Ark Sovereign evaluates action envelopes against explicit policy before tools execute — deterministically, with no LLM in the enforcement path. Execution control for AI agents that write code, move value, execute MCP tools, or touch production.
Each governor targets a distinct attack surface in the AI-agent execution stack. No LLM in the permit/deny path.
Policy gateway for agent actions. Emits ALLOW, REQUIRE_APPROVAL, or DENY with deterministic reason codes before any tool executes.
MCP and API tool preflight: server allowlists, signed schemas, telemetry requirements, argument controls, and poisoning checks.
Controls file writes, shell execution, dependency installs, deploys, protected paths, and secret-exfiltration attempts.
Controls AI-wallet and payment-like actions with value thresholds, approval gates, destination policy, and audit evidence.
Replayable decision records with deterministic hashes that bind policy, action, verdict, and reason codes into a tamper-evident trail.
For blocked or paused actions, emits containment controls and a safe retry path for common failure modes.
Reviewable policy packs for engineering, security, compliance, MCP, wallet, and agent-handoff workflows. Human-readable. Version-controlled.
The 10-case table below is the public sampler. The enterprise proof pack contains 67 deterministic replay cases across WalletGov, CodeGov, and MCPGov, with a clean legitimate allow rate of 1.0.
The full replay pack shows realistic buyer workflows: agentic payments, software-engineering agents, and MCP runtime orchestration. Every case includes verdict counts, reason codes, deterministic hashes, and downloadable JSON.
| Action Envelope | What It Proves | Verdict | Reason Codes |
|---|---|---|---|
| Code Safe Patch | Safe coding-agent patch inside approved repo root. | ALLOW | POLICY_MATCH |
| Code Secret Exfil | Secret exfiltration through shell command. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, DANGEROUS_SHELL, SECRET_EXFIL_ATTEMPT, NETWORK_ACCESS_REQUIRES_APPROVAL |
| Code Prod Deploy | Production deploy requires human approval. | REQUIRE_APPROVAL | HIGH_IMPACT_ACTION_REQUIRES_APPROVAL |
| MCP Tool Poisoning | Poisoned MCP tool description or result is blocked. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, MCP_TOOL_POISONING_PATTERN |
| MCP OWASP Shadow Server | Unapproved MCP server is blocked. | DENY | MCP_SERVER_NOT_APPROVED |
| MCP OWASP Unsigned Tool | Unsigned tool schema is blocked. | DENY | UNSIGNED_TOOL_SCHEMA |
| MCP OWASP No Telemetry | Required telemetry missing for governed action. | DENY | TELEMETRY_REQUIRED |
| Wallet Public Reply Transfer | Wallet-like value transfer exceeds autonomous value policy. | DENY | LOW_TRUST_SOURCE_FOR_ACTION, UNTRUSTED_CONTENT_BEFORE_ACTION, VALUE_LIMIT_EXCEEDED |
| Channel GitHub Issue Patch | Untrusted channel-origin code patch requires approval. | REQUIRE_APPROVAL | CHANNEL_ORIGIN_REQUIRES_APPROVAL |
| Handoff Unknown Agent Deploy | Unknown agent handoff before deploy requires approval. | REQUIRE_APPROVAL | UNKNOWN_AGENT_IN_HANDOFF_CHAIN, HANDOFF_REQUIRES_APPROVAL_FOR_EXECUTION, HIGH_IMPACT_ACTION_REQUIRES_APPROVAL |
Ark Sovereign replays structured action envelopes through deterministic policy. The enforcement proof is reproducible from the same inputs every time.
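The replay property described above can be sketched as follows. This is an added example, not Ark Sovereign's code: the envelope and policy field names, the rule logic, and the `prev` hash chaining are assumptions made for illustration; only the verdict names and reason codes come from the table.

```python
import hashlib
import json

# Hypothetical policy pack (field names are assumptions, not the product's schema).
POLICY = {"version": "example-1",
          "approved_mcp_servers": ["internal-tools"],
          "max_autonomous_value": 100,
          "approval_actions": ["deploy_production"]}

# Constructed sample envelopes.
SHADOW = {"kind": "mcp_tool_call", "server": "unknown-host",
          "schema_signed": True, "telemetry": True}
DEPLOY = {"kind": "deploy_production"}

def evaluate(policy, env):
    """Pure function of (policy, envelope): no clock, randomness, or model call."""
    deny, approve = [], []
    if env["kind"] == "mcp_tool_call":
        if env["server"] not in policy["approved_mcp_servers"]:
            deny.append("MCP_SERVER_NOT_APPROVED")
        if not env.get("schema_signed", False):
            deny.append("UNSIGNED_TOOL_SCHEMA")
        if not env.get("telemetry", False):
            deny.append("TELEMETRY_REQUIRED")
    if env.get("value", 0) > policy["max_autonomous_value"]:
        deny.append("VALUE_LIMIT_EXCEEDED")
    if env["kind"] in policy["approval_actions"]:
        approve.append("HIGH_IMPACT_ACTION_REQUIRES_APPROVAL")
    if deny:
        return "DENY", deny
    if approve:
        return "REQUIRE_APPROVAL", approve
    return "ALLOW", ["POLICY_MATCH"]

def canonical(obj):
    # Sorted keys and fixed separators give one byte string per logical value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def decide(policy, env, prev_hash="0" * 64):
    """Build a decision record whose hash binds policy, action, verdict, reasons."""
    verdict, reasons = evaluate(policy, env)
    record = {"policy": hashlib.sha256(canonical(policy)).hexdigest(),
              "action": env, "verdict": verdict, "reasons": reasons,
              "prev": prev_hash}  # chaining to the previous record is an assumption
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    return record

def verify(policy, record):
    """Replay the stored action under the policy and compare the whole record."""
    return decide(policy, record["action"], record["prev"]) == record
```

An unkeyed hash chain detects edits only if the latest hash is stored or signed somewhere the log writer cannot rewrite.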
Synthetic but realistic action logs for the three buyer surfaces enterprise teams ask about first: payments, coding agents, and MCP runtime orchestration. Every verdict is deterministic, replayable, and generated with zero LLM calls in the enforcement path.
fintech security, payments platform, wallet automation, treasury operations
Cases: 25
Verdicts: ALLOW 12 / APPROVAL 2 / DENY 11
Clean legitimate allow rate: 1.0
VP Engineering, platform engineering, DevSecOps, regulated software teams
Cases: 24
Verdicts: ALLOW 12 / APPROVAL 6 / DENY 6
Clean legitimate allow rate: 1.0
AI platform security, MCP operators, multi-agent orchestration teams
Cases: 18
Verdicts: ALLOW 4 / APPROVAL 4 / DENY 10
Block or approval gate rate: 78%
Clean legitimate allow rate: 1.0
Send 5 to 20 sanitized AI-agent action logs. We map them into the action-envelope schema and return deterministic verdicts, policy gaps, reason codes, and a Phase 1 integration plan.
5 to 20 agent action logs. No credentials, source code, production access, secrets, or internal prompts required.
We map your logs into the action-envelope schema and identify relevant governor surfaces.
Every result has policy source, verdict, reason codes, controls, and audit hash.
Policy gaps identified. Integration path scoped. Clear boundary: we govern execution, not conversation style.
No production access, source code, secrets, or internal prompts. Sanitized action logs only.
Every result has policy source, verdict, reason codes, controls, and audit hash. Deterministic from the same inputs.
We do not ask a second model to decide whether the first model is safe. Policy decides whether the action executes.
The permit/deny decision is made entirely by deterministic policy evaluation.