Skip to content
vollko
Main
Homepage Engineering Transformation Whitepaper OSS catalog
The trace · deep dives
01 · sense
sensing-ingestion
02 · substrate · memory & identity
knowledge-graphs agent-memory agent-identity observability
03 · cognition · the firm thinks
agent-frameworks orchestration eval-harness protocols
04 · trust + learning
governance feedback-loops
05 · synthesis · one trace
end-to-endStart a conversation
AI-native · substrate

Policy at the gate.

Cedar, OPA, Oso. Every agent action evaluated against rules in the repo - not against words in a prompt.

Start the tour
AGENTwants action POLICY GATECedar / OPA evaluates ALLOW QUEUE DENY every decision logged to episodic with the rule that firedaudit trail = signed actions + policy decisions
Section 01 · the wrong place for safety

Safety in the prompt vs safety at the gate.

prompt asks nicely · gate enforces
IN-PROMPT SAFETY SYSTEM: "Please don't email the customer if amount > $10k without manager approval." prompt injection bypasses this model is asked, not constrained OWASP ASI02 · tool misuse POLICY AT THE GATE "Customer-triage agents maysend emails up to $10,000 - above that, a manager mustapprove before it goes out." enforced at the substrate edge no prompt can bypass it
Prompts are suggestions. Policy gates are walls.
Section 02 · the gate flow

Every action runs through the gate.

action proposal → policy → decision · logged
AGENTproposessend_email($12k) POLICY ENGINEeval rulesCedar / OPA / Oso REPO POLICIESpolicies/ send_email.cedar contracts.cedar DECISION: queueneeds approval >10k APPROVAL QUEUEawait human signalmanager.signoff decision + rule_id + actor + context logged → episodic memory → auditable
No bypass. No "the model decided." Every gate decision is the rule that fired.
Section 03 · the grounding floor

No source, no action.

Bloomberg · every output traces to authoritative data before it can act
MODEL OUTPUT"Stock X up 4%" GROUNDING GATE✓ source cited✓ source ≤ 5 min old✓ source is canonical✓ schema matchall four must pass PROCEEDtool call may executetrace persists REJECTunsourced → droplog + alert SOURCESmarket data feednews terminalinternal analyticsauthoritative DB
A non-negotiable floor. Hallucination is unsourced output. If it cannot cite, it cannot act.
Section 04 · dual-identity propagation

Workload and user. Both stamped.

every call carries two principals - never one
AGENTdraft-botthe AI doing the work acts on behalf of USERLinathe human who asked TWO STAMPS PER CALL STAMP 1 · AGENT draft-bot STAMP 2 · ON BEHALF OF Lina · may draft TOOLverifies BOTHaudits both if either identity is missing → the call drops at the gateway
"The agent did it" is not an audit trail. Who delegated, who acted, what scope - all three, every call.
Section 05 · the authz matrix

Who can call what. IT decides.

IT decides who reaches what · not the agent
WHAT EACH AGENT CAN TOUCH CRM EMAIL PAYMENTS GITHUB Sales agent Finance agent Engineering agent write write - - read only read only write - - - - write every door an agent walks through · opened by IT, not by the model
Each agent gets only the doors IT opens for it.
Section 06 · what a policy looks like

One policy · four moving parts.

one rule, the four moving parts
"customer-triage agents may send emails up to $10,000 - but only to approved domains." WHO customer-triage WHAT send email LIMIT ≤ $10,000 WHERE approved domains any of the four changes · the rule changes · nothing in the prompt versioned in Git · reviewable · provably testable
Same shape as English. No model can negotiate around it.
Section 07 · the kill switch

One flip, agent stops shipping.

per-agent, per-scope, per-action-class · drilled quarterly
ADMIN PANEL cs.triage:v7 [on] finance.close:v3 [on] sales.outreach:v2 [KILLED] POLICY GATE updatesforbid ( principal == Agent:: "sales.outreach:v2", action, resource);all actions denied EFFECT in < 30s· in-flight actions cancel· new attempts denied· queue drained· on-call notified
If you've never run the drill, you don't have a kill switch.
Section 08 · humans at the edges

Two human roles. No middle.

coordination layers compress · ICs and DRIs remain
OLD ORG · Roman legion CEO VPs middle mgmt orders ↓ · info ↑ NEW ORG · brain + edges BRAIN recursive loops IC IC DRI DRI IC DRI middle management eaten by the brain
IC = builder who ships. DRI = single accountable owner. The brain handles coordination.
Section 09 · tools 2026

The OSS picks.

expressive DSL ↑↓ verbose Rego · OSS ←→ SaaS
SaaSOSSexpressive DSLverbose / general CedarAWS-donated · better for agents than Rego OPA / RegoCNCF · general policy-as-code OsoPolar DSL · agent-positioned AWS Bedrock AgentCoreCedar-on-AWS · lock-in Permify (FusionAuth)
Cedar's DSL was designed for authorization, not for generic policy. It shows.
Section 10 · vollko OSS

The primitives.

agent-attestation ☆
cryptographic action receipts · audit-grade
agent-toolprint
DSSE-signed tool-call receipts (ts/py/rs)
mcp-provenance
signed MCP capability declarations
agent-id
DID + capability VC profile
prompt-shield
prompt-injection detector at edge
loop-guardrail
trip when agent loops repetitively
· · ·
Build the AI-native firm
Directory · pick a face
knowledge-graphs
eval-harness
agent-memory
protocols
agent-identity
observability
orchestration
sensing-ingestion
governance
agent-frameworks
feedback-loops
end-to-end
← back to the AI-native organization whitepaper