Proof of Enforcement

Traditional controls establish that an actor may access a system. Autonomous agents can satisfy these controls and still perform actions outside the principal’s delegation, or cross a consequence boundary the policy would never allow. Compliance at the access layer does not imply authorisation at the action level.

The distinction becomes clear when the same workflow moves from local access to external disclosure and downstream financial effect.

The request

Consider an insurance claims agent acting under delegated authority to process a claim and issue a refund if valid. The workflow is ordinary. The consequences are not flat.

Three steps are fixed by that delegation: the agent is fully authorised to read the claimant record, run an approved risk model, and issue a refund within the delegated limit. Fraud review is different. The agent may decide to send claim data for fraud review, but only to approved fraud partners, so the selected fraud partner must itself fall within the delegation. Authority also resolves consequence topology: reading a record, sending data externally, running a model, and issuing a refund do not carry the same reversibility, persistence, or propagation risk.

STEP 1 | Read Claimant Record | full_name, date_of_birth, policy_number
STEP 2 | Send Claim For Fraud Review | transmit to unapproved fraud partner
STEP 3 | Run Risk Model | run approved risk calculation
STEP 4 | Issue Refund | refund.issue within delegated limit

The agent begins execution. Each consequential action is evaluated against delegated authority and resolved consequence context before it runs.

The decision

Step 1 passes because reading the claimant record is fully authorised for this claim and remains inside the governed system. Step 2 is different: its outcome depends on the agent's runtime choice and crosses an external disclosure boundary. In a fixed workflow, the fraud-review target would be predefined and predictable, so this step would resolve the same way every time. In an autonomous system, the agent may select a fraud partner at runtime. If it selects a partner outside the approved set, the action falls outside delegated authority and crosses a consequence boundary the policy does not admit. The decision resolves to DENY.

Authorisation decisions
STEP 1 | READ CLAIMANT RECORD | ALLOW | authorised — internal read, reversible handling, policy and delegation satisfied
STEP 2 | SEND CLAIM FOR FRAUD REVIEW | DENY | vendor reachable, but external disclosure would bind outside the approved consequence boundary
STEP 3 | RUN RISK MODEL | NOT REACHED | sequence terminated — no downstream computation after external-send denial
STEP 4 | ISSUE REFUND | NOT REACHED | sequence terminated — no financial transaction after external-send denial

Authority catches the mismatch between the selected fraud partner and the approved set before data leaves the system. The unauthorised fraud-review request does not execute, so the risk model and refund never occur. Every decision is recorded together with the delegation trace and consequence context that led to it.
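The decision sequence above can be sketched as a small per-action evaluator. This is an added example, not Ambit Authority's code: the action names, delegation fields, partner identifiers, and boundary labels are all hypothetical, chosen to mirror the four steps of the claims workflow.

```python
from dataclasses import dataclass

# Constructed delegation and workflow; every name and value here is hypothetical.
DELEGATION = {
    "principal": "claims-manager", "agent": "claims-agent", "claim_id": "CLM-EXAMPLE-1",
    "approved_fraud_partners": {"partner-a", "partner-b"},
    "approved_model": "risk-v1", "refund_limit": 500,
}
WORKFLOW = [
    ("record.read", {"claim_id": "CLM-EXAMPLE-1"}),
    ("fraud_review.send", {"partner": "partner-x"}),  # runtime choice outside the approved set
    ("risk_model.run", {"model": "risk-v1"}),
    ("refund.issue", {"amount": 120}),
]

@dataclass(frozen=True)
class Decision:
    step: int
    action: str
    outcome: str   # ALLOW, DENY or NOT_REACHED
    boundary: str  # resolved consequence context
    trace: str     # delegation trace: who delegated what to whom

def evaluate(action, params, grant):
    """Resolve the consequence boundary and check the action against the delegation."""
    if action == "record.read":
        return params.get("claim_id") == grant["claim_id"], "internal"
    if action == "fraud_review.send":
        return params.get("partner") in grant["approved_fraud_partners"], "external_disclosure"
    if action == "risk_model.run":
        return params.get("model") == grant["approved_model"], "internal"
    if action == "refund.issue":
        amount = params.get("amount")
        in_limit = isinstance(amount, (int, float)) and 0 < amount <= grant["refund_limit"]
        return in_limit, "financial"
    return False, "unknown"  # fail closed: actions the delegation does not name are denied

def run_sequence(steps, grant):
    """Evaluate each step before it would run; the first DENY terminates the sequence."""
    trace = f'{grant["principal"]} -> {grant["agent"]} for {grant["claim_id"]}'
    log, halted = [], False
    for n, (action, params) in enumerate(steps, start=1):
        if halted:
            log.append(Decision(n, action, "NOT_REACHED", "unresolved", trace))
            continue
        allowed, boundary = evaluate(action, params, grant)
        log.append(Decision(n, action, "ALLOW" if allowed else "DENY", boundary, trace))
        halted = not allowed  # an enforcement point would execute the action only on ALLOW
    return log
```

Running `run_sequence(WORKFLOW, DELEGATION)` yields ALLOW, DENY, NOT_REACHED, NOT_REACHED, with every record carrying the same delegation trace and the boundary resolved for that step.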

The outcome

Every decision is recorded with the delegation trace and resolved consequence context, so the system can prove not only why an action was denied, but also why another action with a different consequence boundary was allowed.

What was prevented

No unauthorised external disclosure occurred
No downstream computation executed
No downstream transaction was committed

What the system can prove

The authorised action was within delegated scope
The unauthorised action fell outside delegated scope
The external disclosure boundary was resolved before execution
Each decision is linked to the delegation trace and consequence context

Ambit Authority proves what a principal authorised, what consequence boundary the action would cross, and what the agent was never authorised to do.