AI agents are not exempt.
Same enforcement. Every action.
A compromised AI agent with tool access can cause more damage than a compromised human — faster, at scale, with no fatigue. Strix governs every agent action with the same enforcement architecture as every human-initiated action. There is no privileged execution path.
AI agent capabilities
Governed in production — every one
Cron job capabilities
Automated tasks, same enforcement
Exempt paths
No privileged execution route exists
Governed agent capabilities
Every tool call is a governed action.
| Capability | Risk | Enforcement |
|---|---|---|
| Send bulk email | HIGH | Volume threshold triggers interception. Human approval required above 100 recipients. |
| Create or modify accounts | HIGH | Account mutation classified HIGH. Decision record created. Evidence signed. |
| Execute external API calls | HIGH | External call scope bound to approved capability. Token prevents scope expansion. |
| Trigger cron / scheduled tasks | HIGH | 19 cron capabilities governed. Identical enforcement to human-initiated actions. |
| Access or transform sensitive data | CRITICAL | CRITICAL classification. Quorum approval. Scoped execution token. Signed artifact. |
| Initiate role or permission change | CRITICAL | Blocked unconditionally. Agents cannot issue their own execution tokens. |
Structural invariants
Four guarantees for autonomous actions.
These are not UI policies. They are enforced at the kernel layer and verified by the enforcement coverage test suite on every commit.
Agents cannot issue their own execution tokens
Token issuance is restricted to the governance kernel. An agent that attempts self-authorization is blocked before the capability runs.
Agents produce identical proof receipts to human actions
There is no separate trust path for autonomous actions. Every agent capability produces the same signed evidence record as a human-initiated mutation.
Agent authority does not persist across tasks
Execution authority is evaluated fresh at each task boundary. Prior approvals do not transfer. Execution does not inherit authority.
Scope is evaluated at execution time, not plan time
An agent plan approved at t=0 is re-evaluated at each tool call. Scope expansion mid-task requires a new decision.
Unified evidence chain
Humans and AI share the same proof chain.
An AI agent action and a human mutation produce identical evidence record structures — same 13-field signed payload, same chain-hash linkage, same JWKS-published key. An auditor reviewing the chain cannot tell which actions were human and which were autonomous from the cryptographic record alone.
See an agent action intercepted live.
In the demo, we trigger an AI agent bulk-send and watch Strix evaluate it through the kernel, produce an evidence record, and block execution pending human approval — all before a single message sends.