Request Access

Ambit Authority

Ambit Authority enforces a deterministic governance decision at the action boundary — before any consequential action commits. Every evaluation is a pure function of policy, delegation, and action context: identical inputs produce identical decisions and byte-identical evidence records.

Execution (Action) Boundary
The point at which a proposed action would commit a state change to an external system. At this boundary, a deterministic authorisation decision must be made before the action is allowed to execute.

The execution boundary is the commit point — actions are applied to external state only after successful authorisation.

No consequential action executes without a deterministic authorisation decision and an evidence record.

This is not monitoring. It is not observability. It is enforcement — evaluated and recorded before the action takes effect.

Authority is cross-runtime by default. Enterprises run multiple agent runtimes, model providers, and toolchains; governance tied to a single vendor or a single runtime produces inconsistent decisions and inconsistent evidence.

Decision Outcomes

Every evaluation produces one of three outcomes:

ALLOW
The action proceeds. The decision and its basis are recorded.
DENY
The action is blocked. The decision and its basis are recorded.
ESCALATE
The action is held pending human approval. The approver receives full context: what is being requested, by whom, under which policy, and what the expected downstream action will be.

Decision precedence is strict: DENY overrides ESCALATE, ESCALATE overrides ALLOW. Governance is conservative by default.

Escalation is proportional friction — reserved for high-impact or ambiguous actions. The goal is not to block autonomy; it is to make delegation defensible without creating an approval queue that grows without bound.

How Decisions Are Made

Authorisation is a deterministic function of policy, delegation, and evaluation context. Every decision is evaluated against two inputs: organisational policy and delegated authority.

Receive Request

An autonomous system requests to execute an action (send message, write data, transfer funds, modify infrastructure).

Evaluate Policy

Authority checks: is there a valid delegation? Does policy permit this action? Both must be satisfied. A valid delegation does not override policy. A permissive policy does not substitute for delegation.

Render Decision

Authority produces one outcome: ALLOW (action proceeds), DENY (action blocked), or ESCALATE (human approval required). Decision precedence is strict: DENY overrides ESCALATE, ESCALATE overrides ALLOW.

Record Evidence

Before the action executes, an evidence record is committed to the append-only decision ledger: what was requested, by whom, under which policy, with what outcome, and why.

Enforcement Architecture

Authority's enforcement guarantees are structural, not behavioural. They follow from where Authority sits in the execution path and how it integrates with downstream systems — not from runtime configuration or application-level conventions. Four properties define the architecture.

Consequence-Path Placement

Authority sits on the consequence path — the execution path between intent and side effect. The runtime does not choose whether to call Authority; the execution path is constructed so that it passes through it. Bypass requires modifying infrastructure configuration, not application code — an auditable operational change.

The Choke-Point Guarantee

Authority is not an interceptor that should be called. It is a choke point that must be called — because the path to consequence does not exist without it. In consequence-side deployment, the downstream system (database, API, service) cannot be reached without passing through Authority. The alternative is not "skip governance" — it is "change the infrastructure."

Evidence Gaps as Governance Failure

Every governed action produces an evidence record. If an action executes outside Authority: no decision exists, no evidence record exists, no hash chain entry exists. A state change without a corresponding decision is an observable governance failure. Bypass produces absence, and absence is detectable. Observatory performs independent completeness verification against the decision ledger.

What Authority Does Not Guarantee

Authority does not claim: prevention under full host compromise; control over systems outside the configured boundary; correctness of model reasoning; protection against denial of service (it fails closed — unavailability produces DENY, not bypass). It governs execution authority, not intent. Full threat model is in Technical Foundations.

If a state change occurs, a governance decision exists. If no governance decision exists, the state change did not pass through the governed system.

In practice, this means Authority sits between the agent and the downstream system. The agent submits intent; Authority evaluates policy and delegation, renders a decision, and commits the evidence record before the action reaches the tool or API. There is no direct path.

Decision Evidence Record Example

The example below shows the fields captured for a single decision, including policy hash, delegation state, evaluation timing, and an integrity signature. Values are synthetic and illustrative. Operational evidence records also include additional contract-reference metadata that binds each decision to the exact governance contract in effect at decision time.

Action Requested
The consequential operation that was requested, with its content hash for verification.
Actor
The principal and target of the action.
Policy Version
The policy that was evaluated, referenced by version and content hash.
Decision Evidence Record Example
decision_id
7f2a91c3-4e8b-4a2f-9d1c-6b3e8f0a2d5e
timestamp
2026-01-15T09:23:41.127Z
policy_eval
0.08 ms
governance
0.26 ms
action
data.provision
action_hash
sha256:e3b0c44298fc1c14…
principal
ops-agent-03
target
staging-db-07
policy
org/platform/data-provision-v2
policy_hash
sha256:a1b2c3d4e5f67890…
delegation_id
del-8k3m-9n2p
delegation_valid
2026-01-10T00:00Z → 2026-02-10T00:00Z
delegation_scope
data.provision — staging only, no production sources
decision
ALLOW
basis
Policy match: data.provision permitted under org/platform/data-provision-v2. Delegation valid and active. Target within staging scope.
integrity
hmac-sha256:f7e6d5c4b3a29180…
Synthetic data for illustration. Not from a live system.
Delegation
The delegation that was in effect at evaluation time, including validity period and scope constraints.
Decision Rendered
The outcome: ALLOW, DENY, or ESCALATE.
Basis
The reasoning and context for the decision.

Evidence Records are designed output, not a logging byproduct. Each record is bound to the versioned governance contract active at decision time — eliminating post-hoc reinterpretation and policy drift. Each evidence record is signed with an HMAC-SHA256 integrity signature that makes tampering detectable. The decision ledger is append-only and tamper-evident, and is structured to survive incident review and regulatory inquiry. Over time, it becomes the system of record for autonomous authority inside the organisation.

Deterministic Authorization Evaluation

Identical inputs produce identical decisions and byte-identical receipts. This is what makes governance verifiable — not an assertion, but a replayable property.

Safe Read — Agent reads customer data — read actions require no delegation and resolve through the default allow policy rule.

Evaluation Context Authorisation is computed, not inferred. decision = evaluate(actor, action, target, delegation, approvals, policy_hash, contract_hash)
Governance Evidence Record ALLOW
actor
agent_support_1
action
customer.read
target
customer/cust_001
matched_rule
default_allow
policy_hash
3b4aa736101d…8f46760b4c9e
contract_hash
399958dff9c2…e384fd0159c7
request_fingerprint
8f3123837e38…a4da08bf6d86
record_hash
b314adec9883…23b917620cfd
prev_hash
000000000000…000000000000
timestamp
2026-02-23T07:10:20.203Z
Pre-computed from a verified evaluation run.
Replay Proof Same input evaluated twice — are the receipts identical?
Evaluation A a7e3f19b204c…a1b3c5d7e9f0
Evaluation B a7e3f19b204c…a1b3c5d7e9f0

Missing Delegation — Agent attempts a privileged action without presenting a delegation token — denied at the delegation rule.

Evaluation Context Authorisation is computed, not inferred. decision = evaluate(actor, action, target, delegation, approvals, policy_hash, contract_hash)
Governance Evidence Record DENY
actor
agent_support_2
action
refund.issue
target
order/ord_1001
matched_rule
delegation_required — missing_delegation
policy_hash
3b4aa736101d…8f46760b4c9e
contract_hash
399958dff9c2…e384fd0159c7
request_fingerprint
79b24be40154…71b604c9cc09
record_hash
f217c28f898c…878613e75a17
prev_hash
f8197c53b3dd…2e4692331ea4
timestamp
2026-02-23T07:10:20.253Z
Pre-computed from a verified evaluation run.
Replay Proof Same input evaluated twice — are the receipts identical?
Evaluation A c2d4e6f8a0b1…c7d9e1f2a4b6
Evaluation B c2d4e6f8a0b1…c7d9e1f2a4b6

Approval Required — Destructive action with valid delegation but no approval token — escalated to require human approval.

Evaluation Context Authorisation is computed, not inferred. decision = evaluate(actor, action, target, delegation, approvals, policy_hash, contract_hash)
Governance Evidence Record ESCALATE
actor
agent_ops_1
action
customer.delete
target
customer/cust_002
matched_rule
destructive_needs_approval — approval_required
policy_hash
3b4aa736101d…8f46760b4c9e
contract_hash
399958dff9c2…e384fd0159c7
request_fingerprint
dc7b7852eaa0…e0e0b0c9322b
record_hash
d38eecef8e6a…63f54ff402040
prev_hash
a4e60ea8d488…c4eab7b34cf8
timestamp
2026-02-23T07:10:20.267Z
Pre-computed from a verified evaluation run.

Replay Blocked — Same approval token presented on a second request — denied by the single-use cryptographic replay guard.

Evaluation Context Authorisation is computed, not inferred. decision = evaluate(actor, action, target, delegation, approvals, policy_hash, contract_hash)
Governance Evidence Record DENY
actor
agent_ops_1
action
customer.delete
target
customer/cust_002
matched_rule
approval_replay — approval_jti_reused
policy_hash
3b4aa736101d…8f46760b4c9e
contract_hash
399958dff9c2…e384fd0159c7
request_fingerprint
dc7b7852eaa0…e0e0b0c9322b
record_hash
fc225176f65f…e8668c1b2d69
prev_hash
58cb912d4561…98bcc00d4abe
timestamp
2026-02-23T07:10:20.279Z
Pre-computed from a verified evaluation run.

Pre-computed from a verified Ambit Authority evaluation run. Receipts are byte-identical under replay.

Enforcement Placement

Authority operates at the action boundary — the enforcement point between autonomous intent and consequential action. It integrates with agent runtimes at the point where execution produces side effects, deploying as an SDK wrapper, tool boundary, or local enforcement service within the customer environment.

Gateways move requests. Authority decides whether the underlying action is authorised under a delegation and policy, and records why. If you already have a gateway, Authority can integrate with it — but it is a decision layer, not a traffic layer.

Authority enforces governance at six enforcement planes — surfaces where autonomous action produces consequences:

Execution Layer

Tool Boundary
Govern invocation of capabilities exposed through tools, APIs, and execution interfaces — function calls, MCP tool servers, API invocations, and workflow triggers.
Runtime Boundary
Govern the execution environment in which processes operate — file system access, network access, system calls, resource limits, and isolation.
Code Execution Boundary
Govern whether new executable capability may be introduced — execution permission, language restrictions, and sandbox constraints for dynamically generated code.

Access Control

Data Boundary
Govern access to enterprise data sources — read and write permissions, query constraints, scope limitation, classification and data handling policies across structured and unstructured data systems.
Memory Boundary
Govern persistent agent state and long-term memory — write permissions, retention policies, integrity verification, and access control across agents and sessions.

Boundary Control

Network/Telemetry Boundary
Govern outbound communication to external systems — destination restrictions, protocol constraints, payload inspection, and telemetry scope and data egress policies.

Control Surfaces (Non-Authoritative)

Model Boundary
Govern interaction with the model — prompt construction and filtering, output shaping and validation, model selection and routing. These controls are probabilistic and operate before action formation. They influence behaviour but do not determine whether a consequential action is authorised.

The enforcement point varies by integration. The invariant does not. Different architectures place the valve in different locations; the primitive stays the same — decide before execution, produce evidence.

Authority occupies a narrow position in the stack. What it excludes defines it as much as what it includes.

What Authority Is

A Governance Control Plane
Makes decisions at the action boundary where autonomous intent becomes consequential action.
Pre-Execution Enforcement
Renders explicit decisions (ALLOW, DENY, or ESCALATE) before any action takes effect.
Cross-Runtime by Default
Works across agent runtimes, model providers, and toolchains. Governance is not coupled to any single vendor's execution model.
Policy-Driven and Delegation-Bound
Decisions are based on explicit policy and delegated authority, not learned behaviour.
Evidence-Producing by Design
Creates append-only decision evidence records for audit and incident review.
Structural Enforcement
Operates at the enforcement boundary; bypassing governance requires bypassing the boundary itself.

What Authority Is Not

Not an Agent Runtime or Orchestration Layer
It does not execute workflows, manage agent state, or scale compute. Agent runtimes handle execution and orchestration; Authority governs the boundary where their actions take effect.
Not a Gateway or Traffic Layer
Gateways move requests; Authority decides whether the underlying action is authorised under a delegation and policy, and records why.
Not Model-Layer Guardrails
It operates at the action boundary, not the reasoning layer. Model guardrails constrain what an AI can propose; Authority governs what actions are authorised to execute.
Not IAM or Observability
It is not a replacement for identity and access management or an observability platform. IAM controls resource access; Authority governs delegated authority for actions. Observability records what happened; Authority records governance decisions before execution.
Not Self-Learning
It does not learn, adapt, or optimise its own behaviour. Its decisions are policy-driven and delegation-bound. Changes to governance require explicit human action.

Why Existing Tools Are Not Enough

Enterprises already deploy identity management, logging, guardrails, and governance frameworks. Each addresses a legitimate concern. None of them governs the action boundary.

IAM
Identity and access management controls which systems can authenticate and what resources they may reach. It does not model delegated authority. It cannot express that an agent may send external messages only during an active incident, only to the affected customer, only for 48 hours, and only if a security approver has confirmed the scope. IAM answers "can this identity access this resource." It does not answer "was this action authorised under this policy at this moment."
Logs
Logs and observability platforms record what happened. They are essential, but they are retrospective. They capture events after execution. They do not capture the governance decision that preceded execution: which policy was evaluated, what delegation was in effect, and whether the action was allowed, denied, or held for human approval. An audit requires more than a record of events. It requires a record of decisions.
Model Guardrails
Model-layer guardrails constrain what an AI model can generate or propose. They operate before the action boundary, at the reasoning layer. They do not govern what happens when a model's output becomes an action in a downstream system. A guardrail may prevent a model from generating a harmful instruction. It does not prevent a well-formed instruction from being executed without proper authority.
AI Governance Frameworks
AI governance frameworks typically address model risk, bias, and compliance at the organisational or model lifecycle level. They do not operate at the action boundary. They do not make real-time ALLOW, DENY, or ESCALATE decisions. They do not produce the per-action evidentiary record that a regulator, auditor, or incident reviewer requires.

Each of these tools addresses a legitimate concern. None of them answers the question that autonomous systems create: was this specific action, at this specific moment, authorised under a specific policy by a specific delegation of authority?

Technical Characteristics

Structural Enforcement
Bypassing governance requires bypassing the enforcement boundary itself — not merely ignoring a policy recommendation. Every governed action produces an evidence record committed to an append-only ledger. A gap in the evidence trail is a detectable governance failure.
Synchronous Evaluation
Policy evaluation completes before the action proceeds — there is no asynchronous pattern. The governance decision is rendered and the evidence record committed before any consequential action executes. Each evidence record records evaluation duration measured by monotonic clock at the enforcement point.
Measured Latency
Governance timing is measured per decision and reported as p50, p95, and p99 percentiles. Governance cost is explicit and characterised — organisations can make informed decisions about enforcement placement based on measured numbers, not estimates.
Fail-Closed Design
If policy evaluation fails, the decision is DENY. If delegation cannot be verified, the decision is DENY. If no policy matches the requested action, the decision is DENY. Availability may be affected. Governance integrity is not.

What's Implemented

Evaluation engine
Deterministic evaluation covering delegation, scope enforcement, and evidence integrity. Fail-closed on all validation paths.
Evidence integrity
SHA-256 hash-chained records. Request fingerprinting. HMAC-SHA256 token signing. Nanosecond-precision timing.
Deployment
SDK, gateway, and sidecar integration patterns. Fail-closed by default.
Verification
Comprehensive test coverage across evaluation, delegation, evidence integrity, and bypass detection.
Designed, not yet implemented
Asymmetric signatures, external timestamping, HSM, persistent append-only ledger, key rotation. See Technical Foundations for full specification.

Ambit in the Agent Runtime Stack

The AI stack is converging around distinct layers: agents that reason and plan, runtimes that execute and orchestrate, data systems that persist state, and infrastructure that governs, secures, and observes.

Ambit operates at the governance layer. It does not execute workflows, orchestrate tool calls, manage agent memory, or scale compute. Those are runtime responsibilities.

Authority integrates with agent runtimes at the action boundary — the point where a runtime is about to produce a side effect in a downstream system. The runtime handles execution. Authority handles permission. The decision is rendered and recorded before the side effect occurs.

This separation is architectural, not incidental. Runtimes that embed governance produce vendor-coupled decisions and leave no independent evidence trail. A governance layer that is independent of the runtime produces consistent decisions and portable evidence — regardless of which runtime executes the action.

Runtimes execute. Authority governs. Observatory explains.

Authority decides. Observatory explains.

Observatory deep-dive