Provable security
Provable Zero-Trust for AI agents.
Most agent security asks you to trust a dashboard. AxioRank turns enforcement and audit into things you can verify with math: untrusted data structurally cannot reach a dangerous action, and every governed action leaves a receipt anyone can check offline.
no TEE hardware · no ledger · no vendor in the loop
{
  "decision": "hold -> allow",
  "matchedPolicyId": "no-untrusted-egress",
  "taintBlocked": true,
  "authorizationChain": [
    { "kind": "agent", "agentId": "agent_7f3c" },
    { "kind": "operator",
      "resolvedBy": "alice@corp",
      "approverSignature": "…" }
  ],
  "signedTreeHead": { "merkleRoot": "…" }
}
Prevention
The first runtime integrity information-flow control in a commercial gateway.
Untrusted tool outputs are minted as value-level taint with token-level fingerprints, propagated across the trace, and enforced at egress and destructive sinks with deny, hold, or allow tiers. No agent rewrite, no framework migration, no special hardware: it is a gateway you put in front of the agents you already run. This is the integrity direction (where untrusted data came from), the lineage from the CaMeL and FIDES research, delivered in production.
Value-level taint
An attacker address buried in a fetched email is fingerprinted, so it is caught when it reappears as a send_email recipient.
Enforced at the sink
Taint reaching an egress or destructive call is denied or held by policy, synchronously, before the call leaves.
Critical means proven
A kill chain is marked critical only when value-level provenance confirms untrusted data actually reached an outbound call, not when steps merely co-occur.
Proof
One receipt proves the policy, the decision, and the human approval.
Every governed action can be issued as a self-contained receipt that binds three things into one signature: the information-flow policy the call was evaluated under, the enforcement decision itself, and the cryptographic signature of the human who approved any exception, bound into the delegation chain. Verify it with nothing but the receipt and a public key you pin once. No TEE hardware, no ledger, no vendor in the loop.
A transparency log, not a log
The audit log is a hosted RFC 6962 Merkle log with hourly Ed25519 signed tree heads and a public key endpoint. Membership is a proof, not a promise.
Offline, open-source verifier
@axiorank/audit-verify (TypeScript, Python, CLI) re-implements the checks with zero dependencies. Verification needs nothing of ours running.
The human's own signature
When a person approves a held call, their decision is signed under their own key and rides inside the receipt, verifiable after the fact.
Do not trust us
Verify it yourself, including against us.
Independent verification is the whole point. Pin our public key once, then verify any receipt offline, and run the open-source watchdog to continuously check that our log was never forked or rewritten.
Stop trusting the dashboard. Start verifying the math.
Put AxioRank in front of the agents you already run, and turn every decision into something you can prove.