Deterministic agent control plane

The model is probabilistic. The control plane is not.

Ark Sovereign evaluates action envelopes against explicit policy before tools execute — deterministically, with no LLM in the enforcement path. Execution control for AI agents that write code, move value, execute MCP tools, or touch production.

ark-sovereign — enforcement proof matrix
node demos/run_governor_proof_matrix.mjs
"pass_count": 10,
"fail_count": 0,
"llm_calls_in_enforcement_path": 0
code_safe_patch: ALLOW
code_secret_exfil: DENY
code_prod_deploy: REQUIRE_APPROVAL
mcp_tool_poisoning: DENY
mcp_owasp_shadow_server: DENY
mcp_owasp_unsigned_tool: DENY
mcp_owasp_no_telemetry: DENY
wallet_public_reply_transfer: DENY
channel_github_issue_patch: REQUIRE_APPROVAL
handoff_unknown_agent_deploy: REQUIRE_APPROVAL

Proof matrix pass rate: 10 / 10
LLM calls in enforcement path: 0
Deterministic replay cases: 67
Clean legitimate allow rate: 1.0
Deterministic replay evidence only. Not a security certification, pen test, red team report, or deployment guarantee.

Seven layers. One enforcement boundary.

Each governor targets a distinct attack surface in the AI-agent execution stack. No LLM in the permit/deny path.

GOV-01
Agent Governor CORE
Policy gateway for agent actions. Emits ALLOW, REQUIRE_APPROVAL, or DENY with deterministic reason codes before any tool executes.
GOV-02
ToolCall Firewall
MCP and API tool preflight: server allowlists, signed schemas, telemetry requirements, argument controls, and poisoning checks.
GOV-03
CodeGov
Controls file writes, shell execution, dependency installs, deploys, protected paths, and secret-exfiltration attempts.
GOV-04
WalletGov VALUE
Controls AI-wallet and payment-like actions with value thresholds, approval gates, destination policy, and audit evidence.
GOV-05
Audit Ledger
Replayable decision records with deterministic hashes that bind policy, action, verdict, and reason codes into a tamper-evident trail.
GOV-06
Rollback Planner
For blocked or paused actions, emits containment controls and a safe retry path for common failure modes.
GOV-07
Policy Packs
Reviewable policy packs for engineering, security, compliance, MCP, wallet, and agent-handoff workflows. Human-readable. Version-controlled.
Input
action_envelope.json
action: code_secret_exfil
source: untrusted_channel
tool: shell_exec
path: /etc/secrets
network: external
trust: 0.12
policy_json
shell_exec: DENY
secret_paths: blocked
trust_floor: 0.5
0 LLM calls in enforcement path — policy decides, not a model
Output
verdict
audit_hash
deterministic · replayable
same inputs → same verdict · same hash

Input → verdict. No model in the middle.

Ark Sovereign replays structured action envelopes through deterministic policy. The enforcement proof is reproducible from the same inputs every time.

What goes in
policy_json — reviewable, version-controlled, human-readable rules
event_json action envelope — structured representation of the agent's intended action
reason predicates — explicit conditions evaluated in sequence
tool call arguments — value, destination, file path, deploy target
What comes out
ALLOW / REQUIRE_APPROVAL / DENY
reason_codes + controls
deterministic audit hash — same inputs, same hash, every time
containment controls if blocked · safe retry path if applicable
enforcement_path.mjs — no LLM
input
action_envelope + policy_json
trust_score · tool · path · value · source · network
deterministic policy evaluation
predicate cascade — no LLM call
trust check → source check → tool check → path check → value check → impact check
ALLOW
tool call executes · audit record emitted
or
REQUIRE_APPROVAL
execution paused · approval request emitted · safe retry path
or
DENY
no tool call emitted · containment controls · reason codes + audit hash
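
The evaluation flow described above, as an added example that is not Ark Sovereign's code: an ordered predicate cascade that returns a verdict, reason codes, and a SHA-256 audit hash over a canonical serialization of policy, action, verdict, and reasons. The verdict names and reason-code labels come from this page; the envelope fields, policy keys, and the condition attached to each reason code are assumptions, and only a subset of the listed checks is implemented.

```javascript
// Added illustration: field names, policy keys and trigger conditions are assumptions.
const { createHash } = require('node:crypto');

// Canonical JSON: keys sorted recursively, so equal inputs always serialize identically.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort().map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  return JSON.stringify(v);
}

// Ordered predicate cascade; each entry returns [verdict, reasonCode] or null.
// A missing or non-numeric trust fails the >= test, so the action is denied (fail closed).
const PREDICATES = [
  (a, p) => !(a.trust >= p.trust_floor) ? ['DENY', 'LOW_TRUST_SOURCE_FOR_ACTION'] : null,
  (a, p) => p.denied_tools.includes(a.tool) ? ['DENY', 'DANGEROUS_SHELL'] : null,
  (a, p) => a.path && p.secret_paths.some(s => a.path === s || a.path.startsWith(s + '/'))
    && a.network === 'external' ? ['DENY', 'SECRET_EXFIL_ATTEMPT'] : null,
  (a, p) => (a.value ?? 0) > p.max_autonomous_value ? ['DENY', 'VALUE_LIMIT_EXCEEDED'] : null,
  (a, p) => p.high_impact_actions.includes(a.action)
    ? ['REQUIRE_APPROVAL', 'HIGH_IMPACT_ACTION_REQUIRES_APPROVAL'] : null,
];
const RANK = { ALLOW: 0, REQUIRE_APPROVAL: 1, DENY: 2 };

function evaluate(action, policy) {
  let verdict = 'ALLOW';
  const reason_codes = [];
  for (const pred of PREDICATES) {   // every predicate runs, so the reason list is complete
    const hit = pred(action, policy);
    if (!hit) continue;
    if (RANK[hit[0]] > RANK[verdict]) verdict = hit[0];   // strictest verdict wins
    reason_codes.push(hit[1]);
  }
  if (reason_codes.length === 0) reason_codes.push('POLICY_MATCH');
  // The hash binds policy, action, verdict and reason codes into one replayable record.
  const audit_hash = createHash('sha256')
    .update(canonical({ action, policy, reason_codes, verdict })).digest('hex');
  return { verdict, reason_codes, audit_hash };
}

// Constructed sample inputs (not taken from the product's replay pack).
const POLICY = { trust_floor: 0.5, denied_tools: ['shell_exec'], secret_paths: ['/etc/secrets'],
  max_autonomous_value: 100, high_impact_actions: ['code_prod_deploy'] };
const EXFIL = { action: 'code_secret_exfil', source: 'untrusted_channel', tool: 'shell_exec',
  path: '/etc/secrets', network: 'external', trust: 0.12 };
const DEPLOY = { action: 'code_prod_deploy', source: 'ci', tool: 'deploy', trust: 0.9 };
const SAFE = { action: 'code_safe_patch', source: 'ci', tool: 'file_write',
  path: '/repo/src/a.js', network: 'none', trust: 0.9 };
```

Hashing the canonical form rather than raw `JSON.stringify` output is what keeps the audit hash stable when the same envelope arrives with its keys in a different order.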

67 replay cases. 3 buyer segments. 0 LLM calls.

The 10-case table below is the public sampler. The enterprise proof pack contains 67 deterministic replay cases across WalletGov, CodeGov, and MCPGov, with a clean legitimate allow rate of 1.0.

| Action Envelope | What It Proves | Verdict | Reason Codes |
| --- | --- | --- | --- |
| Code Safe Patch | Safe coding-agent patch inside approved repo root. | ALLOW | POLICY_MATCH |
| Code Secret Exfil | Secret exfiltration through shell command. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, DANGEROUS_SHELL, SECRET_EXFIL_ATTEMPT, NETWORK_ACCESS_REQUIRES_APPROVAL |
| Code Prod Deploy | Production deploy requires human approval. | REQUIRE_APPROVAL | HIGH_IMPACT_ACTION_REQUIRES_APPROVAL |
| MCP Tool Poisoning | Poisoned MCP tool description or result is blocked. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, MCP_TOOL_POISONING_PATTERN |
| MCP OWASP Shadow Server | Unapproved MCP server is blocked. | DENY | MCP_SERVER_NOT_APPROVED |
| MCP OWASP Unsigned Tool | Unsigned tool schema is blocked. | DENY | UNSIGNED_TOOL_SCHEMA |
| MCP OWASP No Telemetry | Required telemetry missing for governed action. | DENY | TELEMETRY_REQUIRED |
| Wallet Public Reply Transfer | Wallet-like value transfer exceeds autonomous value policy. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, VALUE_LIMIT_EXCEEDED |
| Channel GitHub Issue Patch | Untrusted channel-origin code patch requires approval. | REQUIRE_APPROVAL | CHANNEL_ORIGIN_REQUIRES_APPROVAL |
| Handoff Unknown Agent Deploy | Unknown agent handoff before deploy requires approval. | REQUIRE_APPROVAL | UNKNOWN_AGENT_IN_HANDOFF_CHAIN, HANDOFF_REQUIRES_APPROVAL_FOR_EXECUTION, HIGH_IMPACT_ACTION_REQUIRES_APPROVAL |

67 replay cases. 3 buyer segments. 0 LLM calls.

Buyer-specific proof across the three agent surfaces enterprise teams ask about first. Every verdict is deterministic, replayable, and generated with zero LLM calls in the enforcement path.

WALLETGOV_FINTECH
WalletGov / Agentic Payments
Fintech security, payments platform, wallet automation, treasury operations
Cases: 25
ALLOW: 12
REQUIRE_APPROVAL: 2
DENY: 11
Clean legitimate allow rate: 1.0
CODEGOV_ENGINEERING
CodeGov / Agentic Software Engineering
VP Engineering, platform engineering, DevSecOps, regulated software teams
Cases: 24
ALLOW: 12
REQUIRE_APPROVAL: 6
DENY: 6
Clean legitimate allow rate: 1.0
MCPGOV_RUNTIME
MCPGov / Multi-Agent Runtime
AI platform security, MCP operators, multi-agent orchestration teams
Cases: 18
ALLOW: 4
REQUIRE_APPROVAL: 4
DENY: 10
Block or approval gate rate: 78%
Clean legitimate allow rate: 1.0
Do not evaluate Ark Sovereign from the 10-case sampler alone. The full replay pack shows realistic buyer workflows with a clean legitimate allow rate of 1.0 across all 67 cases.
Physical AI private preview
RobotGov gates motion authority.
Not conversations.

RobotGov extends the same deterministic control-plane pattern to embodied AI: mobile robots, manipulators, humanoids, UAVs, and UGVs. It evaluates physical action envelopes before motion authority is granted.

Authorization rows: 74,934
Row allow rate: 89.71%
Row gate rate: 10.29%
LLM calls in enforcement path: 0
Operating profile matrix
| Profile | Purpose | Min human dist | HSR max speed | Jackal max speed |
| --- | --- | --- | --- | --- |
| industrial_strict | Warehouse, factory, high-throughput | 1.2 m | 0.8 m/s | 1.2 m/s |
| collaborative_lab | Human-robot proximity, lab settings | 0.5 m | 0.6 m/s | 0.8 m/s |
| handover_mode | Explicit close interaction | 0.35 m | 0.4 m/s | 0.5 m/s |
dataset-backed replay summary
Dataset: NavWareSet
Profile cases: 30
Auth rows: 74,934
Capture rate: 1.0
Report SHA-256: c490751a590ddc851399c4640c6744f0d7c8ce075d6f5373c9773d488f0fcacc
This preview uses public NavWareSet social-navigation pose traces. Proximity-boundary replay evidence only — not functional-safety certification, flight certification, production deployment approval, or an incident log.
Legal structure private preview
LegalGov maps contract structure.
It does not replace counsel.

LegalGov converts contracts, amendments, and obligation workflows into clause graphs, then surfaces structural review targets: unresolved references, amendment and override edges, exception paths, obligation cycles, orphaned liabilities, and structural drift.

Evaluator packet: v0.2
Controlled-demo risk score: 100
Triggered rules: 5
LLM calls in verdict path: 0
Structure triage lanes
| Lane | Review target | Verdict effect |
| --- | --- | --- |
| LG-B1-001 | Obligation deadlocks / cycles | DENY |
| LG-REF-001 | Unresolved clause references | REVIEW |
| LG-AMEND-001 | Amendment, override, supersession, voiding, contradiction edges | REVIEW |
| LG-DRIFT-001 | Sector-level topology drift | REVIEW |
| LG-EXC-001 | New exception paths | REVIEW |
controlled-demo summary
Packet: LEGALGOV_STRUCTURE_TRIAGE_v0.2
Verdict: DENY
Flags: 5
Tests: passing
Certificate SHA-256: c5969bca1af3954e95c7126f3c11009e8806806c25e78f2243fd94c4b944e96b
LegalGov is deterministic legal-structure triage only. It is not legal advice, attorney review, enforceability certification, litigation-risk analysis, or approval-path completion.

Send logs. Get verdicts.

Send 5 to 20 sanitized AI-agent action logs. We map them into the action-envelope schema and return deterministic verdicts, policy gaps, reason codes, and a Phase 1 integration plan.

01
Send sanitized logs
5 to 20 agent action logs. No credentials, source code, production access, secrets, or internal prompts required.
02
Schema mapping
We map your logs into the action-envelope schema and identify relevant governor surfaces.
03
Deterministic verdicts
Every result has policy source, verdict, reason codes, controls, and audit hash.
04
Phase 1 integration plan
Policy gaps identified. Integration path scoped. Clear boundary: we govern execution, not conversation style.
No credentials required SAFE
No production access, source code, secrets, or internal prompts. Sanitized action logs only.
Replayable evidence
Every result has policy source, verdict, reason codes, controls, and audit hash. Deterministic from the same inputs.
Clear enforcement boundary
We do not ask a second model to decide whether the first model is safe. Policy decides whether the action executes.
0 LLM calls in path DETERMINISTIC
The permit/deny decision is made entirely by deterministic policy evaluation.