How It Works
The TAO Protocol
Every write to a system of record passes through the same mandatory pipeline. No stage is bypassable. No stage is probabilistic. The pipeline is the architecture.
Proposal
Any actor — AI agent, human operator, automated pipeline, script, batch job — proposes a write to a system of record. The proposal is structured: actor identity, role, target resource, intended action, timestamp. A proposal is not an authorization.
Authorization Decision
The Governance Plane evaluates the proposal. Actor credentials, role binding, and authorization scope are checked against the declared action. The decision is deterministic mathematics, not inference: a fixed pass/fail computation with no confidence score to calibrate.
TAO Issued
If authorized, a Typed Authorization Object is issued: cryptographically signed, single-use, carrying identity, role, scope, and timestamp. If not authorized, nothing proceeds — there is no retry path that bypasses this stage. The TAO is the pre-execution certificate.
Gate Verification
The actor presents the TAO at the persistence gate. The gate operates below ordinary application policy — below the agent, below the pipeline. It verifies the authorization artifact and checks that the write matches the approved scope.
Write and Consumption
The TAO is consumed in the same atomic transaction as the write. Replay is structurally impossible. If the write fails for any reason, the TAO is voided. No partial state is left behind. No TAO can authorize two writes.
Receipt Anchored
A tamper-evident receipt is appended to the audit ledger. The receipt is not a log of what happened — it is an artifact proving that authorization preceded the action. It exists before the write completes.
The pipeline above reflects the current production implementation. The architecture is extensible — additional verification, escrow, or multi-party authorization stages can be inserted without altering the invariant: no TAO, no write.
The Mathematics
Authorization is not inference. It is proof.
Steward and Sync's governance layer uses deterministic finite mathematics to decide whether a proposed write is structurally authorized before it reaches a system of record. The result is not a confidence score, classifier output, or policy guess. It is an exact computation with a fixed pass/fail outcome.
The underlying theorem establishes a provable separation property for the authorization structure. That separation property — that the authorization structure cannot collapse to a self-certifying loop — has been verified by exhaustive computation across 13.8B+ cases. Every case that could theoretically produce a violation was evaluated.
This work has been submitted for peer review at IEEE Transactions on Information Theory and Elsevier Finite Fields and Their Applications.
A 110-page open-access monograph covering the mathematical foundations is available on Zenodo under CC BY 4.0 — DOI 10.5281/zenodo.20473485 ↗
No model confidence. No probabilistic guardrail.
A deterministic mathematical gate: authorization is either proven before execution, or the write does not proceed.
Authorization Theory
Why the gate must stand outside.
The system that generates an action has no standing to evaluate its own action. Authorization is defined outside the system — or it is not authorization at all. There are four ways organizations try to solve AI governance. Only one works in a regulated environment.
The system validates its own output. Attestation, not verification. "The system talking to itself through you." Fails because the same weights that generated the action generate the evaluation.
Similar systems check each other — constitutional AI, LLM-as-judge, secondary model review. Shares the same training distribution and blind spots. Finds errors the generator would find. Misses errors it wouldn't.
An architecturally separated verifier evaluates against external criteria. Cannot be influenced by the generator — different trust domain, different policy authority. This is where STS-001 operates.
Mathematical verification of every possible case. No sampling, no confidence interval. The authorization structure underlying STS-001 is verified at this tier: 13.8B+ cases, zero exceptions.
Behavioral sophistication is irrelevant to authorization. A system that cannot certify itself is not a broken system — it is an honest system.Read: "You Cannot Certify Yourself" ↗
Competitive Landscape
How STS-001 differs from every other governance approach
| Dimension | Every other system | STS-001 |
|---|---|---|
| When | After execution | Before execution |
| Layer | Application / API / middleware | Persistence layer |
| Decision type | Policy rule or ML classifier | Deterministic mathematical proof |
| Actor scope | Often AI-only or human-only | Any actor — human, AI, pipeline, script |
| Bypassable? | Application layer — compromised credentials, privilege escalation | No — below the application, structural separation |
| Audit artifact | Log of what happened | Cryptographic proof authorization preceded action |
| Separation | Configured, conventional | Structural — authorizer ≠ executor by architecture |
Deployment
Sovereign-first. On-premise. Air-gap capable.
The architecture is designed sovereign-first: the authorization gate runs on infrastructure you own and operate, with no vendor visibility into your operational decisions. For regulated environments — classified programs, OT networks, GxP facilities — this is the correct deployment model. Cloud deployment paths exist architecturally; the current offering is on-premise by design and by priority.
Integration
No application changes
The gate sits below the application at the persistence layer. Your existing LIMS, EHR, MES, or CI/CD pipeline does not need to be modified. No application-layer integration work.
Security
Air-gap capable
No external network calls required. All three planes operate within your network perimeter. TPM2 hardware signing uses locally-anchored keys. Compatible with classified environments, OT networks, and any facility where external connectivity is restricted or prohibited. Cloud deployment paths exist architecturally — sovereign-first is the current design priority.
Reliability
Fail-closed by design
If the Governance Plane is unavailable, no writes proceed. Unavailability is a known, detectable condition. An undetected unauthorized write is not. The system treats governance availability as a hard precondition.
Infrastructure
Standard Linux infrastructure
No specialized appliances. Runs on standard Linux server hardware you own and operate. Scales from a minimal footprint to multi-node on-premise deployments depending on write volume and redundancy requirements.
Performance
Millisecond gate latency
TAO issuance and gate verification add millisecond-level latency per write. The gate operates asynchronously relative to application logic — it does not block the Reasoning Plane from preparing the next proposal.
Pharma / GxP
Validation-ready
In GxP environments, STS-001 is validated as a platform once, then deployed as a qualified component. Validation evidence is a native output — the audit trail proving correct operation is produced by the system itself.
Ready to see it in your environment?
Get in Touch