AlphaBitCore
For Security · CISO

Govern your AI infrastructure.

Policy enforcement at the runtime. Not in prompts. Not in reviews. Scope, authority, and guardrails evaluated on every execution — with cryptographic evidence of what was allowed and what was refused.

Deployment shape

Deploys in your VPC as a sidecar to your existing agent stack. No model traffic leaves your perimeter. Integrates with your IdP (Okta, Entra, SPIFFE), your SIEM (Splunk, Sentinel, OTel), and your PAM (CyberArk, HashiCorp Vault).

The problem

The planner can be corrupted silently. Containment has to happen below it.

An LLM planner is architecturally unlike traditional control software. Its behavior can be corrupted by inputs it reads — a retrieved document, a tool output, a conversational turn — without any observable change to the planner itself. The compromise is undetectable at the planner boundary.

Standard software-engineering defenses (unit tests, code review, fuzzing) do not transfer to prompt-space adversaries. Containment must therefore happen below the planner: at the interface between proposed actions and durable effects.

Meanwhile the agents talk to your systems. They call tools. They write to databases. They send messages. Somewhere between the prompt and the downstream effect, the only thing enforcing scope is hope. Hope is not an access control model.

What you get

Outcomes the buyer can underwrite.

Scope enforced

Every agent, every model call, every tool invocation bound to explicit scope at the Gateway. No ambient authority. No implicit privilege.

Denials are structural

A denied execution produces zero state change. The downstream system is never touched. The denial itself is a sealed event.

A single enforcement point

Policy-as-code evaluated on every execution, at one runtime. Replaces N team-specific wrappers with one governed surface.
Why it holds up to scrutiny

Structural controls, not advisory ones.

Authority separation.

Callers — human or agentic — can only act within explicitly granted scope. The policy engine is the thing that refuses bad behavior, not a description of it.

Sealed denial events.

Every refused execution writes an append-only, Merkle-sealed event. Your IR team gets a record of what the agent tried to do even when it failed — which is often the more interesting signal.

No side door.

Nothing governed happens without passing through the Gateway. Every call — frontier LLM, internal fine-tune, MCP tool — lands on the same enforcement surface.

Confinement, not planner safety.

PoE confines the damage a compromised planner can do within an issued contract; it does not prevent planner compromise. Upstream prompt-injection hardening is orthogonal and necessary — and PoE is what makes the confinement boundary structural, not aspirational.

Credential escape is named, bounded.

A leaked non-Effector credential (T6 in the paper) can commit a mutation outside the PoE boundary. That case is not hidden; it enters Theorem 2’s advantage bound through the trace-completeness term, and Lemma 1 specifies exactly which Effector properties must hold to minimize it.

What your team actually does with it

Seven jobs your security org ships by day 14.

  • Set scope policy for a new workload.

    Declare the capability scope an agent is allowed to use, the Effector credentials it gets, and the fail-closed posture. Runtime refuses anything outside.

  • Pull the denied-attempt stream for IR triage.

    Every denial is a sealed event. Filter by workflow, principal, capability, and time window. Your IR team gets the inventory of what an agent tried to do, often a more interesting signal than what it succeeded at.

  • Answer a procurement threat-model questionnaire.

    The T1–T6 threat classes, the A1–A7 assumption set, and Lemma 1 are the spine of the answer. The sealed trace is the evidence. No team-specific narrative required.

  • Detect prompt-injection attempts across the fleet.

    Denied actions sourced from indirect-injection prompts look like capability-scope violations at the Gateway. The T2 rejection stream is the fleet-wide indicator.

  • Verify a sample EAC on a live incident.

    Fetch C, T, R via the 8-step verification recipe. Re-run ValidatePoE. Re-run Replay. Bit-equality check against the recorded terminal state. All in the incident-response playbook, not a forensics engagement.

  • Route a sensitive workload to local-only models.

    Change the per-stage model routing in the workflow definition; the Gateway enforces it. Sensitive data never leaves the firm boundary.

  • Roll a Gateway signing key.

    Key Registry records the rotation; historical EACs remain verifiable under their issuing key. Zero trace invalidation on rotation.

Detection evidence

Rejection is mechanical, not probabilistic.

The paper’s empirical evaluation (§9) injected adversarial traces corresponding to two threat classes and measured the validator’s rejection rate. The mechanism doesn’t detect attacks with a classifier; it refuses them by construction: hash-link breaks, missing Gateway decisions. No tuning, no thresholds.

T2 · Gateway bypass
10,000 / 10,000

Injected direct Effector writes that skip gateway_ref. All rejected: no valid Gateway decision event, I_2 fails by construction.

T4 · Trace mutation
10,000 / 10,000

Payload replacement, event reordering, event deletion. All rejected: prev_event_hash linkage breaks, I_4 fails by construction.

Control set
0 FP

Zero false positives across the unmodified control trace set. The validator does not rely on tuning; if an invariant holds syntactically, the trace is accepted.

Preliminary single-node prototype, Rhodes & Kang (2026), §9. These numbers confirm the mechanism on commodity hardware; they do not characterize production-scale adversaries that attempt signature forgery, hash collision, or credential escape — those are bounded by Theorem 2’s cryptographic terms and the named deployment-failure term ε_tc. Multi-node adversarial injection strength is deferred to a companion paper.
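As an added illustration, not AlphaBitCore’s code or the paper’s validator, here is a minimal Python trace checker that implements the two invariants the way this page describes them: I_4 as a prev_event_hash chain pinned to a sealed head hash, and I_2 as the rule that every Effector write must cite an earlier allow decision for its capability. The event field names, the genesis constant and the sample traces are constructed assumptions, and the Merkle seal is simplified to a single head hash.

```python
import hashlib
import json
GENESIS = "0" * 64  # prev_event_hash of the first event in a trace (constructed convention)

def event_hash(ev):  # canonical JSON so re-serialising an event never changes its hash
    body = json.dumps(ev, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def append(trace, kind, **fields):  # link the new event to its predecessor's hash
    ev = {"kind": kind, "prev_event_hash": event_hash(trace[-1]) if trace else GENESIS, **fields}
    trace.append(ev)
    return ev

def validate_trace(trace, sealed_head):
    """Accept only if the hash chain (I_4), decision-before-effect (I_2) and the seal all hold."""
    decisions = {}  # hash of a Gateway decision event -> that event
    prev = GENESIS
    for i, ev in enumerate(trace):
        if ev.get("prev_event_hash") != prev:  # I_4: payload edits, reordering and deletions break this link
            return False, f"I_4: prev_event_hash link broken at event {i}"
        h = event_hash(ev)
        if ev.get("kind") == "gateway_decision":
            decisions[h] = ev
        elif ev.get("kind") == "effector_write":  # I_2: a durable effect must cite an earlier allow for its capability
            d = decisions.get(ev.get("gateway_ref"))
            if d is None or d.get("decision") != "allow" or d.get("capability") != ev.get("capability"):
                return False, f"I_2: effector write at event {i} has no valid Gateway decision"
        prev = h
    if prev != sealed_head:  # the seal pins the head, so truncating or editing the last event is caught too
        return False, "seal: trace head does not match the sealed head hash"
    return True, "ok"

def build_control_trace():
    """Constructed unmodified trace: one allowed write, then one refused request (a sealed denial)."""
    t = []
    allow = append(t, "gateway_decision", principal="agent-7", capability="db.write", decision="allow")
    append(t, "effector_write", capability="db.write", gateway_ref=event_hash(allow), payload="set quota=10")
    append(t, "gateway_decision", principal="agent-7", capability="mail.send", decision="deny")
    return t

def t2_bypass_trace():
    # Constructed T2 case: a direct Effector write with no gateway_ref at all
    return [{"kind": "effector_write", "prev_event_hash": GENESIS, "capability": "db.write", "payload": "set quota=10"}]

def t4_mutated_trace():
    # Constructed T4 case: payload replaced after sealing, so event 2's link no longer matches
    t = build_control_trace()
    t[1]["payload"] = "set quota=10000"
    return t
```

Deleting or reordering events in the control trace fails I_4 the same way; dropping the trailing denial event alone fails the seal check instead.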

Walk through your AI attack surface with us.

We will map your current agent inventory, tool calls, and policy surface to the denials you are not capturing today.