AI Agent Runtime Governance Platform
Short answer: SovereignClaw is an AI agent runtime governance platform that treats the LLM as untrusted input and gates execution. The model proposes an action; the runtime canonicalizes the intent, derives risk facts independently, evaluates deterministic policy, requires threshold approvals at elevated tiers, and emits a signed Authority Receipt before any side effect reaches a system of record.
AI agents are moving from chat to action. SovereignClaw governs the execution boundary by verifying intent, applying policy, requiring approvals when risk demands it, and issuing signed receipts before any side effect reaches a system of record. The governing thesis is simple: the LLM is untrusted input, and execution is gated. The model proposes; the runtime decides.
Why prompt-side controls are not runtime governance
Most AI agent safety still lives on the language side of the boundary: system prompts, output filters, and behavioral fine-tuning that try to steer what a model generates. These methods influence text, but they do not sit in the path of execution. A persuasive input, an injected instruction, or a confidently wrong tool call can still produce a real side effect — a database write, a fund transfer, a PHI read — because nothing structurally separates what the model said from what the system does.
Runtime governance moves the control point. SovereignClaw separates AI-generated intent from executable authority so that an action only runs when a deterministic kernel has authorized it. This is what we mean by execution-boundary governance: the boundary is not a filter that can be argued past, it is a gate with no path around it. Unauthorized actions are not blocked after the fact — they receive no execution path, because the adapter is unreachable without a valid gate artifact. The model complied; the kernel did not.
How the runtime governs each action
Every agent action flows through a deterministic seven-stage execution path before it can touch a system of record. Each stage narrows what is permitted and adds verifiable structure:
- Intake — the model proposes an action.
- Canonicalization — the action is frozen into a byte-stable SovereignIR using SHA3-256 over normalized JSON, so identical intents always produce identical hashes.
- Independent fact inference — the tier-driving facts are derived from the operation's own semantics; LLM-supplied facts are never trusted, and any mismatch escalates risk.
- Policy evaluation — deterministic policy returns allow, deny, escalate, or approval, and any deny is final and monotonic.
- Risk-tier classification — the action is placed at T0 observe, T1 standard, T2 elevated, or T3 sovereign.
- Authorization & approval — T2 and T3 actions require threshold signatures, such as 2-of-3, from verified operators; insufficient quorum is a denial.
- Bound execution — the permitted action runs through an adapter cryptographically bound to the IR hash, policy bundle, adapter identity, and nonce, and emits a signed Authority Receipt.
This pipeline is the substrate for AI agent policy enforcement: policy is not advisory documentation, it is code that executes between canonicalized intent and adapter access, where allow, deny, escalate, and approval outcomes are actually enforceable.
What guarantees the boundary holds
The runtime is built around nine formal security properties (S1 through S9), implemented in a Rust kernel and verified across 20 crates with 829+ tests. They are not aspirations — they are the invariants the kernel enforces on every execution:
- S1 Execution Boundary — no operation reaches the adapter without a valid gate artifact bound to IR hash, policy bundle, adapter identity, and nonce.
- S2 Frozen Input — inputs are canonicalized and byte-frozen before any risk computation.
- S3 Independent Fact Verification — tier-driving facts come from operation semantics, never from the model.
- S4 Monotonic Policy — any deny is final; there is no downgrade path.
- S5 Nonce Uniqueness — each execution has a unique nonce, so replay and TOCTOU attacks are rejected.
- S6 Adapter Binding — artifacts are bound to a specific adapter identity.
- S7 Threshold Authorization — T2 and T3 require quorum signatures.
- S8 Receipt Verifiability — every permitted execution emits a signed, externally verifiable Authority Receipt.
- S9 Skill Publication Binding — artifacts carry the published skill digest, tenant scope, and correlation IDs.
The full statements and their relationships are documented in the nine formal security properties. Signing uses Ed25519, canonical hashing uses SHA3-256, and policy bundles are versioned and cryptographically hashed so a decision can always be traced to the exact policy that produced it.
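To make the seven-stage path and the properties S2 through S8 concrete, here is an added Python sketch of the gate; it is not SovereignClaw's own code (the product is a Rust kernel). The operator names, tier map, policy table and nonces are constructed for the example, and an HMAC over the canonical receipt bytes stands in for the Ed25519 signature the product uses.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values for the example: HMAC stands in for Ed25519 receipt signing.
RECEIPT_KEY = secrets.token_bytes(32)
OPERATORS = {"op-a", "op-b", "op-c"}   # hypothetical verified operator identities
QUORUM = 2                              # 2-of-3 threshold for T2/T3 actions
DENY_OPS = {"delete_ledger"}            # hypothetical policy bundle: unconditional deny
_seen_nonces: set[str] = set()          # S5: every execution nonce is single-use

def canonicalize(action: dict) -> bytes:
    # S2: sorted keys, no whitespace, so identical intents freeze to identical bytes
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()

def ir_hash(action: dict) -> str:
    return hashlib.sha3_256(canonicalize(action)).hexdigest()

def infer_tier(action: dict) -> int:
    # S3: tier-driving facts derive from the operation's semantics, never the model
    tier = {"read": 1, "write": 2, "transfer": 3}.get(action["op"], 3)
    if action["op"] == "read" and action.get("resource", "").startswith("phi/"):
        tier = 2                        # a PHI read is elevated even though read-only
    return tier

def gate(action: dict, claimed_tier: int, approvals: set, nonce: str) -> dict:
    result = {"ir_hash": ir_hash(action), "nonce": nonce, "policy": "bundle-v1"}
    tier = infer_tier(action)
    if claimed_tier != tier:            # model-supplied fact disagrees: escalate risk
        tier = min(3, tier + 1)
    result["tier"] = tier
    if action["op"] in DENY_OPS:        # S4: deny is final, approvals cannot lift it
        return result | {"decision": "deny", "reason": "policy"}
    if nonce in _seen_nonces:           # S5: a replayed artifact gets no execution path
        return result | {"decision": "deny", "reason": "replay"}
    if tier >= 2 and len(approvals & OPERATORS) < QUORUM:   # S7: quorum of verified operators
        return result | {"decision": "deny", "reason": "quorum"}
    _seen_nonces.add(nonce)
    result["decision"] = "allow"
    # S8: the receipt is signed over its canonical bytes so a third party can verify it
    result["signature"] = hmac.new(RECEIPT_KEY, canonicalize(result), "sha3_256").hexdigest()
    return result

def verify_receipt(receipt: dict) -> bool:
    body = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(RECEIPT_KEY, canonicalize(body), "sha3_256").hexdigest()
    return hmac.compare_digest(expected, receipt.get("signature", ""))
```

Note that the adapter is only ever reached through an `allow` result carrying a signature, so a denied action has no execution path rather than being blocked afterwards.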
The evidence each governed action produces
Governance that leaves no trace cannot be audited. Every permitted execution emits a signed Authority Receipt anchored in an append-only Merkle ledger, which is externally verifiable without access to private keys. Each receipt records:
- the intent, expressed as the canonical IR hash;
- the policy version that governed the decision;
- the decision and its rationale;
- the assigned risk tier and the approval state;
- the adapter identity and tenant scope;
- the correlation ID and the execution outcome.
Because receipts are portable and independently verifiable, they form a verifiable AI agent audit trail that auditors, regulators, and downstream systems can confirm without trusting the platform that produced it. This work is published on SSRN (ID 6290760) and DOI-registered on Zenodo (10.5281/zenodo.18521539), with patent applications pending: USPTO 76395580 · 74981727 · 74483691 · 73809451 · 72763061.
Where runtime governance applies
The same execution-boundary model maps to the obligations of regulated and high-stakes environments. SovereignClaw supports, maps to, and helps operationalize framework requirements through runtime authorization, deterministic policy, approval gates, and signed receipts — it provides evidence for compliance work rather than replacing it. See compliance for the detailed control mappings. Representative domains include:
- Healthcare — PHI access governance and clinical workflow enforcement, with tier-classified, receipt-verified access aligned to HIPAA and AB 489.
- Finance — fiduciary enforcement and audit trails for autonomous financial workflows, with threshold approvals on elevated operations and AIGP 2026 alignment.
- Government & DOD — IL4 through IL6 classification and air-gapped deployment for sovereign and classified environments.
- Enterprise agent systems — consistent runtime authority across many agents and adapters operating at scale.
For high-risk obligations under the EU AI Act — risk management, data governance, technical documentation, record-keeping and logging, transparency, human oversight, accuracy, robustness, and cybersecurity — the same primitives apply: deterministic policy, approval gates, execution logs, and signed receipts help operationalize the requirements without standing in for the broader compliance program.
Evaluation checklist for runtime governance
When comparing platforms, the distinction that matters is whether control lives in the execution path or only around it. A useful test for any candidate AI agent runtime governance platform:
- Is intent frozen into a canonical, hash-stable form before any risk decision is made?
- Are risk-driving facts derived independently of the model, or taken from what the model asserts?
- Is policy deterministic, versioned, and positioned between intent and adapter access — and is a deny final?
- Do elevated actions require threshold approvals from verified operators rather than a single key?
- Does every permitted action emit a signed receipt that a third party can verify without private keys?
- Can unauthorized actions reach an adapter at all, or do they receive no execution path?
For a category-level view of how prompt-side guardrails compare with a gated, deterministic runtime, the execution-boundary governance page walks through the structural difference rather than the marketing one.