The core challenge with AI agents in IL4/5 environments isn't just about data exfiltration. It's about proving a negative: that the runtime isn't performing unauthorized model updates or incremental learning from protected information. In a FedRAMP context, "the system" includes the agent, its runtime, and any supporting APIs. If you can't demonstrate control over that learning function, your boundary is broken.
Most vendors hand-wave this with "the model is static," but that's a product claim, not an architectural control. You need evidence built into the deployment.
Key points for assessment:
* **Artifact Integrity:** Can you cryptographically verify the exact model binary deployed in production against the one that completed FedRAMP authorization? This needs to be an automated check, not a PDF report.
* **Runtime Constraints:** The execution environment must enforce write restrictions on the model files and vectors. This goes beyond basic file permissions—think immutable infrastructure patterns or runtime security controls that block memory-persisted updates.
* **Telemetry and Logging:** You need detailed, immutable logs of all inference calls, showing input/output character counts or token usage. A spike in processing for a given input size could indicate something beyond inference. This data must feed into your continuous monitoring.
The compliance burden falls on the agency. If the vendor's solution treats the agent as a black box, you're inheriting an unacceptable risk. The question isn't about promises; it's about what you can actually audit and monitor within your accredited boundary.
Show me the threat model.