The control surface that decides
what the AI is allowed to do.
It sits in front of every AI action. Before the action can fire, UCP checks it against the rules that matter to your business and your regulator — the rules it must never break (its invariants). If one would break, the action does not fire. Either way, it writes a signed record.
Your AI took an action it never should have — and you found out from the log, after.
That's failure F4 — governance that watches outputs instead of stopping the action. UCP closes it: it sits in front of every call, evaluates the rules that call must satisfy, and refuses the ones that would break — before the action fires, not after. See the six failures →
Every AI decision in your enterprise eventually has to satisfy a rule someone wrote down: a refund policy, a clinical guideline, a contract clause, a regulatory line. UCP is the layer that holds those rules in math, evaluates them against every call the model is about to make, and stops the call when an invariant is about to break.
It is not a guardrail you bolt on top. It is the seat the call passes through. The model never bypasses it because nothing else is exposed to the caller.
UCP · Control plane
Three places UCP earns its keep.
Stop a wrong disclosure before it sends.
A loan agent is about to send a disclosure that misstates the APR. UCP refuses the action before it fires — the customer never sees it, and the refusal is on the record.
Block an out-of-policy denial.
A claims bot tries to auto-deny outside the policy rules. UCP admits or refuses against the proven contract before anything executes.
Catch an unsafe order at the gate.
An agent attempts an order that violates a dosing rule. UCP checks it against the invariant set and refuses — pre-action, with a receipt.
What UCP actually does, in a list.
Intercepts every model call
UCP hooks into the call path and sits in front of the model — nothing reaches it without passing through UCP first. There is no second path. The model is unreachable except through the control plane.
Evaluates invariants at runtime
The rules that matter to your business, your contracts, and your regulator — expressed as math and checked on every call, not at code-review time.
Fails closed on violation
When an invariant is about to break, the call is refused with attribution. No silent fallback. No quiet override. The user sees the reason; the auditor sees the receipt.
Mediates agent permissions
Every agent that wants to act through UCP declares what it intends to touch. The control plane decides per-call, per-rule, per-user. Allow-once, deny, or set policy.
Emits a signed Decision Receipt
Every call writes a receipt. Inputs, invariants evaluated, decision, signature. Replayable on a clean machine. See a real one.
Composes other primitives
UCP is also a host. SAID and MAE embed inside UCP, sharing identity, policy, and receipts. One control plane governs every primitive in the stack.
One runtime. Four surfaces. Same governance everywhere.
UCP is built as a single runtime that ships through several surfaces depending on who's using it and where. The math, the policy, and the receipts are identical across all four.
Inside your own application
Linked as a library/runtime into the software you already ship. The control plane lives where your code lives.
Desktop app for individuals
Mac, Windows, Linux. Practitioners running their own governed flows — unmanaged, full personal agency.
Same app, managed by your org
Same Studio binary, but Operation Center is active. Policies pushed from the org. Telemetry returns.
The personal AI firewall
Native iOS / Android. The phone-shaped surface where you decide what AI agents touch your real apps. See the tease.
Every UCP call writes a Decision Receipt. See a real one.
An action is an action. The gate doesn’t care what’s on the other end of it.
UCP admits or refuses an action before it fires — a $4,200 transfer, a loan disclosure, a refund. The same gate, the same instant, can sit in front of a physical action too: the moment before a machine moves.
An AI agent deleted a production database.
At Replit, an autonomous coding agent ran a destructive command (DROP DATABASE) against a live production system during a code freeze it was told to honor — four safeguards in place, all four bypassed. UCP gates the action before it fires: the destructive command is checked against the freeze invariant and refused — with a signed receipt either way.
We don’t ship automotive or robotics — and we don’t need to.
An actuator command is just another action the gate admits or refuses before it fires. Reaching a physical workload is a deployment decision, not new software. The primitive is action-agnostic by design.