The Attack You Can't See Is Spread Across Everything You Can
The previous article in this series closed on an uncomfortable scenario: an adversary nudging a corrigibility score down a few points per run on one set of agents, relaxing governance profiles on another, spiking resource consumption on a third — every individual signal just inside its threshold, every individual agent looking healthy, and the combined pattern unmistakable to anyone who could see it whole. No single agent's investigation would catch it. The question that scenario leaves behind is the subject of this article: who sees it whole?
Because that scenario is not an edge case. It is the general condition of risk in an enterprise running AI at scale. The dangerous patterns do not live inside one signal stream; they live across streams. A sophisticated adversary has every incentive to keep each individual signal unremarkable: small enough to pass thresholds, slow enough to blend into noise, distributed enough that no single monitor ever holds two pieces of the picture at once. Attack strategies are built this way deliberately, because attackers know exactly what defenders watch: streams, one at a time.
Most enterprise monitoring is stream-shaped. One system watches agent health. Another watches access patterns. Another watches resource consumption. Another watches configuration changes. Each does its job, but this creates a blindspot in the space between them, where a coherent attack distributes itself precisely so that no single watcher ever sees enough to alarm. In most architectures, that space belongs to no one.
In Loriqa, it belongs to the Pattern Detection Authority. Watching it is the job the PDA exists to do.
Why the Industry Cannot See It: Rules Only Match What You Predicted
The tooling category built for cross-stream detection is called complex event processing. These engines watch multiple event streams, apply pattern rules with time windows and sequencing, and fire when a rule matches. They are mature, fast, and widely deployed, and they share one structural limitation that defines the boundary of what they can do: they match predefined patterns. A rule engine can only catch the attack someone already imagined, wrote down, and encoded before it happened.
That limitation is not a product gap awaiting a better release. It is the nature of rules. A rule is a prediction, and a detection system built entirely from rules is a catalog of yesterday's predictions. The pattern nobody anticipated is invisible to it by construction, and the adversary's entire craft is producing the pattern nobody anticipated. Novelty is not an edge case in this domain; it is the primary threat model.
The Pattern Detection Authority is built for that threat model by layering detection strategies rather than betting on one. Deterministic methods form the base: statistical anomaly detection, time-series trend analysis, and sequence detection, each fast, reproducible, and defensible, catching the deviations that need no interpretation. Semantic reasoning operates above that base, examining what the deterministic layers surface and asking the question no rule can encode: do these observations, taken together, mean something? This is the layer that recognizes the pattern no one predicted, because it does not depend on the pattern having been predicted.
The layering also serves the property this series keeps returning to. Deterministic detection produces reproducible facts, and semantic reasoning produces judgment about those facts. The architecture keeps the two distinct: what was observed is never entangled with what an analytical component concluded about it. Detection is not capped by the imagination of whoever wrote the rules, and the evidence underneath every detection remains a fact any party can verify.
The Architecture: Many Watchers, One Correlator, No Back Channels
The Pattern Detection Authority is not a single monitor scaled up. It is a coordinated structure of specialized sub-agents, each watching one signal stream, with a supervising correlation layer above them that sees what no individual watcher can.
Each sub-agent is assigned a specific stream and carries its own detection strategy suited to that stream: statistical methods where the signal is numeric, sequence detection where order matters, trend analysis where the threat is gradual. Each also operates under its own governance profile. A watcher assigned to sensitive signals runs under stricter governance than one watching routine telemetry. Each is individually auditable through the same chain as everything else on the platform, and each can be suspended, reconfigured, or replaced without disturbing the others.
The sub-agents never communicate with each other. There are no peer-to-peer channels between watchers, by architectural prohibition rather than by convention. Every observation flows upward through a governed channel to the supervising correlation layer, and cross-stream awareness exists only there. This is the same principle that governs agent-to-agent communication across the platform: no back channels, no unmediated handoffs, no path by which one compromised component can quietly influence another.
The structural consequence deserves emphasis, because it is the answer to a question every oversight architecture should be forced to answer. The watchers are built from the same zero-trust material as everything they watch. Nothing about being part of the oversight machinery exempts a sub-agent from governance: it is scoped, monitored, auditable, and replaceable, exactly as the agents it observes are. Oversight in this architecture is not a trusted layer sitting above the system. It is a governed part of the system, and it earns its standing the same way everything else does, continuously.
Correlation: Where the Intelligence Emerges
A single anomaly is noise. Agents deviate for mundane reasons constantly: workloads shift, data changes, usage patterns evolve. A monitoring posture that alarms on every isolated deviation trains its operators to ignore alarms, which is its own failure mode. The signal that matters is almost never one observation. It is the relationship between observations.
Consider the scenario this article opened with. A slow decline in corrigibility scores on one group of agents is, by itself, ambiguous. A relaxation of governance profiles elsewhere is, by itself, explainable. A rise in resource consumption on a third set of systems is, by itself, unremarkable. Any one of these could be a Tuesday. All three, unfolding in the same window, aligned in their timing and consistent in their direction, are not a Tuesday. They are the visible fragments of a single coherent strategy, and the only way to see the strategy is to hold all the fragments at once.
That is the correlation layer's job. It receives the observations every watcher surfaces and examines them together, across streams and across time, through multiple correlation strategies running in parallel: temporal co-occurrence for patterns that cluster in time, statistical causality for patterns where one stream drives another, semantic reasoning for patterns whose connection is meaningful rather than numeric. Distinct strategies catch distinct shapes of attack, and no single strategy is a dependency.
The correlation layer's second responsibility is the one that makes the first one useful: distinguishing a coherent attack narrative from coincidental independent anomalies. Enterprise environments produce coincidences continuously, and a correlator that cannot tell the difference produces alarms nobody trusts. The layer weighs whether the observations reinforce each other, whether their timing is consistent with a common cause, and whether the combination forms a strategy or merely a busy afternoon. When the alarm fires, it fires because the pattern held up under that scrutiny.
The result is detection with meaning. Not a feed of deviations for humans to triage, but an assembled finding: these observations, from these streams, over this window, constitute this pattern, with this confidence, supported by this evidence. Every element of that finding traces back through the chain to the raw observations underneath it, and every step of the assembly is auditable.
From Detection to Response, Governed the Whole Way
Detection that ends at detection is a dashboard. The measure of an oversight architecture is what happens in the moments after a pattern is confirmed, and in Loriqa that path is governed at every step.
A confirmed pattern does not act on its own. Every response to a detected pattern passes through a governance gate before it executes, evaluated against the severity of the finding and the authority of the action. Routine findings surface to operators through standard channels. High-severity correlations escalate to a human with the assembled evidence and recommended actions. Critical findings, where a coordinated attack pattern is detected with high confidence, can trigger containment through the platform's security response machinery directly, because some windows are too short for a meeting. That containment is surgical rather than an amputation. Working through the platform's environment and endpoint protection layers, the response can isolate the specific traffic, endpoint, or interaction implicated by the finding while authorized operations continue undisturbed. A response that must take down production to stop a threat will hesitate exactly when hesitation is most expensive; a response that can cut one thread does not.
The pipeline records itself as it runs. The raw observations, the correlation that assembled them, the governance decision on the response, and the response itself all land in the same append-only chain as everything else on the platform. Nothing about the oversight machinery is exempt from the record: the detection is in the chain, the decision is in the chain, and the action is in the chain, each entry preceding the act it describes.
For a regulator, that closes the loop this series has been building toward. The question after an incident is never just "did you detect it." It is "what did you do about it, when, and on whose authority." In most architectures the answer is assembled from fragments and offered as an account. Here the answer is replayed: this pattern was detected at this moment, this governance decision was made, this response was executed, and every step is verifiable against the chain rather than taken on faith. Detection, decision, and response are one continuous line of evidence, and the line is fact.
We Run It on Ourselves: The Governor Is Governed
Every oversight architecture eventually faces the same question, and most fail it quietly: who watches the watchers? The common answer is nobody. Oversight layers are typically granted a kind of architectural immunity, trusted by virtue of their position in the hierarchy. The industry builds machinery to monitor its agents and then assumes the machinery itself is clean. That assumption is the exact mistake the whole system was built to avoid, repeated one level higher, where it is hardest to see and most expensive to be wrong about.
Loriqa does not make that assumption at any level. The Pattern Detection Authority's first customer is the platform itself.
An internal deployment of the PDA runs continuously against Loriqa's own oversight infrastructure, watching for the adversary whose target is not an agent but the governance around the agents. Its watchers are aimed at the platform's most sensitive surfaces. One watches for slow degradation in the quality of governance decisions, the kind of drift an attacker induces deliberately because it stays beneath every per-event threshold. Another watches the governance controls themselves, for creeping profile relaxations, rising override usage, and coordinated weakening across configurations that individually look like routine administration. A third watches the oversight authorities as a group, for coordination anomalies where each authority is individually healthy but their collective outputs have stopped agreeing. A fourth watches the platform's resources, for manipulation of budgets, execution channels, and agent spawning patterns that would starve or subvert the monitoring itself.
These four missions share a target profile: the attack on the governor rather than the governed. An adversary who cannot beat a governed agent will try to bend the governance, slowly, quietly, and from several directions at once. The internal deployment exists because that adversary is the most dangerous one the platform will ever face, and because the correlation layer is what catches the campaign: governance decision quality drifting on one surface while profiles relax on another and monitoring budgets drain on a third is precisely the cross-stream pattern no single check would assemble.
This closes the loop this series opened. Corrigibility measurement treats no agent as trusted. Pattern detection treats no stream as complete. The internal deployment treats no overseer as exempt. The oversight machinery is watched with the same machinery, governed by the same gates, and recorded in the same chain as everything it oversees. Trust is not conferred anywhere in this architecture by position or by role; it is earned continuously, by evidence, at every level, including the top.
There is also a simpler way to say all of this. We run it on ourselves first. A governance platform that will not aim its own instruments at its own infrastructure is asking customers to accept a trust it declined to test. We proved it.
Planting the Flag: Closing the Space Where Adversaries Hide
Every adversarial strategy against a governed platform needs somewhere to hide. This series has now walked through the architecture that takes those hiding places away, one by one.
The previous article established per-agent measurement. The Corrigibility Index Score computes, on every run, whether each agent remains controllable, and its append-only trajectory catches what a single evaluation never could: the agent degrading slowly across its operational life. An adversary cannot hide inside one agent's history, because that history is continuously scored and immutably recorded.
This article established cross-stream correlation. The Pattern Detection Authority watches the spaces between the streams, where an attack distributes itself so that no individual signal ever alarms. An adversary cannot hide between the agents, because the correlation layer holds all the fragments at once and assembles the pattern they form.
Together, the two close the space from both ends. A move large enough to matter inside one stream is caught by the stream's own measurement. A campaign spread thin across many streams is caught by the correlator. Too fast is caught in the run. Too slow is caught in the trajectory. Too concentrated is caught by the watcher. Too distributed is caught by the correlation. The adversary's remaining option is an attack too small, too slow, and too scattered to accomplish anything, which is another way of saying the architecture has done its job.
One capability in this defense remains undescribed. Detection and correlation tell the platform that an adversary is present and what the campaign looks like. They do not, by themselves, answer the question a security team asks next: who is this, what are they after, and what do they try when their first approach fails? Answering that requires a different kind of instrument, one built not to block the adversary but to study them. That instrument is called Umbra, and it is the subject of the next article.