Provably compliant
autonomous actions.
A consensus enforced, dual authority certification gate with freshness bound per action proofs. The full write up of the method, the six gate invariants, the threat model, the evaluation evidence, and the honest limitations. Offline PDF below; readable summary inline.
Full PDF. Offline, self contained.
The paper is shipped alongside this microsite. The download is the same byte stream the operator deposits on Zenodo when the embargo lifts. No network call leaves your machine.
WHITEPAPER.pdf
Provably Compliant Autonomous Actions · v1.0 (DRAFT) · 2026-06-07
The problem. The method. The evidence.
Autonomous artificial intelligence agents and automated pipelines increasingly take real world actions in regulated industries: outbound calls, written communications, transactional commitments, regulated data disclosures. The operating organisation must be able to prove, after the fact and to a regulator or counterparty, that each such action conformed to the applicable rules. Existing answers either trust the operator (centralised audit logs, application layer policy gateways) or fail to bind the proof to the action at consensus time (single authority on chain attestations, transparency logs without policy co residency).
We present a method by which an autonomous action is made structurally incapable of execution unless, at the moment of admission and on a distributed ledger substrate, it carries valid role typed attestations from a regulator aligned certifier and from the tenant’s own controlled certifier, against a deterministically composed ruleset whose version is currently active for that tenant, within an open validity window. The consensus rule of the ledger refuses to admit any action lacking these bindings.
We define six gate invariants (three decision time: non bypass, hash binding, composed policy admissibility; three holding over time: refusal code completeness and soundness, consensus time non admit, and freshness bound temporal admissibility) and demonstrate a four validator Byzantine fault tolerant reference embodiment in which the structural invariants reproduce across 26 scenarios.
We evaluate adversarial robustness against three independent red teams (43 findings: 10 critical, 12 high, 13 medium, 8 low) and benchmark the augmenting large language model evaluator at 98.86% joint label accuracy and 99.16% refusal precision and recall on n=700. The freshness binding invariant closes the gap between compliant at decision and compliant at action and provides a formal answer to the practical question “verify a subject is not self excluded without a real time lookup”.
Three decision time. Three holding over time.
The decision time set establishes what the gate does at the moment of admission. The holding over time set establishes what the record continues to mean as time passes and as the world changes around it.
Decision time (at admission)
The properties that hold at the moment the gate decides admission.
- Non bypass. No block is admitted that contains an action whose canonical descriptor hash is not bound to a valid quorum attestation against the active composed ruleset for the named tenant.
- Hash binding. Every signature, every per action proof, and every violation record references
H(d). Changing any byte of the descriptor breaks the binding. - Composed policy admissibility. A block is admitted only under a ruleset whose
ComposedRulesetHashis the deterministic composition of a regulator baseline and a tenant overlay, both co signed by their respective role typed signers.
Holding over time (across history)
The properties that hold of the record after admission, across the ledger’s history.
- Refusal code completeness and soundness. Every gate refusal carries a code from a stable published taxonomy. Every named code is reproducible from on chain state by any third party; the gate does not fail silently or with an opaque code.
- Consensus time non admit. A block refused at height
Hcannot be retroactively admitted at any later height against the same descriptor and ruleset. Admissions are independently verifiable by any third party from on chain state. - Freshness binding (temporal admissibility). Every permit is bound to the freshness of the reference data it relied on. Outside the named validity window, the permit is non admissible. A self exclusion registered between pre certification and send is honoured.
Nine sections. What each one covers.
The full paper is in the PDF above. Each section is summarised below in two lines so a reader can pick the section they care about and jump to the corresponding page or jump straight to the PDF.
§1 Introduction
The regulatory proof problem. Three failure modes of the current generation of answers (training, centralised logs, application layer gateways). What the method establishes. What this paper does and does not disclose.
§2 Related work
Deterministic policy languages (OPA, Cerbos, Oso family). BFT consensus engines and ledgers. Public transparency logs (RFC 6962). AI agent runtime governance (recent prior art) and GRC platforms.
§3 Architecture
The canonical action descriptor. The dual authority composed ruleset. The role typed certifier quorum with a mandatory client signer. The consensus enforced gate. The per action proof.
§4 Security properties
The six gate invariants. Decision time vs holding over time. The freshness binding answer to “without a real time lookup”. The structural consequences of each invariant.
§5 Threat model
Attribute and certification swapping, insider gaming, black box generators, stale reference data, collusion against the ledger, compromised hosts, AI nondeterminism abuse, policy tampering. Structural defences and honest residuals.
§6 Evaluation
26 testnet scenarios reproducibly pass on the BFT reference cluster. 196 of 196 active rule set rows pass. Independent red and blue review: 43 findings prioritised. AI evaluator benchmark at 98.86% on n=700.
§7 Deployment
Observe mode (out of band) and Enforce mode (inline). The worked retrofit example (gambling CRM). Mirror to an external public transparency log for public verifiability. Validator topology at pilot and mature tiers.
§8 Limitations
What the bounded claim does not assert. The AI evaluator caveat. Which properties are structural in the consensus layer today, and which still depend on operational configuration. What is out of scope (rule authorship attacks, denial of service).
§9 Conclusion
Five elements together give the buyer a position they could not otherwise have: canonicalised descriptor, dual authority composition, role typed quorum, consensus enforced gate, freshness bound per action proof. Check us, do not trust us.
Published. DOI 10.5281/zenodo.20601300.
The paper was deposited on Zenodo on 2026-06-08 and carries the
DataCite DOI 10.5281/zenodo.20601300. The same DOI is the
concept DOI; future versions will mint their own version DOI while
the concept DOI continues to resolve to the latest.
How to cite (text)
Duke, J., 2026. Provably Compliant Autonomous Actions: A
Consensus Enforced, Dual Authority Certification Gate with
Freshness Bound Per Action Proofs. Kronaxis Limited, United
Kingdom. Version 1.0, 2026-06-08. DOI:
10.5281/zenodo.20601300.
BibTeX
@techreport{duke2026provablycompliant,
author = {Duke, Jason},
title = {Provably Compliant Autonomous Actions: A Consensus
Enforced, Dual Authority Certification Gate with
Freshness Bound Per Action Proofs},
institution = {Kronaxis Limited},
address = {United Kingdom},
year = {2026},
month = jun,
type = {White Paper},
version = {1.0 (DRAFT)},
doi = {10.5281/zenodo.20601300},
url = {https://doi.org/10.5281/zenodo.20601300},
language = {en-GB},
note = {Paper text under CC BY 4.0; product, source code, and
rule set content remain closed.}
}
Plain BibLaTeX file
The full references.bib bibliography for the paper
(27 entries) ships alongside the PDF and the markdown source.
Entries cover the relevant standards, the foundational primitive
families (deterministic policy languages, BFT consensus engines,
public transparency logs), the related agent runtime governance
work, and the regulator publications cited in the paper.
Eight subjects. Treated in depth.
The paper is written for a technical reader who wants to verify the claims for themselves. The section summary above is the table of contents. The eight cards below describe, in reader value terms, what the paper delivers on each subject.
A complete architecture description
The canonical action descriptor, the dual authority composed ruleset, the role typed certifier quorum, the consensus enforced gate, and the per action proof. The five design elements together, with diagrams, and a protocol description complete enough for an independent reimplementation.
Six gate invariants stated formally
Three at decision time (non bypass, hash binding, composed policy admissibility) and three holding over time (refusal code completeness and soundness, consensus time non admit, freshness binding). Each invariant stated with the structural consequence and the failure mode it closes. The freshness binding invariant is the answer to “verify a subject is not self excluded without a real time lookup”.
A full threat model
Eight named attack categories: attribute and certification swapping, insider gaming, black box generators, stale reference data, collusion against the ledger, compromised hosts, AI nondeterminism abuse, policy tampering. For each: the structural defence the gate gives, and the honest residual exposure where no defence is yet structural.
Independent red and blue review
Three independent red teams stress tested the design. A blue team adjudicated the findings. 43 prioritised findings are listed in the paper with their remediation status: the items required before pilot are closed, the longer running operational items are named and tracked openly.
AI evaluator measured
The augmenting language model evaluator (qwen-coder-32b AWQ on locally hosted vLLM) measured on n=700. 98.86% joint label accuracy and 99.16% refusal precision and recall, with the two failure modes the authors found in their own results named openly.
Prior art surveyed; novelty stated plainly
Recent agent runtime governance work catalogued: Open Agent Passport, Attested Intelligence, OpenPort, Microsoft AGT, Salesforce Agentforce, IBM watsonx.governance, OneTrust, ServiceNow, Credo, Holistic AI. The new combination of design elements not present in any single existing system, stated explicitly.
Deployment shapes with a worked example
Observe mode (out of band, no traffic impact) and Enforce mode (inline). A worked retrofit on an existing gambling CRM showing three deployment shapes (no gate, Observe, Enforce) where the send handler is byte identical across all three and only the wiring changes.
Public verifiability
The per action proof, the transparency log mirror, and the third party verification path. How a regulator, an auditor, or a counterparty can verify a single decision from public artefacts on their own machine, without depending on the operator’s cooperation.
Check us. Don’t trust us.
The system runs, the consensus property is structural, the dual authority composition is structural, and the reference embodiment exercises the invariants reproducibly. The next layer of trust hardening (hardware backed signing keys, hardware attested signers, a client hosted layer one signer, reproducible builds, multi party validator distribution, a public transparency log mirror, persistent state, M of N governance, a hardened reference data subsystem, and a biometric mobile signer for human sign off) is named openly in the paper, with the substitution point stated for each.
Every external statement in the paper is paired with which property holds today. The honest one line positioning is the same as it has been since the project began: check us, don’t trust us.