The Control Plane for AI Actions
Fail-closed execution. Human approvals for risky actions. Cryptographic evidence for every decision. HELM is the deterministic boundary between your agents and production.
The risk is no longer bad answers. It is uncontrolled execution.
AI moved from chat to action
Agents now deploy code, approve payments, and modify infrastructure. The attack surface is the execution path, not the prompt.
Guardrails watch. They don't govern.
Prompt guardrails and tracing tell you what happened after the fact. Neither can prevent a bad action before it executes.
The gap is the execution boundary
Between 'the model decided' and 'the system did it' there is no deterministic authority. HELM closes that gap.
Three invariants. Zero exceptions.
Every agent action passes through a deterministic authorization gate. No shortcuts, no fallback to permissive defaults.
Fail-closed execution boundary
Guardian + CEL policy engine
No policy means no execution. Every action is evaluated against a deterministic policy before any side effect. Deny is the default.
Human approval before impact
Action Inbox + Zero-Standing Privileges
Risky actions route to the right human. Agents earn task-scoped permission, never standing broad access.
Signed evidence for every decision
EvidencePacks + Ed25519 + ProofGraph
Every allow or deny produces a cryptographic EvidencePack. Replay, export, and verify it offline; no running instance is needed.
Claims backed by mechanism, not marketing
Governed Pipeline
Every agent action passes through a deterministic boundary before execution.
Agent proposals enter the HELM proxy, pass through the Guardian (CEL policy engine), and reach the Executor only after explicit allow. Denied actions never execute.
Run the Gate demo
Trust Boundary
Probabilistic AI and deterministic execution never share a trust domain.
The Trusted Computing Base (TCB) is a hard enclave: Guardian, Executor, and receipt generation live inside. Agent reasoning, model calls, and prompt engineering live outside. No cross-contamination.
View architecture docs
Evidence Anatomy
Every decision, allow or deny, produces verifiable, tamper-evident evidence.
An EvidencePack contains: the original proposal, the policy context, the verdict, a timestamp, and an Ed25519 signature. Packs chain into a hash-linked ProofGraph, so evidence survives log rotation.
Verify an EvidencePack
Conformance Ladder
Start open-source. Scale governed. Same execution boundary at every tier.
HELM OSS provides the fail-closed kernel. Studio adds the shared control plane (Action Inbox, approvals, dashboards). Enterprise adds jurisdiction-aware execution and policy federation. The boundary contract is identical at every tier.
One boundary. Three scopes.
Start with the OSS execution kernel. Scale into shared control and enterprise policy federation.
HELM OSS
Fail-closed execution kernel
For developers securing local agents, CI/CD pipelines, MCP tool calls, and individual execution boundaries.
HELM Studio
Shared control for teams
Action Inbox, human approvals, evidence dashboards, and company-wide operational oversight for every governed workflow.
HELM Enterprise
Enterprise execution control
Jurisdiction-aware execution, policy federation, audit-ready evidence export, and control across teams and regions.
Built for teams that ship AI into production
For builders
Move from prototype to governed production. Ship higher-autonomy workflows with tighter execution control.
Install HELM OSS. Point one agent at the proxy. Write policy for your highest-risk action. Deploy.
from openai import OpenAI

# Point the client at the local HELM proxy instead of the vendor's API endpoint;
# the proxy is where proposed actions are gated before anything executes.
# The API key is still read from the OPENAI_API_KEY environment variable.
client = OpenAI(
    base_url="http://localhost:8420/v1",
)
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Deploy to staging"}],
)

Platform & security teams
Centralize execution control without rewriting every agent wrapper. See what was proposed, what was blocked, and why.
Deploy Studio. Connect existing agent pipelines. Configure approval routes and ZSP policies company-wide.
Enterprises
Secure heterogeneous agent ecosystems with continuous evidence and federated policy control across business units.
Start with one team on Studio. Federate policies across regions. Export evidence to existing compliance and audit tooling.
We want your hardest workflow
The best first deployment is the workflow you care about most, not the safest one you could have chosen.
Get a tighter first deployment plan
We want the risky workflow, the policy edge cases, and the operator questions you cannot answer with tracing alone.
Apply with the workflow you care about most
Tell us who you are and what you want to govern first.
Frequently asked questions
Guardrails shape model I/O. Tracing records what happened after the fact. HELM sits on the execution path and decides whether actions can run before they execute, then signs the decision into an EvidencePack.
Swap one base URL or enable the MCP gateway, write policy for your highest-risk actions, and deploy. Most teams go from zero to governed in under a day.
The action is denied before execution. HELM returns a structured reason code and emits a signed EvidencePack explaining which policy blocked it and why.
Yes. EvidencePacks are self-contained and cryptographically signed. Verify them without network access or a running HELM instance.
No. HELM proxies between your framework and the tools it calls. Works with LangGraph, CrewAI, OpenAI Agents SDK, Vercel AI SDK, AutoGen, and any MCP client.
HELM OSS is the fail-closed execution kernel. Studio adds the shared control plane: Action Inbox, approvals, evidence dashboards, and team-wide operational control.