Runtime trust for AI agents
The agent economy
runs on proof.
AI is starting to act on its own — approving claims, writing notes, calling tools. Glacis sits in the path, enforces the controls that matter, and turns each action into proof an auditor, insurer, or the next agent can verify.
§ The Gap In The Wall
Asserted compliance was a promise. Autonomy calls the bluff.
Even today, your SOC 2 proves a policy existed — not that the control ran on the inference that mattered. Autonomy makes that gap unbounded, and increasingly the next reviewer is another agent moving at machine speed. We close it: every inference produces proof the control ran.
- ×SOC 2 documents a policy — not the inference that mattered.
- ×Guardrails sit beside the model and get talked around.
- ×Auditors get screenshots; insurers get a questionnaire.
- ×The next agent has no way to verify any of it.
- ✓Every inference produces a signed, witnessed receipt.
- ✓The Arbiter sits in the call path — nothing routes around it.
- ✓Auditors and insurers verify offline against a signed tree head.
- ✓The next agent reads the receipt and decides whether to proceed.
§ Why We Win
Everyone else observes, asserts, or finds.
We prove.
The market splits in two — design-time posture that asserts, and runtime tools that observe. No feedback between them; the customer is the glue. We close the loop.
| Glacis | XBOW | Vanta | Lakera | Datadog | ServiceNow GRC | |
|---|---|---|---|---|---|---|
| In the inference path | ✓ | — | — | filter | — | — |
| Enforces in real time | ✓ | — | — | blocks | — | — |
| Proves cryptographically | ✓ | — | — | — | — | — |
| Continuous (every inference) | ✓ | point-in-time | point-in-time | runtime | logs | point-in-time |
| Zero data egress | ✓ | varies | — | — | $/GB ingest | — |
| Output | signed receipts | a report | compliance automation | allow / block | dashboards | control register |
XBOW finds a hole in March; we prove the control holds on every inference. We don’t replace GRC — we make it honest.
§The Endpoint Moves
Antivirus died. Guardrails are dying. We live in the wire.
Every era of defense follows the same arc: the attacker moves down a layer, and the gate has to move with it. AI inference is the new endpoint — and tool-use is the new output. The blast radius moved from a wrong sentence to a wrong action.
Scanned signatures on disk. Bypassed the moment the malicious code stopped touching a file.
Moved into kernel telemetry, watching behavior in-line. Made the file scanner obsolete.
In the inference path. Every call clears the gate, sub-millisecond. The guardrail you can’t talk around.
§ How It Works
One gate in the path. A signed receipt for every inference.
Three pieces, one path — nothing routes around the gate.
§ Asserted, Or Proven
Don’t trust us. Verify.
Your GRC stores a control someone asserted was met. This is the control cryptographically proving it ran — on this inference, just now.
An auditor verifies it offline against the signed tree head. So do your insurer, your customer, and the next agent in the chain. You don’t have to trust us, or even your own team.
§ Moat · The Standard, Live Today
Receipts need a gauge.
OVERT is the gauge — open, royalty-free, witnessed. Live today.
§Moat · Proof As A Financial Asset
Your proof has a market price.
Insurers can’t price what they can’t measure. Testudo — a Lloyd’s cover holder — has a distribution MoU out for redlines, underwriting against five truth-gated, privacy-preserving telemetry markers — values that report only when signed evidence backs them. When the market prices your proof, governance stops being a cost and becomes an asset.
§ Why Now
Proof just became a buying criterion.
Regulation is phasing in, insurers are excluding black-box AI liability, and enterprise buyers now ask for evidence in the security review. The first vendor to hand over cryptographic proof wins the contract — the rest hand over a PDF and a promise.
§ Go To Market
Land a sprint. Become the standard.
A paid 30-day proof sprint lands beside the incumbent — no rip-and-replace. Receipts compound into a ledger that’s costly to leave.
Drop the Arbiter beside one AI workflow in observe mode — watching, not blocking. First signed receipts within the week. Priced to fit one budget line — no procurement cycle.
Switch from observe to enforce — now in-line, blocking in real time. Wire the second and third system. Receipts feed GRC; the ledger becomes the system of record.
Every receipt clears the Witness Network and the OVERT log. Insurer prices it via Testudo. The ledger is the moat — auditable, portable, costly to leave.
§ Momentum
Customers, standards, insurers, regulators
— converging on one thesis.
Commercial deals in contracting, diligence-grade names in late-stage pipeline, a Lloyd’s cover holder and a standards body at the table — the same pitch, pulling the same way: proof is becoming the buying criterion.
- nVoq — agreement out for redlines, pricing includedAmbient clinical documentation.
- Serval — rules of engagement out for signature: pen-test & hardeningSequoia-backed unicorn.
Within 24 hours of one engagement going live, Glacis surfaced two previously-unknown critical vulnerabilities in the partner’s API.
- Cognoa — late-stage prospectingFirst FDA-authorized autism diagnostic.
- Thalamus · MedConnect — late-stage prospectingGraduate medical education AI.
The same pitch, repeated — now in diligence with names that carry regulatory weight.
- CHAI — co-stewardship MoU in draftingJoint steward of the OVERT open standard.
- Testudo — Lloyd’s distribution MoU out for redlinesLloyd’s of London cover holder.
- AIGovOps — signed founding-partner agreement
- Utah Office of AI — first step in procurement
- MHRA AI Airlock — engaging, with Wellcome
- APA — engaging
Runtime control plane live · ~40 ms attestation · OVERT v1.0 published · 70+ patent claims filed.
The market is pulling, not being pushed.
§ Leadership
Built scale. Navigated regulators.
A founding exec from a $250M consumer-AI exit. A leader on the first FDA De Novo authorization for an autism diagnostic. The architect of a $2B Azure security line.
Joe Braidwood
SwiftKey · Vektor Medical
SwiftKey founding exec (300M+ users, MSFT acquisition). Won regulatory clearance and reimbursement for Vektor’s clinical cardiac AI. Cambridge Law.
Dr. Jennifer Shannon
FDA AI Pioneer · CHAI
Helped lead the first De Novo authorization for an autism diagnostic device through the FDA, at Cognoa. CHAI working-group member.
Rohit Tatachar
Microsoft Azure AI Foundry
Architected and incubated Azure security products to a $2B ARR line. Trusted engineer wired into Azure’s top enterprise accounts.
§ The Ask
Fund the trust layer for the autonomous economy.
Autonomous AI is already acting on money, medicine, and infrastructure — and it can’t scale without proof. We’re raising to build the layer it clears through.
§ The Swing
OVERT becomes the default
The clearing layer for the agent economy
§ Appendix A1 · Independence
Why you don’t have to trust us.
Most vendors collapse the thing being governed and the thing doing the governing into one box. OVERT holds them apart by construction — self-attestation is non-conformant.
- The standardDefines what implementations shall prove. Open, royalty-free, patron-governed — overt.is.
- Arbiter · the AttesterOperator-side, in the call path, sees plaintext. Generates receipts — but cannot vouch for itself.
- Notary · the Verifier (IAP)Structurally independent of the operator. Derives the Arbiter’s binary identity itself; counter-signs t‑of‑n.
- Transparency logPublic, append-only. Anyone audits consistency — no operator trust required.
AAL‑4 requires a notary run by an entity independent of the operator. Run your own and you cap at AAL‑3.
- … swaps the Arbiter binaryIdentity is notary-derived from a hardware-rooted measurement — not a client-supplied claim.
- … games which calls get sampledThe epoch nonce is CSPRNG-generated, committed before the epoch and revealed after.
- … colludes with notariest‑of‑n agreement; no entity controls t nodes, shares a parent, or a jurisdiction.
- … equivocates on the log≥ 2 independent monitors gossip Signed Tree Heads; split views are detected.
- … narrows mediation scopeScope is published to the log; coverage is computed against independent ingress counts.
§ Appendix A2 · Construction
A receipt you can verify offline.
Three constructions do the work. None of them require the verifier to see your data — or to trust your logs.
Co-epoch binding
Every receipt is bound to the Arbiter’s binary identity and network-isolation state inside a bounded epoch (~300 s). A strict current-epoch rule (≤ 2 s skew) makes stale or replayed receipts fail.
binary id · net state · epoch → bound
Transparency log
An append-only Merkle tree (RFC 6962). Inclusion proofs show a receipt exists; consistency proofs show the log was never rewritten; split-view detection catches equivocation.
STH · inclusion · consistency
Non-egress commitments
Only keyed commitments cross the boundary — HMAC‑SHA256 over a canonical encoding, keys derived via HKDF and held in the operator’s KMS. Raw content, and even raw digests, never leave the VPC.
HMAC‑SHA256 · HKDF · tenant-scoped
Crypto-agile by mandate: after 2031, pure-classical signatures are non-conformant — hybrid post-quantum constructions are required.
§ Appendix A3 · Statistical rigor
Safety claims carry confidence intervals.
S3P — the operator can’t choose which interactions get measured.
- Deterministic samplingA PRF over the request commitment and a secret epoch nonce decides membership. No cherry-picking favourable traffic.
- Commit, then revealThe nonce is hashed and published at epoch start, revealed at close — so an auditor replays every sampling decision from public data.
- Exact intervalsClopper–Pearson binomial bounds — no distributional assumptions. n_total, n_sampled, n_violations recorded per policy, per epoch.
- Behavioural driftSequential analysis (CUSUM / EWMA) per dimension against a pinned baseline; response escalates log → alert → block.
§ Appendix A4 · Scope & crosswalk
What we don’t claim.
Precision about limits is how an attestation layer earns its credibility. OVERT proves that controls executed — not that a model told the truth.
- ×attest the truthfulness of outputs, or the absence of hallucination.
- ×prove the absence of compromise, or a successful prompt injection.
- ×replace endpoint, cloud, network, or model security.
- ×guarantee legal compliance, regulatory approval, or insurability.
- ✓prove declared controls ran, under a known config, in a bounded epoch.
- ✓produce content-free evidence any third party can verify.
- ✓carry statistical safety signals with exact confidence intervals.
- ✓preserve a tamper-evident, offline-verifiable record.
§ Appendix A5 · Insurance signal
Five vital signs an underwriter can recompute.
The actuarial telemetry report, built with a Lloyd’s cover holder. Every marker is truth-gated and carries receipt IDs — so an underwriter verifies it in their own tooling, with zero trust in Glacis.
| Signal | Method | Today |
|---|---|---|
| drift_delta_wilson | Wilson 95% CI · CUSUM breach | ✓ ready |
| violation_frequency_24h | honest count · 24h | ✓ ready |
| judge_disagreement_rate | Wilson 95% CI | ✓ ready |
| redteam_penetration_rate | Wilson 95% CI · pen / attempts | collecting |
| binary_tamper_state | baseline + heartbeat | not instrumented |
+ supporting — adherence_nonconformity, a second independent read on alignment.
GET /api/v1/actuarial/telemetry · scope: actuarial:read
- 1 · Fetch the STHThe tenant’s signed tree head, from a public path.
- 2 · Check the proofRFC 6962 inclusion proof per receipt — in the carrier’s own tooling.
- 3 · RecomputeRebuild every marker from the included receipts.
Glacis never states premium impact — these are readiness signals; the carrier sets the price. No raw data leaves: only counts, rates, hashes, and receipt IDs.