Add architectural note to C9.6: evaluation-only policy components

[emmanuelgjr]

Summary

• Adds architectural note in C9.6 clarifying that policy decision components for agent authorization should be evaluation-only: they evaluate proposed actions and return permit/deny decisions, but do not execute actions, invoke tools, or modify resources
• References NIST SP 800-207 control-plane/data-plane separation principle

Rationale

The original proposal (#675) suggested a standalone verifiable control requiring governance components to not possess execution ability. Reviewer feedback identified two issues: (1) the constraint is not clearly verifiable as a standalone control (an auditor cannot reliably enumerate all execution pathways), and (2) it is not AI-specific — control-plane/data-plane separation is a general NIST SP 800-207 principle.

The existing C9.6.4, C5.6.4, and C5.2.6 already push implementers toward purpose-built evaluation components. An architectural note makes this design expectation explicit without creating a control that is hard to audit independently.

Test plan

• Verify the architectural note is consistent with C9.6.4, C5.6.4, C5.2.6
• Confirm NIST SP 800-207 reference is appropriate

Closes #675

[RicoKomenda]

After thinking about it... @ottosulin / @jmanico do we need an architectural note for a section? Or would that be too much for the people using the AISVS?

[RicoKomenda]

I think we should keep an eye out for a scope note rather than an architectural note, even if it was my first intent to do that. For now, I would close this PR and this issue, and we'll see if this reqs are still there after the reduction pass of C9.