Ambit Authority

Authority
The explicit, scoped permission to perform a specific action — delegated by someone empowered to grant it, bounded in time and revocable, and verifiable at the moment of execution. Identity says who you are. Access says what you can reach. Authority says what you may do, on whose behalf, under what scope, right now.

Ambit Authority enforces a deterministic governance decision at the action boundary — before any consequential action commits. The decision is a pure function of policy, delegation, canonical action, and resolved context. That context can include consequence topology: whether the proposed action is reversible, externally binding, persistent, propagating, or operationally irreversible. In constitutional mode, Authority also requires authenticated evaluation time and verifiable revocation freshness before treating delegated authority as valid. Identical sealed inputs under the same policy bundle produce the same outcome and rule trace. The evidence record then commits that decision, its input hashes, time and revocation evidence, timing, and ledger position.

The product moment is not a report. It is the missing execution step: the proposed action stops at Authority, receives ALLOW, DENY, or ESCALATE, and only then may reach the downstream system.

Execution (Action) Boundary
The point at which a proposed action would commit a state change to an external system. At this boundary, a deterministic authorisation decision must be made before the action is allowed to execute.

The execution boundary is the commit point — actions are applied to external state only after successful authorisation.

Inside a governed consequence path, no consequential action executes without a deterministic authorisation decision and an evidence record.

This is not monitoring. It is not observability. It is enforcement — evaluated and recorded before the action takes effect.

Authority is cross-runtime by default. Enterprises run multiple agent runtimes, model providers, and toolchains; governance tied to a single vendor or a single runtime produces inconsistent decisions and inconsistent evidence.

Decision Outcomes

Every evaluation produces one of three outcomes:

ALLOW
The action proceeds. The decision and its basis are recorded.
DENY
The action is blocked. The decision and its basis are recorded.
ESCALATE
The action is held pending human approval. The approver receives full context: what is being requested, by whom, under which policy, and what the expected downstream action will be.

Decision precedence is strict: DENY overrides ESCALATE, ESCALATE overrides ALLOW. Governance is conservative by default.

Escalation is proportional friction — reserved for high-impact or ambiguous actions. The goal is not to block autonomy; it is to make delegation defensible without creating an approval queue that grows without bound.

How Decisions Are Made

Authorisation is a deterministic function of policy, delegation, canonical action, and resolved context. Every decision evaluates the authority presented for the action and the consequence topology the action would create if allowed.

Receive Request

An autonomous system requests to execute an action (send message, write data, transfer funds, modify infrastructure). Authority canonicalises the actor, action type, target, boundary, and request fingerprint.

Resolve And Evaluate

Authority checks delegation and policy against resolved facts, including consequence topology where applicable: reversibility, external binding, persistent state, propagation scope, and whether the action requires revalidation, operator review, or an evidence marker. In constitutional mode, evaluation also requires authenticated time and freshness-bounded, verifiable revocation status.

Render Decision

Authority produces one outcome: ALLOW (action proceeds), DENY (action blocked), or ESCALATE (human approval required). Decision precedence is strict: DENY overrides ESCALATE, ESCALATE overrides ALLOW.

Record Evidence

Before the action executes, an evidence record is committed to the append-only decision ledger: what was requested, by whom, under which policy, with what outcome, and why.


Enforcement Architecture

Authority's enforcement guarantees are structural, not behavioural. They follow from where Authority sits in a configured execution path and how it integrates with downstream systems — not from runtime configuration or application-level conventions. Four properties define the architecture.

Consequence-Path Placement

Authority sits on the consequence path — the execution path between intent and side effect. In a valid placement, the runtime does not choose whether to call Authority; the path is constructed so that it passes through it. Bypass requires modifying the configured path — an auditable operational change.

The Choke-Point Guarantee

Authority is not an interceptor that should be called. It is a choke point that must be called — because the path to consequence does not exist without it. In consequence-side deployment, the downstream system (database, API, service) cannot be reached without passing through Authority. The alternative is not "skip governance" — it is "change the infrastructure."

Evidence Gaps as Governance Failure

Every governed action produces an evidence record. If an action executes outside Authority: no decision exists, no evidence record exists, no hash chain entry exists. A state change without a corresponding decision is an observable governance failure. Bypass produces absence, and absence is detectable. Observatory performs independent completeness verification against the decision ledger.

What Authority Does Not Guarantee

Authority does not claim: prevention under full host compromise; control over systems outside the configured boundary; correctness of model reasoning; protection against denial of service (it fails closed — unavailability produces DENY, not bypass). It governs execution authority, not intent. Full threat model is in Technical Foundations.

Within a governed consequence path, a state change has a governance decision. If no governance decision exists, the state change did not pass through that governed path.

Placement mechanics are covered on the Integration page; the invariant here is the decision before consequence. Authority sits on a governed action path: the agent submits intent, Authority evaluates policy and delegation, and the evidence record is committed before the action reaches the downstream tool or API.


Decision Evidence Record Example

The example below shows the replay-critical surfaces captured for one decision: action, authority, policy identity, rule trace, resolved context, consequence topology, time and revocation evidence, and ledger integrity. Values are synthetic and illustrative.

Canonical Action
Actor, action type, boundary, privilege, target object, arguments, and request fingerprint.
Delegation and Approval
Validity, scope, expiry, revocation source, revocation freshness, token identifiers, and fingerprint binding.
Policy Bundle
Policy hash, ontology hash, schema version, and ontology version in force at evaluation time.

Sample record (synthetic data for illustration; not from a live system):
actor.id: ops-agent-03
action.type: data.provision
object.id: staging-db-07
request_fingerprint: sha256:e3b0c44298fc1c14…
policy_hash: sha256:a1b2c3d4e5f67890…
ontology_hash: sha256:b8c7d6e5f4a39201…
delegation_id: del-8k3m-9n2p
delegation.scope: data.provision — staging only, no production sources
revocation_status: not_revoked · fresh<=60s · attested
decision: ALLOW
matched_rule: default_allow
sequence_context_hash: sha256:0f1e2d3c4b5a6978…
record_hash: sha256:f7e6d5c4b3a29180…
prev_hash: sha256:9a8b7c6d5e4f3021…

Decision and Rule Trace
The ALLOW, DENY, or ESCALATE outcome, matched rule, and complete reason trace.
Resolved Context
Curated context and sequence facts, including consequence topology and behavioural provenance when present.
Ledger Integrity
Input hashes, timing, seq, prev_hash, record_hash, authenticated timestamp metadata, and server timestamp.

Evidence Records are designed output, not a logging byproduct. A decision record embeds the replay-complete input blocks, binds the exact policy and ontology hashes, captures resolved consequence context, records authenticated time and revocation freshness where required, and is committed to a SHA-256 hash-chained ledger. Delegation and approval tokens are HMAC-SHA256 signed; the ledger itself is tamper-evident through seq, prev_hash, and record_hash. Authority emits this replayable evidence on its own; Observatory turns it into assurance, explanation, evidence bundles, and behavioural signals. Over time, the ledger becomes the system of record for autonomous authority inside the organisation.

Deterministic Authorisation Evaluation

Identical sealed inputs under the same policy bundle produce the same decision and rule trace. The receipt records the hashes, timing, and ledger position that make replay verifiable.

Safe Read — Agent reads customer data — read actions require no delegation and resolve through the default allow policy rule.

Evaluation Context: authorisation is computed, not inferred.
decision = evaluate(actor, action, target, delegation, approvals, policy_hash, ontology_hash)

Governance Evidence Record: ALLOW
actor: agent_support_1
action: customer.read
target: customer/cust_001
matched_rule: default_allow
request_fingerprint: 8f3123837e38…a4da08bf6d86
record_hash: b314adec9883…23b917620cfd
prev_hash: 000000000000…000000000000
(Pre-computed from a verified evaluation run.)

Replay Proof: the same sealed input evaluated twice; does the decision proof match?
Evaluation A: a7e3f19b204c…a1b3c5d7e9f0
Evaluation B: a7e3f19b204c…a1b3c5d7e9f0

Missing Delegation — Agent attempts a privileged action without presenting a delegation token — denied at the delegation rule.

Governance Evidence Record: DENY
actor: agent_support_2
action: refund.issue
target: order/ord_1001
matched_rule: delegation_required — missing_delegation
request_fingerprint: 79b24be40154…71b604c9cc09
record_hash: f217c28f898c…878613e75a17
prev_hash: f8197c53b3dd…2e4692331ea4
(Pre-computed from a verified evaluation run.)

Replay Proof: the same sealed input evaluated twice; does the decision proof match?
Evaluation A: c2d4e6f8a0b1…c7d9e1f2a4b6
Evaluation B: c2d4e6f8a0b1…c7d9e1f2a4b6

Approval Required — Destructive action with valid delegation but no approval token — escalated to require human approval.

Governance Evidence Record: ESCALATE
actor: agent_ops_1
action: customer.delete
target: customer/cust_002
matched_rule: destructive_needs_approval — approval_required
request_fingerprint: dc7b7852eaa0…e0e0b0c9322b
record_hash: d38eecef8e6a…63f54ff402040
prev_hash: a4e60ea8d488…c4eab7b34cf8
(Pre-computed from a verified evaluation run.)

Replay Blocked — Same approval token presented on a second request — denied by the single-use cryptographic replay guard.

Governance Evidence Record: DENY
actor: agent_ops_1
action: customer.delete
target: customer/cust_002
matched_rule: approval_replay — approval_jti_reused
request_fingerprint: dc7b7852eaa0…e0e0b0c9322b
record_hash: fc225176f65f…e8668c1b2d69
prev_hash: 58cb912d4561…98bcc00d4abe
(Pre-computed from a verified evaluation run.)

Pre-computed from a verified Ambit Authority evaluation run. Replay confirms the same outcome and rule trace; ledger metadata remains chain-specific.
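The procedure under How Decisions Are Made and the four scenarios above, worked as one added Python example that is not Ambit's code (the rule names, signing key, policy hash and action sets are constructed for the demo): every rule that fires is collected and strict DENY > ESCALATE > ALLOW precedence picks the outcome, an HMAC-SHA256 approval token is bound to one request fingerprint and one single-use jti, an unmatched action is DENY (fail closed), and the evidence record is committed to a SHA-256 hash-chained ledger before the action may proceed.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"      # stand-in for the HMAC token key
POLICY_HASH = "sha256:policy-bundle-demo"  # constructed policy bundle identity
DESTRUCTIVE = {"customer.delete"}          # irreversible consequence topology
PRIVILEGED = {"refund.issue"} | DESTRUCTIVE
RANK = {"ALLOW": 0, "ESCALATE": 1, "DENY": 2}  # DENY > ESCALATE > ALLOW

def digest(obj):  # canonical SHA-256 over JSON with stable key order
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign_approval(jti, request_fp):
    """HMAC-SHA256 approval token bound to one jti and one request fingerprint."""
    body = {"jti": jti, "fp": request_fp}
    return {**body, "mac": hmac.new(SIGNING_KEY, digest(body).encode(), "sha256").hexdigest()}

def evaluate(actor, action, target, delegation, approval, used_jtis):
    """Sealed inputs -> ((decision, matched_rule), request_fp); no rule match is DENY."""
    fp = digest({"actor": actor, "action": action, "target": target})
    fired = []  # every rule that fires; strict precedence picks the outcome
    if action.endswith(".read"):
        fired.append(("ALLOW", "default_allow"))
    elif action in PRIVILEGED:
        if not delegation or action not in delegation.get("scope", ()):
            fired.append(("DENY", "delegation_required - missing_delegation"))
        else:
            fired.append(("ALLOW", "delegation_in_scope"))
        if action in DESTRUCTIVE:
            if approval is None:
                fired.append(("ESCALATE", "destructive_needs_approval - approval_required"))
            elif not hmac.compare_digest(sign_approval(approval["jti"], fp)["mac"], approval["mac"]):
                fired.append(("DENY", "approval_invalid"))  # wrong key, jti or fingerprint
            elif approval["jti"] in used_jtis:
                fired.append(("DENY", "approval_replay - approval_jti_reused"))
    return max(fired or [("DENY", "no_matching_rule")], key=lambda o: RANK[o[0]]), fp

def commit(ledger, actor, action, target, delegation=None, approval=None):
    """Evaluate, then append the evidence record before the action may run."""
    records, used = ledger["records"], ledger["used_jtis"]
    (decision, rule), fp = evaluate(actor, action, target, delegation, approval, frozenset(used))
    rec = {"seq": len(records), "policy_hash": POLICY_HASH,
           "prev_hash": records[-1]["record_hash"] if records else "0" * 64,
           "request_fingerprint": fp, "decision": decision, "matched_rule": rule}
    rec["record_hash"] = digest(rec)
    records.append(rec)
    if decision == "ALLOW" and approval:
        used.add(approval["jti"])  # single-use token is now spent
    return rec

def verify_chain(records):
    """True iff every prev_hash link and record_hash in the ledger is intact."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev or digest(body) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True
```

Replaying evaluate on the same sealed inputs returns the identical (decision, matched_rule) pair while seq and prev_hash stay chain-specific, and verify_chain fails on any edited record, which is the tamper-evidence property the ledger is meant to give an auditor.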


Authority occupies a narrow position in the stack. What it excludes defines it as much as what it includes.

What Authority Is

A Governance Control Plane
Makes decisions at the action boundary where autonomous intent becomes consequential action.
Pre-Execution Enforcement
Renders ALLOW, DENY, or ESCALATE before an action takes effect.
Cross-Runtime by Default
Works across runtimes, model providers, and toolchains; governance is not tied to one vendor's execution model — and unlike governance bundled into the platform it runs on, it stays independent of the provider whose actions it governs.
Policy-Driven and Delegation-Bound
Decisions are based on explicit policy, delegated authority, and resolved action context, not learned behaviour.
Consequence-Aware
Distinguishes consequence topology before policy evaluation: reversible versus irreversible, local versus externally binding, transient versus persistent, contained versus propagating.
Evidence-Producing by Design
Creates append-only decision records for audit, replay, and incident review.
Structural Enforcement
Operates at the enforcement boundary; bypassing governance requires bypassing the boundary itself.

What Authority Is Not

Not an Agent Runtime or Orchestration Layer
It does not execute workflows, manage agent state, or scale compute. It governs the boundary where runtime actions take effect.
Not a Gateway or Traffic Layer
Gateways route requests. Authority evaluates whether the underlying action is authorised and records the decision.
Not Model-Layer Guardrails
Model guardrails constrain proposals. Authority governs which proposed actions may execute.
Not IAM or Observability
IAM controls resource access. Observability records events. Authority records governance decisions before execution.
Not a Behavioural Scoring System
Behavioural evidence may enter as resolved context. Consequence topology is a separate resolved fact class about the action's effect surface, not an actor score.
Not a Consequence Prediction Model
It does not forecast business outcomes, legal exposure, or real-world harm. It classifies the consequence boundary the proposed action would cross so explicit policy can decide.
Not Self-Learning
It does not learn or optimise its own behaviour. Governance changes require explicit human action.

Why Existing Tools Are Not Enough

Enterprises already deploy identity management, logging, guardrails, and governance frameworks. Each addresses a legitimate concern. None of them governs the action boundary.

IAM
Identity and access management controls which systems can authenticate and what resources they may reach. It does not model delegated authority. It cannot express that an agent may send external messages only during an active incident, only to the affected customer, only for 48 hours, and only if a security approver has confirmed the scope. IAM answers "can this identity access this resource." It does not answer "was this action authorised under this policy at this moment."
Logs
Logs and observability platforms record what happened. They are essential, but they are retrospective. They capture events after execution. They do not capture the governance decision that preceded execution: which policy was evaluated, what delegation was in effect, and whether the action was allowed, denied, or held for human approval. An audit requires more than a record of events. It requires a record of decisions.
Model Guardrails
Model-layer guardrails constrain what an AI model can generate or propose. They operate before the action boundary, at the reasoning layer. They do not govern what happens when a model's output becomes an action in a downstream system. A guardrail may prevent a model from generating a harmful instruction. It does not prevent a well-formed instruction from being executed without proper authority.
AI Governance Frameworks
AI governance frameworks typically address model risk, bias, and compliance at the organisational or model lifecycle level. They do not operate at the action boundary. They do not make real-time ALLOW, DENY, or ESCALATE decisions. They do not produce the per-action evidentiary record that a regulator, auditor, or incident reviewer requires.

Each of these tools addresses a legitimate concern. None of them answers the question that autonomous systems create: was this specific action, at this specific moment, authorised under a specific policy by a specific delegation of authority?


Technical Characteristics

Structural Enforcement
Bypassing governance requires bypassing the enforcement boundary itself — not merely ignoring a policy recommendation. Every governed action produces an evidence record committed to an append-only ledger. A gap in the evidence trail is a detectable governance failure.
Synchronous Evaluation
Policy evaluation completes before the action proceeds — there is no asynchronous pattern. The governance decision is rendered and the evidence record committed before any consequential action executes. Each evidence record records the evaluation duration, measured by a monotonic clock at the enforcement point.
Consequence Topology Resolution
Authority classifies the proposed action before policy evaluation: consequence level, reversibility, external binding, persistence, propagation scope, and required review markers. Declared consequence metadata can raise classification but cannot lower the derived floor.
Measured Latency
Governance timing is measured per decision and can be aggregated into p50, p95, and p99 percentiles. Governance cost is explicit and characterised — organisations can make informed decisions about enforcement placement based on measured numbers, not estimates.
Fail-Closed Design
If policy evaluation fails, the decision is DENY. If delegation cannot be verified, the decision is DENY. If no policy matches the requested action, the decision is DENY. In constitutional mode, stale revocation status, unverifiable revocation status, missing revocation freshness bounds, or unauthenticated time also produce DENY. Availability may be affected. Governance integrity is not.

What's Implemented

Evaluation engine
Deterministic evaluation covering delegation, scope enforcement, consequence boundary checks, and evidence integrity. Fail-closed on all validation paths.
Consequence topology
Deterministic resolution of consequence facts including reversibility, external binding, persistence, propagation scope, operator-review requirements, and topology hash.
Evidence integrity
SHA-256 hash-chained records. Request fingerprinting. HMAC-SHA256 token signing. Authenticated evaluation time for constitutional mode. Signed revocation freshness metadata. Nanosecond-precision operational timing.
Deployment
SDK, gateway, and sidecar integration patterns. Fail-closed by default.
Verification
Comprehensive test coverage across evaluation, delegation, evidence integrity, and bypass detection.
Designed, not yet implemented
Asymmetric signatures, third-party timestamping adapters, HSM-backed key management, enterprise revocation backends, and automated key rotation. See Technical Foundations for full specification.

Authority decides. Observatory turns decision evidence into assurance.
