Verify What Your AI
Agents Are
Every governance tool watches what agents do. Vorion verifies what they are.
Identity Trust Signal
I(θ) = Σ wi · si(θ)
Composite identity score — weighted attestation signals that prove what an agent is, not just what it does.
Get started in 4 lines:
import { createTrustEngine } from '@vorionsys/atsf-core';
const engine = createTrustEngine();
await engine.initializeEntity('agent-001', 2);
const callback = engine.createCallback('agent-001');
await agent.invoke(input, { callbacks: [callback] }); // your code, unchangedWorks with LangChain, CrewAI, AutoGen, or any callback-compatible framework.
What is AI Governance?
AI governance ensures AI systems operate safely and predictably within defined boundariesβlike guardrails for autonomous vehicles, but for AI.
Trust Scoring
Think about your credit score. Years of on-time mortgage payments to reach 800. One missed payment and it drops 100 points overnight. The system rewards consistency and punishes risk — and the higher you climb, the more you have to lose.
Agent trust works the same way. A new agent starts restricted. Weeks of clean behavior earns it more access. One policy violation and the score drops hard — and a trusted agent falls further than a new one, because it had more responsibility.
What this looks like
Your coding assistant starts in Sandbox — it can suggest changes but can’t push to git. After weeks of clean completions, it earns Standard tier and gets scoped write access. It tries to access a prod database it shouldn’t? Trust drops. Access revoked. Automatically.
How it works
0–1000 scale, 8 tiers. Trust grows logarithmically (slow and steady, like building credit). 16 factors across behavioral, compliance, identity, and context. Agents can’t game it — repeated signals decay exponentially.
See the math
Gain rate 0.05 (logarithmic). Penalty ratio P(T) = 3+T — a Sandbox agent pays 3×, an Autonomous agent pays 10×. Decay: 182-day half-life, 50% floor, 9 stepped milestones. Signal dedup: 1.0 → 0.5 → 0.25 → floor 0.0625.
Capability Gating
A new hire doesn’t get the keys to the production servers on day one. They get a dev environment, scoped access, and a manager who signs off on deploys. As they prove themselves, the guardrails widen.
Same principle, applied to agents. A new agent can read data but not modify it. It can draft an email but not send it. Access expands as trust is earned — not assumed.
What this looks like
Your customer support agent starts with read-only access to tickets. After consistent, accurate responses it earns the ability to send replies with human approval. Eventually it handles routine tickets end-to-end — but refund authority? That’s a higher tier, and it has to earn it.
How it works
Each trust tier maps to a capability set. Sandbox: read-only, no network, no tools. Standard: scoped writes, approved tools. Autonomous: full capability within policy bounds. When an agent hits an action above its tier, it escalates — the agent with the right authority decides and executes.
See the math
escalation: T2 detects → T5 executes (each at own authority). The requesting agent’s trust isn’t penalized for asking. Both actions logged in the proof chain.
Circuit Breakers
Your house has a fuse box. If something draws too much power, the breaker trips before the wiring catches fire. You don’t have to be home. You don’t have to notice. The system protects itself.
Agent circuit breakers work the same way. An agent spiraling? Stopped. An agent that won’t respond to shutdown commands? Force-terminated. An agent gaming the system by alternating good and bad behavior? Caught and frozen.
What this looks like
Your data pipeline agent starts making unusual API calls at 2 AM. Trust drops. Circuit breaker trips. The agent is frozen, you get a log of exactly what happened, and nothing else in your system is affected. You review it in the morning — not in a panic.
How it works
Graduated breaker trips when trust falls below threshold. Risk-tiered cooldowns before the agent can rebuild. Oscillation detection catches flip-flopping behavior. Heartbeat deadman switch force-kills agents that stop checking in — intervals scale with trust level.
See the math
Breaker at trust < 100. Oscillation: 3 direction changes / 24 hours. Hysteresis bands [25, 25, 20, 20, 15, 10, 10, 10] prevent tier-flapping. Deadman: T0=10s, T7=120s intervals, 3 missed = forced termination.
Agents Know Their Limits
A junior analyst can’t approve a $50K purchase order — they route it to their manager. Same with agents. A T2 monitoring bot detects an anomaly that needs a production restart. It can’t do that — that’s a T5 action. So it escalates. The T5 orchestrator reviews, approves, executes. The T2 bot never touched prod. The audit trail shows exactly who did what and why.
This isn’t a failure — it’s governance working. Lower-trust agents requesting help from higher-trust agents is the right call, not a limitation.
How escalation works
The requesting agent acknowledges its limit and routes up. The higher-trust agent evaluates the request, decides, and executes with its own authority. The lower agent’s trust isn’t penalized for asking — escalation is governance working correctly, not a workaround. Multipath option: the system can route to any qualified agent, not just a single chain.
What this looks like
Your monitoring bot (T2) detects memory pressure on a production node. Restarting the service requires T5. The bot creates an escalation request with context: what it detected, what it recommends, and why it can’t act. The T5 orchestrator evaluates, approves the restart, and executes. Both actions are logged in the proof chain — the detection by the T2, the execution by the T5. Clean separation of capability and accountability.
How Our Ecosystem Fits Together
BASIS Standard
The open spec
defining the rules
Cognigate Runtime
Enforces the rules
in real-time
AgentAnchor
Dashboard for
monitoring agents
Learn Vorion
Docs, guides,
and knowledge base
Why Vorion Is Different
Every other governance framework watches the door. Vorion watches the building.
Model Tampering Detection
Your agent's weight matrices have a shape — a fingerprint. Feed them into Vorion and it takes a compact cryptographic snapshot using SVD decomposition. If anything changes — a fine-tuning attack, a swapped checkpoint, a poisoned adapter — the fingerprint changes before the behavior does.
Think of it like a tamper seal on a medicine bottle. You don't need to test every pill — you just check if the seal is broken.
Pre-Action Gating
Most governance checks happen after an agent acts. Vorion checks before. Every action is classified across 6 risk levels and compared against the agent's trust tier before any capability is invoked.
Think of it like a key card system. You don't investigate after someone enters the server room — you check their badge before the door opens.
Cryptographic Proof Chain
Every governance decision is SHA-256 hash-linked to the one before it. Tamper with one record and every subsequent hash breaks, visibly and irreversibly. Any third party can verify the chain with a public key.
Think of it like hash linking for governance decisions — fast, no consensus needed, independently verifiable.
| Approach | What it does | Identity verification |
|---|---|---|
| Behavioral guardrails | Filter LLM inputs/outputs | No |
| Action governance (Microsoft AGT) | Policy on tool calls | No |
| Audit platforms (Credo AI) | Compliance reporting | No |
| Vorion | Verify model identity + enforce policy + cryptographic proofs | Yes — I(θ) |
The Vorion Stack
Five governance stages — from internal-state integrity to cryptographic audit. Each stage is independent. Together they're the full picture.
SENSE
Reads agent internals. Weights, activations, embedding drift. Detects parameter modification before behavior changes.
INTENT
Normalizes goals into structured plans. Classifies risk across 6 levels before anything executes.
ENFORCE
The 4-layer pipeline: velocity, tripwires, policy engine, circuit breaker.
PROOF
SHA-256 hash-linked chain with Ed25519 signatures. Tamper-evident, third-party verifiable.
CHAIN
Cross-layer trust signal propagation. Events at any layer affect enforcement at every layer.
"SENSE reads the agent. INTENT reads the goal. ENFORCE stops the bad stuff. PROOF shows the receipts."
Four Layers of Defense
Every agent action passes through four independent enforcement layers. Each one is a hard gate — not a suggestion.
| Layer | Name | What It Does | Speed |
|---|---|---|---|
| L0 | Velocity | Three-tier rate limiting — burst, sustained, and hourly caps per agent. Stops flooding before anything else runs. | < 2ms |
| L1 | Tripwires | 60+ compiled regex patterns fire before the LLM sees anything. Deterministic and absolute — no trust level overrides these. | < 5ms |
| L2 | Policy Engine | YAML/JSON constraint evaluation against trust-tier-specific policies. Checks capability gates, risk thresholds, and custom organizational rules. | < 10ms |
| L3 | Circuit Breaker | System-level halt on cascading failures. CLOSED → OPEN → HALF_OPEN state machine. No single agent can bypass it. | < 1ms |
Core pipeline p99 latency: < 18ms. All four layers are sub-millisecond to single-digit millisecond.
Multi-provider adversarial LLM evaluation — catches subtle manipulation that regex can't detect. Enable for high-risk actions, intent alignment checks, or custom logic hooks. Not in the default pipeline.
By the Numbers
Benchmark Results
Real numbers from real tests. Every claim on this page is backed by automated benchmarks in the repo.
Destruction Test
1,000 agents, adversarial conditions
- Actions processed323,200
- Errors0
- P99 enforcement6.6ms
- Registration throughput104,068/sec
- Bad actor denial100%
- Proof emission19,884/sec
Core Enforcement (hot path)
Single-request latency and throughput
- Capability checks257,000/sec
- Per decision4µs
- P50 full L0-L30.1ms
- P95 full L0-L31.1ms
- Ed25519 proof signing0.17ms
Enterprise Soak (sustained load)
Long-running stability under pressure
- Signals processed500,000
- Proofs processed500,000
- Signal throughput8,740/sec
- Proof throughput5,873/sec
- Concurrent writers2,000
- State corruption0
SVD / ParameSphere — Model Identity
- SVD fingerprint computation21ms avg
- Fingerprints validated500 in 10.4s
- Cognitive envelope breach detectionIncluded
I(θ) starts here — SVD decomposition creates the fingerprint that proves what your model is.
Built for Compliance
Mapped to the frameworks your compliance team already cares about.
EU AI Act high-risk enforcement begins August 2026. NIST CAISI collaboration active.
Live Sites
Try it out β everything is live
Projects
The Vorion AI Governance ecosystem
BASIS
8-tier trust framework with 16 factors across 5 groups, tier-gated capabilities, and KYA verification
CAR ID
Categorical Agentic Registry β universal agent identification
ATSF
Agent Trust & Safety Framework runtime
Proof Plane
Immutable audit trail for AI agent operations
Contracts
Shared Zod schemas and validators
Kaizen
Interactive AI learning experience
Cognigate
Governance runtime enforcement API β shared engine powering AgentAnchor
AgentAnchor Platform
Enterprise agent governance platform β compliance, audit, registration
Open Source Packages
npm install and go
@vorionsys/basis Open governance standard for AI agent trust
@vorionsys/atsf-core Core runtime for the Agentic Trust Scoring Framework
@vorionsys/cognigate Governance runtime enforcement API
@vorionsys/contracts Shared Zod schemas and validators
8-Tier Trust Architecture (T0-T7)
Every agent starts sandboxed and earns autonomy. Eight tiers, 0-1000 scale. Your agents graduate based on verified behavior.
Sandbox
0-199
Observed
200-349
Provisional
350-499
Monitored
500-649
Standard
650-799
Trusted
800-875
Certified
876-950
Autonomous
951-1000
Why tiers instead of a single number?
Think about security clearances. “Confidential” and “Top Secret” mean something — a raw score doesn’t. Tiers give you clear policy boundaries. You don’t write rules for score 647 vs 648 — you write rules for “Standard” vs “Trusted.” The engine handles the transitions.
What this looks like
A Sandbox agent (T0) can only respond to queries with human approval. A Standard agent (T4) handles routine work autonomously. A Trusted agent (T5) can make decisions that affect other systems. Each tier is a clear contract between you and the agent — you know exactly what it can and can’t do.
See the math
16 factors across behavioral (40%), compliance (25%), identity (20%), context (15%). Every trust decision is backed by a dual-hash proof chain (SHA-256 + SHA3-256). Signals are deduplicated with exponential decay to prevent gaming.