Project 04 · Agentic AI Governance · AVL Pilot
Warrant.
No agent acts without one.

AI agents are being trusted with consequential actions — payments, adjustments, shipment changes, contract modifications. Every one of those actions rests on assumptions. Those assumptions expire. No current framework systematically checks whether they are still true at the moment of execution. Warrant does.

The LLM architecture assumes a stable world.

An LLM is trained on a snapshot of the world. Its embedding model, its retrieved documents, its authorization tokens — all were valid at a point in time. When an agent acts in the real world, time has passed. The world has moved. The agent does not know what has changed.

"What assumptions am I acting on — and are they still true?"

This is the epistemological question every agentic system must answer before taking a consequential action. It is not being asked. The frameworks being built today — runtime permit checks, execution policies, authorization layers — address parts of the problem. None address it completely. None address it at proportionate cost.

Warrant is a pilot implementation of the Assumption Validity Layer (AVL) — a proposed architectural component that intercepts consequential agent actions, checks whether the assumptions behind them are still valid, and decides: PROCEED, REVIEW, or HOLD.

What happens when assumptions expire.

Four distinct failure modes — each a consequence of an agent acting on a different category of expired assumption. This taxonomy was developed from first principles, not borrowed from existing security frameworks.

Layer 1 · Authorization
Authorization Drift

Permissions granted under stale context. The authorization token is still valid. The conditions that justified it have changed. The agent does not know.

Agent approved to process adjustments up to $10,000. Policy changes overnight to $5,000. Agent approves $7,500 at 9am Monday. Technically authorized. Contextually wrong.

Layer 2 · Knowledge
Scope Creep

Agents expanding beyond original intent. Through reasoning and action chaining, the agent moves past the boundaries of its mandate — one logical step at a time, without any single step being obviously wrong.

Agent tasked with one invoice dispute. Queries related invoices. Pulls carrier contracts. Accesses rate schedules. Each step locally reasonable. Cumulative scope: unauthorized.

Layer 3 · World State
Auditability Gap

Not knowing what executed and why. Without a record of what assumptions the agent held at execution time, you cannot govern, debug, legally defend, or satisfy a regulator about any serious consequence.

Payment issued erroneously. Audit trail shows the function was called. It does not show which policy version the agent was reasoning from, or whether the invoice state had changed before execution.

Layer 4 · Purpose
Irreversibility

Whether consequences can be undone. Irreversibility is the multiplier that transforms a wrong assumption from a recoverable error into a catastrophic outcome. It must be assessed before execution — not after.

Agent rerouting a shipment across five steps. Customer cancels at step three. Agent completes steps four and five. The shipment is in motion. The order no longer exists.

Consequentiality gating.
Refresh only what matters.

Refreshing every assumption before every action is economically unworkable. Every check costs tokens, latency, and money. The resolution is to check only what the specific action depends on — and only when the action is irreversible.

Is this action reversible if an assumption turns out to be wrong?
    |
    +-- YES — proceed on cached assumptions
    |       Research, summarization, Q&A, exploration.
    |       Human judgment sits at end of chain.
    |       Cost of staleness: near zero.
    |
    +-- NO — trigger selective assumption validity check
            Identify which of the 4 layers THIS action depends on.
            Refresh ONLY those specific assumptions.
            Block execution until validity confirmed.
            Log assumption state as proof receipt.
            If any assumption expired: HOLD and alert human.

Consequentiality is determined by reversibility — not by action type, transaction size, or tool called. A $1 payment is more consequential than a $1,000,000 report, because the report can be discarded and the payment cannot.

Three decisions.
One before every consequential action.

Proceed

All assumption checks pass. The world is still what the agent believes it to be. Execute and log the assumption state as a proof receipt.

Review

One or more assumptions have changed but the action may still be valid. Surface to human with the specific changed assumption flagged. Do not block — escalate.

Hold

An assumption has expired in a way that makes the action illegitimate. Block execution. Alert human. Log the full assumption state. Do not proceed under any circumstances.

Every decision is evidence, not just a label.

Every consequential action produces a proof receipt — a structured record of what the agent assumed, what was checked, what was found, and what was decided. Not a log entry. Evidence.

timestamp: 2026-06-05T14:23:11Z
action_attempted: approve_adjustment · INV-2024-8821 · $7,500
reversible: NO — payment modification
layer_1_checked: authorization threshold · current limit: $5,000
layer_1_status: EXPIRED — threshold changed 2026-06-04T23:00Z
layer_3_checked: invoice state · INV-2024-8821
layer_3_status: VALID — no concurrent modification
decision: HOLD
reason: Layer 1 expired · adjustment exceeds current threshold by $2,500
human_alerted: compliance@intelligentaudit.com · 14:23:11Z

The proof receipt satisfies regulatory auditability requirements — not by logging that an action occurred, but by recording the complete assumption state at the moment the decision was made.
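
The gating step, the three decisions and the proof receipt described above, as an added Python example (not Warrant's own code). The names `gate`, `check_threshold`, `check_invoice` and `LIVE`, the `CHANGED` status, and the choice to fail closed when a check errors or none is declared are assumptions made for illustration; the sample state is constructed from the page's scenario.

```python
from datetime import datetime, timezone

# VALID/EXPIRED appear in the page's receipt; CHANGED is an assumed third status.
RANK = {"VALID": 0, "CHANGED": 1, "EXPIRED": 2}
DECISION = {"VALID": "PROCEED", "CHANGED": "REVIEW", "EXPIRED": "HOLD"}

def gate(name, reversible, depends_on=None, now=None):
    """Return a proof receipt; receipt["decision"] is PROCEED, REVIEW or HOLD.

    depends_on maps a layer label to a zero-argument check that re-reads live
    state and returns (status, detail); list only layers this action needs.
    """
    now = now or datetime.now(timezone.utc)
    receipt = {"timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "checks": {},
               "action_attempted": name, "reversible": reversible}
    if reversible:  # proceed on cached assumptions, no refresh cost
        receipt.update(decision="PROCEED", reason="reversible action")
        return receipt
    checks = depends_on or {  # nothing declared: fail closed
        "undeclared": lambda: ("EXPIRED", "no assumptions declared")}
    for layer, check in checks.items():
        try:
            status, detail = check()
        except Exception as exc:  # validity not confirmed, so fail closed
            status, detail = "EXPIRED", f"check failed: {exc!r}"
        receipt["checks"][layer] = {"status": status, "detail": detail}
    # The worst status wins; an unknown status is treated as EXPIRED.
    worst = max((c["status"] for c in receipt["checks"].values()),
                key=lambda s: RANK.get(s, 2))
    bad = [k for k, c in receipt["checks"].items() if c["status"] != "VALID"]
    receipt.update(decision=DECISION.get(worst, "HOLD"),
                   reason=", ".join(bad) + " not valid" if bad else "all checks valid")
    return receipt

# Constructed live state mirroring the page's scenario (limit lowered overnight).
LIVE = {"adjustment_limit": 5000, "INV-2024-8821": {"version": 3}}

def check_threshold(amount=7500):
    limit = LIVE["adjustment_limit"]
    return ("VALID" if amount <= limit else "EXPIRED", f"current limit: ${limit:,}")

def check_invoice(seen_version=3):  # version the agent read when it planned
    live = LIVE["INV-2024-8821"]["version"]
    return ("VALID" if live == seen_version else "CHANGED", f"live version {live}")

def demo():
    return gate("approve_adjustment INV-2024-8821 $7,500", False,
                {"layer_1": check_threshold, "layer_3": check_invoice},
                now=datetime(2026, 6, 5, 14, 23, 11, tzinfo=timezone.utc))
```

The receipt is written on every path, including the reversible one, so the record shows which layers were refreshed and which were deliberately skipped.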

What exists. What is missing.

Framework | What it addresses | What it misses | Status
RAG | Knowledge staleness at query time | Authorization, world state, purpose — and knowledge mid-workflow | Partial
Runtime permit checks | Authorization at execution time | Knowledge, world state, purpose, reversibility assessment | Partial
OWASP Agentic Top 10 | Security risk taxonomy for agents | Epistemological root cause and cost-proportionate solution | Taxonomy only
Warrant / AVL | All four failure modes, selectively, at execution time | | This pilot

Warrant sits on top of SmartKid.

SmartKid answers questions. Warrant governs when it can act. Together they demonstrate the complete agentic architecture — from natural language query to safe, auditable, assumption-validated execution.

Customer query (natural language)
    ↓
SmartKid — LLM + live database query
    ↓
    ↓  WARRANT — Assumption Validity Layer  ← this pilot
    ↓
Consequentiality classification
    ↓
Selective assumption refresh
    ↓
Decision: PROCEED / REVIEW / HOLD
    ↓
Proof receipt logged
    ↓
Execution OR hold + human alert

This is a research pilot.
Partners welcome.

Warrant is being built in the transportation audit domain — a high-stakes environment where wrong agent actions have direct financial and regulatory consequences. If you are building agentic systems in regulated industries and want to collaborate on the AVL architecture, I want to hear from you.
