Execution authority

AI agent execution authority

Models propose actions. HELM is the layer that decides whether a consequential action may run, denies anything unknown or unapproved by default, and records a signed receipt for what happened.

No action without a verdict. No effect without a receipt. No receipt you can’t verify.

The category

Models propose. Platforms route. HELM authorizes execution.

Agents are crossing from recommendation into execution. The moment an agent can change a record, move money, deploy code, or alter access, someone has to answer for the side effect. Execution authority is the layer that owns that decision and the evidence behind it.

Decide

Return ALLOW, DENY, or ESCALATE for a proposed action, before the effect runs.

Bind

Bind the permitted effect to the verdict that authorized it, with scope and policy.

Prove

Sign a receipt and EvidencePack that anyone can verify offline, later.

How the boundary works

A deterministic boundary between intent and effect.

Every proposed side effect takes the same path. Unknown or unapproved actions stop by default.

Step 1

Agent proposes

An agent or application proposes a consequential action.

Step 2

Policy is checked

HELM evaluates the action against policy and context.

Step 3

Verdict returns

ALLOW, DENY, or ESCALATE. Unknown or unapproved is denied by default.

Step 4

Effect is bound

An allowed effect is bound to the verdict that authorized it.

Step 5

Receipt is signed

The decision and effect are signed and recorded.

Step 6

Anyone verifies

The receipt and EvidencePack verify offline, outside any dashboard.

Side effects, not industries

Authority is defined per action class.

HELM governs what an agent can do, by side effect. Each action class carries a default verdict and the evidence HELM records when it runs.

| Side effect | Default verdict | Risk | Required evidence |
| --- | --- | --- | --- |
| Data export: Export a customer list, download records, push data to a destination | ESCALATE | Critical | Data hash, principal, policy hash, destination, signed receipt |
| Database / record write: Change a CRM, ticket, or policy-admin record | ALLOW | High | Before/after state hash, receipt, rollback semantics |
| IAM / access change: Grant a role, revoke a token, reset a password | ESCALATE | Critical | Delegation-chain receipt, access-change EvidencePack |
| Deployment / infra change: Deploy a service, update infrastructure, restart production | ESCALATE | Critical | Change receipt, CI evidence, rollback path |
| Code merge / PR action: Open a PR, modify code, merge a dependency bump | ESCALATE | High | PR receipt, diff hash, reviewer disposition |
| Refund / credit: Issue a refund, apply a credit, waive a fee | ESCALATE | High | Customer-action receipt, amount, policy, evidence |
| Customer communication: Send a support reply, an outbound email, or a notice | ESCALATE | Medium | Message receipt, template version, approval where required |
| Incident response: Quarantine a host, revoke a token, escalate a ticket | ESCALATE | Critical | Incident receipt, telemetry, disposition |
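
The six-step path and the per-class default verdicts above, as an added Python example that is not HELM's code or API. The action-class keys, receipt fields and demo key are assumptions, and HMAC stands in for the public-key signature that offline verification by a third party would need.

```python
import hashlib, hmac, json

def canonical(obj):
    # Stable byte encoding so the same action always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Default verdicts from the table above; the key names are hypothetical.
DEFAULT_VERDICTS = {
    "data_export": "ESCALATE", "record_write": "ALLOW",
    "iam_change": "ESCALATE", "deployment": "ESCALATE",
    "code_merge": "ESCALATE", "refund": "ESCALATE",
    "customer_communication": "ESCALATE", "incident_response": "ESCALATE",
}
POLICY_HASH = hashlib.sha256(canonical(DEFAULT_VERDICTS)).hexdigest()
SIGNING_KEY = b"constructed-demo-key"  # constructed; stand-in for a private key

def decide(action):
    # Fail closed: an action class that policy does not name is denied.
    return DEFAULT_VERDICTS.get(action.get("class"), "DENY")

def issue_receipt(action, principal):
    # Bind the verdict to this exact action and policy, then sign the record.
    body = {
        "action_hash": hashlib.sha256(canonical(action)).hexdigest(),
        "principal": principal,
        "policy_hash": POLICY_HASH,
        "verdict": decide(action),
    }
    sig = hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}

def verify_receipt(receipt, action, key=SIGNING_KEY):
    # Needs only the receipt, the action and the key: no live service.
    body = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, receipt.get("signature", ""))
            and body.get("action_hash") == hashlib.sha256(canonical(action)).hexdigest())

def execute(action, receipt, effect):
    # The effect runs only under a valid ALLOW receipt for this exact action;
    # DENY and ESCALATE are both non-dispatch paths.
    if not verify_receipt(receipt, action) or receipt["verdict"] != "ALLOW":
        return None
    return effect(action)
```

Changing any field of the action after the receipt is issued, or editing the verdict in the receipt, makes verification fail, so the effect does not run.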

Where HELM fits

Other layers decide and observe. HELM decides what may execute, and records the proof.

Agent frameworks

Decide what an agent should attempt.

Gateways

Route and observe tool and MCP traffic.

Identity

Prove who or what is acting.

Observability

Reconstruct what happened from logs.

Governance and risk

Organize policy and compliance records.

HELM

Decides whether the side effect may run, returns ALLOW / DENY / ESCALATE, and records a signed receipt.

Questions

Execution authority, in plain terms.

What is an execution-authority layer?

It is the layer that sits between an AI agent and the systems it can change. It decides whether a proposed side effect may run, denies anything unknown or unapproved by default, and records signed evidence of the decision and the effect.

How is this different from an AI governance dashboard?

A dashboard organizes policy and shows you records after the fact. An execution-authority layer returns a verdict before the side effect runs and binds a signed receipt to the action, so the control and the evidence live at the moment of execution.

Does HELM replace my identity, gateway, or observability tools?

No. Identity proves who is acting, gateways route traffic, observability reconstructs history. HELM decides whether a consequential action may execute and records proof that survives outside those tools.

What does "fail-closed" mean here?

If policy does not explicitly allow an action, HELM denies or escalates it. The default is to stop, not to proceed.

Terms

Plain-language terms

EvidencePack

A small bundle of records used to verify one event or review path.

Use for replayable evidence slices.

ProofGraph

A record chain that helps replay and check what happened.

Use for HELM proof records and replay paths.

ALLOW

HELM lets the action run.

Use as a canonical verdict.

DENY

HELM blocks the action.

Use as a canonical verdict.

ESCALATE

HELM stops and asks for more facts, policy, or human approval.

Use as the canonical non-dispatch path for missing facts, policy hold, or approval.

Don’t trust your agents. Verify their execution.

Bring one consequential action to the boundary and see the verdict and the receipt.