Registry
Catalogs the agents, tools, and connectors in play.
MINDBURN LABS
Inspect surfaceControl plane vs execution authority
AI agent control plane vs execution authority
A control plane catalogs your agents and routes their traffic. Execution authority decides whether a consequential action may run, denies the unknown by default, and records a signed receipt.
A control plane organizes. Execution authority rules. One of them binds proof to the effect.
The category
The control plane keeps agents organized and routed.
As agent fleets grow, teams want one place to see what is deployed, route each request, and hold shared configuration. The control-plane framing is a reasonable answer to that problem. It tells you what exists and where traffic goes.
Routing
Sends each request to the right model, tool, or service.
Configuration
Holds keys, limits, and per-agent settings in one place.
Observability
Collects traces and metrics for what agents did.
The difference
Routing a request is not the same as authorizing an effect.
A control plane can deliver a request to the right tool and never decide whether the resulting side effect should happen. Execution authority owns that decision and the evidence behind it.
The control plane
- Catalogs agents, tools, and connectors.
- Routes each request to the right destination.
- Holds keys, limits, and per-agent configuration.
- Collects traces of what agents did.
HELM execution authority
- Returns ALLOW, DENY, or ESCALATE before the effect runs.
- Denies anything unknown or unapproved by default.
- Binds the permitted effect to the verdict that authorized it.
- Signs a receipt and EvidencePack that verify offline.
A consequential action
Where the verdict lands.
A control plane would route this request. HELM decides whether the side effect may run and records proof either way.
Agent proposes
Agent proposes to revoke an access token in production
HELM checks policy
Checks policy, principal, and scope before the change
Verdict
ESCALATE
Proof
Access-change receipt + signed EvidencePack
Questions
Control plane and authority, in plain terms.
What is an AI agent control plane?
It is the management layer that catalogs your agents, tools, and connectors, routes requests to the right place, and holds shared configuration. It answers what is deployed and where each request goes.
How is execution authority different from a control plane?
A control plane organizes and routes. Execution authority decides whether a proposed side effect may run, denies anything unknown or unapproved by default, and binds a signed receipt to the action. One catalogs traffic; the other rules on each consequential effect.
Do I need both?
They sit at different points. A control plane keeps agents organized and routed. HELM sits at the moment of execution and rules on the side effect. You can run a control plane and still have no answer for who authorized a given action.
Does HELM replace my routing or registry layer?
No. HELM checks a proposed action against policy before the effect runs and records a receipt. It does not catalog or route your agents; it decides what they may execute and proves what happened.
Keep reading
Follow the proof path.
Terms
Plain-language terms
- EvidencePack
-
A small bundle of records used to verify one event or review path.
Use for replayable evidence slices. - ProofGraph
-
A record chain that helps replay and check what happened.
Use for HELM proof records and replay paths. - ALLOW
-
HELM lets the action run.
Use as a canonical verdict. - DENY
-
HELM blocks the action.
Use as a canonical verdict. - ESCALATE
-
HELM stops and asks for more facts, policy, or human approval.
Use as the canonical non-dispatch path for missing facts, policy hold, or approval.
Route your agents. Then prove what they executed.
Bring one consequential action to the boundary and see the verdict and the receipt.