Threat Model | Corevexa Docs

Governance Failure & Attack Surfaces

Governance systems must assume bypass attempts, identity compromise, policy manipulation, and ledger tampering. This page defines the primary threat surface for Layer-7 and the mitigation posture that preserves enforceability, traceability, and accountability under pressure.

No silent bypass · Deterministic recovery · Audit survivability

If a governance system cannot describe how it fails, it cannot claim to be secure.

Threat Model Objective

The Layer-7 threat model is designed to protect a single invariant: execution must not bypass governance. Everything else—availability, performance, convenience—must remain subordinate to enforceability and audit integrity.

What we defend

  • Authority integrity — approvals cannot be forged or impersonated.
  • Policy integrity — policies cannot be silently modified or rolled back.
  • Ledger integrity — events cannot be deleted, mutated, or replayed without detection.
  • Gateway enforceability — tools cannot execute without governance confirmation.

What we assume

  • Internal actors can be adversarial or negligent.
  • Execution systems may attempt bypass for speed.
  • Policy drift is inevitable without strict versioning.
  • Audits occur under time pressure and incomplete information.

Threat modeling is not paranoia. It is the minimum bar for deploying governance infrastructure.

Primary Threat Categories

Authority Compromise

Stolen credentials, impersonation, forged approvals, compromised approver devices.

Impact: illegitimate approvals and uncontrolled execution

Policy Manipulation

Unauthorized edits, “rollback to permissive policy,” unsigned policy injection.

Impact: governance gates silently weakened

Ledger Tampering

Deletion, mutation, truncation, or replay of historical decision events.

Impact: audit failure and loss of reconstruction

Execution Bypass

Direct tool invocation that avoids the gateway or governance engine decision path.

Impact: “ungoverned execution” becomes possible

Risk Model Poisoning

Manipulating inputs to downgrade risk bands, hide action class severity, or mask context.

Impact: high-risk actions routed as low-risk

Denial of Governance

Taking the engine/ledger offline to force shadow execution or bypass controls.

Impact: pressure to “ship anyway” without governance

Most governance failures are not exotic. They are bypasses, drift, and “temporary exceptions” that become permanent.

Attack Surface Mapping

Attack surfaces are categorized by Layer-7 boundaries: identity, policy, ledger, gateway, and network. Mitigations must be structural, not “best effort.”

| Surface | Representative vectors | Structural mitigations |
| --- | --- | --- |
| Identity | Credential theft, session hijack, impersonation, replay | MFA, short-lived tokens, device binding, approval signatures |
| Authority | Forged approvals, delegated approvals without trace, “rubber-stamp” behavior | Role-based routing, explicit approver identity, structured approval reasons, approval TTL |
| Policy Store | Unauthorized edits, version rollback, unsigned policy injection | Signed bundles, immutable versions, hash addressing, controlled release workflow |
| Governance Engine | Parameter tampering, config drift, disabled gates | Config attestation, policy hash requirements, runtime integrity checks |
| Decision Ledger | Event deletion/mutation, truncation, replay | Append-only design, hash-chained events, periodic anchoring, restricted writes |
| Execution Gateway | Direct tool calls, bypass routes, “shadow endpoints” | Network segmentation, gateway-only tool access, deny on missing governance confirmation |
| Network | MITM, lateral movement, exposed services | mTLS, least-privilege networking, private service planes, IP allowlists |
| Observability | Missing logs, altered metrics, blind spots | Ledger as truth source, export chain-of-custody, integrity alerts |

“Logging” is not a mitigation if logs can be deleted or rewritten. The ledger must be immutable.
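The Decision Ledger mitigations in the table (hash-chained events plus periodic anchoring) can be checked mechanically. The following is an added example, not Corevexa code: the event fields, the `build` and `verify` helpers and the sample events are assumptions constructed for illustration, and the anchor is assumed to be stored outside the ledger's write path.

```python
import hashlib
import json

GENESIS = "0" * 64

def event_hash(prev: str, seq: int, payload: dict) -> str:
    # The hash covers the previous hash, so each event commits to its history.
    raw = json.dumps({"prev": prev, "seq": seq, "payload": payload},
                     sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()

def build(payloads: list) -> list:
    ledger, prev = [], GENESIS
    for seq, payload in enumerate(payloads):
        h = event_hash(prev, seq, payload)
        ledger.append({"seq": seq, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return ledger

def verify(ledger: list, anchor: tuple) -> list:
    """Return (index, finding) pairs; an empty list means intact.

    anchor is a (seq, hash) pair kept outside the ledger's write path.
    """
    findings, prev = [], GENESIS
    for i, e in enumerate(ledger):
        if e["seq"] != i:
            findings.append((i, "sequence"))         # deletion or replay
        if e["prev"] != prev:
            findings.append((i, "broken_link"))      # history was re-linked
        if e["hash"] != event_hash(e["prev"], e["seq"], e["payload"]):
            findings.append((i, "mutated"))          # content edited in place
        prev = e["hash"]
    a_seq, a_hash = anchor
    if len(ledger) <= a_seq:
        findings.append((a_seq, "truncated"))        # tail removed
    elif ledger[a_seq]["hash"] != a_hash:
        findings.append((a_seq, "anchor_mismatch"))  # chain rebuilt wholesale
    return findings

# Constructed sample decision events.
SAMPLE = [{"action": "publish", "decision": "approved", "approver": "alice"},
          {"action": "deploy", "decision": "denied", "approver": "bob"},
          {"action": "export", "decision": "approved", "approver": "carol"}]
LEDGER = build(SAMPLE)
ANCHOR = (2, LEDGER[2]["hash"])
```

Truncation and a wholesale rebuild both leave a self-consistent chain, so only the external anchor exposes them; the per-event checks alone catch in-place edits, deletions and replays.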

Fail-Closed Enforcement

Layer-7 is designed to fail closed for governed actions. If governance cannot be confirmed, execution must not proceed. This protects against denial-of-governance attacks and “temporary bypass” behavior.

Fail-closed triggers

  • Ledger unavailable — cannot write state transitions.
  • Policy unavailable — cannot confirm the governing ruleset.
  • Identity degraded — cannot validate approver or requestor.
  • Gateway cannot confirm — execution outcome not verifiable.

Expected system behavior

  • Low-risk: queue or deny per policy (configurable).
  • High/critical: deny with required remediation steps.
  • All actions: emit an incident-ready event.
  • No silent publish: “assumed execution” is disallowed.
    /* Gateway enforcement contract (concept) */
    if (!governanceConfirmed) {
      denyExecution("governance_unconfirmed");
    }

Availability is important. Integrity is mandatory. Fail-open turns governance into a suggestion.
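The fail-closed triggers and expected behavior above, expanded into a decision function. This is an added example, not Corevexa code: the `Health` flags, the `Gateway` class and the in-memory incident sink are assumptions made for illustration.

```python
from dataclasses import dataclass, field, asdict

@dataclass(frozen=True)
class Health:
    """Constructed health snapshot; one flag per fail-closed trigger."""
    ledger_writable: bool = True
    policy_available: bool = True
    identity_valid: bool = True
    gateway_can_confirm: bool = True

@dataclass
class Gateway:
    low_risk_fallback: str = "queue"   # "queue" or "deny", set by policy
    incidents: list = field(default_factory=list)  # stand-in incident sink

    def decide(self, action: str, risk: str, health: Health) -> dict:
        failed = sorted(k for k, ok in asdict(health).items() if not ok)
        if not failed:
            outcome, reason = "allow", "governance_confirmed"
        else:
            reason = "governance_unconfirmed"
            # Only an explicit "low" band may queue; high, critical and
            # unrecognized bands are denied.
            if risk == "low" and self.low_risk_fallback == "queue":
                outcome = "queue"
            else:
                outcome = "deny"
        decision = {"action": action, "risk": risk, "outcome": outcome,
                    "reason": reason, "failed_checks": failed}
        if failed:
            # The incident-ready event goes to a sink that does not depend
            # on the ledger, which may be the component that is down.
            self.incidents.append(decision)
        return decision
```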

Common Bypass Scenarios

The most common governance failures are operational, not theoretical. This section documents known bypass patterns and the structural countermeasures required to prevent them.

Shadow tooling

Teams call tools directly outside the gateway “just this once.”

Counter: network segmentation + gateway-only access

Policy drift

Different environments run different policy versions without detection.

Counter: policy hash checks + drift detection

Approval dilution

Approvals become routine, fast, and unreasoned—high risk slips through.

Counter: structured reasons + thresholds + TTL

Ledger gaps

Decisions execute but ledger write fails; history becomes incomplete.

Counter: fail-closed on ledger write failure

Risk downgrading

Inputs are shaped to reduce risk band classification.

Counter: immutable context capture + audit review

Rollback attack

System is forced onto older permissive policy versions.

Counter: signed bundles + disallow unsigned rollbacks

Governance is not defeated by hackers first. It is defeated by convenience first.
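The policy drift and rollback attack counters can be enforced at load time. The following is an added example, not Corevexa code: the bundle layout, `PolicyStore` and the rollback authorization format are assumptions, and HMAC stands in for the asymmetric signature a real release workflow would use. Signed bundles are assumed to always carry an integer `version`.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # placeholder for the release signing key

def seal(body: dict, key: bytes = KEY) -> dict:
    """Attach a hash address and a signature (HMAC stand-in) to a body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "address": hashlib.sha256(raw).hexdigest(),
            "sig": hmac.new(key, raw, hashlib.sha256).hexdigest()}

def sealed_ok(obj: dict, key: bytes = KEY) -> bool:
    good = seal(obj.get("body", {}), key)
    return (obj.get("address") == good["address"]
            and hmac.compare_digest(str(obj.get("sig", "")), good["sig"]))

class PolicyStore:
    def __init__(self):
        self.active = None     # bundle currently enforced
        self.high_water = 0    # highest version ever accepted; never lowered

    def load(self, bundle: dict, rollback_auth: dict = None) -> str:
        if not sealed_ok(bundle):
            return "reject:unsigned_or_modified"
        version = bundle["body"]["version"]
        if version > self.high_water:
            self.high_water = version
        else:
            # Same or older version: a valid signature on the old bundle is
            # not enough. A signed authorization must name this bundle and
            # the current high-water version.
            auth = rollback_auth or {}
            body = auth.get("body", {})
            if not (sealed_ok(auth)
                    and body.get("rollback_to") == bundle["address"]
                    and body.get("from_version") == self.high_water):
                return "reject:unsigned_rollback"
        self.active = bundle
        return "accept"

    def drifted(self, expected_address: str) -> bool:
        """Policy hash check: is this environment on the expected bundle?"""
        return self.active is None or self.active["address"] != expected_address
```

Because the high-water mark never decreases, an authorization issued for one rollback becomes stale as soon as a newer version is accepted.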

Break-Glass Protocol

Break-glass is an emergency override mechanism. It is permitted only under strict constraints and must be fully recorded in the decision ledger. Break-glass is not a “skip approval” feature.

Break-glass constraints

  • Time-limited — expires automatically (TTL).
  • Scope-limited — only specific action classes allowed.
  • Identity-bound — cannot be shared or delegated.
  • Reason-required — structured reason code + free text.

Mandatory follow-up

  • Post-event review within defined window.
  • Policy remediation if override indicates systemic misfit.
  • Executive visibility in the Executive Panel.
  • Audit export readiness with chain-of-custody.

Break-glass is a governance exception — not a convenience feature.
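The four break-glass constraints, checked together with the requirement that every use is recorded in the decision ledger. This is an added example, not Corevexa code: the `Grant` fields, the reason-code list and the `record` callback are assumptions made for illustration.

```python
from dataclasses import dataclass

REASON_CODES = {"outage", "security_incident"}  # constructed code list

@dataclass(frozen=True)
class Grant:
    holder: str                # identity the override is bound to
    action_classes: frozenset  # scope limit
    issued_at: float           # epoch seconds
    ttl_seconds: int
    reason_code: str
    reason_text: str

def use_break_glass(grant, actor, action_class, now, record) -> tuple:
    """Return (allowed, failed_checks). `record` writes to the ledger."""
    expires = grant.issued_at + grant.ttl_seconds
    checks = {
        "identity_bound": actor == grant.holder,
        "scope_limited": action_class in grant.action_classes,
        "time_limited": grant.issued_at <= now < expires,
        "reason_required": (grant.reason_code in REASON_CODES
                            and bool(grant.reason_text.strip())),
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    event = {"type": "break_glass", "actor": actor, "holder": grant.holder,
             "action_class": action_class, "at": now,
             "reason_code": grant.reason_code,
             "reason_text": grant.reason_text,
             "allowed": not failed, "failed_checks": failed}
    try:
        record(event)  # denied attempts are recorded too
    except Exception:
        # An override that cannot be recorded is refused.
        return (False, ["ledger_write_failed"])
    return (not failed, failed)
```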

Compromise Scenarios & Deterministic Response

Layer-7 compromise response must be deterministic: when integrity is threatened, behavior becomes more restrictive, not more permissive. The goal is to preserve audit survivability and prevent silent bypass.

| Scenario | Detection signal | System response |
| --- | --- | --- |
| Ledger integrity failure | Hash chain mismatch / missing anchor / write errors | Enter restricted mode; deny high-risk; queue low-risk; alert owners |
| Policy store compromise | Unsigned policy detected / version drift / rollback attempt | Reject unsigned bundles; rollback to last signed version; halt governed execution if unresolved |
| Authority breach | Anomalous approvals / impossible travel / token misuse | Revoke sessions; require re-auth; freeze approvals until identity validated |
| Gateway bypass detected | Tool invocation without ledger-confirmed governance | Block tool access; trigger incident; require remediation before re-enable |
| Denial of governance attempt | Repeated engine outages correlated with high-risk execution | Fail closed; force manual executive review path; disable break-glass if abused |

“Degraded mode” must not become “unguarded mode.” Degradation increases restriction.

Scope & Non-Goals

In scope

  • Governance integrity under adversarial conditions
  • Bypass prevention at execution boundaries
  • Immutable decision reconstruction
  • Authority and approval integrity

Out of scope

  • Solving all endpoint security for downstream tools
  • Replacing enterprise IAM systems
  • Guaranteeing model correctness or truth
  • Preventing all social engineering (only reducing blast radius)

Layer-7 is not a substitute for security. It is the governance enforcement layer that security can rely on.