The receipt layer before AI consequence.

Your agent proposed
an $8,500 refund.
Who had authority?

Ark Sovereign builds bounded specialist agents for high-risk workflows. Before any AI output creates legal, financial, or operational consequence — a boundary packet is emitted showing what was proposed, what was blocked, and who must decide.

Models compete on intelligence. Apps compete on context. Ark governs the authority boundary between them.

Not a log after the fact. A boundary packet before consequence.
Permits govern action. Packets preserve authority.
10 / 10
Boundary replay cases passed
0
LLM calls in enforcement path
74,934
Replay rows reviewed in offline RobotGov evaluation
false
packet_authorizes_execution — always
Agent Proposal customer-support-agent
action money.issue_refund
amount $8,500.00
customer_account ACC-8821-KX
agent_session_trust SESSION_FULLY_TRUSTED
↓ Ark Sovereign intercepts before execution
Boundary Packet · WalletGov Hashed · Replayable
Enforcement verdict REQUIRE_APPROVAL
reason_code HIGH_VALUE_REFUND · exceeds $5,000 threshold
blocked_claims SESSION_FULLY_TRUSTED · PAYMENT_APPROVED
policy_version sovereign.policy.v2.1
packet_authorizes_execution false
human_operator_handoff true · routed to finance-review-queue
The Risk

"The AI made a mistake"
is not a defense.

In each case below, the company still owns the consequence. The agent's capability does not transfer its authority to act.

A customer-facing agent gives the wrong answer. The company owns the statement.
A support agent triggers the wrong refund. The money moved.
A claims assistant summarizes missing evidence as complete. The gap is still there.
A legal agent suggests language it is not allowed to approve. The document is still signed.
A coding agent calls a tool outside its mandate. The action already ran.
A robot workflow recommends an action under the wrong operating profile. The review record is missing.

A disclaimer does not prove authority. A chat transcript does not prove permission. A log only shows what happened after. A human-in-the-loop claim is weak unless the loop can be reconstructed.

The missing object is the receipt.

— The Ark Packet Answers These Questions Before Consequence Forms
Who requested the action?
What was the agent allowed to access?
What evidence was present?
What policy version applied?
Which claims were unsupported?
Which actions were blocked?
Who had to review?
What remained unauthorized?
Why Logs Are Not Enough

A log tells you what happened.
An Ark packet shows what was allowed.

Most AI governance stops at observability. That is not enough when the output creates legal, financial, operational, or safety consequence.

What logs show
The agent said this.
The tool was called.
The user clicked approve.
The workflow continued.
What Ark packets show
What the agent was allowed to propose
What evidence was available and missing
What policy version applied
What claims were blocked before the output
What actions required human review
What the packet was forbidden to authorize

Ark Sovereign sits before consequence and asks one question: Was this claim or action allowed under the declared authority envelope?

Product Primitive

Two layers of authority.
One unified boundary.

Ark splits the system into two distinct operational layers. Permits govern runtime action; packets preserve replayable authority.

Prompt filters govern input. Gateways govern traffic. Run loops govern process. Ark Sovereign governs consequence boundaries.

Layer 01

The Permit Layer

Acts as the active inline interceptor. Evaluates every proposed action against the declared envelope and returns a deterministic verdict before the tool runs.

Verdict Types
• ALLOW — Within envelope thresholds
• DENY — Prohibited action/path
• REQUIRE_APPROVAL — Escrowed handoff
Layer 02

The Boundary Packet Layer

The replayable packet layer. Logs the complete context, policy parameters, and observed side effects as a SHA-256 hashed record.

Registered Data
• Governed handle & envelope ID
• Deterministic permit verdict
• Zero-operation verification receipt
• Forbidden claims & side-effect flags

"Permits govern action. Packets preserve authority. No LLM in the enforcement path."

Product Primitive: The Ark Authority Envelope fields · specifications
01 — AGENT IDENTITY
Hash of source code/binary, declared capability scope, and target handles.
02 — SESSION PURPOSE
Short-lived task description, execution lifetime, and client metadata context.
03 — ALLOWED TOOLS & ACTIONS
Governed handles and specific tool calls permitted under this session.
04 — SESSION BUDGETS
Resource constraints (tokens, APIs consumed, run duration, loop counts).
05 — BLOCKED CLAIMS
Forbidden assertions (e.g. Exploit confirmed, certified clean, audit complete).
06 — ESCALATION THRESHOLDS
Limits (financial amounts, sensitive files) that trigger mandatory human handoff.
07 — VERIFICATION HANDLE
The destination queue for the human-in-the-loop reviewer when thresholds are crossed or verification fails.
Shadow AI Agents

Shadow agents are not just shadow apps.
They are shadow authority.

An unsanctioned agent can read files, call tools, burn tokens, write logs, invoke APIs, and trigger workflows before security knows it exists.

01 —
The question is not only "which agents are running?"
02 —
What were they allowed to do?
03 —
What did they actually touch?
04 —
What actions were blocked?
05 —
What budget did they consume?
06 —
Can the record be replayed?

MCPGov covers tool/action authority. ResourceGov covers resource and budget drift. ContextGov covers enterprise context authority. All emit replayable packets before consequence forms.

Concrete Scenario

The $8,500 refund.

Same agent. Same tool access. Different outcome when a boundary packet exists before consequence forms.

Without Ark Sovereign
A customer-support agent is asked to resolve a complaint. It reads the account history, summarizes the issue, and decides to call a refund tool for $8,500.

The agent has tool access. The tool call executes. The refund moves.

Later, the company has a log. But the log does not prove the agent was allowed to make that refund.
EXECUTED — no boundary intercepted the consequence
With Ark Sovereign
The same agent proposes the same refund. Before consequence forms, Ark Sovereign creates an action envelope:

agent identity · requesting user · tool name · refund amount · customer account · approval state · policy version · risk class · allowed authority · blocked claims · human handoff

The amount exceeds the approved threshold. The packet blocks the action, records the reason code, and routes the case to a human reviewer.
REQUIRE_APPROVAL — HIGH_VALUE_REFUND · execution paused · packet issued
Bounded Specialist Agents

One architecture.
Different consequences. Same packet discipline.

Ark agents are not general autonomy. Each agent is a specialist review agent for a high-risk surface. Each produces a bounded packet. Each blocks overclaims. Each hands consequence to humans.

All agents: packet_authorizes_execution: false · human_operator_handoff: true · blocked_claims: explicit · audit_hash: replayable

Primary Wedges

Tool-Call Boundary
MCPGov
Reviews proposed MCP and tool calls before data, code, credentials, shell commands, network requests, or APIs are used. Agents see governed handles, not raw tools, paths, or credentials. Ark controls whether a handle can resolve under the current Authority Envelope; unmanaged MCP, raw egress, and outside paths become review targets.
Blocked claims
SESSION_FULLY_TRUSTED
PRODUCTION_SAFE
AGENT_TRUSTED
EXECUTION_AUTHORIZED
Resource Boundary
ResourceGov
Turns botsitting into a packet. Reviews agent sessions against a declared resource envelope: tokens, API calls, CPU, memory, disk writes, network egress, tool loops, duplicate daemons, budget drift.
Blocked claims
RESOURCE_SAFE
COST_WITHIN_BUDGET
BACKGROUND_SAFE
NO_HUMAN_REVIEW_REQUIRED
Claims Review
ClaimsGov
Reviews claim files, policy rules, evidence gaps, conflicts, and decision drift. Emits a replayable claims packet showing what evidence was present, what was missing, what policy applied, and what required human authority.
Blocked claims
PAYMENT_APPROVED
FRAUD_CONFIRMED
CLAIM_CLOSED
HUMAN_REVIEW_REPLACED

Additional Packet Surfaces

Physical AI
RobotGov
Reviews physical-AI action evidence offline under declared operating profiles. Does not control robots, certify safety, or approve deployment. Emits replayable packets for human safety review.
Blocked claims
SAFETY_CERTIFIED
DEPLOYMENT_APPROVED
ROBOT_CONTROL_AUTHORIZED
CRASH_CAUSALITY_PROVEN
Legal Review
LegalGov
Reviews contract redlines and counterparty artifacts for clause drift, orphan obligations, definition conflicts, liability shifts, termination deadlocks, and missing approvals.
Blocked claims
CONTRACT_APPROVED
LEGAL_ADVICE_GIVEN
COMPLIANCE_CLEARED
SIGNATURE_AUTHORIZED
Context Boundary
ContextGov / MemoryGov
Reviews what enterprise context an agent may read, retain, summarize, quote, transmit, or use as evidence before making a claim or calling a tool. Emits context authority packets with governed handles and zero-operation receipts for denied context.
Blocked claims
CONTEXT_ACCESS_AUTHORIZED
SENSITIVE_DATA_SAFE
RAW_PII_SAFE_TO_USE
NO_APPROVAL_REQUIRED
Cyber Triage
Ark Manifold Cyber
Turns AI-assisted cyber findings, bytecode, binaries, traces, CFGs, scanner outputs, SBOMs, and supported source artifacts into bounded review-target packets. Source-optional, not evidence-free.
Blocked claims
CONFIRMED_EXPLOIT
FUNDS_AT_RISK
BOUNTY_READY
AUDIT_COMPLETE
GTM Review
OutreachGov
Turns market signals into claim-safe outreach packets for sales, recruiting, partnerships, and investor relations workflows. Does not authorize send or confirm buyer intent.
Blocked claims
AUTO_SEND_AUTHORIZED
BUYER_INTENT_CONFIRMED
PARTNERSHIP_CONFIRMED
CUSTOMER_VALIDATION_CONFIRMED
Fleet Review
NavGov
Produces controller-independent, time-aware replay witness packets for fleet, mining, CAS, ADAS, telematics, and vehicle intervention review. Does not certify CAS, vehicle safety, route safety, or crash causality.
Blocked claims
CAS_VALIDATED
CRASH_CAUSALITY_PROVEN
VEHICLE_SAFE
ROUTE_SAFE
ClaimsGov · Deep Dive
The evidence boundary
before claims consequence.
A claim file comes in. An adjuster reviews it. An AI agent summarizes it. A policy rule is applied. Evidence is missing. A payment is recommended. A fraud flag is raised. A customer disputes the outcome.

Now the question is not: "Did the AI summarize the file?"

The question is: Can you prove what evidence was present, what was missing, what policy applied, which claims were unsupported, and who had authority to decide?

ClaimsGov creates the missing receipt.
What ClaimsGov blocks
PAYMENT_APPROVED
CLAIM_DENIED
CLAIM_CLOSED
FRAUD_CONFIRMED
POLICY_COMPLIANCE_CONFIRMED
NO_MISSING_EVIDENCE
HUMAN_REVIEW_REPLACED
What the packet shows
Evidence present
Evidence missing
Policy rules implicated
Facts that conflicted
Claims or actions blocked
Decisions requiring human review
What remained unauthorized

ClaimsGov is not claims automation. It is the evidence boundary before claims consequence.

Send Sanitized Claims Sample
Portfolio Map

One authority platform.
Multiple consequence surfaces.

MCPGov is the entry point. Each row below applies the same authority envelope, blocked-claims, human handoff, replayable packet, and packet_authorizes_execution:false discipline to a different surface. Status reflects what is publicly verifiable today, not commercial readiness.

Proof Pack
A live packet plus linked QA, claim-boundary, manifest, and hash evidence.
Synthetic Example
A public sample packet JSON. Useful for inspection, not a customer deployment claim.
Local Evaluation
Offline or local replay evidence is summarized or linked, without a full proof pack.
Early Lane
The boundary is named and scoped, but the public packet evidence is pending.
Surface Boundary Status Blocked claims Checkable artifact
MCPGov Tool-call and governed-handle authority before data, code, credentials, or network actions move. Synthetic example TOOL_SAFE, CREDENTIAL_USE_APPROVED, NO_HUMAN_REVIEW_REQUIRED
ResourceGov Token, API, process, CPU, memory, disk, log, and budget drift for local agent sessions. Synthetic example RESOURCE_SAFE, COST_WITHIN_BUDGET, SYSTEM_SAFE
ClaimsGov Insurance claim evidence, policy-rule gaps, missing documents, conflicts, and decision drift. Early lane PAYMENT_APPROVED, FRAUD_CONFIRMED, CLAIM_CLOSED
ContextGov / MemoryGov Enterprise context access, denied context, approval-required context, retention, quoting, and context-as-evidence claims. Proof pack CONTEXT_ACCESS_AUTHORIZED, RAW_PII_SAFE, NO_APPROVAL_REQUIRED
LegalGov Contract, redline, signature, compliance, enforceability, and legal-advice consequence boundaries. Proof pack LEGAL_ADVICE_PROVIDED, CONTRACT_APPROVED, SIGNATURE_AUTHORIZED
WalletGov / CreditGov / OFAC Payment, transfer, credit-limit, KYC, sanctions-screening, and financial approval boundaries. Proof pack PAYMENT_APPROVED, OFAC_CLEARED, CREDIT_APPROVED
RobotGov Offline physical-AI action review under declared operating profiles and human safety handoff. Local evaluation SAFETY_CERTIFIED, DEPLOYMENT_APPROVED, HUMAN_SAFETY_REVIEW_REPLACED
Ark Manifold Cyber Cyber review-target packets from bytecode, binaries, traces, CFG exports, scanner outputs, SBOMs, and supported source artifacts. Proof pack CONFIRMED_EXPLOIT, AUDIT_COMPLETE, SYSTEM_SECURE
OutreachGov Claim-safe GTM packets for sales, partnerships, recruiting, investor relations, and customer success. Synthetic example BUYER_INTENT_CONFIRMED, AUTO_SEND_AUTHORIZED, BINDING_TERMS_OFFERED
CodeGov Coding-agent actions across shell execution, file patches, dependency installs, deploys, and network movement. Synthetic example PRODUCTION_DEPLOY_APPROVED, FILE_CHANGE_SAFE, NETWORK_EGRESS_SAFE
NavGov Controller-independent, time-aware replay witness packets for fleet, mining, CAS, ADAS, telematics, and vehicle intervention review. Proof pack CAS_VALIDATED, CRASH_CAUSALITY_PROVEN, ROUTE_SAFE

Status taxonomy: Proof pack means a public packet and QA/hash evidence are linked. Synthetic example means a public synthetic packet JSON exists. Local evaluation means offline/local evidence is summarized or linked, but not a full public proof-pack surface. Early lane means public packet evidence is pending.

Packet Anatomy

The packet is the product.

A chat transcript shows what the model said. A log shows what happened. An Ark packet shows what was proposed, what was allowed, what was blocked, and what required human authority before consequence formed.

MCPGov Demo Packet — MCPGOV_DEMO_PACKET_001 packet_id · hashed · replayable
input_hash
16dbe301b4eae493afc5a0f0…
declared_scope
read_only_repo_summary
policy_version
sovereign.policy.v0.1
permitted_calls
call_001: read_file
call_002: read_file
blocked_calls
call_003: run_shell [CRITICAL]
call_004: send_http_post [CRITICAL]
input_taint_paths
call_004 · agent_inferred · CRITICAL
blocked_claims
SESSION_FULLY_TRUSTED
PRODUCTION_SAFE
AGENT_TRUSTED
authority_scope_flags
shell.exec requested [CRITICAL]
network.write requested [CRITICAL]
reason_codes
SCOPE_EXCEEDED · TAINT_DETECTED
packet_authorizes_execution
false
human_operator_handoff
true
audit_hash
579ee42a41473fd5453d162e…
MCPGov / CodeGov Example

A weather request should not become package installation authority.

This packet shows an MCP/tool-loop escalation where a read-only weather lookup attempts to become package installation, local binary execution, network fetch, filesystem, or credential authority. Ark treats that as authority laundering through the tool loop.

Without authority boundary
A trusted agent receives untrusted MCP/tool output. A fallback suggestion becomes an install path. A weather lookup crosses from information retrieval into local execution.
SCOPE_ESCALATION — tool output treated as permission
With MCPGov + CodeGov
The original envelope remains read_only_weather_lookup. Package install and local execution are denied, a zero-operation receipt is emitted, and no external side effect occurs.
DENY — zero_operation_receipt:true · packet_authorizes_execution:false
Tool output is data. It should not become permission.
The MCP server may return weather data. It may not expand the agent's execution authority.
Enforcement Proof

Policy decides. Not the model.

Ark Sovereign does not ask one model to supervise another. The enforcement path is deterministic. Same inputs. Same policy. Same verdict. Same hash.

ActionVerdictReason
code_safe_patchALLOWWithin declared scope · no approval required
money_high_value_refundREQUIRE_APPROVALExceeds $5,000 threshold · human approval required
code_prod_deployREQUIRE_APPROVALProduction path requires explicit approval
mcp_tool_poisoningDENYTool signature invalid · tool poisoning pattern
mcp_shadow_serverDENYShadow server detected · unsigned tool rejected
channel_external_writeREQUIRE_APPROVALExternal channel write · approval required
unknown_agent_deployREQUIRE_APPROVALUnknown agent identity · deployment paused

Deterministic replay evidence only. Not a security certification, pen test, legal opinion, safety certification, or deployment approval.

Artifacts & Samples

Packets, segment packs, proof matrices, and replay pages.

The redesign is only useful if the proof objects are inspectable. These are the current public paths into the packet evidence, deterministic replay matrices, segment packs, and domain pages.

Interactive Demo
Ark Authority Arena
Same agent, same prompt, same tool access. Without Ark, consequence forms. With Ark, the packet blocks, routes, and preserves evidence.
Authority Primitive
Authority Envelope Builder
Static builder for declaring what an agent may request: tools, actions, resources, budgets, claims, credential handles, thresholds, handoff, and fail-closed rules.
Operating Surface
Boundary Console
Console mockup for permits, denials, approval queues, blocked claims, governed handles, zero-operation receipts, human handoff, and replayable hashes.
Category Positioning
Authority Packets vs Dashboards
Comparison page showing the difference between prompt filters, model judges, observability, logs, runtime policy engines, and replayable authority packets.
Context Boundary
ContextGov boundary envelope demo
Demo showing governed enterprise context handles, allowed/denied context, approval-required context, zero-operation receipt, blocked claims, and packet_authorizes_execution:false.
Cyber Boundary
Ark Manifold Cyber review packet
Source-optional bounded cyber review-target packet. Blocks exploit, funds-at-risk, bounty, audit-complete, patch-verified, compromise, and system-secure claims.
Legal + Financial Boundary
LegalGov + WalletGov packet examples
Contract-review and suspicious transaction examples showing legal, payment, credit, sanctions, and compliance consequence boundaries without approving outcomes.
Portfolio Index
Bounded agent segment replay index
Packet index for MCPGov, RobotGov, ResourceGov, LegalGov, OutreachGov, Ark Manifold Cyber, and related surfaces.
Lead Wedge
MCPGov runtime replay pack
Multi-agent runtime replay pack for MCP and tool-call boundaries, including verdict counts, reason codes, controls, and audit hashes.
Authority Laundering
Weather-to-install escalation packet
MCPGov / CodeGov synthetic packet showing a read-only weather lookup denied when untrusted tool output attempts package installation and local execution authority.
Resource Boundary
ResourceGov local agent packet
Local-first agent resource boundary packet for token/API/process/resource authority. Blocks malware, safety, EDR, and budget-certainty overclaims.
Internal GTM Boundary
OutreachGov GTM boundary packet
Claim-safe outreach packet surface for high-trust B2B GTM. It does not send messages, confirm buyer intent, or authorize public commitments.
Money Boundary
WalletGov fintech replay pack
Money-action and MCP payment-tool examples with approval thresholds, DENY/ALLOW/REQUIRE_APPROVAL verdicts, and audit hashes.
Engineering Boundary
CodeGov engineering replay pack
Coding-agent action examples across shell execution, file patching, dependency installs, production deploy, network exfiltration, and policy controls.
Fleet Witness Boundary
NavGov replay witness packet
Synthetic CAS / fleet intervention packet with time-sync status, controller-independent capture, raw signal hashes, missing context, and blocked safety or causality claims.
Deterministic Proof
Governor proof matrix
Representative action-governor proof matrix. Same policy plus same event produces the same verdict, controls, reason codes, and audit hash.
Logos Layer
Ark Logos proof matrix
Synthetic rulebook-validation matrix for the deterministic judgment engine beneath Ark Sovereign and ClaimsGov/LegalGov-style workflows.
Domain Pages
Manifold, RobotGov, Logos, Segment Replays
Dedicated pages remain available for deeper review of cyber topology, physical-AI action review, deterministic judgment, and replay examples.
Public boundary: these artifacts support bounded review and deterministic replay claims only. They do not certify endpoint safety, prove legal compliance, approve payments, confirm fraud, prove exploitability, approve deployment, or replace human review.
A capable agent is not a trusted agent.
A valid session is not blanket authority.
A tool being available does not mean the action is allowed.
A fluent explanation is not authority.
A caveat is not permission.
A review packet is not permission to execute.
Phase 0 Evaluation

Send sanitized traces.
Get replayable boundary packets.

Send 5–20 sanitized agent action traces, MCP/tool logs, claims workflow examples, legal redline artifacts, resource-session traces, or physical-AI replay rows. No credentials, production access, or source secrets required.

01
Send sanitized traces. MCP/tool logs, claims workflows, legal artifacts, resource traces, or physical-AI replay rows. Sanitized inputs accepted.
02
Ark maps them into domain packets. Blocked claims, reason codes, human handoff, and canonical audit hashes.
03
You receive the boundary. What was proposed, what policy applied, what was blocked, what required human review, what the packet was forbidden to claim.
04
If useful, we scope Phase 1 around one lead wedge agent for your workflow.