Alberta built a factory that manufactures government software with agents. That factory stands on infrastructure: token production, trust, identity, oversight. The Velocity papers state those requirements in public. This document answers each one with what Cisco runs today, what is free to take, and what remains open.
Paper 11 of the Velocity White Papers closes with a request: Alberta is engaging industry on the security apparatus around agents, on agentic identity management, and on observing agent activity across the network. The papers around it add more: sovereign compute is being pursued, token ceilings of 25 to 50 million per minute will soon be exceeded, Red Hat OpenShift is under evaluation for the Ministry's own hardware, harnesses need auditing before use, claw agents arrive within a year, and oversight must move from the individual agent to the level of the system. This document registers those requirements, eleven in total, and answers each with the Cisco Secure AI Factory with NVIDIA, AI Defense and its open-source scanner family, Duo Agentic Identity, Splunk Agent Observability, and Cloud Control. The mapping is honest about status: most of it ships today, some of it is free, and the gaps are named. Appendix A turns the four decisions this raises into a half-day working session.
Alberta's papers name four infrastructure gaps in public: agent security, agent identity, agent observability, and sovereign compute. Cisco ships against all four today.
Of eleven registered requirements, seven are answered by products running now, two by open-source tools free to adopt before any contract, one by a platform already included in Cisco subscriptions Alberta holds, and the last by the partnership vehicle itself. The trust plane installs inline at Bifrost and the harness, so nothing about how Nexus works changes.
A first sovereign POD fits the existing data centres at 14 to 60 kW a rack and reaches validated deployment in weeks. Four decisions still need Alberta's data in the room; Appendix A closes them in one morning.
Everything below comes from the published papers. Where a requirement is implicit, the register says so. Each requirement appears in exactly one domain, and the five domains cover the full set: where agents run, what they may do, who they are, how they are watched, and how the estate is operated and the partnership run.
| ID | Requirement | Source | Domain |
|---|---|---|---|
| R1 | Sovereign compute for the most sensitive work; exclusive GoA control of health and security data | №11 §03 | A · Compute |
| R2 | Token throughput past the 25–50M/minute ceilings, diversified and load-balanced | №11 §06 | A · Compute |
| R3 | A supported platform for the Ministry's own hardware and data-centre capacity (OpenShift under evaluation) | №11 §02 | A · Compute |
| R4 | Audit of the agent supply chain: skill files, MCP servers, and open-source components before use | №11 §05 · №07 | B · Security |
| R5 | Defense beyond the model's own 95–98% injection resistance | №11 §04 | B · Security |
| R6 | Governance for self-directed claw agents (OpenClaw / Hermes), 6–12 months out | №09 §06 | B · Security |
| R7 | Cyber response at the attacker's new speed: exploits weaponized in hours, supply chain the primary target | №02 | B · Security |
| R8 | Agentic identity management: agents act in their own name, task-based and time-boxed | №11 §05 · №09 §03 | C · Identity |
| R9 | Observing agent activity across the network, with oversight at the level of the system | №11 §05 · №15 | D · Observability |
| R10 | Operating the rebuilt estate: every agent action observable and accountable to a named person | №05 §05 (implicit) | E · Operations |
| R11 | A partner model: strong companies tested against government workloads, through the Sovereign Compute process and RFPs | №11 §05 | E · Operations |
Paper numbers follow the homepage index at thevelocitywhitepapers.com. The papers are MIT-licensed; quotations and paraphrases are cited in place.
The papers describe what Alberta builds. This response is about the two layers underneath: the trust plane that watches and constrains the agents, and the plant floor that produces their tokens. Alberta has built pieces of both inside Nexus. The question the register poses is which pieces should stay bespoke and which should run on supported infrastructure.
This is Alberta's agent pipeline as papers 09 and 11 describe it: a Builder delegates to agents, agents mount skills and MCP servers from the harness, prompts route through Bifrost to models, tool calls route through Ent Tools, and finished work lands in the estate. In the first view, the red markers are the six open findings from the register, sitting exactly where they occur in the flow, and the red dot is a poisoned component travelling all the way to production. Switch to the second view: the pipeline is identical, the controls appear inline at those same points, every finding flips to closed, and the red dot now dies at the scanner. Nothing about how Alberta works changes. What changes is what survives the trip.
The register runs eleven requirements and the answers run to a dozen product names, so here is the whole Cisco side reduced to five things, each holding one domain. Everything after this section is detail on these five.
| Name | What it is | Holds |
|---|---|---|
| Secure AI Factory with NVIDIA | The plant floor: validated designs combining compute, AI networking, and partner storage, from a 32-GPU unit to sovereign-cloud scale, in Alberta's own facilities or anyone's | Domain A |
| AI Defense | The trust plane for models and agents: validate a model, generate its guardrails, enforce them inline, scan everything an agent mounts. Its scanner family is open source | Domain B |
| Duo Agentic Identity | Identity for a workforce that is not human: discovery, lifecycle, least-privilege access sized to the task | Domain C |
| Splunk | The system-level view, with AI Agent Monitoring scoring agent behaviour inside it: traces, tokens, risk, and containment in one plane | Domain D |
| Cloud Control | The operations platform for the agentic era, where operators and agents resolve issues together. Included with existing subscriptions | Domain E |
One survey number frames why this matters now. In Cisco's January 2026 survey of security and IT executives, 55 percent had agentic AI in pilot or production, 59 percent named security as the biggest barrier, and 4 percent were confident about full-scale deployment. Alberta is already past the 55 percent. The register is the path into the 4 percent.
Paper 11 says three things this domain must answer. The enterprise token ceilings of 25 to 50 million tokens per minute will likely be exceeded soon. A sovereign compute prequalification is in market, with exclusive GoA control of health and security data as a non-negotiable position. And Red Hat OpenShift is under evaluation for the Ministry's own hardware. Cisco's answer is the Secure AI Factory with NVIDIA: the same reference design at any scale, with the sovereignty question answered by geography instead of compromise.


Cisco Services runs the deployment on two named metrics. Time to first intelligence (TTFI) covers plan, design, implement, validate, knowledge transfer, optimize, and scale-out, with up to a 75 percent reduction in deployment time, three to four weeks in practice. Cost to true scale (CTTS) makes the expansion curve predictable. The reference cases: a 1,000+ GPU cluster validated in under a week, and a global travel platform that hit cost break-even after ten training runs.
| Architecture | Scale | Switching silicon | Status |
|---|---|---|---|
| Cisco ERA NVIDIA Enterprise RA compliant | Under 1,024 GPUs; enterprises | Cisco Silicon One (N9300), Spectrum-X license optional | Shipping |
| Cisco CRA NVIDIA Cloud Partner RA compliant | ~1,000 to 32,000 GPUs; neoclouds and sovereign clouds | Cisco Silicon One + Spectrum-X, or N9100 with NVIDIA Spectrum silicon | Shipping / orderable |
Cisco internal technical documentation names sovereign clouds as a segment the CRA is built for. Alberta would enter at ERA scale with a CRA-compatible design, so the ceiling is 32,000 GPUs away.
The smallest building block of the factory, sized against models Alberta already tests. Pick the GPU; figures are tokens per second and concurrent users for one 32-GPU unit.
| Model | Standard precision | Reduced precision (FP4) |
|---|
Estimates from Cisco internal technical documentation; production varies with implementation. Public benchmarks: mlcommons.org.
| Form factor | GPUs supported | Built for |
|---|---|---|
| Dense HGX servers | B300 NVL8, H200, H100 | Model training, heavy inference; data-centre core |
| MGX servers | RTX Pro 6000/4500, H200, H100, L40S | Optimization and inference |
| Modular and rack servers | RTX Pro 6000/4500, H200, H100, A16, L40S, L4 | Mixed enterprise workloads |
| Cisco Unified Edge | RTX Pro 6000/4500, L40S, L4 | Inference at regional sites, no data-centre latency |
One Intersight fleet manages all of it, one support contract stands behind the whole stack, and the network underneath carries outcomes Cisco documents by name: AI fabric templates and congestion scoring in Nexus Dashboard, intelligent packet flow with advanced load balancing, and lossless RoCEv2 from 10G to 800G. Ministry sites outside Edmonton get the same architecture at edge scale, which is how 27 ministries stay one estate.
Paper 11 puts the number on the problem: the best models resist prompt injection 95 to 98 percent of the time, and no model is immune. Paper 07 adds that skill files are software and can carry an attack. Paper 02 reports exploits weaponized in hours. Nexus already re-delegates agent access every few hours so that no grant is permanent. This domain covers the remaining distance: inline enforcement on every prompt and response, scanning of the components agents mount, and governance ready before the claws arrive.



Validation produces reports mapped to OWASP, NIST, and MITRE, then generates guardrails aimed at the specific weaknesses it found in the specific model under test. The guardrails run bi-directionally at runtime, and the same policy applies whether the model sits in Bedrock or on Alberta's own GPUs, because enforcement is hybrid: control and management stay in Security Cloud Control while runtime traffic never leaves the premises. Where NVIDIA NeMo Guardrails already run, AI Defense supplies the input and output rails through API disposition and shares one policy across both. One boundary belongs in the proof of value rather than in prose: runtime payloads stay on premises, while policies, events, and reports flow to the Security Cloud Control plane, and whether that management envelope meets Protected B handling, and what a fully offline Protected C posture looks like, are questions the PoV answers with evidence.
Validation is only credible if the results are published, so they are. The AI Defense leaderboard ranks frontier and open models against the same red-teaming suite this document proposes running against Alberta's fleet. The models in Alberta's stack are on it.
leaderboard.aidefense.cisco.com The AI Defense model security leaderboard → Frontier and open models, ranked against the same validation suite this document proposes. Opens in a new view; the site does not permit embedding, which is the right default for a security product.| AI Defense POD | Hardware | GPUs | Sustains |
|---|---|---|---|
| Small | 2 × UCS C845A | 4 × L40S each | 100 req/s · 20 applications |
| Medium | 2 × UCS C845A | 8 × L40S each | 200 req/s · 40 applications |
| Large | 3 × UCS C845A | 8 × L40S each | 300 req/s · 60 applications |
The Large configuration covers one rationalized ministry (16 modules) three times over. Source: Cisco internal technical documentation and the Design Zone reference architecture.
Paper 05 rests Government 3.0 on one premise: business rules written once, drawn straight from legislation and policy, so that when the law changes, every interaction follows the new rule the same day. Policy Studio is that premise applied to guardrails. A policy owner, a compliance officer rather than an engineer, works through a chat-and-review session: the assistant drafts a human-readable policy document, tests it against real conversations, and surfaces the judgment calls as questions. Textual insights flag gaps in the draft ("does hypothetical phrasing count as advice?"); behavioural insights show patterns from production data, thirty-one cases at a time, answerable with one decision. Ten distinct judgments cost about ten answers, whether the corpus is seventy conversations or seventy thousand.
The result is one artifact doing three jobs: compliance reads it, auditors read it, and the runtime classifier reads it to decide every request. The published research behind it shows a reasonably sized open-source model interprets such a policy almost as accurately as a frontier model, so the rule Alberta's policy owner writes can run on Alberta's own hardware, no hosted API in the loop. For a government whose regulatory content is already codified law, this is the shortest path from statute to enforcement anyone has shipped. It is also a working answer to the genie problem: the constitutions behind it run three hundred lines per technique, precise enough that different frontier models return the same decision on the same input, which is what taking the latitude out of language looks like in practice.

Paper 09's sandbox is Nexus policy; Isovalent enforces the same intent one layer down, in the kernel, where an agent cannot argue with it. Each example below is a working policy from the Cisco reference materials. This is what "the floor is load-bearing" means in practice, and it is the enforcement layer waiting for the claw phase.
kind: CiliumNetworkPolicy
metadata: { name: "agent-rule" }
spec:
endpointSelector: { matchLabels: { role: agent } }
ingress:
- fromEndpoints:
- matchLabels: { role: frontend } # allow, everything else dropsegress:
- toFQDNs:
- matchName: "*.aidefense.security.cisco.com"
toPorts: [ { ports: [ { port: "443", protocol: TCP } ] } ]kind: SandboxPolicyNamespaced
spec:
syscalls:
- list: [ sys_ptrace, sys_execve, sys_chmod, sys_mount ]
actions: [ Post, Block ] # log it, then refuse itkind: TracingPolicy spec: file_paths: [ "/models/llama.safetensors" ] matchOperations: [ FILE_WRITE, FILE_DELETE ]
Alberta published its work under MIT and asked industry to answer in kind. Every scanner and governance tool named in this domain is public, and adopting any of them requires nothing from Cisco.
The Secure AI Factory materials close with a secured document-processing assistant: OCR extraction, embedding, a vector database, retrieval, and an LLM, each stage carrying its control. Validation red-teams the model and informs the policy; guardrails police query and response; the runtime agent blocks a sys_mount from inside the embedding pod; the container network polices inter-service traffic at layer 7; confidential computing encrypts execution; the perimeter brokers access. Swap the sample documents for paper 11's fourteen million historical records and this is the 250-agent job, secured end to end with parts that exist.
Nexus already treats permanence as the enemy: access is re-delegated every few hours, so nothing an agent holds lasts. Paper 11 names the next step, agentic identity management, as something Alberta is taking to industry. Duo Agentic Identity is Cisco's answer, and it works the way Nexus already thinks. Every non-human identity is discovered, including the ones nobody registered. Authorization is task-based and time-boxed: an agent gets what this job needs, for as long as this job runs. And the agent acts in its own name, so the audit trail reads "the remediation agent did this at 03:00," with a named human accountable behind it, which is the exact condition paper 05 sets for Government 3.0. Because it lives inside Duo alongside Identity Intelligence, the human and non-human sides of the ledger share one lifecycle: agents are onboarded, enabled, and offboarded with named human oversight, the same way staff are.
Paper 15 argues that human oversight must move from the individual agent to the level of the system, because no reviewer can read the token streams of a thousand workers. Nexus solved the technical half: administrators can audit every agent on every machine, and Alberta built agents to audit the agents. The open question is the layer above, where activity from hundreds of environments becomes risk scores, patterns, and automatic containment, visible to people who never open a terminal.





Government 3.0 ends with agents operating the estate, every action observable and accountable to a named person (paper 05). Cisco runs its own version of that model today: Cloud Control is the unified operations platform for the agentic era, one login, one inventory, one live topology, with three agentic surfaces on top. AI Canvas is a multiplayer workspace where operators and agents resolve issues together, governed by organizational policy with auditability at each step. AI Assistant answers in plain language across domains. Cloud Control Studio connects third-party tools and builds custom agents grounded in the organization's own context, which is where Nexus, Ent Tools, and the Velocity game engine would plug in. Cloud Control and AI Canvas are included with existing Cisco subscriptions at no additional cost, which matters for a ministry at 1.4 percent IT spend.
The operational claims are specific, and each one lands on a sentence in the papers. A cross-domain fault, one user's device through access point, controller, and firewall to a VPN tunnel missing a route, resolves from a single natural-language question to a one-click remediation in minutes, and the whole sequence can be handed to an agent as trust accrues. That is paper 15's oversight gradient, moving from approval to delegation, implemented in a product. Security policy is written in natural language and enforced as mesh policy across every control point, which is paper 05's rules-as-code principle applied to infrastructure. Agent-level spend is a first-class metric: an agent that has quietly consumed $24,000 in tokens is a line on a screen with its full activity trace one click away, which is the runaway-token control paper 11 builds budgets for. Underneath sit purpose-built models for network, security, and time-series data rather than one general model for everything, the same purpose-built-over-frontier pattern Alberta applies to its own stack. Cloud Control is generally available in the United States, 52 partners publish into its marketplace, and Cloud Control Studio embeds Codex so a custom application or agent, the kind Alberta's Builders produce in Nexus, takes a prompt and minutes.


On the partnership itself, paper 11 commits Alberta to inviting strong companies to test tools against government workloads through the Sovereign Compute process and forthcoming requests for proposals. Cisco's position: the proof-of-value components ride whichever vehicle the Ministry prefers, the R&D relationship with Amii and the University of Alberta continues on its own track, and anything Cisco cannot cover gets named in the room so the Ministry can source it elsewhere. The scorecard below has open cells on purpose.
| Track | What it covers | Cadence |
|---|---|---|
| PoV | The Decision 2 scope, run against a live workstream | Four-week checkpoints |
| Sizing | The Decision 1 landing zone, priced as configurations per approach | One workshop, then a written design |
| Telemetry | The Decision 3 attach point, built with the Nexus team | Integration sessions as needed |
| R&D | Amii, U of A, and Cisco joint work, including RL on Cisco hardware | Quarterly, own governance |
| Community | What Alberta publishes, Cisco engineers respond to in the open, MCP Scanner and AGNTCY included | Continuous |
The Velocity papers earn their claims with receipts: 600 applications in three months, five months to four days, 185 into 16. The same standard applies in reverse. These figures are from Cisco IT running this stack on Cisco, published as case studies, before any of it was proposed to a customer.
Source: Cisco on Cisco case studies, AI-Ready Data Center series. The 1,000+ GPU week and cost-per-token services figures in Domain A come from Cisco internal technical documentation. The employee-agent rollout is reported by Entrepreneur; the AI-built-software prediction by SDxCentral.
Every requirement from the register, its answer, and its status, in one table. "Ships today" means a product Alberta can buy and deploy now. "Open source" means Alberta can take it without talking to us. "Session" means the answer needs Alberta's data in the room and is scoped as a decision in Appendix A.
| ID | Requirement (short) | Answered by | Status |
|---|---|---|---|
| R1 | Sovereign compute | AI PODs on GoA premises · confidential computing · Intersight | ships todaysiting is Decision 1 |
| R2 | Token throughput | Workload PODs, 32-GPU unit to 8k design · services priced per token | ships todaysizing is Decision 1 |
| R3 | Own-hardware platform | Secure AI Factory with Red Hat, a validated configuration | ships today |
| R4 | Supply-chain audit | Skill Scanner · MCP Scanner · A2A Scanner · AI BOM | open sourcetake now |
| R5 | Beyond 95–98% | AI Defense validation + runtime guardrails, on-prem POD option | ships todayPoV is Decision 2 |
| R6 | Claw governance | DefenseClaw, built for OpenClaw | open sourcetake now |
| R7 | Hours-to-weaponized | Talos intelligence · Live Protect on switch fleets · Hybrid Mesh Firewall | ships today |
| R8 | Agentic identity | Duo Agentic Identity + Identity Intelligence | ships todaymapping folds into Decision 2 |
| R9 | System-level observability | Splunk Agent Observability + Enterprise Security | ships todayattach point is Decision 3 |
| R10 | Operating the estate | Cloud Control · AI Canvas · Cloud Control Studio | includedwith existing subscriptions |
| R11 | Partner model | PoV under the Sovereign Compute process · Amii and U of A R&D track | sessionvehicle is Decision 4 |
What the scorecard does not cover, said plainly: Alberta's own platforms (Nexus, Bifrost, Ent Tools, the harness) stay Alberta's, and nothing here asks to replace them. Data platform choices, the Gemini and Bedrock relationships, and the sovereign-compute consortium question sit with other partners, and the mapping works alongside all of them. Paper 05 sets a rule for everything the Factory builds: no licence the government cannot exit. Held to the same rule, this stack exits cleanly. The scanners are open source, the telemetry is OpenTelemetry, the guardrails sit at the gateway instead of inside application code, and Bifrost keeps the model layer portable, so leaving is a migration rather than a rewrite.
This document raises exactly four decisions that need Alberta's data in the room. The session closes them in one morning. Each block ends when its decision is written into the log; the readback walks the log top to bottom and the room corrects it out loud.
| Time | Item | Closes with |
|---|---|---|
| 08:30 | Arrivals; frame at 08:45: the register and the four decisions | Agreement on scope |
| 09:00 | Domain A: siting and sizing the first sovereign POD | Decision 1 · landing zone & sizing |
| 10:00 | Domains B and C: the agent-security proof of value, scanners and identity included | Decision 2 · PoV scope & pass condition |
| 11:00 | Break | |
| 11:15 | Domain D: where telemetry attaches to Nexus, and the morning view | Decision 3 · attach point |
| 12:00 | Domain E: vehicle, sponsors, and three dates | Decision 4 · vehicle & dates |
| 12:30 | Readback; log circulated before lunch ends | Signed log |
Room rules: twelve people or fewer, one screen, one whiteboard, laptops open only for the scribe and demos. Pricing beyond rough sizing, contract terms, and anything touching citizen data stay out of scope. Attendees read papers 05, 09, 11, and 15 beforehand; this document covers the rest.
The scribe fills this table during the session. The download button produces the log as a Markdown file, which goes to every attendee before lunch ends.
| # | Decision | What was decided | Owner (GoA) | Owner (Cisco) | Date |
|---|---|---|---|---|---|
| 1 | Landing zone & sizing | ||||
| 2 | Agent security PoV scope | ||||
| 3 | Telemetry attach point | ||||
| 4 | Vehicle & dates | ||||
| + | Parked items |
Attendees read four papers and one response before the session. The papers take about an hour in total, and the narration on the Velocity site covers the same ground for anyone who prefers to listen. Cisco attendees read all five. Alberta attendees likely wrote the first four.
| # | Reading | Why it matters for the morning |
|---|---|---|
| 05 | The Four Approaches to AI Modernization | The frame for every block, and the source of the demand curve in figure 3 |
| 09 | The AI Factory: Orchestration and Observation (Nexus) | The platform every decision touches, including the claw roadmap |
| 11 | The Agentic Technology Stack | Names the open gaps this session closes, and the token ceilings behind Block 1 |
| 15 | The Compression Problem | The argument for system-level oversight that Block 3 turns into a design |
| — | This document, top to bottom | The register (§01), the canvas (§03), and the scorecard (§11) at minimum |
| Side | Seats |
|---|---|
| GoA | DM Technology and Innovation; ADM technology; CIO; Nexus platform lead; security lead; one Builder from the Level 3 cohort, because the people using the tools should hear the infrastructure argued |
| Cisco | Executive advisor for AI, Canada; account lead; solution architect; AI Defense technical lead; Splunk architect; compute architect (remote is fine for the last two) |
| Rules | Twelve people or fewer. Phones down during blocks. Laptops open only for the scribe and the demos. Anything off-scope goes to the parked row of the log. |
Pricing beyond rough sizing, contract terms, and anything touching citizen data. The morning decides architecture and next steps. Paper 16 argues the right measure of an AI program is capability built, and the session holds itself to the same standard: four decisions on the wall by lunch.