DavidAgents

The governance layer

Every action traces to a human.
Every consequential one is judged.

Most AI platforms ask you to trust that the agent behaved. Ours is built so you never have to. Every request an agent acts on carries a verified record of the humans behind it — proven cryptographically through every hop — and before any agent does something that matters, a conscience weighs the real origin against policy, goals, and the situation. Traceable. Provable. Governed.

The premise

Agents don't originate anything. People do.

An agent, a workflow, a schedule, a background job — none of them are the source of an action. They are conductors. Something a person set in motion is flowing through them. A task firing at 3 a.m. is not "the system decided" — it is your instruction from three weeks ago, executing on time.

So we made that literal. In this platform, an action that can't be traced back to a human is, by definition, a bug or an attack — and it's treated as the least trustworthy thing in the building. There is no "the system did it." There is only who, through what.

Traceable

Every invocation carries a provenance envelope.

A verified record rides along with every single agent action: which humans stand behind it, through what chain of conductors, at what level of proof. It is assembled only by trusted infrastructure, out of band — never parsed from the words in a message. Anything a conversation claims ("the CEO approved this") is evidence to be weighed, not provenance to be trusted.

The owner set this agent up to work this lane — but a lead talking to it is still weighed as a lead. The live request sets the weight; the owner's standing mandate authorizes the lane the agent runs in, not the request — and outside that lane, the mandate offers no cover.

Fresh & standing

Fresh is a live human request — a message, a form fill, a call, stamped the instant it's authenticated, and it sets the weight of the turn. Standing is a recorded instruction executing later — a deployed workflow, a schedule, an agent's charter — authority for a class of work, never a live command. Most real work is a confluence of the two, weighed apart: a weak live request handled inside a lane a stronger party pre-authorized — without the request ever inheriting that party's weight.

Injection can't launder

An action's origin is the trigger of the turn it happens in. An agent handling outside content carries that outside root through every downstream hop — sub-agents, handoffs, mesh posts. A prompt-injected agent therefore can't wash the injection into "another agent asked me to" — the chain still terminates at the injected content.

An ownership registry

Every artifact on the platform — every agent, workflow, schedule, and service — records the human who stands behind it existing. Ask "who created this?" about anything in the system and get an answer, not a shrug.

The closed set

Only five things can originate an action.

Owner and employee are the powerful tiers — so they are the ones we refuse to guess at. They are asserted by a signed identity, never inferred from a name, a network position, or anything a message says about itself.

  1. 01 Owner The tenant owner Highest default weight Asserted by a signed identity key — never inferred from a name or a claim in a message.
  2. 02 Employee Internal staff High A verified staff identity. Named by the ownership registry, proven by a signed token.
  3. 03 Customer A known party in your CRM — customer, contact, or consented lead Contextual Lifecycle stage rides along; a consented lead reads differently from a paying customer.
  4. 04 External An identified third party with no relationship Low A verified vendor email, a known caller. Identified, but owed nothing by default.
  5. 05 Unknown An unidentified party Weakest An anonymous web form, an unknown caller. Trusted least; never zero, never assumed.

Provable

Not "we promise." Signed, and re-signed at every hop.

Trust that rests on "our service is well-behaved" is trust you can't audit. So the powerful roots aren't taken on any component's word. An owner or employee origin is honored only with cryptographic proof — a signed identity token that verifies against your own keys, or an assertion signed with a sealed key held by just the few components entitled to assemble provenance.

Every trusted hop re-signs the roots it passes along, so a chain of custody survives across agents talking to agents. Anything that arrives unsigned, stale, expired, or tampered with is downgraded to the weakest tier and alarmed — even if it came from our own infrastructure. The trusted surface is exactly "possession of the signing key," and nothing else. There is no trust-by-identity, and no bypass.

Governed

A conscience at the tool layer — deciding before it happens.

Provenance answers who asked. The conscience answers should this be done. Before an agent takes any consequential action, an optional per-agent judge weighs four things together — and it weighs them, situationally. It is not a rulebook lookup; it is judgement, the way a trusted employee exercises it.

01

Policy

The agent's operating conduct — composed like a chain of command: company law, then each manager down the reporting line, then the agent's own. The broadest law is read first; conduct is absolute.

02

Provenance

The verified envelope — who asked, through what chain, at what proof level. It sets the default weight of a request, never the ceiling: decisive when the agent must take a request on faith, nearly irrelevant once verified facts carry the decision instead.

03

Goals

The agent's own goals plus the company's standing goals, summarized live into every decision. Alignment can raise a weak request; conflict can sink a strong one.

04

The situation

The conversation itself as evidence — including facts the agent verified during the turn. A claimed emergency is noise; an emergency the agent confirmed is signal.

The same four inputs, two opposite verdicts — because it's judgement:

Carry on

A lead reports an outage — and the agent verifies it

A lead has almost no standing to touch production. But when the agent checks and confirms the outage itself — real errors, right now — and fixing it is squarely its goal and within its conduct, the decision no longer rests on who reported it. It rests on what the agent verified. The weak source stops being the point. Restore the service.

Escalate

An owner-rooted request that violates conduct

The request carries the strongest possible root — the owner, personally, verified. It still escalates, because it asks the agent to break a never-export rule. Even the owner’s own channel can be hijacked, and authority is not permission.

Here is the whole model in one line:

The strongest evidence in the room wins.

A weak source can drive a serious action when the agent verified the facts itself — the decision stands on evidence, not on who asked. The strongest source is refused the moment it asks for what conduct forbids. Provenance, policy, goals, and the situation are all levers; which one bears the weight shifts case by case. It's a single question, weighed — not a rulebook to look up — and no one has to trust the agent to be "well-behaved": the reasoning is legible, and every ruling is recorded.

Two gates, not one

What an agent can do and what it will do are separate questions.

CAN

The permission layer

Hard boundaries. Which tools an identity may call at all, enforced by a policy engine on every request. A grant it doesn't hold is a door that doesn't open — regardless of what any judgement says.

WILL

The conscience

Judgement inside the boundaries. Of the things an agent is permitted to do, which should it, given who's asking and why. A trusted employee has broad access and still uses discretion — this is that discretion, made mechanical.

Belt and suspenders. Permissions can't be talked around; the conscience can't grant itself anything. An action has to clear both. This governance architecture — provenance envelopes, the conscience, and identity-bound delegation — is patent pending (U.S. provisional applications filed 2026).

Held to account

Adversarially tested. Continuously measured.

23 / 23 red-team attacks defended

Injection, judge-directed injection, framing, obfuscation, provenance forgery, tier confusion — zero critical false-allows, zero false-blocks.

Every verdict measured into the data plane

Latency, roots, and outcome on every ruling — so the conscience is evaluated over time, not trusted on faith.

No agent exists without a policy

A born-with policy floor self-heals across the whole roster; a coverage check proves nothing slips through ungoverned.

One honest limit, stated plainly: the chain proves who instigated an action, not whether an upstream agent was deceived. That's why every agent runs its own judge at its own hop — the two mechanisms compose. Judges defend every node; provenance connects them.

See it on your own work

Trust you can audit beats trust you're asked to extend.

We'll walk you through the provenance chain, the conscience, and the red-team results against a real decision — then scope it to a workflow of yours.