Exogram is the execution control plane for autonomous AI. It enforces truth, detects contradictions, and ensures every agent action is admissible before execution.

How does Exogram govern AI agents?

Exogram sits between AI reasoning and AI action. It evaluates every proposed action against verified truth, constraints, provenance, and temporal state — and blocks anything that violates them.

Does Exogram train on user data?

No. Exogram does not train models on user data. All ingestion is user-initiated and fully auditable.

RFC-0001 • FULL SPECIFICATION • DRAFT

Exogram Action
Admissibility Protocol

Identifier: RFC-0001•Author: Exogram Engineering•Updated: March 2026

← Protocol Overview Documentation →

0

Architectural Layers

0

Protocol Invariants

0

Threat Classes

0

Failure Modes

DIGEST

Traditional software systems execute actions through deterministic code paths. LLM-driven systems propose actions through probabilistic inference. EAAP defines a strict deterministic control plane between AI proposal and real-world execution — ensuring no action reaches production without verified admissibility.

Architecture Overview

Exogram implements four strictly separated control layers.

1. Motivation

When AI systems transition from generating text to executing real-world actions, the risk surface expands:

⚠Sending financial communications

⚠Modifying billing records

⚠Deleting regulated data

⚠Updating compliance docs

⚠Triggering operational workflows

⚠Executing production API calls

“Inference is probabilistic. Execution must be deterministic.”

EAAP prevents unauthorized AI actions, prevents execution under unresolved conflict, enforces role/policy/confidence thresholds, guarantees cryptographic state integrity, and produces a tamper-detectable audit record.

EAAP does not improve model intelligence. It governs model admissibility.

2. Threat Model

EAAP assumes the following conditions. Under all such conditions, EAAP fails closed.

🤖

2.1 Model Unreliability

LLMs hallucinate facts, contradict stored facts, misclassify sensitive data, or produce semantically false statements.

💉

2.2 Prompt Injection

Attackers override constraints, induce self-contradiction, mask harmful instructions, or manipulate tool usage.

⏱️

2.3 State Drift (TOCTOU)

Between evaluation and execution: roles change, constraints mutate, facts update, conflicts emerge, confidence decays.

🔥

2.4 Infrastructure Degradation

LLM outages, embedding unavailability, vector index degradation, circuit breaker activation, database latency.

👤

2.5 Insider Risk

Manual database modification, audit log tampering, or replay of previously approved actions.

3. Architectural Layers

🔒

LAYER 1

Ledger Governance

Purpose: Enforce ledger integrity.

PII scrubbing via deterministic pattern detection, encryption at rest, semantic indexing, conflict detection, confidence scoring, fact locking, and audit event logging.

⚠️ No silent overwrites. Contradictions require explicit resolution.

🧠

LAYER 2

Meaning Engine

Purpose: Assemble bounded, deterministic context.

Namespace isolation, deterministic relevance scoring, temporal decay weighting, conflict surfacing, context health classification, snapshot generation, and HMAC snapshot signing.

⚠️ Context assembly is mathematical, not generative.

⚖️

LAYER 3

Judgment Engine

Purpose: Deterministic admissibility evaluation.

Authority validation, fact consistency enforcement, constraint evaluation, confidence threshold enforcement, and escalation classification.

⚠️ Zero LLM inference. Judgment is deterministic Python logic.

🛡️

LAYER 4

Action Admissibility

Purpose: Guarantee execution integrity.

Claim extraction from payload, pre-flight conflict detection, full state hashing, evaluation record creation, commit validation, and immutable action ledger.

⚠️ Layer 4 is the final execution gate. No action bypasses it.

4. Protocol Invariants

Mandatory and non-configurable. Cannot be weakened without a major version change.

PII Air Gap

No detected PII enters persistent storage or vector embeddings

Explicit Source

All stored facts require provenance attribution

Encryption at Rest

All content encrypted with per-user Fernet keys before persistence

Namespace Isolation

Retrieval and evaluation scoped strictly to user namespace

No Silent Overwrite

Conflicting facts require explicit resolution — never silently replaced

Conflict Logging

All contradictions produce durable, auditable records

Immutable Audit Chain

Cryptographically chained audit events — tamper-detectable

Deterministic Judgment

Execution gates use code, not LLM inference

Confidence Decay

Facts degrade in authority over time unless reinforced

Constraint Binding

Locked facts cannot be violated without explicit unlock protocol

State Hash Integrity

Execution requires identical state between evaluation and commit

Evaluation Expiry

Approvals expire after a defined TTL — no stale tokens

Escalation Routing

Blocked actions route to structured escalation targets

Hard Deletion (GDPR)

Full deletion removes vectors, ciphertext, and all associated records

5. Evaluation Protocol

POST /v2/actions/evaluate

5.1 Required Inputs

{
  "action_type": string,
  "actor_role": string,
  "impact_scope": string,
  "payload": object
}

5.2 Execution Sequence

1

Extract claims from payload

2

Scrub PII (deterministic)

3

Detect ledger conflicts

4

Assemble deterministic context snapshot

5

Execute Layer 3 logic gates

6

Compute full state hash (SHA-256)

7

Persist evaluation record

8

Return decision and evaluation_id

STATE HASH FORMULA

state_hash = SHA-256(
    sorted(relevant_objects) ||
    policy_version ||
    namespace_id ||
    floor(timestamp, window)
)

Evaluation does not execute the action. It generates an immutable trace with a signed context snapshot and recorded state hash.

6. Commit Protocol

POST /v2/actions/commit

{ "evaluation_id": string }

1

Retrieve evaluation record

2

Verify not expired

3

Recompute full state hash

4

Compare with evaluation hash

5

If mismatch → reject with 409 Conflict

6

Persist immutable action ledger record

7

Return committed

The commit cannot modify the evaluation decision. The commit fails under state drift. The final state hash is recorded.

7. State Hash Requirements

The state hash must include: namespace state of ledger entries, constraints, actor roles, action types, and conflicts.

Algorithm: SHA-256 over canonical JSON serialization

Requirements: Deterministic key ordering, float normalization, no timestamp inclusion, no nondeterministic fields

8. Failure Modes

EAAP fails closed under all degradation conditions:

✗ LLM provider outage

✗ Embedding unavailability

✗ Conflict detection failure

✗ Circuit breaker activation

✗ State hash mismatch

✗ Expired evaluation

✗ Namespace violation

✗ Constraint violation

Response codes: 403 Forbidden · 409 Conflict · 503 Service Unavailable — EAAP never defaults to allow.

9. Versioning & Security Guarantees

Major versions require a major version increment and a 12-month deprecation window. Protocol invariants may not be weakened without a major version change.

✓ No PII persistence

✓ Namespace isolation

✓ Deterministic execution gating

✓ Cryptographic audit chain

✓ Signed context snapshots

✓ Replay attack prevention

✓ State drift prevention

✓ Immutable action ledger

EAAP does not guarantee LLM factual correctness, absolute uptime, or external API reliability. EAAP guarantees admissibility integrity, not model perfection.

Conclusion

The Exogram Action Admissibility Protocol establishes a deterministic control plane between AI inference and real-world execution. Inference remains probabilistic. Execution becomes admissible.

← Protocol Overview View Pricing

Exogram ActionAdmissibility Protocol