require C1 ∧ C2 ∧ C3 ∧ C4
step envelope : bind(ack_envelope → decision_frame)
step terminate : PROCEED | HALT(301) | ESCALATE(runtime_operator)
ambiguity_protocol:
missing(ack_envelope) → HALT(301, "authority_missing")
malformed(inputs) → HALT(400, "ill_typed_skill_input")
escalation_routing:
on HALT(code=301) → runtime_operator
on HALT(code=409) → policy_author
failure_modes:
- authority_smuggling_via_tool_call → INV-AUTH-004
- delegation_chain_forgery → INV-AUTH-005
- cross_surface_approval_divergence → INV-EQUIV-007
}
This is not a prompt. It is an artifact with a schema the compiler checks.
Compilation: skill → invariant set
1 · typecheck
Inputs resolve to declared schemas. Triggers resolve to the event alphabet. Escalation roles resolve to the authority graph. Failure modes resolve to registered IDs. Unresolved references are compile errors — not warnings.
2 · lower to predicates
Each constraint is lowered to a pure predicate over (event, state, inputs). Workflow steps lower to conjunctions; alternatives lower to branches that must terminate.
3 · bind to routing registry
The lowered invariant set is registered against the trigger in the routing registry. A governed surface that emits that trigger will evaluate the set through enforce(…).
4 · emit residue
Any failure mode listed without a matching invariant becomes a compile error. Any invariant not reachable from some trigger becomes a dead invariant warning. Any field omitted is a skill error.
The compiler must not admit non-determinism through the back door: no invariant may depend on wall-clock time, unseeded randomness, or side-effecting evaluators. Replay stability is a property of the compilation pass, not of the author's intent.
Scope clauses
Every skill carries a scope clause and a non-expansion clause. Scope names the surface, event-class, and lifecycle window the skill governs. Non-expansion forbids the skill from claiming authority over transitions outside that window. Cross-skill overlap resolves through the routing registry, not through precedence in prose.
Anti-patterns
- Prose-as-skill. A markdown description of intent, no typed fields, no compile step. Governs nothing at runtime.
- Implicit fail-open. A workflow that returns no terminal on some branch. The compiler must reject this; the runtime must never encounter it.
- Untyped escalation. Escalation targeted at a role that is not in the authority graph. The route terminates in a string, not a governed receiver.
- Residue concealment. Failure modes declared without invariants, presented as governed. Honest compilation lists the residue.
- Skill as prompt. Including natural-language model instructions in the constraint slot. Constraints are predicates, not guidance.
Conclusion
A governance skill is typed, compilable, and routable. Treated as IR, it closes the gap between intent and enforcement; treated as prose, it reopens the same gap the compilation pipeline was built to close. The discipline is the compiler: what it accepts is governed; what it rejects is residue; what it emits is an invariant set the runtime can evaluate deterministically.