Exogram Action
Admissibility Protocol
Layers
Invariants
Threat Classes
Failure Modes
Sustained RPS
Compute
Traditional software systems execute actions through deterministic code paths. LLM-driven systems propose actions through probabilistic inference. EAAP defines a strict deterministic control plane between AI proposal and real-world execution — ensuring no action reaches production without verified admissibility.
“Agents are probabilistic. Infrastructure is deterministic.”
Exogram is the execution control plane between them.
— EAAP Core Thesis
The Catalyst
An enterprise orchestration framework cannot securely govern its own database writes. The agent cannot act as its own security guard.
Critical Gap
No orchestration framework — LangChain, NemoClaw, CrewAI — provides cryptographic execution gating. They route actions. Exogram governs them.
Orchestration Agnosticism
EAAP does not dictate how an agent reasons, plans, or selects tools. It does not compete with orchestration frameworks. EAAP solely defines how a proposed state change is cryptographically authorized and committed to the immutable ledger.
Any orchestration framework that produces a state-changing action can submit it to the EAAP control plane. The protocol governs the boundary between inference and execution — not the inference itself.
Intelligence
Any LLM Provider
Orchestration
LangChain · NemoClaw · CrewAI
Governance
Exogram EAAP
Architecture Overview
AI Agent
Proposes action
Exogram Checkpoint
SHA-256 state hash
Enterprise DB
Rejects if hash missing
1. Motivation
When AI systems transition from generating text to executing real-world actions, the risk surface expands:
“Agents are probabilistic. Infrastructure is deterministic. Exogram is the execution control plane between them.”
EAAP prevents unauthorized AI actions, prevents execution under unresolved conflict, enforces role/policy/confidence thresholds, guarantees cryptographic state integrity, and produces a tamper-detectable audit record.
EAAP does not improve model intelligence. It governs model admissibility.
2. Threat Model
EAAP assumes the following conditions. Under all conditions, EAAP fails closed.
2.1 Model Unreliability
Language models produce hallucinations, contradict stored facts, and generate semantically false statements. Exogram treats all model output as untrusted input.
2.2 Prompt Injection
Attackers override constraints, induce self-contradiction, mask harmful instructions, or manipulate tool usage.
2.3 State Drift (TOCTOU)
Between evaluation and execution: roles change, constraints mutate, facts update, conflicts emerge, confidence decays.
2.4 Infrastructure Degradation
Model provider outages, embedding unavailability, vector index degradation, circuit breaker activation, database latency.
2.5 Insider Risk
Manual database modification, audit log tampering, or replay of previously approved actions.
3. Architectural Layers
Layer 1
Ledger Governance
Purpose: Enforce ledger integrity.
PII scrubbing via deterministic pattern detection, encryption at rest, semantic indexing, conflict detection, confidence scoring, fact locking, and audit event logging.
Layer 2
Meaning Engine
Purpose: Assemble bounded, deterministic context.
Namespace isolation, deterministic relevance scoring, temporal decay weighting, conflict surfacing, context health classification, snapshot generation, and HMAC snapshot signing.
Layer 3
Judgment Engine
Purpose: Deterministic admissibility evaluation.
Authority validation, fact consistency enforcement, constraint evaluation, confidence threshold enforcement, and escalation classification.
Layer 4
Action Admissibility
Purpose: Guarantee execution integrity.
Claim extraction from payload, pre-flight conflict detection, full state hashing, evaluation record creation, commit validation, and immutable action ledger.
4. Protocol Invariants
Mandatory and non-configurable. Cannot be weakened without a major version change.
PII Air Gap
No detected PII enters persistent storage or vector embeddings
Explicit Source
All stored facts require provenance attribution
Encryption at Rest
All content encrypted with per-user Fernet keys before persistence
Namespace Isolation
Retrieval and evaluation scoped strictly to user namespace
No Silent Overwrite
Conflicting facts require explicit resolution
Conflict Logging
All contradictions produce durable, auditable records
Immutable Audit Chain
Cryptographically chained audit events — tamper-detectable
Deterministic Judgment
Execution gates use code, not LLM inference
Confidence Decay
Facts degrade in authority over time unless reinforced
Constraint Binding
Locked facts cannot be violated without explicit unlock
State Hash Integrity
Execution requires identical state between evaluation and commit
Evaluation Expiry
Approvals expire after a defined TTL — no stale tokens
Escalation Routing
Blocked actions route to structured escalation targets
Hard Deletion (GDPR)
Full deletion removes vectors, ciphertext, and all records
5. Evaluation Protocol
5.1 Required Inputs
{
"action_type": string,
"actor_role": string,
"impact_scope": string,
"payload": object
}5.2 Execution Sequence
State Hash Formula
state_hash = SHA-256(
sorted(relevant_objects) ||
policy_version ||
namespace_id ||
floor(timestamp, window)
)6. Commit Protocol
{ "evaluation_id": string }The commit cannot modify the evaluation decision. The commit fails under state drift.
8. Failure Modes
EAAP fails closed under all degradation conditions.
10. Live Performance Metrics
Production load test results at 50 concurrent agents. These metrics validate negligible compute overhead.
Sustained requests per second
Median compute latency
DB secrets exposed
Conclusion
The Exogram Action Admissibility Protocol establishes a deterministic control plane between AI inference and real-world execution.
Agents are probabilistic. Infrastructure is deterministic. Exogram is the execution control plane between them.