From Proxy.Me: Agentic AI Digital Apprentices, Appendix B

Two Governance Domains: Reasoning and Reach

Apprentice governance separates two concerns that are usually conflated: governing what a Proxy thinks, and governing what it can touch.

Chapter 10 introduced the distinction between what a Proxy knows and what it can touch. This distinction is the foundation of apprentice governance. It separates two concerns that are often conflated in discussions of AI safety but that require entirely different mechanisms.

Governing Reasoning

A Proxy's reasoning is composed of its lenses, points of view, veto lenses, scenario recognition, escalation rules, and the accumulated patterns it has absorbed from observing its human steward. This is what makes the Proxy useful. It is also what makes the Proxy fragile, because reasoning can drift.

Drift happens slowly. A lens that was appropriate six months ago may no longer reflect current priorities. A point of view that worked well during a period of stability may produce poor judgments during a crisis. An escalation rule that once matched the organization's risk appetite may have become too permissive as conditions changed. The Proxy does not know its reasoning has drifted. It applies what it has learned with the same confidence it always has. Only the human steward can detect the gap between what the Proxy believes and what the Role now requires.

Governing reasoning is therefore an act of curation. The human steward must periodically review how the Proxy interprets situations, which lenses it prioritizes, how it forms points of view, and where its judgments diverge from those the steward would make. This is not a compliance exercise. It is the same kind of mentorship a senior professional provides to a junior colleague: examining the reasoning behind decisions, not just the decisions themselves.

Practically, this means the organization needs mechanisms for reasoning review. These might include regular audits of the Proxy's decision logs, structured comparisons between the Proxy's recommendations and the steward's actual choices, periodic recalibration of lenses and points of view, and explicit review triggers when the Proxy encounters scenarios it has not seen before. The Work Graph provides the raw material. The human steward provides the judgment about whether the Proxy's reasoning still serves the Role.

Governing Reach

A Proxy's reach is composed of every system it connects to, every tool it can invoke, every data source it can read, every channel it can communicate through, and every action it can take in the world beyond its own reasoning. Reach is what transforms reasoning into motion. Without it, the Proxy is an advisor. With it, the Proxy is an operator.

The governance challenge with reach is that it compounds. A Proxy that connects to a project management system has a certain scope of impact. Add an email connection, and the scope expands. Add a connection to the financial system, and it expands again. Each new connection is individually justifiable, often essential for the Proxy to do its job. But the combined effect of all connections creates an authority surface that is larger than any single connection implies.

This is why zero standing privileges matters so much for digital apprentices. Because a Proxy is persistent, it could accumulate connections over time, the way employees accumulate access badges. Without active governance, a Proxy that started with narrow, well-justified connections might gradually acquire access to systems far beyond its original scope, not through malice but through the natural expansion of what the Role requires.

Governing reach requires structural mechanisms. Connections should be granted for specific purposes, with clear justification. They should be time-limited where possible, requiring periodic re-authorization rather than persisting indefinitely. The organization should be able to see, at any moment, exactly what systems each Proxy can access and why. When a Proxy's role changes or its human steward changes, its connections should be reviewed and re-scoped rather than inherited automatically.
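
The structural mechanisms described above can be sketched as a small grant registry. This is an added example, not code from the book: the `ReachRegistry` class, its method names, and the sample Proxy, steward and system names are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    proxy: str
    system: str
    purpose: str       # justification recorded when the connection is granted
    steward: str       # human steward who authorized it
    expires: datetime  # every grant lapses; there is no standing access

class ReachRegistry:
    def __init__(self):
        self._grants = []
        self.stewards = {}   # proxy -> current human steward

    def grant(self, proxy, system, purpose, ttl, now):
        if not purpose.strip():
            raise ValueError("a connection needs a stated purpose")
        # Re-authorization replaces any earlier grant for the same system.
        self._grants = [g for g in self._grants
                        if (g.proxy, g.system) != (proxy, system)]
        self._grants.append(
            Grant(proxy, system, purpose, self.stewards[proxy], now + ttl))

    def _live(self, g, now):
        # Live means unexpired AND authorized by the Proxy's current steward,
        # so a steward change forces review instead of silent inheritance.
        return g.expires > now and g.steward == self.stewards.get(g.proxy)

    def can_access(self, proxy, system, now):
        return any(g.proxy == proxy and g.system == system and self._live(g, now)
                   for g in self._grants)

    def inventory(self, proxy, now):
        """What this Proxy can reach right now, and why."""
        return sorted((g.system, g.purpose) for g in self._grants
                      if g.proxy == proxy and self._live(g, now))

    def needs_review(self, proxy, now):
        """Connections that lapsed or were authorized by a previous steward."""
        return sorted(g.system for g in self._grants
                      if g.proxy == proxy and not self._live(g, now))

# Constructed sample data: names, systems and dates are illustrative.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)

def demo():
    reg = ReachRegistry()
    reg.stewards["proxy-a"] = "alice"
    reg.grant("proxy-a", "project-mgmt", "track delivery milestones", timedelta(days=30), T0)
    reg.grant("proxy-a", "email", "send weekly status digest", timedelta(days=7), T0)
    day10 = T0 + timedelta(days=10)
    before = (reg.inventory("proxy-a", day10), reg.needs_review("proxy-a", day10))
    reg.stewards["proxy-a"] = "bob"   # steward changes: nothing is inherited
    after = (reg.inventory("proxy-a", day10), reg.needs_review("proxy-a", day10))
    return before, after
```

On day 10 the email grant has lapsed and appears under review; once the steward changes, every remaining connection drops out of the inventory until it is re-granted.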

The critical insight is that reasoning and reach interact but must be governed independently. A Proxy with excellent reasoning and excessive reach can cause harm through competent overreach: doing the right thing in the wrong place. A Proxy with appropriate reach but drifted reasoning can cause harm through contained incompetence: doing the wrong thing within its authorized scope. Effective governance addresses both.

Governing the Knowledge a Proxy Learns From

A Proxy that cannot be trusted with the knowledge it draws on cannot be trusted with the work that depends on it. Memory captures what happens, notes distil what is reusable, a knowledge base indexes what can be found again, and the whole becomes the ground learning compounds on. The pipeline is a governance object in its own right, and any organization that wants Proxies that stay honest about what they know must build a capability to manage it.

The Proxy uses seven verbs to manage its knowledge base. Each one is a discipline, and each one is curated.

Build

A Proxy captures what it learns from its own work. Observations that were useful, source links worth keeping, patterns that recurred, candidate premises that might matter later, all written down as navigable notes so they can be found and reused, not just carried in session memory. Build is bottom-up, from live experience. It is where the Proxy's own voice accumulates.

Distill

A Proxy extracts usable knowledge from trusted bodies: regulations, policies, manuals, textbooks, internal references, licensed corpora, and research literature. Distilling turns a five-hundred-page reference into the atomic, linked notes a Proxy can actually reason from, with source attribution preserved so each note can be re-checked against the original. Distill is top-down, from authoritative material at scale. It is also how new and revised sources of knowledge enter the graph: when a regulation changes, a policy is updated, or a study is published, the Proxy's reasoning reflects the new state of the world rather than the old one.

Distill pairs naturally with synthetic data generation, the inverse operation, where validated knowledge is expanded back into worked examples, edge cases, counter-examples, and practice scenarios useful for training other Proxies, for evaluation sets, and for simulation. Where distill compresses, generation expands.

Validate

A Proxy establishes that a note deserves its place. Claims are cross-checked against independent sources, computations are re-run, assumptions are tested, and peer or human review is applied where the stakes require it. Validation occurs at intake, before a note becomes load-bearing, and periodically thereafter, because a note that was valid last quarter may no longer be valid. This is the verb that distinguishes a knowledge base from a dumping ground.

Refresh

A Proxy keeps its knowledge current. Sources get re-checked, stale entries get flagged, superseded notes are handed off to the archive or forgotten, and drift from the underlying world is detected rather than absorbed. Refresh is about freshness; validate is about truth. The two are complementary but not the same. A stale premise and a false premise are different failures, and a Proxy that treats them identically will miss one of them.

Curate

A Proxy tends its knowledge base as a living collection: merging duplicates, sharpening imprecise notes, promoting battle-tested patterns, and surfacing anything that has lost its reason to exist. Curation is how the collection stays useful under its own weight. Without it, a knowledge base becomes a landfill that looks, to a search, like a library.

Archive

A Proxy moves material out of active use without losing the historical trace. A policy that has been superseded, a pattern that has been replaced by a better one, a premise whose underlying assumptions no longer hold, a note retained for reference but no longer cited in live reasoning: all of these are archived rather than destroyed. Archived notes stay searchable when a reviewer needs to reconstruct a past decision, but they do not feed new reasoning by default. Archive is the counterpart to build; it is how a base gets lighter without losing its memory.

Forget

A Proxy removes material entirely when the organization has an obligation to make it gone. Data subject to a right-to-be-forgotten request must be found and deleted. Content drawn from an expired license must be removed when the license ends. Sensitive material must come down on the schedule the organization has agreed to.

Forget differs from archive in that the note itself is destroyed, not just retired from active use. A good forget still leaves a controlled trace: the fact that a note was removed, when, by whom, and under what authority, so decisions that cited the note while it was live can still be defended even though the underlying content is no longer in the base.
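
The difference between archive and forget, including the controlled trace a forget leaves behind, is shown below as an added example that is not from the book. The `KnowledgeBase` class, its fields, and the sample notes and authority reference are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Note:
    note_id: str
    version: int
    text: str
    archived: bool = False

class KnowledgeBase:
    def __init__(self):
        self.notes = {}       # note_id -> Note
        self.tombstones = {}  # note_id -> controlled trace of a forget

    def add(self, note):
        self.notes[note.note_id] = note

    def archive(self, note_id):
        # Retired from live reasoning, content kept for reconstruction.
        self.notes[note_id].archived = True

    def forget(self, note_id, by, authority, when):
        # Content is destroyed (live or archived). The trace records only
        # that it happened, when, by whom and under what authority; it holds
        # no text from the note.
        note = self.notes.pop(note_id)
        self.tombstones[note_id] = {"version": note.version,
                                    "removed_at": when.isoformat(),
                                    "removed_by": by, "authority": authority}

    def search(self, term, include_archived=False):
        # Archived notes do not feed new reasoning by default.
        return sorted(n.note_id for n in self.notes.values()
                      if term.lower() in n.text.lower()
                      and (include_archived or not n.archived))

    def resolve(self, note_id):
        """Follow a citation from a past decision record."""
        if note_id in self.notes:
            n = self.notes[note_id]
            return ("archived" if n.archived else "live", n.text)
        if note_id in self.tombstones:
            return ("forgotten", self.tombstones[note_id])
        return ("unknown", None)

def demo():
    # Constructed notes; ids, text and the authority reference are illustrative.
    kb = KnowledgeBase()
    kb.add(Note("n1", 3, "Retention policy 2025: keep invoices 7 years"))
    kb.add(Note("n2", 1, "Retention policy 2019: keep invoices 5 years"))
    kb.add(Note("n3", 2, "Customer J. Doe asked about retention of her records"))
    kb.archive("n2")                       # superseded, still reconstructable
    kb.forget("n3", by="role:records-steward", authority="erasure request (placeholder ref)",
              when=datetime(2025, 3, 1, tzinfo=timezone.utc))
    return kb
```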

A knowledge base that cannot forget cleanly is a compliance liability. A knowledge base that forgets without a trace is an audit liability. The discipline is to do both at once.

Four Sources of Knowledge

A Proxy does not have to carry the whole world on its back. Its knowledge can come from any of four sources, and governance differs for each.

  • Local. Private to the Proxy, built from its own work and tuned to its owner's context. Governance is light: the Role curates it, but the content is not broadly inspectable and does not inherit organizational standards by default.
  • Remote. Maintained elsewhere on the mesh by a peer Proxy, a librarian Proxy, or a dedicated service, and attached as needed. Governance follows the peer's practice, and the Proxy that attaches inherits whatever discipline the peer maintains. Attach with care.
  • Organizational. Canonical knowledge the organization publishes for any Proxy to draw on: policy libraries, product catalogs, approved references, regulatory interpretations. The Proxy attaches, and the organization governs, with a defined authoring pipeline, approval chain, and retirement process.
  • Licensed. Third-party or commercial knowledge bases the organization has subscribed to, such as industry references, legal corpora, market data, scientific literature, and vendor documentation. Licensing adds its own layer of governance: seat counts, usage terms, attribution requirements, retention limits, and royalty implications. A Proxy must honor those terms the same way it honors internal policy, and the attestation record must show that it did.

Knowledge Should Be Portable

Knowledge bases attach and detach like mounted volumes. A Proxy working a Regulatory Examination scenario attaches the compliance library for the duration and detaches when finished. The act of attaching carries governance consequences: the Proxy now has read access, potentially write access, and whatever it uses from the base now sits inside its attestation footprint.

The shape worth leaning on for the knowledge base itself is the networked notebook, a pattern now familiar from modern personal and team knowledge systems. Notes are atomic: each one holds a single idea, not a report's worth. Links between notes are explicit and bidirectional, so a reader can follow a reference from one note to see what it depends on, or follow back-references to see what depends on it.

Metadata and tags travel with the notes, carrying freshness dates, sources, confidence, scope, and tier. The whole collection is explorable as a graph of related ideas rather than a list of documents, and the format is plain and portable, so the knowledge belongs to the organization, not to any particular tool.

Search vs. Q&A

A Proxy reaches into an attached knowledge base in one of two ways, and both have governance consequences.

Search returns a ranked list of matching notes. Attribution is direct: each hit is a specific note with a specific version, and the Proxy cites what it actually opened. Search is the right mode when nuance matters and the underlying text is the evidence.

Question and answer returns a synthesized answer drawn from across the base. The convenience is real, but the attestation discipline matters more, because the answer is a composite. The Proxy, or the service it queried, must carry the citation trail back to the underlying notes, their versions, their sources, and their tiers, so the decision record can still point at the load-bearing premises. Q&A is the right mode for routine lookups, for orientation, and for breadth. But a Q&A answer that feeds a consequential decision still must resolve to specific notes, or the attestation breaks down.
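
One way to enforce that a Q&A answer resolves to specific notes before it feeds a decision record is sketched below. This is an added example, not code from the book: the `citation_trail` function, the `(note_id, version)` citation shape, and the sample base with its ids, sources and tier labels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NoteVersion:
    note_id: str
    version: int
    source: str  # where the note's content came from
    tier: str    # trust tier label (values below are constructed)

class UnresolvedCitation(Exception):
    """A consequential answer cites something the base cannot produce."""

def citation_trail(citations, base, consequential):
    """Resolve an answer's (note_id, version) citations against `base`.

    `base` maps (note_id, version) -> NoteVersion. Returns (trail, gaps).
    Routine lookups may proceed with gaps recorded; a consequential
    decision with any gap raises instead of attesting to a composite.
    """
    trail, gaps = [], []
    if not citations:
        gaps.append("answer carries no citations")
    for note_id, version in citations:
        note = base.get((note_id, version))
        if note is None:
            known = sorted(v for (n, v) in base if n == note_id)
            gaps.append(f"{note_id} v{version} unresolved; base has versions {known}")
        else:
            trail.append(note)
    if gaps and consequential:
        raise UnresolvedCitation("; ".join(gaps))
    return trail, gaps

# Constructed base and answers; ids, sources and tiers are illustrative.
BASE = {
    ("kyc-threshold", 2): NoteVersion("kyc-threshold", 2, "policy-library/kyc.md", "organizational"),
    ("kyc-threshold", 3): NoteVersion("kyc-threshold", 3, "policy-library/kyc.md", "organizational"),
    ("fx-limits", 1): NoteVersion("fx-limits", 1, "vendor-feed/fx", "licensed"),
}
GOOD = [("kyc-threshold", 3), ("fx-limits", 1)]
BAD = [("kyc-threshold", 4), ("fx-limits", 1)]   # v4 does not exist in the base
```

An older version that still exists in the base resolves cleanly, since a decision record should point at the note as it stood at the moment of decision.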

Shared Knowledge

Knowledge bases are also a mesh-level concern. A Proxy can publish into a shared base governed by the mesh, subscribe to notes from a peer's base with curation and trust tiers applied, attach to an organizational library that is read-only by default and authored through a controlled pipeline, or federate with knowledge bases on adjacent meshes through the same bridge pattern used elsewhere for cross-mesh work. The questions of who can author, who can approve, who can retire, and which surfaces inherit centrally versus curate locally all apply.

When multiple Proxies learn together, in debate, in retrospectives, in shadowing, the group's work must have a shape too. Rounds mark where a conversation started and ended. The roster lists who was at the table and what they contributed. These are the artifacts that will allow multi-party learning to be cited later. Without them, a retrospective produces a feeling of alignment and nothing a future Proxy can point at.

Active curation is continuous. Both the memory store and the knowledge base need tending: pruning stale content, promoting validated patterns, and retiring deprecated ones. A knowledge base is not a project with an end date. It is a running system, and the rhythm of curation is what keeps it honest over time. A mesh that shares learning artifacts across Roles inherits the curation weight of whichever member is doing the work; governance must decide whether curation is centralized, distributed, or tiered.

Auto-Curation and Stewardship

Every verb a Proxy performs on its knowledge, building a note, distilling a source, validating a claim, refreshing a page, cross-checking a premise, searching the base, synthesizing an answer, consumes tokens. Tokens are a budget the organization actually pays for. A Proxy that attempted to keep every note perpetually fresh, every claim triply corroborated, and every corner of its base in immaculate order would burn through its budget before it did any of the work it was hired to do. Token awareness is part of being a competent apprentice.

The practical effect is that knowledge management is risk-tiered like everything else. High-consequence domains get the full discipline: frequent refreshes, deep distillation, aggressive cross-checking, thorough validation. Low-consequence domains get lighter treatment: notes carried on trust until they are needed, validation performed on demand, and refreshes spaced out. The same eight veracity dimensions apply everywhere, but how hard the Proxy works on each of them scales with the value of the decision. Perfection of knowledge management is a ceiling, not a floor, and the Role is responsible for choosing where along that ceiling the token budget actually lands.

Stewardship is not a separate function. It is the Role's responsibility. The Role, which is the human accountability container the Proxy operates within, is responsible for supervising what the Proxy learns and how it learns, just as the Role supervises what the Proxy decides and how it decides. A Proxy without a Role exercising stewardship is not an autonomous apprentice; it is an unsupervised one, and the distinction matters.

The learning pipeline has several decision points where the Role's stewardship is exercised explicitly. The Role approves promotions: a hypothesis that the Proxy believes is ready to be treated as a validated premise, especially on a load-bearing claim, does not promote itself. The Role signs off on new canonical knowledge that the Proxy has built from its own work before exposing it to peers on the mesh. The Role decides when notes are retired, either because the underlying material is obsolete or because retention policy requires removal. The Role arbitrates disagreements that the Proxy cannot resolve on its own, escalating them to a panel when the matter goes beyond the immediate decision.

The Role also sets posture. How aggressive the Proxy's curation should be, how much of the token budget is spent on validation versus work, when to formalize the attestation, and whether a new knowledge base is safe to attach are not decisions the Proxy should make on its own. Governance assumes the Role is paying attention, and the Role's standing is what makes that attention load-bearing.

Learning vs. Knowledge Accumulation

An organization that measures its Proxies only by the attestations they produce misses an important question: Is the Proxy actually learning, or is it only accumulating? Evaluation is the counterpart to learning, and several signals help with it.

Periodic competence tests, administered on the same cadence as continuing education for humans, confirm that the Proxy's handling of representative cases is still within standard. Sampled peer review, conducted by another Proxy or by a human reviewer in the Role, catches drift that the Proxy itself would not flag.

Drift metrics on the note graph, such as the rate at which stale notes are being refreshed, the fraction of premises that fail re-validation, and the density of cross-checks, reveal whether the base is being tended or accreting without discipline. Pattern analysis across attestation records shows whether the Proxy's reasoning is improving along the veracity dimensions that matter most to the work.

A Proxy whose numbers drift in the wrong direction is a Proxy whose training, coaching, or curation regime needs attention. Evaluation is how the organization finds that out in time to act.

The last connection worth making explicit is the one to attestation. The notes a Proxy keeps are where its premises come from. The freshness of those notes is what tells whether a premise has decayed. The tier of a source sets the trust weight. When a decision record cites a premise, it should be able to point at the specific note, its version, and its state at the moment of decision.

"Knowledge management is how a Proxy stays ready for the next question. Attestation is how the Proxy stays honest about what it actually knew when the last one was answered. The two halves depend on each other, and neither works alone."

Continue Through the Governance Appendices

Appendix C operationalises the mesh layer. Appendix D walks the apprentice lifecycle.
