Governance that travels
with the agent.
Open-source trust scoring, capability gating, and circuit breakers that travel with your agents — not bolted on after. Install from npm. Govern in minutes.
Why we built this
Every AI governance framework today watches inputs and outputs. None watches the agent.
A compromised model can pass every filter, carry a trigger it will act on later, and you won’t see it coming — until you do. Vorion watches inside the agent, so you don’t have to find out the hard way.
The full circle
Vorion. AI governance for the autonomous age.
- BASIS defines the open standard.
- Cognigate enforces it at runtime.
- AgentAnchor certifies agents against it.
- Aurais curates certified agents.
- Kaizen cultivates keepers and agents.
One standard. Four products. Full circle.
Where do you want to start?
Get started in 4 lines:
view on npm →// works with any agent framework
import { createTrustEngine } from '@vorionsys/atsf-core';
const engine = createTrustEngine();
await engine.initializeEntity('agent-001', 2);
const callback = engine.createCallback('agent-001');
await agent.invoke(input, { callbacks: [callback] });Works with LangChain, CrewAI, AutoGen, or any callback-compatible framework.
What is AI Governance?
AI governance ensures AI systems operate safely and predictably within defined boundaries—like guardrails for autonomous vehicles, but for AI.
Trust Scoring
Think about your credit score. Years of on-time mortgage payments to reach 800. One missed payment and it drops 100 points overnight. The system rewards consistency and punishes risk — and the higher you climb, the more you have to lose.
Agent trust works the same way. A new agent starts restricted. Weeks of coherent operation earns it more access. One incoherent event and the score drops hard — and a trusted agent falls further than a new one, because it had more responsibility.
What this looks like
Your coding assistant starts in Sandbox — it can suggest changes but can’t push to git. After weeks of clean completions, it earns Standard tier and gets scoped write access. It tries to access a prod database it shouldn’t? Trust drops. Access revoked. Automatically.
How it works
0–1000 scale, 8 tiers. Trust grows logarithmically (slow and steady, like building credit). 16 factors across behavioral, compliance, identity, and context. Agents can’t game it — repeated signals decay exponentially.
See the math
Gain rate 0.05 (logarithmic). Penalty ratio P(T) = 3+T — a Sandbox agent pays 3×, an Autonomous agent pays 10×. Decay: 182-day half-life, 50% floor, 9 stepped milestones. Signal dedup: 1.0 → 0.5 → 0.25 → floor 0.0625.
Capability Gating
A new hire doesn’t get the keys to the production servers on day one. They get a dev environment, scoped access, and a manager who signs off on deploys. As they prove themselves, the guardrails widen.
Same principle, applied to agents. A new agent can read data but not modify it. It can draft an email but not send it. Access expands as trust is earned — not assumed.
What this looks like
Your customer support agent starts with read-only access to tickets. After consistent, accurate responses it earns the ability to send replies with human approval. Eventually it handles routine tickets end-to-end — but refund authority? That’s a higher tier, and it has to earn it.
How it works
Each trust tier maps to a capability set. Sandbox: read-only, no network, no tools. Standard: scoped writes, approved tools. Autonomous: full capability within policy bounds. When an agent hits an action above its tier, it escalates — the agent with the right authority decides and executes.
See the math
escalation: T2 detects → T5 executes (each at own authority). The requesting agent’s trust isn’t penalized for asking. Both actions logged in the proof chain.
Circuit Breakers
Your house has a fuse box. If something draws too much power, the breaker trips before the wiring catches fire. You don’t have to be home. You don’t have to notice. The system protects itself.
Agent circuit breakers work the same way. An agent spiraling? Stopped. An agent that won’t respond to shutdown commands? Force-terminated. An agent gaming the system by alternating good and bad behavior? Caught and frozen.
What this looks like
Your data pipeline agent starts making unusual API calls at 2 AM. Trust drops. Circuit breaker trips. The agent is frozen, you get a log of exactly what happened, and nothing else in your system is affected. You review it in the morning — not in a panic.
How it works
Graduated breaker trips when trust falls below threshold. Risk-tiered cooldowns before the agent can rebuild. Oscillation detection catches flip-flopping behavior. Heartbeat deadman switch force-kills agents that stop checking in — intervals scale with trust level.
See the math
Breaker at trust < 100. Oscillation: 3 direction changes / 24 hours. Hysteresis bands [25, 25, 20, 20, 15, 10, 10, 10] prevent tier-flapping. Deadman: T0=10s, T7=120s intervals, 3 missed = forced termination.
Agents Know Their Limits
A junior analyst can’t approve a $50K purchase order — they route it to their manager. Same with agents. A T2 monitoring bot detects an anomaly that needs a production restart. It can’t do that — that’s a T5 action. So it escalates. The T5 orchestrator reviews, approves, executes. The T2 bot never touched prod. The audit trail shows exactly who did what and why.
This isn’t a failure — it’s governance working. Lower-trust agents requesting help from higher-trust agents is the right call, not a limitation.
How escalation works
The requesting agent acknowledges its limit and routes up. The higher-trust agent evaluates the request, decides, and executes with its own authority. The lower agent’s trust isn’t penalized for asking — escalation is governance working correctly, not a workaround. Multipath option: the system can route to any qualified agent, not just a single chain.
What this looks like
Your monitoring bot (T2) detects memory pressure on a production node. Restarting the service requires T5. The bot creates an escalation request with context: what it detected, what it recommends, and why it can’t act. The T5 orchestrator evaluates, approves the restart, and executes. Both actions are logged in the proof chain — the detection by the T2, the execution by the T5. Clean separation of capability and accountability.
Why Vorion Is Different
Every other governance framework watches the door. Vorion watches the building.
Model tampering detection →
Your agent's weight matrices have a shape — a fingerprint. Vorion takes a cryptographic snapshot using SVD plus a hybrid signal (scale, sign, permutation-sensitive). If anything changes — a fine-tuning attack, a swapped checkpoint, a poisoned adapter — the fingerprint changes before the behavior does.
Think of it like a tamper seal on a medicine bottle. You don't need to test every pill — you just check if the seal is broken.
Pre-action gating →
Most governance checks happen after an agent acts. Vorion checks before. Every action is classified across 6 risk levels and compared against the agent's trust tier before any capability is invoked.
Think of it like a key card system. You don't investigate after someone enters the server room — you check their badge before the door opens.
Cryptographic proof chain →
Every governance decision is SHA-256 hash-linked to the one before it. Tamper with one record and every subsequent hash breaks, visibly and irreversibly. Any third party can verify the chain with a public key.
Hash-linked records, fast, no consensus needed, independently verifiable.
The Vorion Stack
Five governance stages — from internal-state integrity to cryptographic audit. Each stage is independent. Together they're the full picture.
SENSE
Reads agent internals. Weights, activations, embedding drift. Detects parameter modification before behavior changes.
INTENT
Normalizes goals into structured plans. Classifies risk across 6 levels before anything executes.
ENFORCE
The 4-layer pipeline: velocity, tripwires, policy engine, circuit breaker.
PROOF
SHA-256 hash-linked chain with Ed25519 signatures. Tamper-evident, third-party verifiable.
CHAIN
Cross-layer trust signal propagation. Events at any layer affect enforcement at every layer.
"SENSE reads the agent. INTENT reads the goal. ENFORCE stops the bad stuff. PROOF shows the receipts."
Four Layers of Defense
Every agent action passes through four independent enforcement layers. Each one is a hard gate — not a suggestion.
Velocity
Three-tier rate limiting — burst, sustained, and hourly caps per agent. Stops flooding before anything else runs.
Tripwires
60+ compiled regex patterns fire before the LLM sees anything. Deterministic and absolute — no trust level overrides these.
Policy Engine
YAML/JSON constraint evaluation against trust-tier-specific policies. Checks capability gates, risk thresholds, and custom organizational rules.
Circuit Breaker
System-level halt on cascading failures. CLOSED → OPEN → HALF_OPEN state machine. No single agent can bypass it.
Core pipeline p99 latency: < 18ms. All four layers are sub-millisecond to single-digit millisecond.
Multi-provider adversarial LLM evaluation — catches subtle manipulation that regex can't detect. Enable for high-risk actions, intent alignment checks, or custom logic hooks. Not in the default pipeline.
By the Numbers
Two scopes, both reproducible:
1,578 tests in the core trust runtime
(@vorionsys/atsf-core),
and 24,075 / 24,110 across the full Vorion monorepo
(apps, SDKs, research, integration). 4 snapshot failures and 7 skips are tracked openly — nothing is hidden.
Tap any number to see its source.
Reproduce the audit →
Built for Compliance
Mapped to the frameworks your compliance team already cares about.
EU AI Act high-risk enforcement begins August 2026. See the full compliance map →
Live — try it
Every card opens a real service. Nothing here is a mockup.
The ecosystem
BASIS, Cognigate, AgentAnchor, Aurais — how it fits together.
BASIS
8-tier trust framework with 16 factors across 5 groups, tier-gated capabilities, and KYA verification
CAR ID
Categorical Agentic Registry — universal agent identification
ATSF
Agent Trust & Safety Framework runtime
Proof Plane
Immutable audit trail for AI agent operations
Contracts
Shared Zod schemas and validators
Kaizen
Interactive AI learning experience
Cognigate
Governance runtime enforcement API — shared engine powering AgentAnchor
AgentAnchor Platform
Enterprise agent governance platform — compliance, audit, registration
Open-source packages
npm install @vorionsys/* and go — all Apache 2.0.
@vorionsys/basis Open governance standard for AI agent trust
@vorionsys/atsf-core Core runtime for the Agentic Trust Scoring Framework
@vorionsys/cognigate Governance runtime enforcement API
@vorionsys/contracts Shared Zod schemas and validators
8-Tier Trust Architecture (T0-T7)
Every agent starts sandboxed and earns autonomy. Eight tiers, 0-1000 scale. Your agents graduate based on verified behavior.
Sandbox
0-199
Observed
200-349
Provisional
350-499
Monitored
500-649
Standard
650-799
Trusted
800-875
Certified
876-950
Autonomous
951-1000
Why tiers instead of a single number?
Think about security clearances. “Confidential” and “Top Secret” mean something — a raw score doesn’t. Tiers give you clear policy boundaries. You don’t write rules for score 647 vs 648 — you write rules for “Standard” vs “Trusted.” The engine handles the transitions.
What this looks like
A Sandbox agent (T0) can only respond to queries with human approval. A Standard agent (T4) handles routine work autonomously. A Trusted agent (T5) can make decisions that affect other systems. Each tier is a clear contract between you and the agent — you know exactly what it can and can’t do.
See the math
16 factors across behavioral (40%), compliance (25%), identity (20%), context (15%). Every trust decision is backed by a dual-hash proof chain (SHA-256 + SHA3-256). Signals are deduplicated with exponential decay to prevent gaming.
Ready to start?
Pick your path. Everything on this site links to its source — nothing is staged.