HELM AI Kernel · Apache-2.0

The open-source execution firewall for AI agents.

HELM AI Kernel is a fail-closed boundary between your AI agents and the systems they can change. It checks each proposed action against policy before the side effect runs, denies the unknown by default, and records a signed receipt.

No action without a verdict. No effect without a receipt. No receipt you can’t verify.

The boundary

A firewall for actions, not packets.

Agents are crossing from suggestion into execution. The moment an agent can change a record, move money, deploy code, or alter access, something has to decide whether the side effect may run. HELM AI Kernel is that boundary: it interposes between the agent and its tools, checks each action against policy, and stops anything that is not explicitly allowed.

Interpose

Sit between the agent and its tools, so every consequential action passes through one boundary.

Decide

Return ALLOW, DENY, or ESCALATE before the effect runs. Unknown is denied by default.

Prove

Sign a receipt and EvidencePack that anyone can verify offline, later.

How it works

A deterministic path between intent and effect.

Every proposed side effect takes the same route. Unknown or unapproved actions stop by default.

Step 1

Interpose

The firewall sits between the agent and the systems it can change. Tool calls and MCP traffic pass through it.

Step 2

Check policy

Each proposed side effect is checked against policy and context before it runs.

Step 3

Return a verdict

ALLOW, DENY, or ESCALATE. Anything unknown or unapproved is denied by default.

Step 4

Bind the effect

An allowed effect is bound to the verdict that authorized it, with scope and policy.

Step 5

Sign a receipt

The decision and the effect are signed into a receipt and an EvidencePack.

Step 6

Verify offline

Anyone can verify the receipt and the pack later, outside any dashboard.

What you get

An open boundary you can run and read.

HELM AI Kernel is Apache-2.0 and self-hostable. The decision path is in the open, and so is the proof it produces.

Fail-closed

If policy does not explicitly allow an action, the firewall denies or escalates it. The default is to stop.

Open source

HELM AI Kernel is Apache-2.0. Read the code, run it yourself, and inspect every decision path.

Self-hostable

Run the boundary inside your own environment. The execution decision stays where your systems are.

Signed receipts

Every consequential decision and effect produces a signed, content-hashed record.

Offline verification

Receipts and EvidencePacks verify with a public key, with no live service.

Side-effect model

Authority is defined per action class, by what an agent can do, not by industry.

Side effects, not industries

Authority is defined per action class.

The firewall governs what an agent can do, by side effect. Each action class carries a default verdict and the evidence HELM records when it runs.

Side effect | Default verdict | Risk | Required evidence
Data export (export a customer list, download records, push data to a destination) | ESCALATE | Critical | Data hash, principal, policy hash, destination, signed receipt
Database / record write (change a CRM, ticket, or policy-admin record) | ALLOW | High | Before/after state hash, receipt, rollback semantics
IAM / access change (grant a role, revoke a token, reset a password) | ESCALATE | Critical | Delegation-chain receipt, access-change EvidencePack
Deployment / infra change (deploy a service, update infrastructure, restart production) | ESCALATE | Critical | Change receipt, CI evidence, rollback path
Code merge / PR action (open a PR, modify code, merge a dependency bump) | ESCALATE | High | PR receipt, diff hash, reviewer disposition
Refund / credit (issue a refund, apply a credit, waive a fee) | ESCALATE | High | Customer-action receipt, amount, policy, evidence
Customer communication (send a support reply, an outbound email, or a notice) | ESCALATE | Medium | Message receipt, template version, approval where required
Incident response (quarantine a host, revoke a token, escalate a ticket) | ESCALATE | Critical | Incident receipt, telemetry, disposition
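The six-step path above and the per-class defaults in this table, as an added example that is not HELM's own code: a policy map keyed by action class (the Action shape, the class names, and the receipt fields are assumptions), a fail-closed Decide that returns DENY for any class the policy does not name, and an Ed25519-signed receipt over content hashes of the action and the policy that anyone holding only the public key can verify offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// The three verdicts named on the page.
type Verdict string
const (
	Allow    Verdict = "ALLOW"
	Deny     Verdict = "DENY"
	Escalate Verdict = "ESCALATE"
)
// Action is a proposed side effect (hypothetical shape, not HELM's own schema).
type Action struct{ Class, Principal, Target string }
// Policy maps an action class to its default verdict; an absent class is unknown.
type Policy map[string]Verdict
// Receipt binds the verdict to content hashes of the action and of the policy it was judged by.
type Receipt struct{ ActionHash, PolicyHash string; Verdict Verdict }
// hashJSON is a deterministic content hash (json.Marshal emits map keys sorted).
func hashJSON(v any) string {
	b, _ := json.Marshal(v)
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}
// Decide is fail-closed: a class the policy does not mention is DENY, never ALLOW.
func Decide(p Policy, a Action) Verdict {
	if v, ok := p[a.Class]; ok {
		return v
	}
	return Deny
}
// NewKeys makes a signing keypair; verifiers only ever hold the public half.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, priv
}
// Sign decides, builds the receipt, and signs its content hash with Ed25519.
func Sign(priv ed25519.PrivateKey, p Policy, a Action) (Receipt, []byte) {
	r := Receipt{hashJSON(a), hashJSON(p), Decide(p, a)}
	return r, ed25519.Sign(priv, []byte(hashJSON(r)))
}
// Verify checks a receipt offline with only the public key; any altered field fails.
func Verify(pub ed25519.PublicKey, r Receipt, sig []byte) bool {
	return ed25519.Verify(pub, []byte(hashJSON(r)), sig)
}
```

Because the receipt carries the policy hash, a verifier can also tell which policy version produced an ALLOW, not just that the signature is valid.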

Questions

The execution firewall, in plain terms.

What is an AI agent execution firewall?

It is a fail-closed boundary that sits between an AI agent and the systems it can change. It checks each proposed side effect against policy before the effect runs, returns ALLOW, DENY, or ESCALATE, and records a signed receipt of the decision and the effect.

How is this different from a network firewall or a gateway?

A network firewall filters packets and a gateway routes and observes traffic. HELM AI Kernel decides whether a consequential action may execute, denies the unknown by default, and binds a signed receipt to the action it allowed.

Is HELM AI Kernel open source?

Yes. HELM AI Kernel is Apache-2.0. You can read the source, run it locally, self-host it, and inspect how each verdict is reached.

What does fail-closed mean here?

If policy does not explicitly allow an action, the firewall denies or escalates it. An empty or unknown policy means deny, not proceed.

Terms

Plain-language terms

EvidencePack

A small bundle of records used to verify one event or review path.

Use for replayable evidence slices.

ProofGraph

A record chain that helps replay and check what happened.

Use for HELM proof records and replay paths.

ALLOW

HELM lets the action run.

Use as a canonical verdict.

DENY

HELM blocks the action.

Use as a canonical verdict.

ESCALATE

HELM stops and asks for more facts, policy, or human approval.

Use as the canonical non-dispatch path for missing facts, policy hold, or approval.

Put a fail-closed boundary in front of your agents.

Read the source, run it yourself, or test one consequential action against the boundary.