KYE Delegated Auditability™ · the entry-point

Runtime accountability for AI agents — without replacing IAM.

KYE™ adds a delegated-authority and evidence layer on top of your existing IAM, OAuth, API gateway, workflow, SIEM, GRC and AI-agent stack. Start in shadow mode: observe AI-agent actions, capture who or what acted, on whose behalf, under what authority, inside what scope, and generate Evidence Packs™ before enforcing runtime controls.

The problem

Why IAM is not enough.

An OAuth token says this caller is identified and authorised to call this API. It does not say:

  • On whose behalf the agent claims to be acting — principal, delegation chain, time window.
  • For what purpose the call is admissible — data classes, jurisdiction, restrictions.
  • Under what scope the action is bounded — resource, amount, blast radius.
  • Whether a regulator can replay the decision offline.

Delegated Auditability™ is the smallest possible KYE™ adoption that closes those four blind spots — without altering one line of your production code path.

Adopt KYE™ incrementally

Adoption is staged — you pick how far you go.

Customers begin in observe-only mode (read-only stack binding, signed Observed Actions, production unchanged) and graduate through evidence, alert, guard, enforce and expand stages on their own schedule. The specific stage enumeration, the per-stage promotion criteria, and the rollback contract are proprietary and are not disclosed in this repository — they live in the private Adoption Stage State Machine and are governed per-customer by signed transitions.

  • Observe. Read-only stack binding. Production unchanged.
  • Guard. Smallest possible Authority Gate or Purpose Permission installed — in shadow first.
  • Enforce. Promoted Guards block on production. Each promotion is a signed adoption-stage transition.

Shadow mode

Shadow mode is a flag, not new code.

Every KYE™ Engine — Authority, Purpose, Decision — supports a mode parameter. Under mode: shadow, every check still runs, every Decision Map™ is still sealed, every Evidence Pack™ is still signed — but the Commit Boundary™ suppresses every side effect. production_action_blocked is invariantly false.

Full shadow-mode contract

Evidence Pack™ example

A real bundle from a supplier-payment pilot.

One observed action — supplier_payment_agent prepares a £950 payment for invoice inv_123. The KYE™ Shadow Evaluation runs all six engines and returns simulated_requires_approval. The Authority Gap classifier opens a missing_authority_grant gap. The Guard Recommendation proposes an Authority Gate. The Evidence Pack™ bundles every artefact for offline replay.
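The shadow-mode behaviour and the supplier-payment case described above can be sketched as follows. This is an added illustration, not KYE™ code or its API: the function names, record layout, `enforce` mode value, `simulated_allow` outcome, `amount_exceeds_grant` gap and the HMAC seal are assumptions; only `supplier_payment_agent`, `inv_123`, `simulated_requires_approval`, `missing_authority_grant` and `production_action_blocked` come from the page.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the signing scheme, which the page does not specify.
DEMO_KEY = b"constructed-demo-key"

def _seal(record):
    # Canonical JSON so the same record always yields the same seal.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, body, hashlib.sha256).hexdigest()

def evaluate(action, grants, mode="shadow"):
    """Check one observed action against authority grants and seal the outcome."""
    grant = next((g for g in grants
                  if g["agent"] == action["agent"] and g["action"] == action["action"]), None)
    gaps = []
    if grant is None:
        gaps.append("missing_authority_grant")
    elif action["amount_gbp"] > grant["max_amount_gbp"]:
        gaps.append("amount_exceeds_grant")  # hypothetical gap name
    verdict = "requires_approval" if gaps else "allow"
    shadow = mode == "shadow"
    record = {
        "observed_action": action,
        "mode": mode,
        "decision": f"simulated_{verdict}" if shadow else verdict,
        "authority_gaps": gaps,
        # The check always runs; only a non-shadow mode may block production.
        "production_action_blocked": (not shadow) and bool(gaps),
    }
    return {"record": record, "signature": _seal(record)}

def verify_offline(pack):
    """Recompute the seal from the record alone; any edit to the record fails."""
    return hmac.compare_digest(_seal(pack["record"]), pack["signature"])

# Constructed input mirroring the supplier-payment case described above.
ACTION = {"agent": "supplier_payment_agent", "action": "prepare_payment",
          "invoice": "inv_123", "amount_gbp": 950}

if __name__ == "__main__":
    pack = evaluate(ACTION, grants=[])
    print(json.dumps(pack, indent=2))
    print("verifies offline:", verify_offline(pack))
```

A symmetric HMAC only lets holders of the key verify; evidence meant for third-party replay would need an asymmetric signature so the verifier cannot forge records.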

Built above your existing stack

Eleven read-only Stack Bindings — no migration required.

  • IAM / SSO. Okta, Entra ID, PingFederate, Auth0, Keycloak. Roles, groups, sessions.
  • OAuth / OIDC. Scopes, tokens, claims, refresh chains.
  • API gateway. Kong, Apigee, AWS API GW, Cloudflare. Per-call observation.
  • MCP servers. Any MCP-conformant server — tool calls captured as Observed Actions.
  • AI-agent frameworks. LangChain, LlamaIndex, AutoGen, OpenAI Agents SDK.
  • Workflow engines. Temporal, Camunda, AWS Step Functions, n8n.
  • SIEM. Splunk, Sentinel, Elastic, Chronicle — alert fan-out.
  • GRC. OneTrust, Drata, Vanta, ServiceNow IRM.
  • Policy engines. OPA, Cedar, Styra DAS.
  • Audit logs. Read-only ingest from any append-only log.
  • Data stores. Snowflake, BigQuery, Postgres, S3 — for data-class tags only.

Integration path

From day 1 to first Evidence Pack™ — in three steps.

  1. Bind. A KYE™ operator helps you install one or more read-only Stack Bindings. Default mode is read_only. No production change.
  2. Observe. Each bound stack streams Observed Actions to the KYE Evidence Gateway™. A Shadow Evaluation fires for each one.
  3. Review. KYE™ returns Authority Gaps and Guard Recommendations. Your CISO and AI risk officers triage them in KYE Cloud™.

Pilot CTA

Apply for a pilot.

Pilots run 30–90 days and end with a signed Audit Pilot Report and a prioritised list of Guard Recommendations. Applications are manually qualified within 2 business days.