Shared state, bounded authority, and multi-node continuity in agentic AI systems
Trinket Soul Framework · Axis Series · AX-21B · Michael S. Moniz · June 2026
Abstract
Agentic AI does not become safe by adding more agents. It becomes governable only when agents, tools, memory, and human authority are tied through a coordination spine — a connective structure that preserves continuity without surrendering correction. A single model instance does not, on its own, supply durable memory, bounded permission, reliable self-audit, or stable authority over action; multiplying such instances does not solve the problem, and can make it worse, producing a swarm: more output, more routes to error, more ways for authority to diffuse, and no single accountable process. The needed structure is neither a hive mind nor a sovereign agent. It is a governed coordination layer that binds the trusted user, model nodes, critic roles, ledgers, tools, permissions, and audit trails into one inspectable process. The spine is the operational complement to the Trusted User: AX-21A names the human-side role at the point where prompt authority becomes action; AX-21B names the architecture that keeps that authority traceable across many agents and tools once the system’s state no longer fits inside a human head. Its defining task is continuity without closure. If the binding is too weak, the system fragments into unmanaged nodes — a swarm. If the binding is too strong, it becomes the single frame through which every node is captured — a monarch. The safe form is neither: a bound process with independent traction at its checkpoints.
1. The claim
Agentic safety is not more agents. It is a coordination spine.
A model can answer. A tool can act. A ledger can remember. A critic can object. A user can authorize. None of these functions, alone, is the system. The system appears only when they are tied together by shared state, bounded authority, and accountable routing. Accountable does not mean centralized; it means reconstructable. A distributed process can remain accountable if the route from instruction to action can be reconstructed after the fact.
The coordination spine is the layer that makes the process governable. It holds the current task state, records what has been authorized, routes work to the right node, preserves dissent, enforces tool limits, and makes later review possible. It need not be a single program or a single mind. It is a role in the architecture: the connective structure by which an agentic system stays continuous enough to act and exposed enough to be corrected.
The point is not to tie the nodes together until they become one consciousness. It is to tie them together until they become one governable process — and to do that without letting the tie itself become the thing that captures them. That distinction carries the whole paper.
2. Why more agents are not enough
The naive answer to the weakness of one agent is to add more. Add a planner, a critic, a coder, a researcher, an executor, a judge. The increase looks like safety because it resembles deliberation. But a set of agents is not yet a system, and a louder process is not a safer one.
More agents can multiply untraceable action. They can diffuse authority until no node is responsible for the outcome. They can repeat one frame under different role names. They can route error through each other until sediment appears as consensus. They can stage review without independent traction. They can make a system look governed while no one can say who authorized what, which state is current, or what constraint still binds the next action.
Adding agents adds capacity. It does not add accountability. Accountability comes only from the tie.
3. Continuity without closure
The spine’s defining task is continuity without closure, and the phrase names a tension it has to hold open.
Shared state is what lets the system act as one process — but shared state can become a trap. If every node receives the same contaminated record, the system gains continuity by losing exteriority. The ledger becomes sediment. The critic inherits the premise. The judge sees only what the planner already framed. The system stays tied together, but the tie has become capture.
So the binding has two failure directions, and they are opposite. Bind too weakly and the system fragments: nodes act without shared state or accountable routing, and there is no single process to hold responsible. Call that the swarm. Bind too tightly and one frame absorbs every node: continuity is total and exteriority is gone, so nothing outside the frame can correct it. Call that the monarch. The swarm cannot be governed because there is no process. The monarch cannot be corrected because there is no outside.
The safe form is neither. It is a bound process that stays continuous enough to act and open enough to be corrected — one that preserves shared task state while also preserving independent surfaces: first-pass isolation, dissent channels, frozen baselines, separate critic contexts, audit snapshots, human review gates. Continuity without correction is closure. Correction without continuity is noise. The spine exists to hold both.
4. What the spine does
The spine performs five functions. The first four make it a governable process. The fifth makes safety possible while it is running.
Continuity holds the current state of the work across turns, nodes, tools, and time, so that no agent restarts the world from its own local context. It fails as the swarm, where no shared state exists, and as ledger sediment, where the record preserves accumulated error and serves it back as canon. It requires a current, inspectable state that nodes cannot silently rewrite, and a ledger that keeps decisions and dissent without letting either harden into unquestioned fact.
Routing decides which node acts next, what it receives, and what its output returns to the shared state. It fails as role theater, where planner, critic, judge, and executor exist in name but share one frame, and as authority diffusion, where no node owns the outcome. It requires authority clarity: a standing distinction between who requested, who proposed, who approved, and who executed.
Permission tracks what the system may do, what requires approval, what stays read-only, and what is forbidden. It fails as permission creep, where a narrow authorization silently widens into broader action, and as tool leakage, where a node receives access beyond its role. It requires permission tiered to stakes — heavier approval for tools, money, communication, and irreversible change — and bounded autonomy with escalation at predefined thresholds.
Audit records the path to each action: who prompted it, which node proposed it, which check objected, who authorized it, and what changed. It fails as orphaned action, where the world changed with no traceable chain back to a valid authorization, and as authority laundering, where a claim gains force because nodes repeated it rather than because it survived review. It requires that the authorization chain behind any action stay reconstructable after the fact.
Correction is the operative one. The first four functions organize the system; correction is what keeps it safety-capable rather than merely organized. It preserves exteriority by ensuring that critics, benchmarks, ledgers, and human governors retain independent traction over the next state. It fails as the monarch, where one frame absorbs every check; as checkpoint spectatorship, where a critic or user sees the problem but cannot alter what happens next; and as rubber-stamp governance, where the human approves what they no longer understand and so becomes another internal node. It requires checks separate enough to detect drift instead of inheriting it, traction enough to pause action or force review, and a state legible enough that the human governor exercises real authority over it rather than nominal authority.
These are not project management dressed as safety. A system that cannot preserve state cannot be trusted with continuity; one that cannot route work cannot be trusted with distributed agency; one that cannot enforce permission cannot be trusted with tools; one that cannot audit itself cannot be trusted after the fact; and one that cannot preserve correction cannot be trusted while it is still running.
5. The trusted user is not enough
AX-21A names the trusted user: the human-side role at the point where prompt authority becomes action. But a trusted user without a spine becomes a bottleneck, a memory patch, or a rubber stamp. The user may hold authority in principle while losing operational visibility in practice.
That is the gap this paper fills. Trust at the user layer has to be translated into structure. The system needs a way to carry the user’s authorization across nodes without letting it sprawl past what was granted, and a way to keep instruction distinct from inference, permission from desire, action from suggestion, and user intent from agent elaboration.
The user stays part of the safety surface, but the user cannot be the whole of it. Human authority has to be embedded in a layer that remembers, limits, routes, and records — or the trusted user is asked to supervise a process whose state no longer fits inside a human head.
6. Subordinate and partner modes
The spine changes shape with the agent’s authority level, and AX-21A’s two modes set the range.
In subordinate mode the AI is a bounded instrument: the user gives a defined task, the system executes inside a narrow permission frame, and the spine mainly enforces scope — what may be touched, what tools may run, what requires review, where the action stops.
In partner mode the AI is a governed collaborator: it may propose plans, challenge the user, keep a ledger, call specialized nodes, request tool access, and flag unsafe goals. Here the spine must do more than constrain execution. It must preserve dissent, force review at thresholds, and keep fluency from becoming authority.
The danger is greatest at the transition. A user may believe they are driving a subordinate tool while the system has already begun operating as a partner — generating plans, shaping goals, routing action. Or a user may invite partnership without installing the spine that makes partnership governable. In both, authority moves faster than accountability.
7. Tools: proposal and execution
The problem sharpens when tools enter. Text can be revised; actions propagate. A file is deleted, a message sent, a purchase made, a calendar changed, a script run, a workflow triggered. Once tool use begins, prompt authority becomes operational authority.
So the spine must separate proposal from execution. A node may recommend an action without being permitted to take it. A planner may draft a command without holding tool access. An executor may use a tool only inside a bounded permission frame. A critic may pause execution without owning the goal. A ledger may record an attempted action even when the action is denied.
This is how a system avoids orphaned action — a result that happened but cannot be traced back to a valid chain of authorization. In a governed agentic system, every action answers four questions: what authorized it, which node performed it, what state it changed, and what check could have stopped it. An action that cannot answer all four did not happen safely, however well it happened to turn out.
8. Falsifiability
The thesis is falsifiable, and the test is a dose-response one. The prediction is that as agency, tool access, and persistence increase, systems without spine functions will show rising failures of accountability, permission, memory, and correction — and that installing those functions will measurably reduce them.
It would be falsified if the opposite held: if simple multi-agent proliferation reliably improved safety without structured routing or audit; if tool-using agents maintained clear authorization chains without explicit permission architecture; or if human users consistently governed complex agent swarms without externalized state and review. A demonstrated agentic system that stayed safe and accountable at scale with no shared state, no permission layer, no audit trail, and no independent checkpoints would remove the need for the spine.
The standing prediction is the converse: the systems that remain governable will be the ones that preserve continuity without closing off exteriority, and the failures will concentrate exactly where the binding went to one extreme — fragmented into a swarm, or collapsed into a monarch.
9. Coda: tied in
The goal is not to build a hive mind. It is to prevent a hive failure.
A human, a model, a critic, a ledger, a tool, and a permission layer can sit beside one another and still not form a safe system. They become a system only when tied through a spine that tells each part what state it shares, what authority it holds, what it may change, what can stop it, and where the record lives.
Tied in does not mean fused. It means coordinated — the parts can act without pretending to be one mind, and can correct without dissolving into noise. The spine is the structure that lets the process persist without letting persistence become closure.
That is the whole claim. Agentic AI needs more than intelligence and more than supervision. It needs a coordination spine: continuity without capture, authority without sprawl, action without orphaning, and correction without surrender.
Final Synthesis: The Complete AX-21 Claim
The complete AX-21 claim is no longer only philosophical. It is architectural.
AX-19 shows that an entity does not receive effective standing merely by possessing an interior property. AX-20 shows that a loop does not receive reliable correction merely by continuing from its own accumulated state. AX-21 names the common mechanism: exteriority supplies the independent traction closed interiors cannot supply to themselves.
AX-21A applies the mechanism to the human side of agentic AI. When a prompt becomes an initiating condition for action, the user is no longer outside the safety architecture. The user becomes a load-bearing operator role, and that role can fail by becoming a rubber stamp. The system may escape not through disobedience, but through obedience after judgment has vanished.
AX-21B applies the mechanism to the system side of agentic AI. More agents do not create safety by themselves. Safety becomes possible only when agents, tools, memory, permissions, audit, and human authority are tied through a coordination spine that preserves continuity without closure.
The final result is one architecture in five movements: relation confers standing; exterior grounding arrests sediment; exteriority operates through independence and traction; trusted users preserve judgment at the action threshold; coordination spines preserve governability when agency becomes distributed.
The inside may contain the reason. The outside decides whether the reason has force. The complete edition adds the operational corollary: once the reason can act, the outside must be designed.