Skip to content

Early Access opens June 28 · $99/mo · all 21 suites during the launch window · price locked through Q1 2027 · Join the waitlist →

Architecture for Guardian Agents · Regulated AI

The Defensible Agent Test — passed architecturally.

Four questions every AI agent action must answer. What it did, why, on whose authority, and where the evidence lives. acipta answers all four with cryptographic primitives — signed verdicts, capability tokens, byte-identically replayable evidence — not workflow audit trails.

Deterministic Precision. Experiential Intuition. Autonomous Agents.

Read the four questions → Send to your auditor →
The category is public now

Every AI agent action must answer four questions.

Industry analysts and GRC practitioners converge on a four-question test for any agent operating in a regulated environment. The questions are correct. The question for any platform is whether it answers them with workflow audit-trail records or with cryptographic guarantees.

QUESTION 01

What did the agent do?

A cryptographically signed manifest at write time — bound to the verdict, not appended to a log.

QUESTION 02

Why · what context drove the decision?

A structured signed consensus record — three frontier models voting, per-model confidence, sub-floor routing to human review.

QUESTION 03

Under whose authority?

Capability tokens at the API boundary — JWT-bound, scoped, time-limited, policy-validated.

QUESTION 04

Where is the evidence?

Byte-identically replayable five years out — via a standalone verifier with no acipta dependency.

If a vendor cannot answer all four against a live workflow in your environment, the pilot is the easy part. The audit is the hard part.
Why this matters now

A seven-times governance gap. A 2028 forecast. And 40% of CIOs about to demand the architecture.

82%

of organizations say they must adopt generative AI. OCEG, 2026.

12%

have a documented AI governance plan in place. OCEG, 2026.

15%+

of day-to-day work decisions made autonomously by 2028 — up from 0% in 2024. Gartner.

40%

of CIOs will demand Guardian Agents to track, oversee, and contain AI agent actions by 2028. Gartner.

The function expected to govern AI cannot credibly adopt it without architectural answers to the four questions. acipta is those answers.

The architectural answers

One question at a time.

Each answer is a structural property of the platform — not a logged record, not a workflow audit trail. Verifiable independently. Survives platform transitions. Replayable five years out.

QUESTION 01: WHAT DID THE AGENT DO?

Cryptographically signed manifest at write time.

Every verdict carries a signed manifest of the model vendor, model name, model version, temperature, prompt seed, per-model confidence scores, and consensus outcome. Signing uses hybrid Ed25519 plus ML-DSA-65 — the FIPS 204 post-quantum standard. Keys live in cloud KMS HSM at FIPS 140-2 Level 3. Timestamps come from an external authority via RFC 3161. Hash-chained per tenant.

The architectural difference: a workflow audit trail says "trust the log." A signed verdict says "verify it yourself." The "what did the agent do" question is byte-identically answerable five years later, against pinned model versions, using a standalone verifier with no acipta dependency.
QUESTION 02: WHY — WHAT CONTEXT DROVE THE DECISION?

Structured signed consensus record.

Every verdict carries the consensus story. Three frontier models vote at a 0.85 confidence floor. Per-model confidence scores are captured. The consensus outcome — whether the two-of-three agreement at the floor was met — is recorded. Below the floor, no PASS or FAIL emits; the case routes to a human reviewer instead of another model pass. Human reviewer decisions are signed and hash-chained. Editing any prior decision breaks every subsequent hash, making the trail tamper-evident.

Confident-wrong is the failure mode we engineer against, not inconclusive. The "why" isn't a hyperlink to the source paragraph the agent looked at. It's a cryptographic envelope containing the model votes, the consensus result, and the human escalation chain.
QUESTION 03: UNDER WHOSE AUTHORITY?

Capability tokens · cryptographic enforcement at the API boundary.

Every agent action is authorized by a capability token — a JWT-bound, scoped, time-limited credential validated against an OPA policy bundle at every cross-component call. Identity uses Auth0 with a separate license JWT. A confused-deputy tenant-binding guard refuses cross-tenant operations server-side. A boot-time fail-closed check refuses to start in production if escape hatches are set.

Workflow tools answer "whose name was on the form." acipta answers "which JWT was scoped to allow this exact operation, signed by whose key, validated by which policy." Authority is enforced cryptographically at the API boundary — not by policy plus naming convention.
QUESTION 04: WHERE IS THE EVIDENCE?

Five-year byte-identical replay · standalone offline verifier.

Evidence lives in a tamper-evident hash chain anchored by external timestamps. The hybrid post-quantum signature scheme survives a future quantum break of either Ed25519 or ML-DSA-65. A standalone verifier reproduces the chain with no acipta dependency — no network call, no proprietary viewer, no platform login.

If acipta is acquired, dissolved, or jurisdictionally captured in year four, your evidence still verifies in year five. The chain doesn't depend on acipta's continued existence. It depends on standard cryptographic tools you control.
The headline differentiation

Workflow platforms build defensibility into the audit trail.
acipta builds defensibility into the verdict.

Both are valid. One records the work in a workflow audit trail. The other binds the answer cryptographically to the verdict. The trade-off is real and worth naming. Workflow defensibility integrates faster with existing GRC tooling. Verdict defensibility survives platform transitions, regulator subpoenas five years out, and the simple question of whether the evidence still verifies when the original platform vendor is no longer in the picture.

Architecture that earns the test

Four commitments. Each makes one answer structural.

★ COMMITMENT 01

Trust Column

Hybrid post-quantum signing at write time, KMS HSM, RFC 3161 timestamps, 5-year byte-identical replay.

★ COMMITMENT 02

Control Mapping Catalog

One verdict projects to 21+ framework attestations from a single canonical control catalog.

★ COMMITMENT 03

Bounded Autonomy Engine

Three frontier models vote at the 0.85 confidence floor. Sub-floor routes to human review, not another model pass.

★ COMMITMENT 04

Conformance & Extensibility

Open adapter protocol. Bronze, Silver, Gold, Certified conformance ladder. Third-party adapters cannot break replay.

Run the test in your environment

The questions are right. The architectural answer is the work.

The Defensible Agent Test is correct. The architecture to actually pass it — cryptographically, not procedurally — is what we built.

Read the Platform overview See the STAR Registry mapping Get Early Access