Founder Note · edited web version

I built an execution-boundary governance layer for agentic AI.

ZLAR is a deterministic external gate between an agent's cognition and consequential action. It is a consent boundary for artificial agency.

See a sample receipt Read the Open Memo
Boundary diagram
Agent cognition

Plans, code, requests, tool calls.

->
signed deterministic authority
->
Consequence

Action in the world.

I built ZLAR as execution-boundary governance for autonomous AI: a deterministic external gate between an agent's cognition and consequential action.

The core idea is simple:

An agent may generate plans, code, messages, edits, requests, and tool calls. Consequence crosses into the world through a separate, signed, deterministic authority.

ZLAR is a consent boundary for artificial agency.

What ZLAR Is

ZLAR intercepts AI-agent tool calls before they reach operational systems: shell commands, file writes, API calls, MCP tool calls, deployment steps, and other consequential actions.

It evaluates each routed action against signed policy, allows routine actions, routes consequential actions to a human when required, and produces cryptographic receipts showing that governance occurred.

The gate is deny-first, fail-closed, and deterministic. Its authority comes from signed human policy, independent key custody, and records that can be verified outside the agent's runtime.

As AI becomes persistent, embodied, and operational, the governing question is: where is the lawful boundary between cognition and consequence?

ZLAR's answer is: at the execution boundary.

The Category

Security teams will recognize parts of ZLAR: policy enforcement, auditability, human approval, sandboxing, key custody, and tamper-evident logs.

The category is larger than any one security control. ZLAR is execution-boundary governance for autonomous AI. It can be described as proof-carrying governance for agentic systems, external authorization infrastructure for AI agents, a deterministic control plane for autonomous AI action, or governed agency.

The name can evolve. The object is clear: a governed path from AI intention to world action.

The Proof Artifact

The flagship artifact is the Governed Action Receipt.

A receipt shows that a specific action was attempted, which policy evaluated it, which decision authority applied, whether a human approved or denied it, whether the record remains intact, and how the receipt connects to the audit chain.

Every consequential AI action should produce a verifiable governance receipt.

The receipt turns AI governance into something inspectable. It gives operators, auditors, affected people, and outside verifiers a record they can test.

The Demo

The first priority is one unforgettable demo.

The demo should show an AI agent attempting consequential work in a real developer environment. ZLAR applies policy at the action boundary. Routine actions pass. High-risk actions are denied or escalated. A human approves or denies on a separate channel. A verifiable receipt is produced. A third party verifies the receipt.

The five-minute experience should be simple: a user starts an agent, the agent attempts a governed action, ZLAR blocks or escalates the action, the human approval flow appears, and a receipt is generated and verified.

That first success should feel immediate: the user sees governed execution, human authority, and verifiable evidence in one run.

Honest Scope

ZLAR governs actions routed through it.

A strong deployment pairs the ZLAR gate with surrounding controls: sandbox profiles, OS permissions, filesystem allowlists, network egress controls, sealed policy files, external key custody, and controlled access paths around shell and MCP surfaces.

That combination is ZLAR Sealed Mode.

ZLAR Sealed Mode

Sealed Mode combines the ZLAR gate, sandbox profile, network egress controls, filesystem allowlist, controlled shell access, proxied MCP access, read-only policy and gate files, external key custody, and receipt witnessing or external log anchoring.

Sealed Mode makes the execution boundary visible, enforceable, and reviewable in deployment.

Affected-Person Pathway

The receipt is designed to be legible to advocates acting for affected people: patients, claimants, tenants, borrowers, workers, developers, and customers. The person affected by an AI action deserves a record even when they were outside the approval loop.

If an AI agent affected you, ask for the receipt.

The affected person should be able to ask: who authorized this action, under what policy, at what time, and can the record be verified?

ZLAR gives that question an artifact.

Why This Matters

Autonomous agents need external authorization, durable policy, and records people can contest.

Accountable agency has four minimum conditions: the action boundary is defined, the policy authority is external to the agent, consequential actions produce receipts, and affected people have a path to understand and challenge the action.

ZLAR governs the boundary where AI intention becomes world action.

First Markets

Developer agents already edit files, change configuration, run commands, touch secrets, and push code. The pain is concrete and visible. The demo is obvious. The adoption path is fast.

Enterprises need auditability, approvals, policy enforcement, and contestability as agentic workflows enter real business processes. The sales path is slower, but the value is high.

Final Claim

I built a boundary between artificial cognition and worldly consequence.

As AI becomes persistent, embodied, agentic, and socially integrated, the live governance question is: who or what is allowed to turn cognition into action?

ZLAR gives the answer a working form.

As AI agents enter the world, ZLAR governs the moment thought becomes action.

Disclosure

This founder note uses founder voice. The claim boundary remains precise: ZLAR governs routed/intercepted action surfaces only.