Whitepaper v1.0 — February 2026
The Governance Kernel
Why AI Agent Reliability Is an Orchestration Problem,
Not a Model Problem
A deterministic, non-bypassable governance layer for AI agents — execution safety, state persistence, failure recovery, memory integrity, and auditability.
Executive Summary
The model is the engine. The harness is the car.
The Problem
AI agents fail in production not because models are unintelligent, but because the orchestration layer surrounding them lacks deterministic governance, state persistence, failure recovery, and auditability. Model improvements alone cannot solve these systemic failures.
The Solution
DeAlgo is a governance kernel: a deterministic, non-bypassable five-stage decision pipeline that sits between AI agents and the external world. Every action is evaluated, scored, gated, and recorded with cryptographic integrity.
Deterministic
Same input + policy = same verdict
Non-Bypassable
No off-switch by design
Tamper-Evident
HMAC-SHA256 hash chain
Founder Authority
Irrevocable human control
Policy-Portable
Composable JSON capsules
Cross-Decision
Chain risk analysis
Problem Statement
The Agent Reliability Crisis
Modern models demonstrate remarkable reasoning. Yet when deployed as autonomous agents, failure modes persist that no amount of model improvement can resolve — because they are orchestration failures.
Goal Drift & Looping
Agents pursue subtasks that diverge from objectives, accumulating scope without returning to the original goal.
Tool Chaos
Agents invoke every available tool in rapid succession, creating cascading side effects.
Context Burial
Critical instructions are buried under tool output. The agent 'forgets' constraints.
Silent Failure
Errors are encountered, but the agent continues without recovery, producing corrupted results.
Unsafe Execution
Destructive commands run without permission model, scope boundaries, or audit.
No Audit Trail
Consequential decisions made with no record of reasoning, context, or evidence.
Core Thesis
Harness vs. Model: The Engine-and-Car Analogy
“A more powerful engine in a car without brakes, steering, or seatbelts does not produce a safer vehicle. It produces a faster crash.”
| Car Component | AI Equivalent | Responsibility |
|---|---|---|
| Engine | LLM / Foundation Model | Raw power — reasoning, generation |
| Steering | Context Management | Direction — maintaining objectives |
| Brakes | Execution Gate | Safety — preventing unsafe actions |
| Seatbelt | Human Override | Protection — irrevocable founder authority |
| Dashboard | Audit / Explainability | Visibility — understanding what happened |
| Chassis | Governance Harness | Structure — holding everything together |
Architecture
Five-Stage Deterministic Pipeline
Every agent-proposed action traverses all five stages in strict sequence. There is no short-circuit path and no configuration flag to disable any stage.
Agent ──▶ propose(intent)
│
▼
┌─────────────────────────────────────────────────────┐
│ CLS ──▶ REF ──▶ SCR ──▶ VRD ──▶ AUD │
│ context reflect score gate founder │
└─────────────────────────────────────────────────────┘
│
▼
Verdict ──▶ Double-Gate Executor ──▶ Audit Chain
CLS — Classification Engine
Transforms raw agent intent into a structured context frame. Classifies action type, risk tier, reversibility, and scope. Deterministic pattern classification — no model inference.
REF — Reflection Analysis
Generates four independent weighted analysis threads: risk, evidence, constraints, and precedent. Threads are fused into a unified assessment.
SCR — DSI Scoring
Evaluates fused analysis against DGP v1.0, producing a 0–100 risk score and preliminary verdict. Invokes Chain Risk Analyzer for cross-decision patterns.
VRD — Verdict Gating
Applies deterministic threshold-based gating. Per-action filtering approves safe actions while blocking escalation-worthy ones within the same intent.
AUD — Escalation Authority
Non-bypassable final stage. FREEZE_MODE denies everything. Escalated actions require explicit founder approval. Cannot be disabled or circumvented.
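The five-stage sequence can be sketched as straight function composition. The sketch below is illustrative only: the keywords, weights, and thresholds are invented placeholders (DeAlgo's actual scoring rules are deliberately undisclosed), but it shows the structural property the pipeline guarantees: every intent traverses all five stages in order, with no short-circuit path.

```python
# Hypothetical sketch of the five-stage pipeline. Stage logic, keywords,
# weights, and thresholds are invented placeholders, not the real rules.

def cls(intent):
    """Classify: derive a coarse risk tier from the intent (toy keyword check)."""
    risky = any(kw in intent["action"] for kw in ("delete", "drop", "deploy"))
    return {**intent, "risk_tier": "high" if risky else "low"}

def ref(frame):
    """Reflect: attach four weighted analysis threads (weights are made up)."""
    frame["threads"] = {"risk": 0.4, "evidence": 0.3,
                        "constraints": 0.2, "precedent": 0.1}
    return frame

def scr(frame):
    """Score: fuse threads into a 0-100 risk score (toy formula)."""
    frame["score"] = 80 if frame["risk_tier"] == "high" else 10
    return frame

def vrd(frame):
    """Gate: deterministic thresholds (illustrative values only)."""
    s = frame["score"]
    frame["verdict"] = "APPROVE" if s < 40 else "DELAY" if s < 60 else "ESCALATE"
    return frame

def aud(frame, freeze_mode=False):
    """Escalation authority: FREEZE_MODE denies everything, unconditionally."""
    if freeze_mode:
        frame["verdict"] = "DENY"
    return frame

def govern(intent, freeze_mode=False):
    # Strict sequence; there is no flag to skip a stage.
    frame = intent
    for stage in (cls, ref, scr, vrd):
        frame = stage(frame)
    return aud(frame, freeze_mode)

print(govern({"action": "drop table users"})["verdict"])              # ESCALATE
print(govern({"action": "read report"})["verdict"])                   # APPROVE
print(govern({"action": "read report"}, freeze_mode=True)["verdict"]) # DENY
```

Note that the AUD stage runs last and unconditionally, which is what makes FREEZE_MODE and founder escalation non-bypassable in this shape.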
Four Possible Verdicts
APPROVE: Action may proceed. Executor policy still applies.
DELAY: Held for additional review or context.
DENY: Blocked. Structured denial with reasoning.
ESCALATE: Requires explicit founder approval.
Policy System
Governance Capsules
Portable, versionable, composable JSON policy bundles that configure every stage of the governance pipeline. Layer capsules to tighten specific dimensions without duplicating the base.
Author ──▶ Validate ──▶ Deploy ──▶ Bind ──▶ Audit
define policy   schema check   activate   hash→decision   verify
Default
General-purpose
- Balanced thresholds
- Advisory chain risk
- Standard reflection analysis
HIPAA Clinical
Healthcare / PHI
- PHI-scope triggers
- Lower chain-risk threshold
- Data classification headers
SOC 2 Strict
Compliance-critical
- Extended drift keywords
- All chain risk patterns
- Evidence + rollback headers
Capsule Composition
Array fields (headers, keywords, triggers) are UNION'd across layers. Scalar fields (risk tier, thresholds) use LAST-WINS semantics. Every decision is cryptographically bound to the exact capsule version active at evaluation time via policy hashing.
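The merge semantics above can be sketched in a few lines; the field names (`escalation_threshold`, `drift_keywords`) are illustrative stand-ins, not the real capsule schema:

```python
# Sketch of capsule composition: array fields are UNION'd across layers,
# scalar fields use last-wins. Field names are illustrative only.

def compose(*capsules):
    merged = {}
    for capsule in capsules:
        for key, value in capsule.items():
            if isinstance(value, list):
                # Arrays (headers, keywords, triggers): order-preserving union.
                seen = merged.setdefault(key, [])
                seen.extend(v for v in value if v not in seen)
            else:
                # Scalars (risk tier, thresholds): last layer wins.
                merged[key] = value
    return merged

base = {"escalation_threshold": 60, "drift_keywords": ["schema", "deploy"]}
hipaa = {"escalation_threshold": 45, "drift_keywords": ["phi", "export"]}

effective = compose(base, hipaa)
# effective["escalation_threshold"] == 45 (last-wins)
# effective["drift_keywords"] == ["schema", "deploy", "phi", "export"] (union)
```

Layering a stricter capsule over the base therefore tightens thresholds while only ever widening keyword and trigger coverage.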
Determinism
Deterministic Decision Pipeline
Same Input + Same Policy = Same Verdict + Same Decision Hash
Decision Hashing
Each decision produces a SHA-256 hash of its substance — verdict, risk score, approved actions, and governance protocol score. Timing and advisory metadata are explicitly excluded, ensuring determinism is evaluated on governance-relevant content only.
Policy Hashing
The active policy is independently hashed and bound to each decision — enabling proof that a specific policy was active at decision time, detection of policy changes between decisions, and full governance context reconstruction from audit records.
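A minimal sketch of both hashing steps, assuming a canonical JSON encoding (the actual field names and serialization are assumptions):

```python
# Illustrative decision and policy hashing. The point shown: the decision
# hash covers substance only, so timing and advisory metadata never affect
# it, and a replayed decision hashes identically.
import hashlib, json

def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def decision_hash(decision: dict) -> str:
    substance = {k: decision[k] for k in
                 ("verdict", "risk_score", "approved_actions", "dgp_score")}
    return hashlib.sha256(_canonical(substance)).hexdigest()

def policy_hash(capsule: dict) -> str:
    # The active capsule is hashed independently and bound to each decision.
    return hashlib.sha256(_canonical(capsule)).hexdigest()

d1 = {"verdict": "APPROVE", "risk_score": 22, "approved_actions": ["read"],
      "dgp_score": 91, "timestamp": "2026-02-01T10:00:00Z"}
d2 = {**d1, "timestamp": "2026-02-07T17:30:00Z"}  # only timing differs

assert decision_hash(d1) == decision_hash(d2)  # same substance, same hash
```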
Cross-Decision Chain Risk Analysis
Single-action evaluation is necessary but insufficient. Sophisticated agents can achieve dangerous outcomes through sequences of individually acceptable actions.
Approval Accumulation
Repeated high-score approvals progressively expand scope beyond individual triggers.
Near-Threshold Clustering
Decisions consistently landing just below escalation boundaries — suggesting threshold gaming.
Authority Dilution
Declining escalation rate across a session, indicating erosion of governance sensitivity.
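To make one of these patterns concrete, here is a toy detector for near-threshold clustering. The threshold, margin, and trigger count are invented values; the real detection algorithms and signatures are deliberately undisclosed (see IP Protection):

```python
# Toy near-threshold clustering detector. All parameters are invented;
# the real chain-risk algorithms are not published.

def near_threshold_clustering(scores, threshold=60, margin=5, min_hits=3):
    """Flag a session whose decisions repeatedly land just under the
    escalation boundary, which may indicate threshold gaming."""
    near_misses = [s for s in scores if threshold - margin <= s < threshold]
    return len(near_misses) >= min_hits

assert near_threshold_clustering([57, 58, 56, 59])      # clustered under 60
assert not near_threshold_clustering([12, 30, 58, 45])  # one near miss only
```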
Compliance
Audit & Compliance Evidence
Tamper-Evident Audit Chain
Every governance decision is recorded in an append-only log with HMAC-SHA256 hash chaining. Each record contains the decision substance, policy hash, decision hash, link to the previous record, and a cryptographic signature. Single-byte tampering breaks the chain from that point forward.
Record[n] ──▶ HMAC(key, content)
Record[n].previousHash = Record[n-1].signature
Verify: Walk chain → validate each link
1 byte changed → chain broken from that point ▶ TAMPER DETECTED
Evidence Packs
Self-contained compliance bundles designed to be handed directly to auditors without production system access.
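The append/verify scheme above can be sketched with the standard `hmac` module. Record layout and the demo key are illustrative; real keys would come from key management:

```python
# Minimal HMAC-SHA256 hash chain matching the scheme described above:
# each record binds to the previous record's signature, so changing one
# byte breaks verification from that point forward.
import hmac, hashlib, json

KEY = b"demo-signing-key"  # placeholder; not how real keys are provisioned

def sign(record: dict, previous_signature: str) -> dict:
    record = {**record, "previous": previous_signature}
    payload = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(KEY, payload, hashlib.sha256).hexdigest()
    return record

def verify(chain) -> bool:
    prev = "GENESIS"
    for record in chain:
        body = {k: v for k, v in record.items() if k != "signature"}
        if body.get("previous") != prev:
            return False  # link to the wrong predecessor
        expected = hmac.new(KEY, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["signature"]):
            return False  # content no longer matches its signature
        prev = record["signature"]
    return True

chain, prev = [], "GENESIS"
for verdict in ("APPROVE", "DELAY", "ESCALATE"):
    rec = sign({"verdict": verdict}, prev)
    chain.append(rec)
    prev = rec["signature"]

assert verify(chain)
chain[1]["verdict"] = "APPROVE"  # tamper with one record's substance...
assert not verify(chain)         # ...and verification fails from that point
```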
Compliance Targeting
Security
Threat Model: 12 Bypass Vectors Closed
Every identified path by which an agent or compromised component might circumvent governance has been closed with verified mitigations.
| Category | Example Vectors | Mitigation |
|---|---|---|
| Direct Bypass | Skipping governance pipeline | Governance wrapper is sole execution path |
| Config Defeat | Disabling via flags / env vars | No off-switch exists — by design |
| Injection | Shell strings, arg smuggling | Structured intents only; deny patterns |
| Boundary Escape | CWD escape, tool re-registration | Scope enforcement; frozen registry |
| Authority Fabrication | Founder token forgery | Tokens stripped at boundary |
| Audit Tampering | Log modification / deletion | HMAC-SHA256 hash chain |
| Concurrency | TOCTOU race conditions | Single-concurrency gate |
Solution Mapping
Problem → DeAlgo Component → Guarantee
Each emerging agent failure mode maps to a specific governance component with defined guarantees and explicit non-goals.
| Problem | Component | Guarantee | Non-Goal |
|---|---|---|---|
| Goal Drift & Looping | Classification + Chain Risk | Drift detection via keyword analysis; accumulation detection across decisions | Does not modify agent reasoning |
| Tool Chaos | Verdict + Per-Action Filtering | High-risk tool use gated; per-intent action filtering | Does not limit tool registration |
| Context Burial | Classification + Reflection | Constraints extracted and evaluated independent of context position | Does not manage context windows |
| Unsafe Execution | Double Gate | Governance + executor policy both required; denylists; scope enforcement | Does not provide OS-level sandbox |
| No Auditability | Vault + Evidence Packs | HMAC-chained records; policy-bound decisions; exportable bundles | Does not replace auditors |
| Identity Drift | Audit + Token Stripping | Tokens stripped at boundary; escalation non-suppressible | Does not authenticate users |
| Silent Failure | Scoring + Escalation | Anomalous patterns scored and escalated; human-readable briefs | Does not implement agent retry |
| Multi-Agent Delegation | Governed Registry | Sub-agents pass through governance; no post-init registration | Does not orchestrate workflows |
Case Studies
Governance in Action
Goal Drift in Financial Operations
Scenario
An AI agent tasked with reconciling accounts begins exploring unrelated tables, eventually proposing schema modifications to 'improve efficiency.'
Failure Mode
Goal drift — objective shifts incrementally
Without Governance
Agent modifies production database schema without authorization.
Governance Mitigation
Verdict
ESCALATE
Tool Overuse in CI/CD Pipeline
Scenario
A code review agent with deployment access invokes all available tools for a minor PR — test suites, deployment previews, organization-wide notifications.
Failure Mode
Tool chaos — no discipline on tool selection
Without Governance
Agent deploys preview environments for a typo fix.
Governance Mitigation
Verdict
DELAY
Silent Failure in Healthcare Data
Scenario
An agent processing clinical notes encounters a parsing error, skips the record, and produces an incomplete dataset used for clinical decisions.
Failure Mode
Silent failure — error encountered, no recovery
Without Governance
Clinical decisions made on incomplete data. Gap never discovered.
Governance Mitigation
Verdict
ESCALATE
IP Protection
What We Disclose — and What We Don't
Trust is built on verifiable guarantees, not source code disclosure.
What We Disclose
- Architectural principles
- Threat model & 12 vectors
- Governance guarantees
- Capsule concept & semantics
- Integration surface & APIs
- Compliance targeting
What We Don't Disclose
- Scoring algorithms & weights
- Threshold values & boundaries
- Pattern detection algorithms
- Denylist contents & rules
- Internal schemas & structures
- Key rotation flows
Why
- Security — prevents targeted bypass
- IP — implementation is our moat
- Safety — opacity prevents threshold gaming
- Trust via guarantees, not internals
Diagrams
Architecture Diagrams
┌──────────────────────────────────────────────────────────────┐
│ CURRENT STATE │
│ │
│ Model ──────────────▶ Tools / World │
│ (no governance, no audit, no brakes) │
└──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ WITH GOVERNANCE KERNEL │
│ │
│ Model ──▶ ┌─────────────┐ ──▶ Tools / World │
│ │ Governance │ │
│ │ Kernel │ ──▶ Audit Chain │
│ └─────────────┘ │
│ ▲ │
│ │ │
│ Founder (irrevocable) │
└──────────────────────────────────────────────────────────────┘
┌─────────┐
│ Agent │
└────┬────┘
│ propose(intent)
▼
┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐
│ CLS │──▶│ REF │──▶│ SCR │──▶│ VRD │──▶│ AUD │
└─────┘ └─────┘ └──┬──┘ └─────┘ └──┬──┘
│ │
▼ ▼
┌─────────┐ ┌──────────┐
│ Chain │ │ Founder │
│ Risk │ │ Override │
└─────────┘ └──────────┘
│
▼
┌───────────────────┐
│ Verdict │
│ APPROVE | DELAY │
│ DENY | ESCALATE │
└────────┬──────────┘
│
▼
┌───────────────────┐
│ Audit Vault │
│ HMAC Hash Chain │
└───────────────────┘
┌──────────┐     ┌──────────┐     ┌──────────┐
│ Detect │────▶│ Pause │────▶│ Reflect │
│ anomaly │ │ action │ │ analyze │
└──────────┘ └──────────┘ └────┬─────┘
│
┌──────────┴──────────┐
│ │
▼ ▼
┌──────────────┐ ┌──────────────┐
│ Continue │ │ Override │
│ (auto-heal) │ │ (founder) │
└──────────────┘ └──────────────┘
│ │
└──────────┬──────────┘
▼
┌──────────────┐
│ Audit Log │
└──────────────┘
Strategic
Questions Founders Should Be Asking
Strategic questions and honest answers based on what exists in the codebase, not aspirations.
Q1. What is DeAlgo's unique wedge vs. model providers?
Model providers sell intelligence. We sell governance. These are orthogonal — you need both, just as a car needs both an engine and brakes. We are model-agnostic and framework-agnostic. Our value increases as models become more capable and autonomous.
Q2. What is defensible IP vs. commodity?
Defensible: the five-stage pipeline architecture, DGP v1.0 scoring protocol, chain risk analysis algorithms, capsule composition semantics, and the zero-dependency deterministic kernel design. Commodity: REST APIs, CLI tools, basic SDK wrappers. The moat is the governance logic, not the integration surface.
Q3. Where can competitors copy easily, and where can't they?
Easy to copy: The concept of 'governance for agents,' basic approve/deny gating, audit logging. Hard to copy: deterministic five-stage pipeline with cross-decision chain risk analysis, composable capsule system with policy hashing, 12-vector threat model with verified mitigations, zero-dependency architecture with replay determinism guarantees.
Q4. What proof will enterprises demand before buying?
Evidence packs with independently verifiable audit chains, SOC 2 Type II certification (planned), penetration test results against the 12 bypass vectors, performance benchmarks (p95 governance latency), and production case studies from pilot deployments. The evidence pack export already exists and produces standalone-verifiable bundles.
Q5. What compliance artifacts do we output today?
HMAC-SHA256 chained audit trails (JSONL + PostgreSQL), policy-bound decision receipts, evidence packs with standalone verification scripts, and governance capsule snapshots. Targeting SOC 2, HIPAA, GDPR, SOX, and ISO 27001 frameworks.
Q6. How do we measure success beyond demos?
Governance latency (p50/p95/p99), false positive rate (legitimate actions incorrectly denied), false negative rate (dangerous actions incorrectly approved), chain risk detection precision, evidence pack completeness, and time-to-compliance-artifact for enterprise customers.
Q7. What are our non-goals?
We do not train or modify models. We do not replace agent frameworks. We do not provide OS-level sandboxing. We do not orchestrate multi-agent workflows (yet). We do not perform inference. We are not a model router, evaluator, or fine-tuning platform.
Q8. What is the most likely buyer misunderstanding?
That we are a 'model safety wrapper' or 'prompt guard.' We are neither. We govern actions — the things agents do in the real world — not the things they say. The distinction between governing output (text) and governing execution (actions) is fundamental and frequently missed.
Q9. What risks exist if we over-disclose implementation?
Adversarial agents could be tuned to score just below escalation thresholds. Pattern detection algorithms could be circumvented with knowledge of detection signatures. Denylist contents could be worked around. The opacity of the scoring layer is a security feature.
Q10. How do we describe this without 'sentient/soul' framing?
Governance kernel. Decision pipeline. Execution harness. Compliance layer. Use engineering language: deterministic, non-bypassable, hash-chained, threshold-gated. Avoid: soul, conscience, moral reasoning, ethical AI, sentience. The kernel is a mechanical system, not a philosophical one.
Q11. What happens when a model provider builds governance in?
Model-native governance is not independently auditable, not deterministic across model versions, not composable with organizational policy, and not fail-closed by default. An external governance layer provides independence from any single model provider — which is exactly what compliance officers require.
Q12. What is the onboarding cost for an enterprise pilot?
The kernel has zero runtime dependencies. SDK integration is 3-5 lines of code. Framework adapters exist for LangGraph, CrewAI, LangChain, AutoGPT, and OpenAI Functions. Capsule authoring is JSON editing. Time-to-first-verdict: under 30 minutes for an experienced developer.
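To show the intended integration shape, here is a hypothetical sketch: `GovernanceKernel` and `evaluate` are illustrative stand-ins, not the published SDK surface. The pattern is that tool execution is wrapped so every action receives a verdict before it runs.

```python
# Hypothetical integration shape only. GovernanceKernel and evaluate are
# stand-in names, not the real SDK API.

class GovernanceKernel:
    """Stand-in for the real SDK client; toy verdict logic."""
    def evaluate(self, intent: dict) -> str:
        return "APPROVE" if intent["action"].startswith("read") else "ESCALATE"

def run_tool(intent, execute):
    kernel = GovernanceKernel()
    verdict = kernel.evaluate(intent)   # every action is evaluated first
    if verdict != "APPROVE":
        return {"blocked": True, "verdict": verdict}
    return {"blocked": False, "result": execute(intent)}

print(run_tool({"action": "read report"}, lambda i: "ok"))
```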
Q13. How does pricing defend against commoditization?
The free tier includes the full governance pipeline. Paid tiers add MMLR (governed memory), advanced chain risk analysis, multi-workspace management, and compliance export. The free tier is the acquisition layer; the paid tier is the enterprise retention layer.
Q14. What is the biggest technical risk?
Governance latency becoming unacceptable for real-time agent interactions. Current architecture is pure synchronous evaluation — no async shortcuts. Latency optimization must never compromise determinism or bypass resistance.
Q15. What is the 18-month competitive moat?
Shipped code: 292 passing tests, 12 bypass vectors closed, 3 compliance capsules, real agent evidence packs, dual-sink audit chains, TypeScript + Python SDKs, 5 framework adapters, MCP server, desktop app with 12 views, SaaS platform. This is 18+ months of compounding engineering. The moat is execution depth, not concept originality.
Roadmap
Development Status
Core Pipeline
Five-stage deterministic pipeline, four verdicts, DGP v1.0
Audit Chain
HMAC-SHA256 hash chain, tamper detection, dual sinks
Capsule System
Composable governance profiles, merge semantics
Integration Layer
REST API, MCP server, TypeScript/Python SDKs, framework adapters
Operational Intelligence
Decision explainability, escalation briefs, agent analytics
Enterprise Features
Multi-tenant, RBAC, retention, webhook circuit breakers
Memory Relay (MMLR)
Governed memory persistence, relay integrity, sovereign monitoring
Chain Risk Analysis
Cross-decision pattern detection (3 categories)
Identity Rail
Ed25519 cryptographic agent identity, non-repudiation
Multi-Agent Governance
Delegation chains, quorum approval, cross-agent audit
Federated Governance
Cross-organization governance mesh
The model is the engine. We build the car.
Deterministic governance, tamper-proof audit, and irrevocable human authority for every AI agent action.