· Reference Architecture ·
Enterprise AI deployment.
Multi-tenant. Multi-agent. Policy-controlled.
// THE PROBLEM
Stateless agents.
Every session starts from zero. Users re-explain context. Token costs spiral. The agent never gets smarter at its job.
Security veto.
Private data access plus untrusted content plus external API calls plus persistent memory equals the exact attack surface security teams are now blocking.
Vendor lock-in.
The wrong agent runtime, memory layer, or model provider today is the migration tax tomorrow. Architecture decisions compound.
// THE STACK
Every action crosses four security perimeters before it touches your network.
Private Network / VNet
Private endpoints at every boundary
Agent Runtime
L0
Brain
L1
Hands
L2
Heart
L3
Session
L4
Badge
L5
Mouth
L6
Library
L7
Manager
L8
Receipt
Private endpoints: model APIs, storage, secrets, databases, search, queues, telemetry.
// SPECIALIST ROLES
| Layer | Body Part | What It Does | Why It Matters |
|---|---|---|---|
| L0 | Brain | Reasoning and inference. Routes by data sensitivity. | The decision-maker. |
| L1 | Hands | Tool use, MCP servers, external APIs, functions. | Where the agent does things. |
| L2 | Heart | Agent loop. ReAct cycles, planning, tool selection. | The pulse. |
| L3 | Session | Short-term context, working memory. | The current conversation. |
| L4 | Badge | Agent identity, RBAC, scopes, capability policies. | The agent ID card. |
| L5 | Mouth | User-facing surfaces. Trust-boundary aware sessions. | How the agent talks to humans. |
| L6 | Library | Long-term memory with entity resolution. | Knowledge that compounds. |
| L7 | Manager | Multi-agent orchestration, queues, scheduled jobs. | The conductor. |
| L8 | Receipt | Per-agent observability and audit trail. | Every decision logged. |
// COMPONENT CHOICES
Each layer has multiple proven options.
Agent Runtime layer
- Vendor A: Letta
- Vendor B: OpenClaw
- TAG AI: JARVIS, 21 named agents
Specialist agents work as a coordinated team.
Sandbox and Policy layer
- Vendor A: NeMo Guardrails
- Vendor B: Custom hardening
- TAG AI: NemoClaw + OpenShell
Compromised prompts cannot escape the sandbox.
Memory Engine layer
- Vendor A: Mem0
- Vendor B: Supermemory
- TAG AI: Hindsight + Pinecone + Supabase
30-40% lower token costs.
Observability layer
- Vendor A: LangSmith
- Vendor B: Helicone
- TAG AI: Langfuse + Sentry
Every trace is replayable.
Model and Infrastructure layer
- Frontier: Claude, GPT, Gemini
- Local: Nemotron, Ollama
- TAG AI: Hybrid sensitivity routing
Sensitive data never leaves your network.
// HOW IT FLOWS
For your security review.
| 01 | User sends message | Mouth, L5 | Auth event |
| 02 | Identity validated | Badge, L4 | RBAC decision logged |
| 03 | Sandbox enforced | OpenShell | Network policy check |
| 04 | Context retrieved | Library, L6 | Query trace logged |
| 05 | Sensitivity classified | Brain, L0 | Model routing logged |
| 06 | Agent reasons and acts | Heart + Hands | ReAct trace captured |
| 07 | Response generated | Receipt, L8 | Full prompt logged |
| 08 | Memory updated | Library, L6 | Memory write logged |
// DEFENSIBILITY
Compliance
Every action crosses four trust boundaries. Every decision lands in your SIEM.
No lock-in
Every layer is swappable. The body metaphor is the abstraction that lets each part evolve.
Production tested
We run this on our own business: E-Rate, real estate, sales pipelines.
Architecture reviewed. Stack validated. Ship it.
Operator grade architecture. Production ready in weeks, not quarters.
Book an architecture review