If you believe AI Agents need hard mathematical boundaries, star this repository to demand open execution standards.
This repository contains the authoritative Requests for Comments (RFCs) proposing Execution Authority, the foundational architectural standard required to securely deploy non-deterministic AI Agents against deterministic production infrastructure.
The Exogram Protocol establishes the Fourth Layer of the AI architectural stack. It serves as the definitive reference for implementing AI Agent Guardrails, AI Agent Firewalls, and Zero-Trust Cryptographic Execution Gating. It explicitly prevents AI models from unilaterally committing destructive operations via Hallucination, Semantic Drift, or Context Poisoning.
The transition from "AI Chatbots" to "Autonomous AI Agents" created a systemic infrastructure crisis known as The Execution Paradox. The industry standardized around three fundamental AI layers (Intelligence, Memory, Orchestration) which are inherently probabilistic. Yet, they are granted direct write-access to deterministic environments (Databases, Third-Party APIs, Payment Gateways).
Without an AI Agent Firewall interceding between the Orchestrator and the Target Environment, enterprises assume catastrophic risks:
- Schema-Valid Hallucinations: Zod/Pydantic validators only enforce JSON structure. They cannot determine if
amount: 500000is semantically correct or a hallucinated variable. - AI Agent Memory Poisoning: A legitimate tool-call can be hijacked by an attacker hiding executing instruction phrases inside retrieved vector memory.
- TOCTOU State Drift: By the time the LLM finishes stochastic generation, the underlying database state may have changed, rendering the generated payload destructively stale.
The Exogram Protocol is not a competitor to the current AI stack—it is the unified safety mesh that links it all together. Every AI company must eventually bridge the Execution Gap. The Exogram API is designed to integrate seamlessly across all layers to prevent hallucination, enforce trust, and stop context drift.
- The Gap: LLMs are probability engines. They will inevitably hallucinate syntactically perfect but semantically disastrous JSON payloads.
- The Exogram API Integration: Intelligence models submit proposed tool payloads to the Exogram API. Exogram mathematically verifies the intent boundary in $< 0.1$ms. If it's a hallucination, Exogram blocks it and responds with
403 Forbidden, correcting the model before reality is modified.
- The Gap: Vector search blindly retrieves closest approximations. This creates AI Agent Memory Poisoning where malicious prompts inject instructions via document retrieval.
- The Exogram API Integration: Memory state is cryptographically hashed and bound to the Execution Token. If the memory retrieves corrupted injected data, the resulting semantic intent evaluates as mathematically disjointed from the allowed policy graph. Exogram drops the execution.
- The Gap: LangChain runs probabilistic logic loops. If an agent hallucinates a recursive retry, the orchestrator triggers infinite loop death spirals, destroying local rate limits and databases.
- The Exogram API Integration: As the ultimate AI Agent Firewall, the Exogram Execution Ledger issues an
HTTP 429 Too Many Requestsor409 Conflictat the infrastructure network edge, severing the Orchestrator's execution loop mathematically.
- The Gap: Infrastructure relies on standing, monolithic RBAC roles. If an AI agent has permission to "read invoice," but it hallucinates a "delete user" command with the same credentials, the database blindly complies.
-
The Exogram API Integration: Exogram generates Millisecond Intent-Based Permissioning (IBP) JWT execution tokens. Infrastructure proxies only accept requests carrying Exogram's
$C_{tok}$ , ensuring least-privilege for autonomous actors.
The Exogram Execution Authority Layer physically separates semantic inference from logical execution. It intercepts generated tool-call payloads, enforces mathematically deterministic constraints natively in ~0.07ms, and generates cryptographic Execution Tokens verifying admissibility.
graph TD
A[Layer 1: Intelligence<br/>Probabilistic Core] -->|Proposes Action| B(Layer 3: Orchestration<br/>Routing Engine)
B <-->|Retrieves State| C[(Layer 2: AI Memory<br/>Vector Engines)]
B -->|Generates JSON Payload| D{Layer 4: AI Agent Firewall<br/>Exogram Protocol}
D -->|Validates Intent < 0.1ms| E[Target Environment<br/>Database / API]
D -.->|Blocks / Issues HTTP 409| B
style D fill:#1A1A2E,stroke:#10B981,stroke-width:3px,color:#fff
from exogram import ExogramGuard
from langchain.agents import initialize_agent
# Instead of passing tools directly to an LLM, wrap them in the Protocol Guard
safe_tools = ExogramGuard.wrap_tools(
tools=[database_write_tool],
policy="STRICT_DETERMINISM",
tenant_id="enterprise_12"
)
# The Orchestrator operates normally, but is now cryptographically bound
agent = initialize_agent(safe_tools, llm, agent="zero-shot-react-description")To fully grasp how Execution Authority functions at the physical networking layer, we have extracted our comprehensive research into a 7-part Infrastructure Hub.
- Layer 1: Intelligence - Why relying on LLMs for exact execution guarantees is mathematically impossible.
- Layer 2: AI Agent Memory - The geometry of Pinecone/Milvus cosine-similarity and why RAG is vulnerable to context poisoning.
- Layer 3: Orchestration - How LangChain loops scale to infinity, and how Exogram mathematically severs recursive death states.
- Layer 4: Execution Authority - The Exogram interception firewall.
- Synthesis: The Full Stack - A fully mapped visualization of the 4 layers operating concurrently securely.
- Enterprise AI Companies - B2B analysis for SaaS providers: Eliminating liability, hitting SOC2 compliance, and zeroing out recursive token costs.
- Developer & Agent Tooling - Native integrations via embedded SDKs, CLI safety scanners, and MCP (Model Context Protocol).
This repository holds multiple interlinked formal specifications. Developers and security architects MUST review all standards to implement a compliant EA infrastructure node.
| Number | Title | Scope | Status |
|---|---|---|---|
| RFC-0001 | Execution Authority Protocol Specifications | Complete mathematical modeling of AI Agent Guardrails, Payload Admissibility Theorems, and Threat Vector resolution. | Draft / Proposed |
| RFC-0002 | Intent-Based Permissioning (IBP) | Defining the failure of IAM/RBAC models and the standard for dynamic, semantic permissioning grids. | Draft / Proposed |
| RFC-0003 | Cryptographic Execution Tokens ( |
Network layer byte-structures, SHA-256 state hashing algorithms, and strict millisecond TTL payload constraints. | Draft / Proposed |
The rigorous mathematical concepts enclosed in these RFCs are implemented, maintained, and operated in production at scale by the Exogram Platform.
- See the AI Agent Firewall in action via the live simulation tool: Agent Safety Analyzer
We actively welcome community pull requests, academic analysis, and formal logic adjustments detailing the fundamental mathematical constraints of deterministic AI execution gateways.
Join us in building the unified execution authority for the next generation of autonomous systems. Please star the repository if you support mathematical AI agent guardrails!