Reference Architecture
A role-specific AI agent model must be architecture-first. Agents are execution components, not policy owners. Policies, boundaries, and decision rights remain human-owned.
Required Architecture Layers
| Layer | Purpose | Owner |
|---|---|---|
| Intent Layer | Captures business intent, scope, and risk tier | Product Manager + Solution Architect |
| Orchestration Layer | Routes work between role-specific agents and human checkpoints | Platform Engineer |
| Execution Layer | Runs role-specific agents within constrained scopes | Role owners |
| Governance Layer | Enforces policy, approvals, and risk controls | Governance Lead + Security |
| Evidence Layer | Stores traceability artifacts, approvals, and audit records | Compliance Officer |
Role-Agent Topology
Each role SHOULD have one primary agent profile with a narrow charter:
- developer-agent: implementation and unit-test drafting
- qa-agent: risk-based test matrix and regression proposals
- security-agent: secure-code findings and remediation checks
- platform-agent: pipeline and gate policy updates
- product-agent: story hardening and acceptance criteria quality
- scrum-agent: sprint risk and capacity recalibration
- dev-manager-agent: quality and enablement oversight synthesis
- cto-agent: architecture and tooling strategy options
- executive-agent: board-level risk and ROI synthesis
- compliance-agent: audit evidence completeness checks
- solution-architect-agent: cross-agent architecture conformance and handoff integrity
Non-Negotiable Constraints
- Agents MUST NOT merge code directly into protected branches.
- Agents MUST execute with least privilege and scoped credentials.
- Agents MUST attach prompt and output references to each handoff.
- Agents MUST route through Governance Gate before production.
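The four constraints above written as a check the Orchestration Layer could run on every handoff. This is an added example, not part of the original standard: the record fields, scope strings, and protected-branch names are assumptions, and only the agent names come from the page.

```python
from dataclasses import dataclass

PROTECTED_BRANCHES = {"main", "release"}  # assumed branch names
# Assumed least-privilege allowlist per agent; scope strings are hypothetical.
ALLOWED_SCOPES = {
    "developer-agent": {"repo:read", "branch:write"},
    "security-agent": {"repo:read", "findings:write"},
    "platform-agent": {"pipeline:write"},
}

@dataclass
class Handoff:  # hypothetical handoff record passed between agents
    agent: str
    action: str            # e.g. "open_pr", "merge", "deploy"
    target: str            # branch name or environment
    scopes: set            # scopes carried by the agent's credential
    prompt_ref: str = ""   # pointer into the Evidence Layer
    output_ref: str = ""
    gate_approval: str = ""  # id of the human approval from the Governance Gate

def violations(h):
    """Return the list of constraints this handoff breaks (empty list = allowed)."""
    out = []
    if h.action == "merge" and h.target in PROTECTED_BRANCHES:
        out.append("direct-merge-to-protected-branch")
    allowed = ALLOWED_SCOPES.get(h.agent)
    if allowed is None:
        out.append("unknown-agent")  # fail closed: no charter, no execution
    elif not h.scopes <= allowed:
        extra = ",".join(sorted(h.scopes - allowed))
        out.append("scope-exceeds-charter:" + extra)
    if not h.prompt_ref or not h.output_ref:
        out.append("missing-prompt-or-output-ref")
    if h.action == "deploy" and h.target == "production" and not h.gate_approval:
        out.append("no-governance-gate-approval")
    return out

# Constructed sample handoffs, not real records.
SAMPLES = [
    Handoff("developer-agent", "open_pr", "feature/x",
            {"repo:read", "branch:write"}, "prompt/1", "output/1"),
    Handoff("developer-agent", "merge", "main",
            {"repo:read", "repo:admin"}, "", "output/2"),
    Handoff("platform-agent", "deploy", "production",
            {"pipeline:write"}, "prompt/3", "output/3"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.agent, s.action, s.target, violations(s) or "ok")
```
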
Architecture Review Cadence
| Review | Frequency | Participants |
|---|---|---|
| Agent contract review | Bi-weekly | Solution Architect, Platform, Security |
| Pattern drift review | Monthly | Solution Architect, CTO, Tech Leads |
| Governance evidence review | Monthly | Compliance, Security, Platform |
| Executive risk review | Quarterly | Executive, CTO, Compliance |
For governance controls, use PRD-STD-009.