Cryptographic Runtime Governance for Agentic AI
Enforce behavior at execution.
Prove every decision cryptographically.
Verify anywhere, offline and air-gapped.
Policy without proof is just a suggestion.
Architecture
Seal. Enforce. Prove.
01
Seal
Policy Artifact
Ed25519 + ML-DSA-65 signatures · SHA-256 integrity
Bind approved behavior to a signed, immutable policy object at build time. The sealed hash is the single source of truth for what the agent is authorized to do.
02
Enforce
Portal Runtime Boundary
Launch Gate · Drift Detection
The Portal validates policy before execution, monitors continuously, and executes enforcement actions autonomously. The agent holds no keys and cannot self-authorize.
Private runtime component
03
Prove
Evidence Bundle
Merkle proofs · Hash-linked receipts
Export a portable, tamper-evident proof package. Every receipt is signed and hash-linked. Any third party can verify offline - 8-step verification with independent decision re-derivation.
Standard cryptographic primitives. No special hardware. Fully offline-capable.
Agentic AI Governance at the Execution Boundary
Autonomous agents create action risk: unauthorized tool invocations, state modifications, and financial transactions that content filters cannot address. Current approaches stop at observation. None produce cryptographic proof of enforcement.
Autonomous Action Without Confirmation
Agentic AI systems invoke tools, modify state, and execute transactions without human approval at each step. Governance must operate at the speed of execution, not after the fact.
Frameworks Define Intent
Every major governance framework calls for enforceable runtime controls. Frameworks define what should happen. Proving what actually happened requires cryptographic enforcement at the execution boundary.
Monitoring Watches After Execution
Log aggregation and anomaly detection watch behavior after execution. Cryptographic proof of enforcement requires a mandatory runtime boundary operating at the speed of execution.
AGA Closes the Gap
Attested Governance Artifacts seal policy before execution, enforce at a mandatory runtime boundary where the agent holds no keys, and produce signed receipts that verify offline.
Where Existing Systems Stop
Existing tools cover fragments of the governance problem. AGA closes the gaps they leave open.
| Layer | Provides | Gap |
|---|---|---|
| Logging / SIEM | Event capture, anomaly alerts | Logs can be altered or deleted; no enforcement |
| Policy-as-Code | Declarative rules, drift alerts | Advisory only; no runtime binding |
| TEE / SGX | Hardware-isolated execution | No offline verification; vendor-locked |
| Blockchain Audit | Immutable ledger, timestamping | No runtime enforcement; latency constraints |
| AGA (this system) | Sealed policy, runtime enforcement, portable cryptographic proof | Extends all layers above |
What AGA Adds
Sealed Reference Hashes
An immutable, signed snapshot of authorized behavior. A cryptographic commitment that cannot be revised after the fact.
Mandatory Runtime Boundary
The Portal enforces policy before execution begins. The subject holds no signing keys and cannot self-authorize.
Signed Enforcement Receipts
Every enforcement action produces a signed receipt, hash-linked into an append-only chain. Each receipt is independently verifiable.
Offline-Verifiable Evidence
Evidence bundles contain everything needed to verify compliance. No network, no callback, no trust in the producing system.
AGA extends attestation with runtime enforcement and portable cryptographic proof.
What Becomes Possible
Prove exactly which policy was enforced, when, and by whom
Verify compliance offline in air-gapped or contested environments
Detect drift between authorized and actual behavior at runtime
Export tamper-evident evidence that any third party can audit
What Becomes Impossible
A sealed policy artifact cannot be modified without invalidating its cryptographic signature
A valid receipt cannot be produced without the Portal's signing key
A receipt cannot be deleted or reordered without breaking the hash-linked chain
A tampered evidence bundle cannot pass independent cryptographic verification
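The receipt properties listed above (no valid receipt without the signing key, no deletion or reordering without breaking the chain) can be checked with a short offline verifier. This is an added sketch, not AGA's code or receipt format: the field names (`seq`, `prev`, `policyHash`, `decision`, `sig`) and the sample data are assumptions, and it uses only Ed25519 and SHA-256 from Node's built-in `crypto` module.

```javascript
// Added illustration; hypothetical receipt layout, not the AGA wire format.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const GENESIS = "0".repeat(64);
// Fixed field order so signer and verifier hash identical bytes.
const body = (r) => JSON.stringify([r.seq, r.prev, r.policyHash, r.decision]);

// Enforcement side: only the holder of privateKey can append a valid receipt.
function appendReceipt(chain, privateKey, policyHash, decision) {
  const last = chain[chain.length - 1];
  const prev = last ? sha256(body(last) + last.sig) : GENESIS;
  const r = { seq: chain.length, prev, policyHash, decision };
  r.sig = crypto.sign(null, Buffer.from(body(r)), privateKey).toString("hex");
  chain.push(r);
  return r;
}

// Verifier side: needs only the chain, the public key and the sealed policy hash.
function verifyChain(chain, publicKey, sealedPolicyHash) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.seq !== i) return { ok: false, at: i, reason: "sequence gap or reorder" };
    if (r.prev !== expectedPrev) return { ok: false, at: i, reason: "broken hash link" };
    if (r.policyHash !== sealedPolicyHash) return { ok: false, at: i, reason: "policy mismatch" };
    const sigOk = crypto.verify(null, Buffer.from(body(r)), publicKey, Buffer.from(r.sig, "hex"));
    if (!sigOk) return { ok: false, at: i, reason: "bad signature" };
    expectedPrev = sha256(body(r) + r.sig);
  }
  return { ok: true, head: expectedPrev };
}

// Constructed sample: three receipts, then a deleted and an edited copy.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const policyHash = sha256('{"allow":["search","read_file"]}');
  const chain = [];
  for (const d of ["ALLOW search", "DENY transfer_funds", "ALLOW read_file"]) {
    appendReceipt(chain, privateKey, policyHash, d);
  }
  const edited = chain.map((r) => ({ ...r }));
  edited[1].decision = "ALLOW transfer_funds"; // signature no longer matches
  return {
    intact: verifyChain(chain, publicKey, policyHash),
    deleted: verifyChain([chain[0], chain[2]], publicKey, policyHash),
    edited: verifyChain(edited, publicKey, policyHash),
  };
}
```

In this sketch, dropping receipts from the end of the chain leaves a shorter but still valid chain, so a verifier should also compare the returned `head` against a head hash recorded outside the chain.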
Built for Environments Where Logging Is Not Enough
Defense & DoD
Autonomous systems, drones, agents
Sealed policy artifacts and cryptographic chain of custody from build to deployment to mission execution. Verifiable in disconnected and contested environments.
- Autonomous fleets
- Contested ops
- Air-gapped systems
SCADA / ICS
Critical infrastructure
Tamper-evident, cryptographic audit trails for industrial control systems. Deterministic resource bounds and offline-verifiable evidence bundles designed for real-time OT environments.
- Energy grids
- Water & utilities
- Pipeline control
Regulated
Finance, healthcare, legal
Governance enforcement where regulatory compliance requires cryptographic proof. Immutable audit trails built for examiner scrutiny.
- Trading oversight
- HIPAA AI systems
- EU AI Act
Enterprise AI
Agentic AI governance at scale
Cryptographic proof that only authorized models ran within enforced operational parameters. Immutable, independently portable audit trails that no one can alter or silently delete.
- Multi-agent ops
- Model governance
- MCP enforcement
AI Systems Are Operating Without Proof
Every day, critical infrastructure runs on AI systems with no cryptographic guarantee they have not been compromised. Compliance teams demand verifiable evidence. Current solutions provide neither.
Model Poisoning
Adversaries poison models during training, fine-tuning, or deployment. No cryptographic proof of origin means no way to verify what is actually running in production.
Silent Drift
Models change behavior post-deployment through prompt injection, weight modification, or gradient attacks. Current monitoring cannot detect subtle manipulation until it is too late.
Forensic Evidence Gap
When incidents occur, there is no audit trail that survives scrutiny. Investigations rely on logs that can be tampered with. Auditors need tamper-evident evidence.
Paper Governance
Contracts define what AI should do. Nothing enforces it at runtime. Legal language cannot govern machine behavior. Enforcement requires cryptographic constraints, not contractual ones.
Architecture designed for environments requiring:
Architectural design alignment. Not certification or compliance advice.
Active Enforcement Architecture
Active Enforcement
Mandatory runtime boundary.
The agent holds no signing keys and cannot self-authorize. Static policy blocks unauthorized tools. Behavioral detection catches pattern shifts. Phantom execution captures bypass attempts.
Standard Cryptography
No proprietary protocols.
Ed25519, ML-DSA-65, SHA-256, BLAKE2b-256, Merkle trees. Post-quantum hybrid signatures available. Auditable by anyone, anywhere, offline.
Offline Verification
No callback required.
Evidence bundles are fully self-contained. 8-step verification with independent decision re-derivation. Verify in air-gapped, classified, or contested environments.
Independent Proof
Third-party verifiable.
The entity being governed cannot produce independent proof of its own governance. The rules, the enforcement, and the audit must be cryptographically independent.
Local-First
No cloud dependency
Real-Time Safe
Constant-time ops
Privacy-First
No payload disclosure
Provider-Agnostic
Any model or platform
MCP-Ready
Native MCP integration
Tamper-Evident
Hash-linked chain
From Evaluation to Integration
Evaluate
Download the standalone demo. Run the independent verifier. Inspect the evidence bundle and receipt chains.
Explore
Read the protocol specification. Review the reference implementation. 1,227 automated tests. Full documentation.
Integrate
Language-agnostic protocol with a TypeScript/Node.js reference. Build in whatever stack you use.
Collaborate
Interested in deploying AGA for defense, critical infrastructure, or enterprise AI governance? Let's talk.