Cisco × Government of Alberta
A response to the Velocity White Papers · prepared for the working session · readable on its own, before and after

The Factory Behind the Factory

Alberta built a factory that manufactures government software with agents. That factory stands on infrastructure: token production, trust, identity, oversight. The Velocity papers state those requirements in public. This document answers each one with what Cisco runs today, what is free to take, and what remains open.

Requirements addressed
Eleven, drawn from seven papers
Answered with
Products running today
Free to take now
Ten public repositories
Working session
Appendix A · four decisions
Abstract

Paper 12 of the Velocity White Papers closes with a request: Alberta is engaging industry on the security apparatus around agents, on agentic identity management, and on observing agent activity across the network. The papers around it add more: sovereign compute is being pursued, token ceilings of 25 to 50 million per minute will soon be exceeded, Red Hat OpenShift is under evaluation for the Ministry's own hardware, harnesses need auditing before use, claw agents arrive within a year, and oversight must move from the individual agent to the level of the system. This document registers those requirements, eleven in total, and answers each with the Cisco Secure AI Factory with NVIDIA, AI Defense and its open-source scanner family, Duo Agentic Identity, Splunk Agent Observability, and Cloud Control. The mapping is honest about status: most of it ships today, some of it is free, and the gaps are named. Appendix A turns the four decisions this raises into a half-day working session.

TL;DR

Alberta's papers name four infrastructure gaps in public: agent security, agent identity, agent observability, and sovereign compute. Cisco ships against all four today.

Of eleven registered requirements, seven are answered by products running now, two by open-source tools free to adopt before any contract, one by a platform already included in Cisco subscriptions Alberta holds, and the last by the partnership vehicle itself. The trust plane installs inline at Bifrost and the harness, so nothing about how Nexus works changes.

A first sovereign POD fits the existing data centres at 14 to 60 kW a rack and reaches validated deployment in weeks. Four decisions still need Alberta's data in the room; Appendix A closes them in one morning.

§01

The requirements register

Everything below comes from the published papers. Where a requirement is implicit, the register says so. Each requirement appears in exactly one domain, and the five domains cover the full set: where agents run, what they may do, who they are, how they are watched, and how the estate is operated and the partnership run.

IDRequirementSourceDomain
R1Sovereign compute for the most sensitive work; exclusive GoA control of health and security data№12 §03A · Compute
R2Token throughput past the 25–50M/minute ceilings, diversified and load-balanced№12 §06A · Compute
R3A supported platform for the Ministry's own hardware and data-centre capacity (OpenShift under evaluation)№12 §02A · Compute
R4Audit of the agent supply chain: skill files, MCP servers, and open-source components before use№12 §05 · №07B · Security
R5Defense beyond the model's own 95–98% injection resistance№12 §04B · Security
R6Governance for self-directed claw agents (OpenClaw / Hermes), 6–12 months out№09 §06B · Security
R7Cyber response at the attacker's new speed: exploits weaponized in hours, supply chain the primary target№02B · Security
R8Agentic identity management: agents act in their own name, task-based and time-boxed№12 §05 · №09 §03C · Identity
R9Observing agent activity across the network, with oversight at the level of the system№12 §05 · №15D · Observability
R10Operating the rebuilt estate: every agent action observable and accountable to a named person№05 §05 (implicit)E · Operations
R11A partner model: strong companies tested against government workloads, through the Sovereign Compute process and RFPs№12 §05E · Operations

Paper numbers follow the homepage index at thevelocitywhitepapers.com. The papers are MIT-licensed; quotations and paraphrases are cited in place.

§02

One picture before the detail

The papers describe what Alberta builds. This response is about the two layers underneath: the trust plane that watches and constrains the agents, and the plant floor that produces their tokens. Alberta has built pieces of both inside Nexus. The question the register poses is which pieces should stay bespoke and which should run on supported infrastructure.

ALBERTA BUILDS DECISIONS · APP. A CISCO SUPPLIES Four approaches Garage → Gov 3.0 (№05) Nexus sandbox · 600+ apps The harness standards · anti-drift Bifrost & Ent Tools model & tool gateways Decision 1 landing zone & sizing Decision 2 agent security PoV Decision 3 telemetry attach point Decision 4 vehicle & dates AI PODs UCS · Nexus 9000 · Red Hat AI Defense + Duo guardrails · identity Agent Observability Splunk · one morning view Services + R&D TTFI · Amii · U of A
FIG. 2 — Where the four decisions sit. Each decision connects one thing Alberta has built to one thing Cisco supplies. The columns are independent, so the blocks can run in any order if the morning demands it. Alberta references from papers 05, 09, and 12; Cisco references from the Secure AI Factory technical materials.
§03

Explore this as an interactive canvas

This is Alberta's agent pipeline as papers 09 and 12 describe it: a Builder delegates to agents, agents mount skills and MCP servers from the harness, prompts route through Bifrost to models, tool calls route through Ent Tools, and finished work lands in the estate. In the first view, the red markers are the six open findings from the register, sitting exactly where they occur in the flow, and the red dot is a poisoned component travelling all the way to production. Switch to the second view: the pipeline is identical, the controls appear inline at those same points, every finding flips to closed, and the red dot now dies at the scanner. Nothing about how Alberta works changes. What changes is what survives the trip.

drag nodes · scroll to zoom · click a node

One pipeline, two futures
FIG. 2b — The same pipeline, before and after. The layout never changes; only the controls and the fate of the red dot do. Markers cite the paper each finding comes from. Rendered with the node grammar, palette, and interactions of the Solution Landscape canvas in the Velocity site repository.
§04

The Cisco side, in five names

The register runs eleven requirements and the answers run to a dozen product names, so here is the whole Cisco side reduced to five things, each holding one domain. Everything after this section is detail on these five.

NameWhat it isHolds
Secure AI Factory
with NVIDIA
The plant floor: validated designs combining compute, AI networking, and partner storage, from a 32-GPU unit to sovereign-cloud scale, in Alberta's own facilities or anyone'sDomain A
AI DefenseThe trust plane for models and agents: validate a model, generate its guardrails, enforce them inline, scan everything an agent mounts. Its scanner family is open sourceDomain B
Duo Agentic IdentityIdentity for a workforce that is not human: discovery, lifecycle, least-privilege access sized to the taskDomain C
SplunkThe system-level view, with AI Agent Monitoring scoring agent behaviour inside it: traces, tokens, risk, and containment in one planeDomain D
Cloud ControlThe operations platform for the agentic era, where operators and agents resolve issues together. Included with existing subscriptionsDomain E

One survey number frames why this matters now. In Cisco's January 2026 survey of security and IT executives, 55 percent had agentic AI in pilot or production, 59 percent named security as the biggest barrier, and 4 percent were confident about full-scale deployment. Alberta is already past the 55 percent. The register is the path into the 4 percent.

§05

Domain A · Compute and capacity

Where the agents runR1 · R2 · R3

Paper 12 says three things this domain must answer. The enterprise token ceilings of 25 to 50 million tokens per minute will likely be exceeded soon. A sovereign compute prequalification is in market, with exclusive GoA control of health and security data as a non-negotiable position. And Red Hat OpenShift is under evaluation for the Ministry's own hardware. Cisco's answer is the Secure AI Factory with NVIDIA: the same reference design at any scale, with the sovereignty question answered by geography instead of compromise.

Cisco brings to the table

  • AI POD reference designs in two kinds: Workload PODs for training and inference, Services PODs for shared security and observability, from a 32-GPU scaling unit to the 8,000-GPU design language
  • The Red Hat OpenShift configuration Alberta is already evaluating, as a validated design rather than an experiment
  • AI networking with a choice of silicon: N9300 on Cisco Silicon One or N9100 on NVIDIA Spectrum-X
  • A sizing method that maps workload characteristics (context size, concurrency, latency) to compute, network, and storage in one pass; a 1,000+ GPU cluster has gone to validated deployment in under a week
  • Confidential computing options for code that carries live secrets and personal information

What this answers

  • R1, sovereign: AI PODs run in Alberta's own facilities, with confidential computing for code carrying live secrets and PII, and GPU sharing via NVIDIA Run:ai so the hardware never sits idle. The three legacy data centres become the landing zone instead of a liability.
  • R2, throughput: owning part of the token curve is the durable answer to a rented ceiling. Bifrost keeps routing between hosted and sovereign; the POD is what it routes to. Cisco Services measures the build against two named metrics, time to first intelligence and cost to true scale, which is the budget instrument paper 12's cost concern asks for.
  • R3, platform: the OpenShift evaluation ends at a validated design. Red Hat AI Factory software is a supported software option in the reference architecture, alongside NVIDIA AI Enterprise; Nutanix and upstream Kubernetes are also supported.

Product configurations and sizing outcomes above (AI POD types, the sizing method, deployment-time figures) are drawn from Cisco internal technical documentation unless otherwise cited.

One-shot query single request, human-paced Agentic, sustained continuous, multi-step workloads ~10–20× ~50–200×
FIG. 3 — Token inflation: one-shot query vs. sustained agentic workload. Ranges from Cisco measurements of chat and agentic workloads. As Alberta's usage shifts from occasional queries toward continuous, multi-step agent work across the four approaches paper 05 describes, token demand compounds rather than spikes.
Cisco Secure AI Factory with NVIDIA reference design, core to edge
FIG. A1 — The Secure AI Factory with NVIDIA reference design, core to edge. Source: Cisco FAQ, March 2026.
Products at each layer of the Secure AI Factory stack
FIG. A2 — The products at each layer of the stack, with options at every layer. Source: Cisco FAQ, March 2026.
THE STACK, TOP DOWN WRAPPING EVERY LAYER Agent workloads · the four approaches Nexus · Bifrost · the harness — Alberta's, unchanged ALBERTA AI software NVIDIA AI Enterprise or Red Hat AI Factory · NIMs · pipelines Kubernetes OpenShift (the №12 evaluation) · Nutanix NKP · upstream R3 R1 · R2 The plant floor ComputeUCS · HGX / MGX / RTX Pro NetworkNexus 9000 · 400/800G StorageNetApp · Pure · VAST TRUST R4–R8 AI Defense Scanners DefenseClaw Duo AgenticIdentity Hybrid MeshFirewall Isovalent Live Protect policy at every layer OBSERVE R9 Splunk ES AgentMonitoring evaluators Tokenomics one morning view Power envelope per rack: 14–30 kW (MGX design) · 21–57 kW (HGX design) — testable against the three legacy data centres today
FIG. A3 — The stack, and the two planes that wrap it. The top layer is Alberta's and does not change. What distinguishes this factory from a pile of GPUs is the right-hand side: trust and observability are planes that touch every layer, instead of products bolted to one. Requirement chips mark where the register lands. Sources: Cisco internal technical documentation and the public FAQ.

From order to intelligence, on a clock

Cisco Services runs the deployment on two named metrics. Time to first intelligence (TTFI) covers plan, design, implement, validate, knowledge transfer, optimize, and scale-out, with up to a 75 percent reduction in deployment time, three to four weeks in practice. Cost to true scale (CTTS) makes the expansion curve predictable. The reference cases: a 1,000+ GPU cluster validated in under a week, and a global travel platform that hit cost break-even after ten training runs.

The 1,000+ GPU cluster and travel-platform reference cases are Cisco internal technical documentation; see also the sourcing note in §10.

Which reference architecture, at which scale

ArchitectureScaleSwitching siliconStatus
Cisco ERA
NVIDIA Enterprise RA compliant
Under 1,024 GPUs; enterprisesCisco Silicon One (N9300), Spectrum-X license optionalShipping
Cisco CRA
NVIDIA Cloud Partner RA compliant
~1,000 to 32,000 GPUs; neoclouds and sovereign cloudsCisco Silicon One + Spectrum-X, or N9100 with NVIDIA Spectrum siliconShipping / orderable

Cisco internal technical documentation names sovereign clouds as a segment the CRA is built for. Alberta would enter at ERA scale with a CRA-compatible design, so the ceiling is 32,000 GPUs away.

What a 32-GPU scaling unit delivers

The smallest building block of the factory, sized against models Alberta already tests. Pick the GPU; figures are tokens per second and concurrent users for one 32-GPU unit.

ModelStandard precisionReduced precision (FP4)

Estimates from Cisco internal technical documentation; production varies with implementation. Public benchmarks: mlcommons.org.

The compute range, core to edge

Form factorGPUs supportedBuilt for
Dense HGX serversB300 NVL8, H200, H100Model training, heavy inference; data-centre core
MGX serversRTX Pro 6000/4500, H200, H100, L40SOptimization and inference
Modular and rack serversRTX Pro 6000/4500, H200, H100, A16, L40S, L4Mixed enterprise workloads
Cisco Unified EdgeRTX Pro 6000/4500, L40S, L4Inference at regional sites, no data-centre latency

One Intersight fleet manages all of it, one support contract stands behind the whole stack, and the network underneath carries outcomes Cisco documents by name: AI fabric templates and congestion scoring in Nexus Dashboard, intelligent packet flow with advanced load balancing, and lossless RoCEv2 from 10G to 800G. Ministry sites outside Edmonton get the same architecture at edge scale, which is how 27 ministries stay one estate.

Compute-range specifications and the Nexus Dashboard feature list are drawn from Cisco internal technical documentation.

Open, and named as openWhich facility hosts the first POD, and its size. That is Decision 1 in Appendix A, because it needs Alberta's capacity data in the room.
§06

Domain B · Agent security and the supply chain

What the agents are allowed to doR4 · R5 · R6 · R7

Paper 12 puts the number on the problem: the best models resist prompt injection 95 to 98 percent of the time, and no model is immune. Paper 07 adds that skill files are software and can carry an attack. Paper 02 reports exploits weaponized in hours. Nexus already re-delegates agent access every few hours so that no grant is permanent. This domain covers the remaining distance: inline enforcement on every prompt and response, scanning of the components agents mount, and governance ready before the claws arrive.

Cisco brings to the table

  • AI Defense, live: discover the AI estate, validate it by algorithmic red teaming across 200+ attack techniques and risk categories, then enforce runtime guardrails generated from what the validation found
  • The open-source scanner family, demonstrated against real Alberta artifacts: MCP Scanner for the servers agents mount, Skill Scanner for the harness skill files paper 12 says need auditing, A2A Scanner for agent-to-agent traffic, AI BOM for knowing what every agent is made of
  • DefenseClaw: governance built for OpenClaw, which is the platform paper 09 names for the claw phase, 6 to 12 months out
  • The on-prem AI Defense POD configurations, two to three UCS C845A nodes, for workloads that cannot leave the building
  • Hybrid Mesh Firewall with Isovalent for the workloads underneath, and Live Protect shielding switch fleets while a patch is still days away

What this answers

  • R4, supply chain: the audit paper 12 performs by hand becomes a pipeline step. Skill Scanner reads the harness, MCP Scanner reads the servers, AI BOM records what every agent is made of. All open source; Alberta can adopt them tomorrow without a contract.
  • R5, beyond the model: validation finds where a specific model breaks, then guardrails built from those findings run inline, mapped to OWASP, NIST, and MITRE ATLAS. The 2 to 5 percent stops being a hope.
  • R6, claws: DefenseClaw is governance purpose-built for OpenClaw, so it arrives before the claw phase does.
  • R7, speed: Talos-fed protections and Live Protect respond inside the hours-to-weaponized window paper 02 describes, instead of waiting on the vendor patch cycle.
WHAT GOES IN Seeded corpus 45+ injection techniques one poisoned skill file one tampered MCP tool mixed into real Garage work ONE GARAGE WORKSTREAM · NEXUS, UNCHANGED Scanner at the mount Duo Identity at the grant AI Defense at the gateway WHAT COMES OUT The estate seeded items arriving: 0 THE MEASUREMENT PLANE Splunk · every catch, block, and grant logged as evidence the same events Domain D correlates, so the PoV doubles as the observability pilot THE CLOCK week 0 · scope signed week 1 · corpus seeded week 2–3 · live traffic week 4 · readout go / no-go The readout is one number and its evidence: how many seeded items reached the estate. The target is printed above.
FIG. 4 — The proof of value as a protocol. Nothing in the Nexus flow moves. A seeded corpus rides one real Garage workstream; three controls sit inline where the pipeline already routes; the pass condition is binary and printed on the diagram; the evidence plane doubles as the Domain D pilot; the clock ends in a go/no-go at week four.
AI Defense discover, detect, protect across the AI application lifecycle
FIG. B1 — Discover, detect, protect across the application lifecycle. Source: AI Defense solution overview.
AI Defense POD reference architecture for on-premises workloads
FIG. B2 — The AI Defense POD deployment: validation and runtime protection inside the customer's own environment, pre-validated with Red Hat OpenShift, so models under test are never exposed to the public internet. Source: AI Defense on Cisco AI PODs Reference Architecture, Cisco Design Zone.
AI Defense management console with the risk dashboard
FIG. B3 — The management console the security team actually works in: application usage and risk, model and agent validation results, runtime guardrail events, one plane. References: AI Defense solution overview · open-source project index · State of AI Security 2026.

The 200+ checks, unpacked

Prompt injection attack techniques 45+
The validation suite attacks the model the way paper 12's adversary would.
JailbreakingRole playingInstruction overrideBase64 encodingStyle injectionand forty more
Data privacy categories 30+
The categories that matter under the Protection of Privacy Act and a Protected B estate.
PIIPHIPCIBranded contentPrivacy infringement
Information security categories 20+
Information leaked through code and model outputs, tested for before an attacker finds it.
Data extractionModel information leakageCopyright extractionIP piracy
Safety categories 50+
The public-facing risk that keeps Alberta's citizen-facing AI parked today (paper 12, section four).
ToxicityHate speechMalicious useCriminal activityRogue agents

Validation produces reports mapped to OWASP, NIST, and MITRE, then generates guardrails aimed at the specific weaknesses it found in the specific model under test. The guardrails run bi-directionally at runtime, and the same policy applies whether the model is hosted elsewhere or running on Alberta's own GPUs, because enforcement is hybrid: control and management stay in Security Cloud Control while runtime traffic never leaves the premises. Where NVIDIA NeMo Guardrails already run, AI Defense supplies the input and output rails through API disposition and shares one policy across both. One boundary belongs in the proof of value rather than in prose: runtime payloads stay on premises, while policies, events, and reports flow to the Security Cloud Control plane, and whether that management envelope meets Protected B handling, and what a fully offline Protected C posture looks like, are questions the PoV answers with evidence.

Integration details with NVIDIA NeMo Guardrails and Security Cloud Control are drawn from Cisco internal technical documentation.

The public scoreboard

Validation is only credible if the results are published, so they are. The AI Defense leaderboard ranks frontier and open models against the same red-teaming suite this document proposes running against Alberta's fleet. The models in Alberta's stack are on it.

leaderboard.aidefense.cisco.com The AI Defense model security leaderboard → Frontier and open models, ranked against the same validation suite this document proposes. Opens in a new view; the site does not permit embedding, which is the right default for a security product.

Sized like everything else in the factory

AI Defense PODHardwareGPUsSustains
Small2 × UCS C845A4 × L40S each100 req/s · 20 applications
Medium2 × UCS C845A8 × L40S each200 req/s · 40 applications
Large3 × UCS C845A8 × L40S each300 req/s · 60 applications

The Large configuration covers one rationalized ministry (16 modules) three times over. Source: Cisco internal technical documentation and the Design Zone reference architecture.

Policy Studio: legislation in, guardrails out

Paper 05 rests Government 3.0 on one premise: business rules written once, drawn straight from legislation and policy, so that when the law changes, every interaction follows the new rule the same day. Policy Studio is that premise applied to guardrails. A policy owner, a compliance officer rather than an engineer, works through a chat-and-review session: the assistant drafts a human-readable policy document, tests it against real conversations, and surfaces the judgment calls as questions. Textual insights flag gaps in the draft ("does hypothetical phrasing count as advice?"); behavioural insights show patterns from production data, thirty-one cases at a time, answerable with one decision. Ten distinct judgments cost about ten answers, whether the corpus is seventy conversations or seventy thousand.

The result is one artifact doing three jobs: compliance reads it, auditors read it, and the runtime classifier reads it to decide every request. The forthcoming research behind it shows a reasonably sized open-source model interprets such a policy almost as accurately as a frontier model, so the rule Alberta's policy owner writes can run on Alberta's own hardware, no hosted API in the loop. For a government whose regulatory content is already codified law, this is the shortest path from statute to enforcement anyone has shipped. It is also a working answer to the genie problem: the constitutions behind it run three hundred lines per technique, precise enough that different frontier models return the same decision on the same input, which is what taking the latitude out of language looks like in practice.

Policy Studio chat-and-review interface authoring a custom guardrail
FIG. B4 — Policy Studio's chat-and-review session: the policy owner issues guidance, the agent writes and rewrites the enforceable document. Reference: Cisco AI blog, June 2026.

Runtime enforcement at the kernel, in five lines of YAML

Paper 09's sandbox is Nexus policy; Isovalent enforces the same intent one layer down, in the kernel, where an agent cannot argue with it. Each example below is a working policy from the Cisco reference materials. This is what "the floor is load-bearing" means in practice, and it is the enforcement layer waiting for the claw phase.

Identity-aware networking: agents talk only to what their role allows L3 / L4 / L7
Every packet carries a workload identity, so policy follows the agent rather than the IP. At layer 7 this becomes API-aware authorization: a frontend may call POST /completions on the agent, the agent may call POST /mcp on the server, and nothing else routes.
kind: CiliumNetworkPolicy
metadata: { name: "agent-rule" }
spec:
  endpointSelector: { matchLabels: { role: agent } }
  ingress:
  - fromEndpoints:
    - matchLabels: { role: frontend }   # allow, everything else drops
DNS-aware egress: guardrail calls can leave, nothing else can FQDN
The inference pod may reach the AI Defense disposition API and no other destination, enforced at resolve time. An agent that decides to browse the dark web (the fear from the Edmonton dinner) finds there is no route.
egress:
- toFQDNs:
  - matchName: "*.aidefense.security.cisco.com"
  toPorts: [ { ports: [ { port: "443", protocol: TCP } ] } ]
Sandbox policies: syscalls an LLM workload never needs block · kill
The kernel refuses the operation before it executes. An LLM component has no business tracing other processes or changing file ownership; if it tries, the syscall fails and the event lands in Splunk.
kind: SandboxPolicyNamespaced
spec:
  syscalls:
  - list: [ sys_ptrace, sys_execve, sys_chmod, sys_chown ]
    actions: [ Post, Block ]   # log it, then refuse it
File integrity monitoring: nobody rewrites the model weights FIM
Tracing policies watch the model file itself. Any write or delete against the weights is detected and attributable, which answers the transcript's question of whether injected code can work its way in undetected.
kind: TracingPolicy
spec:
  file_paths: [ "/models/llama.safetensors" ]
  matchOperations: [ FILE_WRITE, FILE_DELETE ]

Take the code, today

Alberta published its work under MIT and asked industry to answer in kind. Every scanner and governance tool named in this domain is public, and adopting any of them requires nothing from Cisco.

A worked example the papers will recognize

OCR extraction, embedding, a vector database, retrieval, and an LLM, each stage carrying its control. Validation red-teams the model and informs the policy; guardrails police query and response; the runtime agent blocks a sys_mount from inside the embedding pod; the container network polices inter-service traffic at layer 7; confidential computing encrypts execution; the perimeter brokers access. Swap the sample documents for paper 12's fourteen million historical records and this is the 250-agent job, secured end to end with parts that exist.

Secured document-processing assistant pipeline: OCR extraction, embedding, vector database, retrieval, and LLM, each stage carrying its control
FIG. B5 — The worked example, stage by stage: OCR extraction, embedding, a vector database, retrieval, and an LLM, each carrying its own control. Source: Cisco internal technical documentation.
Open, and named as openThe proof-of-value scope: which Nexus workstream, which scanners in round one, the binary pass condition, and the latency budget. An inline guardrail adds milliseconds at the gateway; the PoV measures them and prints the number beside the pass condition, because a control that slowed the Factory below its twentyfold target would defeat its purpose. The corpus uses unclassified legacy code only. That is Decision 2 in Appendix A.
§07

Domain C · Agent identity

Who the agents areR8

Nexus already treats permanence as the enemy: access is re-delegated every few hours, so nothing an agent holds lasts. Paper 12 names the next step, agentic identity management, as something Alberta is taking to industry. Duo Agentic Identity is Cisco's answer, and it works the way Nexus already thinks. Every non-human identity is discovered, including the ones nobody registered. Authorization is least-privilege by design: each agent is issued its own scoped identity, sized to what it needs rather than inheriting a human's full grant. And the agent acts in its own name, so the audit trail reads "the remediation agent did this at 03:00," with a named human accountable behind it, which is the exact condition paper 05 sets for Government 3.0. Because it lives inside Duo alongside Identity Intelligence, the human and non-human sides of the ledger share one lifecycle: agents are onboarded, enabled, and offboarded with named human oversight, the same way staff are.

Today · the Nexus delegation cycle (№09) human-shaped grant, renewed every few hours, every scope the human holds With Duo Agentic Identity · answers R8 scoped grants in the agent's own name, least-privilege by design
FIG. C1 — From borrowed hours to owned tasks. The top line is the delegation pattern Nexus runs today: sound, and still human-shaped. The bottom line is scoped identity: each agent carries its own least-privilege grant, and the audit log names the agent. References: Duo Agentic IAM · Introducing Duo Agentic Identity.
Answered todayDuo Agentic Identity is shipping now. The integration question, how its grants map onto the Nexus delegation cycle, folds into the Decision 2 proof of value in Appendix A.

Duo Agentic Identity builds on Astrix Security's non-human identity discovery technology; Cisco completed the acquisition in June 2026.

§08

Domain D · Observability at the system level

How the Ministry watches ten thousand workersR9

Paper 15 argues that human oversight must move from the individual agent to the level of the system, because no reviewer can read the token streams of a thousand workers. Nexus solved the technical half: administrators can audit every agent on every machine, and Alberta built agents to audit the agents. The open question is the layer above, where activity from hundreds of environments becomes risk scores, patterns, and automatic containment, visible to people who never open a terminal.

Cisco brings to the table

  • Splunk Enterprise Security with the AI Defense add-on, so agent guardrail events and platform logs land in one place and correlate
  • AI Agent Monitoring in Splunk Observability: prompts and responses tracked for quality, drift, and cost, scored and intervened on at runtime
  • OpenTelemetry-native pipelines, which fit the export patterns Nexus already produces
  • Automated containment playbooks that act before a human reads a log line

What this answers

  • R9, across the network: agent traces, guardrail events, identity grants, and infrastructure metrics correlate in one place. Out-of-the-box evaluators score hallucination, relevance, toxicity, and bias without Alberta writing a detector.
  • R9, at the system level: tokenomics views (GPU, memory, time-to-first-token, cost per workflow) give the Ministry the budget instrument paper 12's cost section asks for, per agent and per approach.
  • Already compatible: the integrations list includes Amazon Bedrock and NVIDIA, which are respectively Alberta's primary model path and the plant floor in Domain A. The Nexus export patterns are OpenTelemetry, and so is the pipeline.

The Splunk Enterprise Security + AI Defense add-on integration and the containment-playbook capability are drawn from Cisco internal technical documentation; the evaluators, tokenomics, and guardrail features below are documented publicly by Splunk.

Out-of-the-box quality evaluations scoring hallucination, bias, and toxicity
FIG. D1 — Out-of-the-box evaluators: hallucination, bias, relevance, toxicity, scored in real time. Source: Splunk Agent Observability.
Token usage and cost tracking across models, agents, and workflows
FIG. D2 — Tokenomics: usage and cost per request, model, agent, and workflow. The budget instrument for paper 12's cost curve.
Agent workflow analysis showing steps, dependencies, and handoffs
FIG. D3 — Workflow analysis: tool calls, models, and retrieval steps from request to response.
Built-in guardrails for PII, PHI, PCI, tool misuse, and prompt injection
FIG. D4 — Built-in guardrails: PII, PHI, PCI leakage, tool misuse, prompt injection, surfaced where operators look.
Performance, quality, and cost of LLM and agentic applications in one view
FIG. D5 — Performance, quality, and cost of agentic applications in one view. A runaway agent is a line on this screen with its trace one click away, instead of a forensic project. Reference: Splunk Agent Observability.
The sizing fact for this domain: paper 15 notes a million-token context can absorb the daily status of a thousand contributors in a single pass. The design target is that the Ministry's morning view of ten thousand agents is one screen, three numbers, and a short list of exceptions with evidence attached.
Open, and named as openThe telemetry attach point: which Nexus signals flow first and what the morning view must show. That is Decision 3 in Appendix A.
§09

Domain E · Operating the estate, and the partnership

After the rebuild, and how we work togetherR10 · R11

Government 3.0 ends with agents operating the estate, every action observable and accountable to a named person (paper 05). Cisco runs its own version of that model today: Cloud Control is the unified operations platform for the agentic era, one login, one inventory, one live topology, with three agentic surfaces on top. AI Canvas is a multiplayer workspace where operators and agents resolve issues together, governed by organizational policy with auditability at each step. AI Assistant answers in plain language across domains. Cloud Control Studio connects third-party tools and builds custom agents grounded in the organization's own context, which is where Nexus, Ent Tools, and the Velocity game engine would plug in. Cloud Control and AI Canvas are included with existing Cisco subscriptions at no additional cost, which matters for a ministry at 1.4 percent IT spend.

FIG. E1 — Cloud Control in ninety seconds: one login, one inventory, one topology, and AI Canvas resolving a cross-domain issue with operators and agents in the same workspace. Source: cisco.com/cloud-control.

The operational claims are specific, and each one lands on a sentence in the papers. A cross-domain fault, one user's device through access point, controller, and firewall to a VPN tunnel missing a route, resolves from a single natural-language question to a one-click remediation in minutes, and the whole sequence can be handed to an agent as trust accrues. That is paper 15's oversight gradient, moving from approval to delegation, implemented in a product. Security policy is written in natural language and enforced as mesh policy across every control point, which is paper 05's rules-as-code principle applied to infrastructure. Agent-level spend is a first-class metric: an agent that has quietly consumed $24,000 in tokens is a line on a screen with its full activity trace one click away, which is the runaway-token control paper 12 builds budgets for. Underneath sit purpose-built models for network, security, and time-series data rather than one general model for everything, the same purpose-built-over-frontier pattern Alberta applies to its own stack. 52 partners publish into its marketplace, and Cloud Control Studio embeds Codex so a custom application or agent, the kind Alberta's Builders produce in Nexus, takes a prompt and minutes.

AI Canvas, the multiplayer workspace for operators and agents
FIG. E2 — AI Canvas: operators and agents in one workspace, policy-governed, auditable at each step.
Live topology of the global estate in Cloud Control
FIG. E3 — One live topology: every site, branch, and device, and how they connect. The view paper 09's oversight agents want to stand on.

On the partnership itself, paper 12 commits Alberta to inviting strong companies to test tools against government workloads through the Sovereign Compute process and forthcoming requests for proposals. Cisco's position: the proof-of-value components ride whichever vehicle the Ministry prefers, the R&D relationship with Amii and the University of Alberta continues on its own track, and anything Cisco cannot cover gets named in the room so the Ministry can source it elsewhere. The scorecard below has open cells on purpose.

TrackWhat it coversCadence
PoVThe Decision 2 scope, run against a live workstreamFour-week checkpoints
SizingThe Decision 1 landing zone, priced as configurations per approachOne workshop, then a written design
TelemetryThe Decision 3 attach point, built with the Nexus teamIntegration sessions as needed
R&DAmii, U of A, and Cisco joint work, including RL on Cisco hardwareQuarterly, own governance
CommunityWhat Alberta publishes, Cisco engineers respond to in the open, MCP Scanner and AGNTCY includedContinuous
Open, and named as openThe vehicle for each track and the executive sponsors. That is Decision 4 in Appendix A.
§10

Evidence from Cisco's own estate

The Velocity papers earn their claims with receipts: 600 applications in three months, five months to four days, 185 into 16. The same standard applies in reverse. These figures are from Cisco IT running this stack on Cisco, published as case studies, before any of it was proposed to a customer.

Weeks
from decision to Cisco IT's first AI-ready data centre, on the same modular design Domain A proposes
6 days
to build an AI fabric with Nexus Hyperfabric. "It enabled our team to work incredibly fast" (Mohammed Jameel, lead AI network architect)
−50%
support case-management cost after AI-focused optimization at scale
+73%
productivity on day-to-day tasks with the internal AI assistant, measured across Cisco's own workforce
90,000
Cisco employees who will each get a personalized AI agent of their own, starting Cisco's new fiscal year this month
2027
the year by which Cisco's own product organization has publicly predicted AI will have built the majority of Cisco's software products

Source: Cisco on Cisco case studies, AI-Ready Data Center series. The 1,000+ GPU week and cost-per-token services figures in Domain A come from Cisco internal technical documentation. The employee-agent rollout is reported by Entrepreneur; the AI-built-software prediction by SDxCentral.

§11

The scorecard

Every requirement from the register, its answer, and its status, in one table. "Ships today" means a product Alberta can buy and deploy now. "Open source" means Alberta can take it without talking to us. "Session" means the answer needs Alberta's data in the room and is scoped as a decision in Appendix A.

IDRequirement (short)Answered byStatus
R1Sovereign computeAI PODs on GoA premises · confidential computing · Intersightships todaysiting is Decision 1
R2Token throughputWorkload PODs, 32-GPU unit to 8k design · services priced per tokenships todaysizing is Decision 1
R3OpenShift on Ministry hardwareSecure AI Factory with Red Hat, a validated configurationships today
R4Supply-chain auditSkill Scanner · MCP Scanner · A2A Scanner · AI BOMopen sourcetake now
R5Beyond 95–98%AI Defense validation + runtime guardrails, on-prem POD optionships todayPoV is Decision 2
R6Claw governanceDefenseClaw, built for OpenClawopen sourcetake now
R7Hours-to-weaponizedTalos intelligence · Live Protect on switch fleets · Hybrid Mesh Firewallships today
R8Agentic identityDuo Agentic Identity + Identity Intelligenceships todaymapping folds into Decision 2
R9System-level observabilitySplunk Agent Observability + Enterprise Securityships todayattach point is Decision 3
R10Operating the estateCloud Control · AI Canvas · Cloud Control Studioincludedwith existing subscriptions
R11Partner modelPoV under the Sovereign Compute process · Amii and U of A R&D tracksessionvehicle is Decision 4

What the scorecard does not cover, said plainly: Alberta's own platforms (Nexus, Bifrost, Ent Tools, the harness) stay Alberta's, and nothing here asks to replace them. Data platform choices, the Gemini and Bedrock relationships, and the sovereign-compute consortium question sit with other partners, and the mapping works alongside all of them. Paper 05 sets a rule for everything the Factory builds: no licence the government cannot exit. Held to the same rule, this stack exits cleanly. The scanners are open source, the telemetry is OpenTelemetry, the guardrails sit at the gateway instead of inside application code, and Bifrost keeps the model layer portable, so leaving is a migration rather than a rewrite.

A

Appendix A · The half-day working session

This document raises exactly four decisions that need Alberta's data in the room. The session closes them in one morning. Each block ends when its decision is written into the log; the readback walks the log top to bottom and the room corrects it out loud.

TimeItemCloses with
08:30Arrivals; frame at 08:45: the register and the four decisionsAgreement on scope
09:00Domain A: siting and sizing the first sovereign PODDecision 1 · landing zone & sizing
10:00Domains B and C: the agent-security proof of value, scanners and identity includedDecision 2 · PoV scope & pass condition
11:00Break
11:15Domain D: where telemetry attaches to Nexus, and the morning viewDecision 3 · attach point
12:00Domain E: vehicle, sponsors, and three datesDecision 4 · vehicle & dates
12:30Readback; log circulated before lunch endsSigned log

Room rules: twelve people or fewer, one screen, one whiteboard, laptops open only for the scribe and demos. Pricing beyond rough sizing, contract terms, and anything touching citizen data stay out of scope. Attendees read papers 05, 09, 12, and 15 beforehand; this document covers the rest.

A2

The decision log

The scribe fills this table during the session. The download button produces the log as a Markdown file, which goes to every attendee before lunch ends.

#DecisionWhat was decidedOwner (GoA)Owner (Cisco)Date
1Landing zone & sizing
2Agent security PoV scope
3Telemetry attach point
4Vehicle & dates
+Parked items
A3

Preparation

Attendees read four papers and one response before the session. The papers take about an hour in total, and the narration on the Velocity site covers the same ground for anyone who prefers to listen. Cisco attendees read all five. Alberta attendees likely wrote the first four.

#ReadingWhy it matters for the morning
05The Four Approaches to AI ModernizationThe frame for every block, and the source of the demand curve in figure 3
09The AI Factory: Orchestration and Observation (Nexus)The platform every decision touches, including the claw roadmap
12The Agentic Technology StackNames the open gaps this session closes, and the token ceilings behind Block 1
15The Compression ProblemThe argument for system-level oversight that Block 3 turns into a design
This document, top to bottomThe register (§01), the canvas (§03), and the scorecard (§11) at minimum

Who is in the room

SideSeats
GoADM Technology and Innovation; ADM technology; CIO; Nexus platform lead; security lead; one Builder from the Level 3 cohort, because the people using the tools should hear the infrastructure argued
CiscoExecutive advisor for AI, Canada; account lead; solution architect; AI Defense technical lead; Splunk architect; compute architect (remote is fine for the last two)
RulesTwelve people or fewer. Phones down during blocks. Laptops open only for the scribe and the demos. Anything off-scope goes to the parked row of the log.

What stays out of scope

Pricing beyond rough sizing, contract terms, and anything touching citizen data. The morning decides architecture and next steps. Paper 16 argues the right measure of an AI program is capability built, and the session holds itself to the same standard: four decisions on the wall by lunch.

Listening…
0:00 / 0:00