Assurance Observatory (AO) · the governance half of the platform
Every action an agent takes enters the path and is checked — against its capability, your policy, the live system state, and the task context — then permitted, transformed, or denied, before it executes. In the path. Fail-closed. ~8 ms.
The gate, working
An agent moves to issue a $4,000 refund. Before a cent moves, the action is evaluated in the path — and because it’s over the agent’s approved limit, the gate transforms it into “needs a human’s sign-off” rather than letting it through. Permitted actions flow; risky ones are transformed or denied.
What every action is checked against
Capability (the outcomes this agent is authorized to produce), policy (what’s allowed right now), context (what’s known at this step), and live state (what’s happening across your systems this instant). Fail any one and the action stops.
Every agent action is evaluated across four dimensions. If it fails anywhere, the action stops.
What outcomes this agent is authorized to produce — not a tool list. A multi-tool chain that produces an unauthorized outcome is still a violation.
VerifiedOutcome within authorized scopeWhich business, security, compliance, and budget constraints apply to this action, right now.
VerifiedPolicy allows this actionWhat is known at this point in the workflow — evidence, priors, the agent's read of the task.
VerifiedContext supports the actionWhat is happening across shared systems before the action fires — close-freezes, locks, in-flight writes.
VerifiedSystem state is safeWhat makes it different
Plenty of products claim a “trust layer.” What matters is what the platform actually reasons over — three primitives an examiner can interrogate, and most agent stacks don’t have.
Every privileged operation declares an action class — mutates-state, sends-external, irreversible — and an aggregation rule. Detectors reason about aggregate effect across the call graph, not per agent, per tool.
Each agent declares the outcomes it's authorized to produce — not the tools it may call. The runtime checks whether the aggregated effect of a tool chain fits the profile, so composition violations get caught.
Every event stamps causal_parent_id and delegated_from_id, so the audit trail is a queryable directed graph, not a flat log. Structuring detection, conflict detection, and capability composition all need this.
each edge stamped with confidence delta + causal parent
One gate. Two payoffs.
Same checks, same path, same gate. What each team gets out of it is what differs — so here are both, side by side.
Each permit, transform, or deny the gate makes is cryptographically signed and appended to an immutable, replayable ledger — the attestation your risk, compliance, and audit teams actually need. Reconstruct any decision long after the fact: what the agent was authorized to do, the policy in force, the evidence it saw, and why the gate ruled as it did.
Your agent acts on what it’s confident about and checks with you the moment something falls outside what it knows or what you’ve okayed. It never quietly does the wrong thing — when it’s unsure, it stops and asks instead of guessing. You get an agent that runs on its own, without the worry that it’ll go off and act when it shouldn’t.
Same runtime, solo builder to regulated enterprise — the indie dev who needs their agent to ask before it acts, and the bank that needs every action signed and replayable. One gate, two payoffs.
Watch real actions hit AO in the path, get a verdict in milliseconds, and land in the oversight inbox.
AO governs. Keelson builds. Together they’re the platform.
