The three gates, in order
Input, POST /v1/gate/check. Screens what reaches the agent before it engages. Fast rules plus a light model check. Fail-open: the input gate never blocks a real action on its own.
Action, POST /v1/evaluate. The gate that matters. The agent emits a structured proposal: action, parameters, context. Our engine resolves your AOPs deterministically, no model on the path, and answers in well under ten milliseconds. Fail-closed: if our engine does not permit it, or cannot decide, the action does not run.
Response, POST /v1/validate/output. Checks the reply against what the agent may say: banned phrases, required disclaimers, your catalog. Hard rules fail closed; the grounding and tone model layer fails open.
The three verdicts
Permit proceeds. Hold waits for a person, in the review surface that matches your tenancy. Deny stops. The input and response gates return allow, escalate, and block, which map to the same rails.
The lifecycle: observe, capture, author, enforce
You run our shadow mode first. Our engine computes every decision and records it to your Shadow AOP Ledger without enforcing, so the ledger becomes two things: proof of what governance would have caught, and the raw material for your rules. You calibrate until the ledger shows our engine deciding the way you want, then you enforce. Hard limits first; judgment calls can stay in shadow longer.
Execution without keys
Agents hold zero credentials on our platform. A permit returns a decision identifier; a connector executes the action server side with credentials stored on our side, only against a valid permit, and an idempotency key keeps a retry from ever acting twice.
What about hallucinations
We do not claim to stop a model from hallucinating; no one honestly can. We make hallucination powerless. On the response path, every reply is checked against the owner's source of truth: the catalog, the allowed claims, the required disclaimers, deterministically first, then a model layer judging whether the reply is grounded in what the agent actually knows. An invented discount, a fabricated policy, a confident wrong answer: blocked or escalated before a person ever sees it. On the action path, a hallucinated act (the wrong amount, the wrong scope, the wrong system) hits deterministic limits and dies without a permit. Hallucinations happen. On our platform, they do not ship.
What trusting an agent actually requires
Trust here is structural, not emotional. Three properties make it possible to hand an agent real work: it holds zero keys, so it cannot act alone; every consequential act passes our gate, so the rules are enforced, not suggested; and our shadow mode gives you evidence from your own traffic before anything is enforced, so the decision to trust is made on a record, not a demo.
Why the check comes before the action
Recording what happened is observability. Deciding what may happen is governance. Both have a place; only one prevents. The full comparison: /pre-execution-vs-observability.
Where regulation is heading
Regulators on three continents are converging on the same demand: demonstrable control over automated decisions before they act, not forensic logs after. In the EU, high-risk obligations under the AI Act are being finalized through the Digital Omnibus amendments, with enforcement timing that may extend into late 2027. Across Latin America, AI bills and decrees are moving in Brazil, Peru, Colombia, Mexico, and Chile. Our compliance library exists so those obligations arrive as packs you enable, not projects you staff.