§52 · Lane 8 — Agent Infrastructure Standards & Toolchain
Filho (2026) — ESAA-Security
Filho (2026) · arXiv 2603.06365
Bibliographic data
- Title: Filho (2026) — ESAA-Security: An Event-Sourced, Verifiable Architecture for Agent-Assisted Security Audits of AI-Generated Code
- Authors / Issuing body: Elzo Brito dos Santos Filho
- Venue / Publisher: arXiv (preprint; not peer reviewed)
- Year: 2026
- Designation: Preprint
- Licence: arXiv DOI — refer to publisher for full licence terms.
- Canonical link: https://doi.org/10.48550/arXiv.2603.06365
How to cite
Filho (2026). ESAA-Security: An Event-Sourced, Verifiable Architecture for Agent-Assisted Security Audits of AI-Generated Code. arXiv (preprint; not peer reviewed). https://doi.org/10.48550/arXiv.2603.06365.
Domain-specific specialisation of the ESAA event-sourcing architecture (§51) for agent-assisted security auditing of AI-generated code: a governed pipeline of reconnaissance, domain audit, risk classification and reporting (26 tasks, 16 security domains, 95 executable checks) producing an audit report that is auditable by construction.
Why it matters for NETEVO
ESAA-Security is the strongest single academic anchor for NETEVO's forthcoming whitepaper on surviving an AI-washing audit. The paper structures security review as an evidence-oriented audit process governed by contracts and append-only events rather than a free-form LLM conversation: agents emit structured intentions under constrained protocols, the orchestrator validates and persists accepted outputs to an append-only log, reprojects derived views, and verifies consistency through replay and hashing.
The phrase "auditable by construction" is the academic mirror of NETEVO's engineered-evidence position: ESAA-Security supplies the academic reference of record for the position that paper governance is insufficient and that engineered governance is what survives an audit. The P1 thesis (PDFs do not enforce; code does; audit findings must rest on evidence that is reproducible by inspection) maps directly onto the ESAA-Security pipeline.
ESAA-Security is a same-author specialisation of ESAA; cite the pair when the audit application is in scope. ESAA-Security also pairs with Raji's SMACTR and Mökander's three-layered audit in the international academic audit lineage: Raji specifies the internal audit procedure, Mökander specifies the audit architecture, and ESAA-Security specifies the engineering architecture that produces an auditable artefact in the first place.
Where NETEVO applies this
- Agent Infrastructure Whitepaper — load-bearing — Dimension 3 audit application of the deterministic-orchestration pattern