
Fail-Closed Execution

When authority cannot be verified, consequential work is denied or escalated.


This page describes current HELM AI Kernel behaviour; product relevance is kept separate from thesis material.


Diagram interlude

The boundary fails closed before the connector acts.

When authority is absent or ambiguous, the proposal stops at HELM and no connector call is dispatched.

Figure: fail-closed agent execution path (diagram; labels recovered from the image)

Caption: A technical figure for MCP/tool-call requests. An AI agent proposes a tool call through MCP. HELM AI Kernel checks policy before execution, denies an unsafe SQL operation, emits a signed denial receipt, and records proof into ProofGraph and EvidencePack surfaces.

Diagram elements: MCP (tool call) → HELM AI Kernel (public execution boundary; policy is enforced before execution, and every allow, deny, or escalation emits a signed receipt) → decision → ProofGraph (tamper-sensitive receipt history) and EvidencePack (offline-verifiable packet; standards / verification / proof).
Text description

Agent request: an AI agent proposes a tool call through MCP.

HELM gate: HELM AI Kernel checks policy before dispatch and fails closed when the action violates policy.

Decision and proof: the action is denied, no side effect is dispatched, and a signed receipt is written for later audit.

The Risk of Fail-Open AI

In traditional software development, “fail-closed” is a foundational security principle. If a system encounters an error, an unexpected state, or an authorization failure, it defaults to denying access or halting the operation.

However, many early AI agent frameworks implicitly operate on a “fail-open” paradigm. They are designed to retry, guess, or hallucinate a path forward when they encounter obstacles. While this persistence is valuable for creative tasks, it is disastrous for enterprise execution, where a “guess” might involve modifying a database or sending an unauthorized email.

HELM’s Fail-Closed Architecture

HELM enforces strict fail-closed execution at the boundary between stochastic intelligence (the model) and deterministic authority (the runtime).

1. Explicit Authorization

No action is executed unless it is explicitly authorized. If a model generates a spec that lacks the required credentials, violates a policy, or attempts to access a resource outside its bounded context, the request is immediately rejected. There is no fallback to “try something else.”

2. Deterministic State Machines

HELM models workflows as deterministic state machines. An agent can only transition a workflow from State A to State B if the conditions for that transition are perfectly met. If the model provides incomplete or malformed data, the transition fails, and the state machine remains securely in State A.

3. Human-in-the-Loop as a Hard Gate

For high-risk operations, HELM utilizes Human-in-the-Loop (HitL) approvals not as a suggestion, but as a cryptographic gate. If the human does not sign off, the execution path is permanently blocked. The model cannot bypass this requirement through clever prompting.
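The three principles above fit in one small gate. The following is an added example, not HELM's code: the tool names, the policy table, the proposals and the receipt signing are all constructed for illustration, and HMAC-SHA256 over a hard-coded key stands in for whatever signing scheme the product actually uses. The point it shows is that every check either advances the state machine or ends in a signed denial, and the connector call is only reachable from the final state.

```python
import hashlib
import hmac
import json

# Constructed signing key; a stand-in for the key store that signs real receipts.
RECEIPT_KEY = b"example-receipt-key-not-for-production"

# Constructed policy table (hypothetical tools). Each tool names the credential
# scope a proposal must present, whether a human must sign off, and, for SQL,
# the statement verbs that are never dispatched.
POLICY = {
    "sql.query": {"scope": "db:read", "human": False,
                  "deny_verbs": ("DROP", "DELETE", "TRUNCATE", "ALTER", "UPDATE")},
    "mail.send": {"scope": "mail:send", "human": True, "deny_verbs": ()},
}


def _mac(message: bytes) -> str:
    return hmac.new(RECEIPT_KEY, message, hashlib.sha256).hexdigest()


def human_approval(proposal_id: str) -> str:
    """Signature a human approver attaches to one specific proposal id."""
    return _mac(b"approve:" + proposal_id.encode())


def sign_receipt(body: dict) -> dict:
    """Every allow or deny decision becomes a signed receipt."""
    return {**body, "sig": _mac(json.dumps(body, sort_keys=True).encode())}


def verify_receipt(receipt: dict) -> bool:
    """Auditor-side check: any edit to the receipt body breaks the signature."""
    body = {k: v for k, v in receipt.items() if k != "sig"}
    return hmac.compare_digest(receipt["sig"], _mac(json.dumps(body, sort_keys=True).encode()))


def guard_authorized(p: dict):
    """Principle 1: explicit authorization. Returns a denial reason, or None to pass."""
    rule = POLICY.get(p.get("tool"))
    if rule is None:
        return "unknown tool"                      # no guessing at unknown tools
    if rule["scope"] not in p.get("scopes", ()):
        return "missing scope " + rule["scope"]
    verb = str(p.get("args", {}).get("sql", "")).strip().split(" ")[0].upper()
    if verb in rule["deny_verbs"]:
        return "forbidden verb " + verb
    return None


def guard_approved(p: dict):
    """Principle 3: human-in-the-loop as a hard gate, checked by signature."""
    if not POLICY[p["tool"]]["human"]:
        return None
    if not hmac.compare_digest(p.get("approval") or "", human_approval(p["id"])):
        return "human approval missing or invalid"
    return None


# Principle 2: the only edges that exist. A guard that returns a reason leaves
# the machine where it is and the proposal ends in a denial receipt.
TRANSITIONS = [
    ("PROPOSED", "AUTHORIZED", guard_authorized),
    ("AUTHORIZED", "APPROVED", guard_approved),
]


def gate(proposal: dict, dispatch) -> dict:
    """dispatch() is the connector call; it is reachable only from APPROVED."""
    state = "PROPOSED"
    for src, dst, guard in TRANSITIONS:
        assert state == src
        reason = guard(proposal)
        if reason is not None:
            return sign_receipt({"id": proposal.get("id"), "decision": "deny",
                                 "state": state, "reason": reason})
        state = dst
    result = dispatch(proposal)
    return sign_receipt({"id": proposal["id"], "decision": "allow",
                         "state": "DISPATCHED", "result": result})


# Constructed proposals: a read, a destructive statement, mail without and with sign-off.
SAMPLES = {
    "read": {"id": "p1", "tool": "sql.query", "scopes": ["db:read"], "args": {"sql": "SELECT 1"}},
    "drop": {"id": "p2", "tool": "sql.query", "scopes": ["db:read"], "args": {"sql": "DROP TABLE users"}},
    "mail_unapproved": {"id": "p3", "tool": "mail.send", "scopes": ["mail:send"], "args": {}},
    "mail_approved": {"id": "p4", "tool": "mail.send", "scopes": ["mail:send"], "args": {},
                      "approval": human_approval("p4")},
}


def run_samples() -> dict:
    """Returns each decision and the ids that actually reached the connector."""
    dispatched = []

    def connector(p):                      # constructed stand-in for the MCP connector
        dispatched.append(p["id"])
        return "ran " + p["tool"]

    decisions = {name: gate(p, connector)["decision"] for name, p in SAMPLES.items()}
    return {"decisions": decisions, "dispatched": dispatched}


if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

Two properties are worth checking when adapting this: the list of dispatched ids must match exactly the set of allow receipts (no side effect without a receipt, no receipt claiming allow without a side effect), and a receipt whose decision field is flipped after the fact must fail `verify_receipt`.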

The Value of Predictable Failure

Fail-closed behavior changes the default outcome. If the check cannot pass, HELM blocks or escalates the action instead of guessing.
