The control surface that decides what the AI is allowed to do.
It sits in front of every AI action. Before the action can fire, AICP checks it against the rules it must never break, the invariants. If one would break, the action does not fire. Either way, it writes a signed Decision Receipt.
Solves the problem that keeps agents in pilot: the action already fired before anyone could stop it.
Your agent asks. The math answers. Then it fires — or it doesn’t.
AICP sits between your AI agents and the systems they can touch. Nothing the agent does reaches a real system until it has passed a rule you proved in advance.
Your agent tries to take an action — move money, write to a database, call an API.
AICP checks that exact action against the rule you set, proven in math beforehand.
If it would break the rule, it is refused before it runs. If it’s allowed, it fires.
Either way, a signed receipt records what happened and which rule decided it.
Everyone else watches the output after the model produces it — a second AI scoring the first, or a dashboard that alerts after the action already fired. A guess checking a guess.
AICP decides before the action fires, and the check is math — a proven rule, not another model’s opinion. The same action always gets the same verdict.
Why it’s better: A refused action never happens, so there’s nothing to clean up; the decision is deterministic; and the proof is portable — your auditor re-verifies it without us. See how we build it →
One plane. Every agent, every tool.
AICP brokers every connection between your agents and the systems they reach. See the estate at a glance — then watch one call get gated: requested, checked against rules proven in math, refused, corrected, and admitted, with a signed receipt. Swap the agent; the governance does not change.
Need your single hardest capability locked to a proven, deterministic runtime? That is MGR.
Your AI took an action it never should have. You found out from the log, after.
It's governance that watches outputs instead of stopping the action. AICP closes it. It sits in front of every call, evaluates the rules that call must satisfy, and refuses the ones that would break — before the action fires, not after.
Intercepts every action
The model is reachable only through AICP. There is no second path, so nothing fires without passing the gate first.
Evaluates invariants at runtime
The rules that matter to your business, your contracts, and your regulator, expressed as math and checked on every call.
Fails closed on violation
When an invariant would break, the action is refused with attribution. No silent fallback, no quiet override.
Mediates agent permissions
Every agent declares what it intends to touch. AICP decides per call, per rule, per user. Allow once, deny, or set policy.
Emits a signed Decision Receipt
Every call writes a receipt: inputs, invariants checked, verdict, signature. Replayable on a clean machine. See one.
Hosts the other operators
SAGE and MAE embed inside AICP, sharing identity, policy, and receipts. One control plane governs the whole stack.
One runtime. Four surfaces. Same governance everywhere.
AICP ships through several surfaces depending on who is using it and where. The math, the policy, and the receipts are identical across all four.
Inside your own application
Linked as a library into the software you already ship. The control plane lives where your code lives.
Desktop app for individuals
Mac, Windows, Linux. Practitioners running their own governed flows, unmanaged, full personal agency.
The same app, managed
Same Studio binary with Operations Center active. Policies pushed from the org, telemetry returns.
The personal AI firewall
Native iOS and Android. The surface where a person decides what AI agents may touch their real apps.

Author a rule in plain language. AICP turns it into a proven constraint and gates every action against it.
They do not take our word for it. Each admitted or refused action carries a signed receipt they can re-derive on their own machine, without us.
Put the gate in front of your hardest action.
An action is an action. The gate does not care what is on the other end of it.