Solution
Runtime governance for AI systems — enforced at execution time, not after.
Strix intercepts every state-changing action an AI agent or autonomous system attempts. Each action is evaluated against capability, policy, and intent, and either allowed, denied, or held for human approval — with cryptographically signed evidence produced on every path.
Answers the question: “What is runtime governance for AI systems and how does it work?”
Why post-hoc audit logs fail AI systems
Logging tells you what an AI agent did after it ran. By the time the log is reviewed, the resource is already deleted, the email is already sent, and the audit window is closed. AI systems generate decisions thousands of times faster than humans can review them — governance has to move into the execution path itself.
RBAC was built for humans making conscious decisions. AI agents don't have intent — they have prompts, and prompts can be manipulated.
Audit logs are an autopsy report. They explain how the incident happened; they don't prevent it.
Approval workflows that live outside the execution path can be bypassed by any caller that knows the right API.
Evidence stored in mutable databases is not evidence — it's a claim. Auditors need cryptographic, third-party verifiable proof.
What runtime governance actually requires
Five invariants. Strix enforces all of them at the kernel level. None of them are configurable.
| Capability | How Strix delivers it |
|---|---|
| Pre-execution interception | Every state-changing action is wrapped in a single function call. The mutation handler does not run until the governance kernel has issued a decision. There is no alternate code path. |
| Capability + intent evaluation | Permissions ask 'who can act?' Strix asks 'should this specific action, with this intent, against this resource, at this moment, execute?' RBAC allows 'admin can delete'; Strix evaluates 'admin deleting 47 active records right now.' |
| Three-state decisions | Every evaluation resolves to ALLOW, DENY, or INTERCEPT (block until human-approved). No ambiguity. No partial approvals. No defaults to allow. |
| Single-use execution tokens | When an action is approved, a single-use token authorizes one specific execution. Tokens expire (5 min default), can be revoked mid-flight, and cannot be replayed. Atomic redemption guarantees no double-spend. |
| Cryptographically signed evidence | Every decision — allow, deny, or intercept — produces an Ed25519-signed evidence record with a 13-field canonical payload. Verifiable by any third party against the public JWKS. No Strix tooling required. |
| Tenant isolation at the database | Row-level security enforced via app.current_tenant_id. Cross-tenant queries return 404, never 403 — no existence leak. Even if application code has a bug, the database returns zero rows. |
Proof, not promises
Every claim Strix makes is backed by an artifact you can independently verify.
Verify any record yourself
Every evidence record carries an Ed25519 signature. Fetch the public JWKS, recompute the canonical payload hash, verify the signature. The math doesn't require trust in Strix.
GET /.well-known/strix-jwks.jsonExternal verifier on npm
Run npx @strixgov/verifier against any decision ID. Fetches the record, the public key, the canonical payload, and tells you VERIFIED, UNSIGNED, or COMPLIANCE_VIOLATION.
npx @strixgov/verifier@1.9.0 approval <id>Open public verification API
/api/public/verify accepts any evidence ID and returns the cryptographic verdict — no auth, rate-limited at 20 req/min/IP. Auditors can wire it into their own pipelines.
GET /api/public/verify?id=<evidenceId>Frequently asked questions
How is runtime governance different from RBAC or policy-as-code?+
RBAC and policy-as-code answer 'is this actor allowed?' They evaluate before execution but they don't intercept it — once allowed, the action runs and there's no mechanism to hold it for human approval, revoke it mid-flight, or produce signed evidence. Strix is the execution boundary itself: nothing executes without an evaluation, and every evaluation produces a verifiable artifact.
What does 'cryptographically signed evidence' actually mean?+
Every governance decision produces an evidence record with a canonical 13-field payload (schemaVersion, evidenceId, evidenceHash, proofChainHash, capabilityId, action, actorId, actorRole, createdAt, signingKeyId, environment, tenantId, regulatoryContext). The payload is signed with Ed25519. The public key is published at /.well-known/strix-jwks.json (RFC 7517). Any third party can verify the signature using standard cryptographic primitives — no Strix tooling required.
Does Strix slow down AI execution?+
The kernel evaluates deterministically with zero network dependency. Decisions are made in-process. The optional cloud SDK adds dynamic rules but degrades gracefully to the local evaluator — baseline enforcement continues even when the external evaluator is unavailable.
What happens when an AI agent tries to execute without authorization?+
The action is intercepted before any mutation logic runs. The decision is recorded as evidence with the denial reason. The actor receives a forbidden error. There is no path that bypasses the kernel — every irreversible route in the platform is registered in tests/gate-j/irrev-boundaries.json and CI fails the build if any handler is unguarded.
How does this map to EU AI Act compliance?+
Article 12 (record-keeping), Article 14 (human oversight), and Article 28 (provider obligations) are derived from verification outcomes — never asserted. The signed evidence record carries a regulatoryContext block that binds the compliance flags into the cryptographic payload. Altering or removing the block invalidates the signature.
Can governance decisions be overridden by an admin?+
No. The five core invariants — nothing executes without evaluation, execution does not inherit authority, admissibility at execution time, runtime enforcement, bounded and revocable execution — are non-negotiable. There is no admin override flag, no debug bypass, no 'allow all' mode. In production, even break-glass is a governed capability that requires its own approval and produces its own signed evidence.
See runtime governance running in production.
127 governed capabilities. Every decision signed. Every action verifiable. Book a 15-minute walkthrough.
Currently in private beta — limited spots available.
npx @strixgov/verifier@latest 5686