AControlLayer
Design partner program · Vol. 01

The control layer for AI agents.

Cryptographic identity. Policy on every action. Immutable audit. Built on five public specifications — so your agents are accountable, not just clever.

acontrollayer.com CONFIDENTIAL · MAY 2026
The problem

Agents without governance are a liability.

Every enterprise deploying agents will face the same five questions. Today, almost no platform can answer them.

Q · 01 · Who authorized this?
Q · 02 · What did the agent see?
Q · 03 · Can we prove it?
Q · 04 · Can we audit it?
Q · 05 · Are we HIPAA compliant?
The premise

You manage one thing.
ACL manages the rest.

ACL runs your team of AI workers day-to-day and makes sure they're following your rules. You check one dashboard to confirm the team is doing the right things, the right way.

The chain of command
YOU
Set the rules. Check the dashboard.
Tell ACL what your team can do, what they can't, and how much they can spend.
ACL
Runs the team. Enforces your rules.
Day-to-day management. Catches mistakes before they reach a customer. Reports back to you in plain English.
YOUR AI TEAM
Does the actual work.
Sales, customer service, research, quoting, follow-up — whichever workers your business needs.
How it works

Three load-bearing ideas.
Everything else sits on top of them.

01 · IDENTITY
Every agent carries a cryptographic certificate.
Short-lived X.509 certs (≤15 minutes) replace long-lived API keys. Custom fields encode role, tenant, and capabilities — verified at every request.
SPEC · AIP-1
02 · POLICY
Every action is checked. Both ways.
The Gatekeeper validates every tool call before it runs. The Sentry validates every output before it leaves. Agent budgets cap the spend.
SPEC · PVS-1
03 · AUDIT
Every decision is permanent.
WORM-enforced at the database. HMAC-SHA256 chained. Per-tenant sequence numbers. The audit log your compliance team has always wanted.
SPEC · ADP-1
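
How an HMAC-SHA256 chain with per-tenant sequence numbers exposes edits and deletions, as an added example: this is not ACL's code or the ADP-1 record format. The record layout, the all-zero genesis value, the demo key, and the tenant `other-tenant` are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed start-of-chain value

def _mac(key: bytes, prev: str, tenant: str, seq: int, event: dict) -> str:
    # Canonical JSON so a record always serialises to the same bytes.
    body = json.dumps({"prev": prev, "tenant": tenant, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, tenant: str, event: dict) -> dict:
    """Append a record chained to this tenant's previous record."""
    mine = [r for r in log if r["tenant"] == tenant]
    prev = mine[-1]["mac"] if mine else GENESIS
    seq = mine[-1]["seq"] + 1 if mine else 1
    rec = {"tenant": tenant, "seq": seq, "event": event, "prev": prev,
           "mac": _mac(key, prev, tenant, seq, event)}
    log.append(rec)
    return rec

def verify(log: list, key: bytes, tenant: str) -> tuple:
    """Walk one tenant's chain in stored order; return (ok, reason)."""
    prev, expected = GENESIS, 1
    for rec in (r for r in log if r["tenant"] == tenant):
        if rec["seq"] != expected:
            return False, f"sequence gap: expected {expected}, got {rec['seq']}"
        if rec["prev"] != prev:
            return False, f"broken link at seq {rec['seq']}"
        want = _mac(key, rec["prev"], tenant, rec["seq"], rec["event"])
        if not hmac.compare_digest(want, rec["mac"]):
            return False, f"bad MAC at seq {rec['seq']}"
        prev, expected = rec["mac"], expected + 1
    return True, "ok"

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; a real key belongs in a KMS/HSM
    log = []
    append(log, key, "acme-corp-7f2c", {"verdict": "denied", "agent": "agent-9c1f"})
    append(log, key, "other-tenant", {"verdict": "approved", "agent": "agent-0001"})
    append(log, key, "acme-corp-7f2c", {"verdict": "approved", "agent": "agent-7f2c"})
    append(log, key, "acme-corp-7f2c", {"verdict": "approved", "agent": "agent-7f2c"})
    results = {"intact": verify(log, key, "acme-corp-7f2c")}
    edited = json.loads(json.dumps(log))          # deep copy of the log
    edited[0]["event"]["verdict"] = "approved"    # rewrite a past decision
    results["edited"] = verify(edited, key, "acme-corp-7f2c")
    dropped = [r for r in log if (r["tenant"], r["seq"]) != ("acme-corp-7f2c", 2)]
    results["dropped"] = verify(dropped, key, "acme-corp-7f2c")
    return results
```

The chain alone cannot detect removal of the newest records, since a truncated chain still verifies; that gap is what write-once storage or an externally held copy of the latest sequence number and MAC closes.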
Identity

Agents are principals.
Not API calls.

Every agent in ACL carries a short-lived X.509 certificate with its role, tenant, and capabilities baked in. Fresh every 15 minutes. Verified by mutual TLS. Anchored to a public blockchain so anyone can check it without calling us.

Cert validity: ≤15 min
Auth on every request: mTLS
Blockchain anchor: Sepolia
AIP-1 · AGENT IDENTITY CERTIFICATE · VALIDITY ≤ 15 MIN
This is to certify that
Account Hunter
cn=agent-7f2c · ou=research · o=acme-corp
1.3.6.1.4.1.59999.1.2 · Agent-Role · researcher
1.3.6.1.4.1.59999.1.3 · Tenant-ID · acme-corp-7f2c
1.3.6.1.4.1.59999.1.4 · Capabilities · perm:workflows:read
1.3.6.1.4.1.59999.1.5 · Anchor-Chain · ethereum:sepolia
Issuing authority: ACL Root CA
Issued: 2026-05-14 · 09:42 UTC
The Four Guards + Budgets

Four guards.
Zero exceptions.

Four purpose-built security agents protect every AI action in real time. No tool runs, no output leaves, no prompt reaches an agent without passing its guard — and every agent has a hard spending cap.

The Gatekeeper
Validates every tool call before it runs.
The Sentry
Validates every output before delivery.
The Bouncer
Blocks prompt injection before it reaches any agent.
The Medic
Repairs malformed outputs automatically. No human needed.
Agent budgets
Hard spending caps per agent, per workflow, per month.
Sentry · Blocked
2026-05-14 · 09:21:14 UTC
PVS-1
Outreach Sender attempted to send 47 emails — exceeds daily budget cap.
Budget cap: $25.00 / day
Would have spent: $41.30
Gatekeeper · Denied
tool_call.process_payment
CTX-1
verdict: "denied"
reason:  "agent lacks capability perm:payments:execute"
agent:   "agent-9c1f"
severity: "high"
Compliance

HIPAA by design.
Not bolted on.

Multi-tenant isolation, WORM audit logs, field-level AES-GCM encryption, minimum-necessary access, breach-notification procedures, and BAA tracking were architectural requirements from day one — not compliance retrofits.

Compliance Status
All control families passing · 21 formal policies · Annual review cadence
100%
HIPAA
§164.308 Admin
§164.312 Technical
SOC 2
CC3.2 / CC3.3
C1.1
ISO 27001
A.6.1.1 · A.8.2.1
A.18.1.1
NIST
SP 800-53
RA-2 · RA-3
GDPR
Art. 15-20 DSAR
Art. 30 · Art. 5(1)(e)
Day-to-day

Built for the people who run it.

One screen. Five things to manage. The compliance number front and center. Operators stop hunting through menus.

Single page, not a navigation maze
Compliance status, live and clickable
Light + dark mode · white-label-ready
🔒 app.acontrollayer.com / dashboard
ADMIN
Tenant Dashboard
Overview of your users, models, agents, and workflows.
Agents
6
Configure prompts and capabilities.
Knowledge
12
Upload and manage docs for agents.
Models
364
Connected LLM catalog.
Users
8
Invite, manage roles, review access.
Workflows
14
Build and manage orchestration.
Compliance Status
All checks passing · Click for details
100%
Open standards

The five specs the industry needs.
We wrote them.

Other agent platforms run on proprietary APIs. We publish the protocol — any platform can implement it. Open specs at github.com/acontrollayer/agent-control-specs.

SPEC-0
Specification Process
The meta-standard. Governance, lifecycle, and shape rules for every other ACL spec.
AIP-1
Agent Identity Protocol
X.509 certs with custom OIDs for role, tenant, and capabilities. mTLS. Zero Trust.
ADP-1
Agent Data Protocol
Universal adapter for agent work — every run as Action → Observation → Reflection.
PVS-1
Policy Verdict Schema
Structured JSON verdicts — approved/denied + reason + severity + remediation.
CTX-1
Capability eXtensions
Stable capability strings — perm:workflows:read, budget:usd:100.
WHY THIS MATTERS
Every other platform is an island. ACL defines the passport.
Verifiable by any third party without calling us.
Channel

One platform.
Your brand.
Their data, isolated.

MSPs and agencies run ACL as their own product. Custom domain, logo, and colors. Hierarchical tenants with full data isolation between clients. Per-client billing and break-glass support — all auditable.

White-label from login to report export
170+ row-level security policies isolate every tenant
Time-limited break-glass access with full audit trail
Per-client cost tracking and billing reports
Hierarchical Multi-Tenancy
MSP · PARENT TENANT
Your Agency
Governance · billing · branding
CLIENT TENANT
Acme Health
14 workflows
$8.4k/mo
CLIENT TENANT
Bevel Legal
22 workflows
$12.1k/mo
CLIENT TENANT
Coleman Wealth
9 workflows
$5.6k/mo
↔ no cross-tenant data leakage · enforced at the Postgres row level
Why now

Nobody else put it all together.

Every other agent platform delivers part of this. None delivers all of it. And none are HIPAA-ready on day one.

Capability AControlLayer Orchestration platforms Agent SDKs Enterprise IT tools
Cryptographic agent identity
Policy enforcement on every action ~ partial ~ partial
WORM-enforced immutable audit — app log ~ SIEM
HIPAA-ready out of the box ~ varies
Open public specifications ~ partial
Multi-tenant + MSP-ready ~ enterprise
The market is racing to build agent orchestration. We built agent accountability first.
The ask

Looking for 5–10 design partners.

We're opening a design partner program for our MVP. We want 5–10 companies willing to deploy ACL in production over the next quarter — and willing to tell us what to build next.

What you get
01
Founder-level support
Direct Slack + weekly call.
02
Half-off pricing — for life
Locked in even after public launch.
03
Roadmap influence
Your needs shape the next two quarters.
04
Case study credit
Optional. Many partners stay private.
How to apply
15 minutes.
We see if you're a fit.
A quick conversation about your business, the work you'd run on ACL, and your compliance needs. No pitch deck on the call — you already saw it.
Book directly
cal.com/acontrollayer/15min
Or email
partner@acontrollayer.com
AI can do almost anything. We make sure it works for you — not against you.