The Operating System
for AI Agents
Cryptographic identity, policy on every action, immutable audit — built on open standards.
The Control Layer Every AI Stack Needs
ACL is not another chatbot wrapper. It is a full governance layer — identity, policy, audit, orchestration, and observability — for autonomous AI agents running in production.
Cryptographic Agent Identity
Every agent carries a short-lived X.509 certificate (≤15 min) with custom OIDs encoding its role, tenant, and capabilities. Anchored on Ethereum Sepolia blockchain.
Policy-Gated Execution
The Gatekeeper validates every tool call before it executes. The Sentry evaluates every output before it is delivered. No agent action escapes the policy layer.
Immutable Audit Trail
WORM-enforced, HMAC-SHA256 chained audit logs. Every action signed, every actor identified, every event permanent. Designed for HIPAA, SOC2, and forensic investigation.
Multi-Agent Orchestration
Sequential and parallel workflow execution with typed data contracts between agents. Human-in-the-loop gates, shadow mode, self-healing, and auto-retry built in.
Multi-Tenant SaaS
Complete tenant isolation enforced at the Postgres data layer with 170+ Row-Level Security policies. Hierarchical MSP structure with white-label branding support.
Mission Control Observability
Real-time health score, execution traces, cost breakdown, security event feed, and SLA-tracked escalation queue. Full visibility into every agent action.
5 Public Specifications. One Reference Implementation.
ACL publishes the specifications it runs on. Any platform can implement them. ACL is both the proof they work and the company that built them.
Why open standards? An agent on Platform A needs to prove its identity and capabilities to an agent on Platform B. Without a standard, every platform is an island. ACL defines the passport. The blockchain anchor enables trustless verification without depending on ACL's infrastructure.
Specification Process
Governance, lifecycle, and document-shape rules for every ACL-owned specification. The meta-standard that gives all other specs their structure and authority.
Agent Identity Protocol
Cryptographic identity via short-lived X.509 certificates (≤15 min validity) with custom OIDs encoding role, tenant, capabilities, and blockchain anchor. Mutual TLS. Zero Trust.
Agent Data Protocol
Universal adapter for agent work: every run structured as Action → Observation → Reflection. Links to AIP identity so every step is attributed. The common language for agent output.
Policy Verdict Schema
Structured JSON output from The Sentry policy engine. Defines the approved/denied verdict, reason, severity, and remediation fields so policy decisions are machine-readable everywhere.
Capability & Trust eXtensions
Stable, readable capability strings used in AIP-1 certificates and ADP-1 records. Format: prefix:name[:qualifier] — e.g., perm:workflows:read, budget:usd:100, agent:coach. Maps cleanly onto ACL's RBAC model while remaining platform-neutral for cross-framework interoperability.
AIP-1: X.509 Custom OID Extensions
Every agent certificate embeds these fields — no lookup table required, no central registry call
| OID | Name | Example Value | Purpose |
|---|---|---|---|
| 1.3.6.1.4.1.59999.1.1 | AIP-Version | 1 | Protocol version |
| 1.3.6.1.4.1.59999.1.2 | Agent-Role | researcher | Semantic role |
| 1.3.6.1.4.1.59999.1.3 | Tenant-ID | uuid-of-tenant | Owner tenant isolation |
| 1.3.6.1.4.1.59999.1.4 | Capability-Set | ["perm:workflows:read"] | Authorized CTX-1 capabilities |
| 1.3.6.1.4.1.59999.1.5 | Anchor-Chain | ethereum:sepolia | Blockchain root trust |
| 1.3.6.1.4.1.59999.1.6 | AIP-Audience | api.acme.com | Intended verifier |
| 1.3.6.1.4.1.59999.1.7 | AIP-Environment | production | Deployment environment |
Blockchain anchor: 0x9349d41f0c92d128cbc07e8d4697a92fa7d107b2468c1f2fc0e9a3bc6c74a33a on Ethereum Sepolia — time-stamped proof of Root CA existence, verifiable without ACL infrastructure.
Agents Are Not API Calls
- ✕Agent identity = an API key (static, long-lived, shared across instances)
- ✕No capability enforcement — agent can attempt any tool call it knows about
- ✕Audit log = application log (mutable, no chain, no attribution)
- ✕Cross-platform agent collaboration requires platform-specific integration
- ✕Prompt injection can cause agents to take any action in their configuration
- ✓Agent identity = short-lived X.509 cert (≤15 min), issued fresh per session, mTLS
- ✓Gatekeeper enforces capability set from cert OIDs before every tool call executes
- ✓Audit log = WORM ledger with HMAC-SHA256 chain — tamper-evident, permanent
- ✓Open AIP-1 standard: any platform can verify an ACL agent cert without calling home
- ✓3-layer prompt injection defense: Bouncer + Sentry block unauthorized actions
Certificate Authority
ACL operates an internal Root CA. The fingerprint is anchored on Ethereum Sepolia for trustless, infrastructure-independent verification by any third party.
Capability Enforcement
CTX-1 capability strings in the cert OID define exactly what an agent may do. The Gatekeeper reads the cert — it does not call a database — before permitting any tool execution.
Authentication Paths
Four distinct principal types: Human (Supabase session + MFA), Agent (mTLS certificate), Service Account (machine JWT with purpose binding), API Key (HMAC-hashed with IP allowlist).
Per-Action Attribution
Every tool call and LLM invocation is attributed to a specific agent cert, recorded in ADP-1 format with action → observation → reflection, and cryptographically signed in the audit chain.
Five Layers Between the Internet and Your Data
Defense-in-depth: a single boundary defeat does not produce tenant data exfiltration. Multiple layers must fail simultaneously for data to be at risk.
Pre-Built Security Guards
Validates and approves or denies every tool call before execution. Reads agent cert capabilities. Cannot be bypassed by agent instruction.
Policy evaluation on all agent outputs before delivery. Returns PVS-1 structured verdicts — approved or blocked with reason and severity.
Real-time prompt injection firewall. Layer 1 regex scoring (>50 = BLOCK), Layer 2 LLM analysis for edge cases. Two-layer defense that cannot be overridden by agent instructions.
5-agent coordinated adversarial security testing using OWASP vectors. On-demand or scheduled adversarial testing; findings logged to audit trail.
Autonomous self-healing for agent failures. Catches malformed outputs, JSON parse failures, and transient tool errors. Diagnoses and regenerates valid output automatically.
Audit Log — Immutable by Design
Write-Once-Read-Many enforced at the Postgres layer. Not a soft “do not delete” convention — a hard database constraint. Admins cannot delete history.
Each record includes a pointer to the previous record and a cryptographic chain hash. Any tampering breaks the chain verification on the next record.
Sequence gaps are detectable — if a record is deleted by any means, the sequence is broken and the integrity check fails.
HMAC keys rotate without breaking existing records. Each record stores which key version signed it. Historical records remain verifiable after rotation.
RBAC with Grant Guards
5 roles: Owner, Admin, Editor, Viewer, Guest. Fine-grained per-entity permissions. canGrantPermissions check prevents privilege escalation — you cannot grant permissions you don't hold.
Zero-Downtime Key Rotation
API keys HMAC-hashed at rest. IP allowlisting per key. Granular permission scoping and per-key rate limits. Rotation completes without any service interruption.
Circuit Breaker
Automatic failure isolation for external service calls. Prevents cascading failures when third-party integrations degrade. Status monitored in real time via Mission Control.
HIPAA by Design — Not Bolted On
PHI handling informed every architectural decision from the start. ACL has 21 formal written security policies mapped to HIPAA, SOC2, ISO 27001, NIST, and GDPR.
ACL was designed for HIPAA from the ground up. Multi-tenant isolation, WORM audit logs, field-level AES-GCM encryption, minimum-necessary access enforcement, breach notification procedures, and BAA tracking were architectural requirements, not compliance retrofits. The platform handles PHI in production today.
21 Formal Security Policies
Published 2026-04-14 · Annual review cadence · Mapped to control gaps in Security Evidence Manifest
| Policy | Scope | Framework Coverage |
|---|---|---|
| Risk Assessment | Annual HIPAA risk assessment procedure, first-pass register, remediation SLA matrix | HIPAA §164.308 · SOC2 CC3.2 · ISO A.6.1.1 · NIST RA-3 |
| Incident Response Plan | Incident phases, on-call, escalation, tabletop exercises | HIPAA §164.308 · SOC2 · ISO A.18.1.1 |
| Breach Notification | HIPAA 60-day / HHS / media notice + GDPR 72-hour authority notice | HIPAA · GDPR Art. 33-34 |
| Data Classification | PHI / PII / Confidential / Internal / Public schema + per-class handling and retention | HIPAA · SOC2 C1.1 · GDPR Art. 5 |
| Vendor Management | Subprocessor inventory, BAA tracking, due diligence, breach SLA, termination/return | HIPAA §164.308 · SOC2 · ISO A.15 |
| DSAR Procedure | Access, amendment, erasure workflow under HIPAA §164.524/§164.526 and GDPR Art. 15-20 | HIPAA · GDPR Art. 15-20 |
| Separation of Duties | Privileged actions, approvals, and reviews matrix for small-team context | SOC2 CC6 · ISO A.6.1.2 |
| Workforce Screening | Tiered pre-access screening for workforce members | HIPAA §164.308 · ISO A.7.1 |
| Termination Procedures | Offboarding runbook: Supabase, Vercel, GitHub, Infisical, secret rotation | HIPAA · ISO A.7.3 |
| Contingency Plan | Backup, disaster recovery, emergency mode, criticality analysis, annual testing | HIPAA §164.308 · SOC2 A1 |
| + 11 more | Workstation security, access agreements, sanction policy, session lifecycle, security awareness training, physical facility, privacy notice, minimum necessary, de-identification, security officer designation, policy maintenance | Full HIPAA administrative + technical + physical safeguards |
Mission Control — Full Visibility into Every Agent
Real-time health scoring, execution traces, cost breakdown, and security event feed. Operators know exactly what is happening, what it costs, and whether anything needs attention.
Workflow Metrics
Total runs, success rate, average duration, cost, and state breakdown (running / paused / completed / failed). Trend lines over configurable time windows.
Agent Leaderboard
Execution count, success rate, cost, and top-performing agents ranked. Identify which agents deliver the most value and which need attention.
Security Event Feed
Real-time feed of all security events: severity breakdown, active alerts, cross-tenant access events, permission denials, and audit chain verification status.
Cost Breakdown
Total spend by workflow and agent with trend lines. LLM token costs attributed per agent execution. Budget alerts and per-tenant rate limiting.
SLA-Tracked Escalations
Human-in-the-loop queue with SLA tracking. Know which approvals are pending, overdue, or blocked. Full escalation audit trail per item.
Full Execution Traces
Per-agent traces: tool calls, inputs/outputs, LLM usage, cost, timing, and error logs with stack traces. Everything needed for debugging or compliance review.
Orchestrate Any Business Process with AI
Multi-agent workflows with typed contracts, human oversight gates, governance charters, shadow mode testing, and self-healing — all with an immutable audit trail.
Multi-Agent Orchestration
Sequential and parallel agent execution. Asynchronous job queuing with priority support. Configurable concurrency limits per engine. Idempotency key support for replay safety.
Human-in-the-Loop Gates
Workflows pause at configurable checkpoints for human review, feedback, approve, reject, or escalate. Webhook-based resume. SLA tracking on pending items. The agent waits — it does not proceed without authorization.
Governance Charters
Define the rules every agent in a workflow must follow — permitted actions, data access scope, escalation triggers, and output constraints. Agents cannot override their charter.
Immutable Step Audit
Every workflow step — input, output, tool call, LLM invocation, human decision — is recorded in the WORM audit ledger. Complete, tamper-evident history of every execution.
Shadow Mode
Run a new agent or workflow version in parallel with production without affecting live operations. Compare outputs side-by-side before promoting the change.
Self-Healing (The Medic)
Automatic detection and correction of agent failures — malformed outputs, parsing errors, transient tool failures. The Medic agent autonomously diagnoses and repairs. Auto-retry with exponential backoff.
WorkflowSmith
Coming SoonAI generates workflow definitions from natural language descriptions. Describe your business process; WorkflowSmith produces a deployable workflow graph with appropriate agent assignments and gates.
Typed Data Contracts
Strict schemas enforced at every agent boundary. Agent B cannot receive malformed output from Agent A — the contract layer rejects it before it propagates. Agent-to-agent event bus (publish/subscribe) for decoupled coordination.
AI BDR — 6-Agent Outbound Sales Pipeline
A production-ready, end-to-end Business Development pipeline. From campaign brief to sent email in a single workflow, with human review gates at every critical decision point.
This is not a demo. This pipeline runs in production. It demonstrates every ACL capability: cryptographic agent identity, Gatekeeper policy enforcement, typed data contracts between agents, human-in-the-loop gates, and full WORM audit trail — in a single workflow.
Translates a campaign brief into targeting criteria, qualification rubric, and outreach sequence plan. Defines the ideal customer profile that all downstream agents work from.
Searches 70M+ B2B contacts for decision-makers matching ICP criteria. Scores each prospect 0–100 against the rubric. Uses Apollo, Hunter.io, People Data Labs, ZoomInfo integrations.
Deep research per prospect: company news, pain points, tech stack, hiring signals, recent funding, personalization hooks. Grounds every outreach in specific, current intelligence.
BANT scoring (Budget, Authority, Need, Timeline). Classifies each lead as Hot, Warm, Nurture, or Disqualified with reasoning. Routes to human review before any outreach is drafted.
Writes personalized emails citing specific research from Account Intelligence. 150-word cap. Soft call-to-action. Each email references the prospect's actual situation — not a mail-merge template.
Sends approved emails via SendGrid or SMTP with domain reputation management. Tracks delivery, manages follow-up sequences, handles bounces. Stops all sequences when a reply comes in on any channel.
70M+ Contact Database
Apollo, Hunter.io, People Data Labs, Enrich.so, ZoomInfo, Clearbit — all unified behind a single search_prospects tool with consistent scoring.
Multi-Channel Follow-Up
Email, Voice (TalkwAI), SMS (Twilio), LinkedIn-ready. Reply on any channel stops all sequences. Cross-channel coordination is automatic.
Full Audit Trail
Every prospect scored, every email drafted, every approval granted, every message sent — permanently recorded in the WORM audit ledger with attribution to the agent that made the decision.
70+ Integrations — One Unified Platform
Every integration is available to every agent as a type-safe tool call, governed by the same Gatekeeper policy enforcement and recorded in the same audit trail.
Provider routing with automatic failover — if one LLM provider fails, the next in the configured chain is used automatically. No code change required. No manual intervention. The circuit breaker isolates the failure and routes around it.
18 Native Tools — Available to Every Agent
Ground Every Agent in Real, Tenant-Specific Knowledge
Upload anything. Agents search it. Responses cite sources. PII detected at ingestion. Every document is tenant-isolated at the database layer.
Any Format
PDF, DOCX, PPTX, XLSX, TXT, web URLs, images, audio, video, code. Automatic extraction, chunking, and embedding at ingestion time.
Hybrid Search
Vector search + keyword search combined with query enhancement and reranking. Agents receive the most relevant chunks, not just the most similar ones.
PII Detection & Isolation
PII detected during ingestion. All documents isolated to the uploading tenant's RLS scope — no cross-tenant RAG contamination possible.
Run ACL as Your Own Platform
Managed Service Providers can brand, manage, and bill for ACL as their own product. Complete white-label with full audit trail for every support interaction.
Custom Branding
Custom domain, logo, and color branding. Your clients see your product, not ACL. Full white-label from login screen to report exports.
Child Tenant Management
Manage all client tenants from a single admin view. Bulk creation, maintenance window scheduling with client notification, and tenant transfer between MSPs with approval workflow.
Break-Glass Access
Time-limited support access tokens with full audit trail. Every break-glass entry is logged — who accessed, when, which tenant, what they did. Required for HIPAA BA agreements.
Per-Client Cost Tracking
Detailed cost breakdown by client, workflow, and agent. Generate billing reports per tenant. Know exactly what each client's agents are costing and billing accordingly.
Hierarchical Structure
Parent-child tenant hierarchy. MSP parent has governance visibility into all child tenants. Child tenants operate independently with full isolation from each other.
Marketplace Access
Publish agent templates and workflow templates to the marketplace. Share across your client tenants or make available to the broader ecosystem with version control.
Complete Isolation — Not Convention, Enforcement
Tenant isolation is not enforced by application code alone. It is enforced at the Postgres row level, on every table, on every query, by the database engine itself.
170+ Row-Level Security Policies
Every table with a tenant_id column carries a RESTRICTIVE RLS policy. Queries that bypass application-layer auth still cannot read another tenant's rows — the database enforces the boundary on every access.
Permission-Tier RLS
Sensitive tables carry a second tier of RLS policies. Not only must the row's tenant match — the querying principal must hold the specific permission required for that table. Two independent RLS checks on every sensitive read.
UPDATE Smuggling Prevention
WITH CHECK clauses on all UPDATE policies prevent rows from being moved between tenants via an UPDATE statement. A tenant admin cannot reassign another tenant's row to their own namespace.
Tenant Provisioning
New tenant creation copies default templates atomically. Per-tenant configuration: LLM provider selection, rate limits, feature flags, and integration credentials — all isolated.
Operator Cross-Tenant Access
Support operators hold an is_operator claim in their JWT — but the claim is verified live on every request. Revocation is immediate; stale JWTs are rejected. Every cross-tenant access is logged in the audit trail.
System Tenant Isolation
Platform-admin privileges are confined to the System Tenant by a database trigger. No code path can escalate from tenant-admin to platform-admin without an explicit, audited operator grant.
250+ API Endpoints — Build Anything on Top of ACL
Full programmatic access to every platform capability. Service accounts, webhook triggers, and JWT-based service-to-service authentication for deep integrations.
250+ REST Endpoints
Every platform action exposed via API. Workflow management, agent configuration, audit log export, tenant provisioning, and more — all accessible programmatically.
Service Accounts
Machine identities with purpose binding and granular permission scoping. JWT-based authentication. Purpose-bound tokens prevent lateral movement if a service account is compromised.
Webhook Triggers
External systems can trigger workflow execution, inject events, and receive completion callbacks via webhooks. Every inbound webhook is validated and attributed in the audit trail.
Invite AI to Your Board Meetings
Coming SoonAI that doesn't just assist in meetings — AI that participates. Board of Directors brings structured AI agents as named participants in your strategic meetings, contributing research, analysis, and recommendations with the same accountability and audit trail as every other ACL action.
Named AI Board Members
AI agents join your board as named participants with defined roles: Chief Research Officer, Devil's Advocate, Risk Analyst, Market Intelligence. Each has a specific charter and perspective.
Pre-Meeting Intelligence Briefs
Board members prepare independently before each session. Every agenda item arrives with research, analysis, and position papers — authored by AI, audited by ACL, attributed to the agent.
Accountable Participation
Every AI contribution is attributed to a specific agent cert, recorded in the WORM audit ledger. The minutes are complete, permanent, and auditable. Who said what — including the AI.
Governance by Charter
Each AI board member operates under a Governance Charter defining their scope, permitted data access, and escalation triggers. They cannot go off-script. Their role is fixed until you change it.
Board of Directors ships immediately after MVP launch. Design partners get early access.
Become a Design Partner →Agents without governance are a liability. Agents with governance are a competitive advantage.
Every enterprise that deploys AI agents faces the same questions: Who authorized this action? What did the agent see? Can we prove it? Can we audit it? Can we comply with HIPAA? ACL is the only platform that answers all of them — with cryptographic proof, not convention.