Loading…
Execution Protocol
A deterministic boundary the model cannot reach. A signed receipt for every outcome — including the ones that didn't happen.
Credentials never reach the agent. Boundary decisions are outside model control. Receipts are offline-verifiable and survive the systems that produced them.
Open specification · CC BY 4.0
Deterministic execution pipeline
8 steps
AGENT: Flight JFK → LAX
Authorized Limit $1,000
The gap
Agent execution layer
Natural language converted to a structured message
Pre-commit policy evaluated at the Authorization Boundary
Once-only execution; commit and authorization separated
Hash-chained, KMS-signed, verifiable offline
Capabilities
One structured intent in, one terminal outcome out. No multi-turn handshake, no session state, no orchestration framework wrapped around the request.
Natural language is converted to a structured message before policy evaluation. The LLM never reaches the authorization path.
Incomplete inputs receive a machine-readable completion response, not an error. The agent fixes and resubmits as a fresh interaction. No rejection path, no error-code maze.
Pre-commit policy evaluated against the structured request. Hard-deny list, scoped delegation bounds, approval-chain routing.
Execute, refuse, block — every terminal state ends with a hash-chained, KMS-signed receipt that any third party can verify offline against the public key.
PANs and CVVs are refused at the input boundary. Only tokenised payment-intent IDs from PSP-controlled flows cross. Whether this reduces a merchant’s PCI scope depends on the full payment architecture and the merchant’s QSA assessment.
Use cases
Every agent action falls into one of these. The demo walks through each with a concrete example.
Payment & commerce
An agent attempts a payment above the authorised cap. The boundary blocks before any provider call. One click lifts the cap and the action commits — both the block and the booking signed. Same shape for trades, transfers, refunds, payroll, invoice settlement.
Infrastructure actions
An agent attempts a privileged change. The boundary blocks pending admin grant. The admin approves out-of-band — narrow, time-bound, single-use. The change commits under that grant; everything signed. Same shape for config writes, deployments, IAM updates, secret rotation.
Content & communications
An agent attempts to send, publish, or modify content. The boundary blocks access outside the authorised scope — wrong recipient, wrong document, beyond a rate cap. Block and recovery are both signed. Same shape for emails, legal drafts, marketing copy, press releases, customer comms, regulatory filings.
Industries
Any industry where regulators require evidence, auditors require proof, or post-mortems require a chain of authority.
Finance
Trades, transfers, payments — signed evidence per transaction.
Insurance
Claims and coverage decisions — every denial signed and verifiable.
Healthcare
Clinical decisions and EHR writes — audit chain per agent action.
Legal
Contract drafts, filings, document review — attorney-traceable evidence.
Capital markets
Best-execution decisions, order routing — chain-walkable audit trail.
Pharma & clinical trials
Adverse-event recording, enrollment decisions — tamper-evident logs.
Cybersecurity
Incident response, credential revocation, isolation — post-mortem ready.
Identity & KYC
Verification decisions, sanctions screening — signed decision chain.
Tax & audit
Filing classifications, deduction decisions — evidence trail per action.
HR & people ops
Hiring, terminations, leave decisions — defensible evidence per decision.
Energy & carbon
Grid dispatch, carbon-credit trading — verifiable per-decision evidence.
Public sector AI
High-risk AI logs — tamper-evident, signed, offline-verifiable.
Every outcome leaves a record
The protocol committed the action. The receipt records the committed state, the full pipeline audit chain, and the signed proof of commitment.
The input did not satisfy the schema. The receipt records which fields were missing and the candidate values to complete them. The agent resubmits a corrected message in a fresh interaction — the protocol prohibits rejection.
A boundary or delegation rule fired before commit. The receipt is still signed and audit-chained — the proof that the gateway blocked, not lost the request.
Where it fits
Discovery and message-passing are solved problems. What happens between intent and outcome — authorization, policy, proof — is not.
This compares native protocol primitives, not what you can layer on top. A REST API can be wrapped in middleware that signs responses or enforces policy — that doesn’t make signing or policy a REST primitive. The question is what the protocol itself contracts for.
| Capability | Execution | A2A | MCP | ACP | REST |
|---|---|---|---|---|---|
| Pre-commit policy primitive | |||||
| Signed-receipt primitive | |||||
| Scoped-delegation primitive | |||||
| Hash-chain audit primitive | |||||
| Tool-discovery primitive | |||||
| Multi-agent-communication primitive | |||||
| Stateless-request constraint |
Architectural position
Models generate intentions. Execution Protocol turns intentions into actions, with proof.
Open specification, protected implementation. The message format, receipt schema, and verification rules are public. The gateway and policy engine that run them are built on filed patents covering deterministic agent authorization.
Why it matters
For CTOs
For CISOs and security teams
Read the spec. Run the sandbox. Ship safer agents in production.