Skip to main content
system: operating/agents: 35/red-line breaches: 0/integrity: green/audit rows: 1,300,000+
// Trust & safety

The safety story is the product.

Modern AI tools are sharp, unsupervised, and structurally invisible to compliance — which is exactly why agents have started deleting production systems and leaking data on borrowed credentials. VoidLens is built the opposite way: every action is recorded before it happens, every destructive capability is gated, every new behavior earns its way through a forty-eight-hour shadow window, and every change ships with an evaluation set. The trust posture is not a marketing surface — it is the engineering.

// The Five Rails

How safety is built in.

The security field has converged on one hard rule: the safety layer is the system, not the model. Five engineering rails carry the whole posture — and each is enforced at the architecture layer, not at the prompt layer, not at deploy time, not by author discipline alone.

Rail one

Guardian-gated capabilities

Every destructive or external action passes a per-agent capability gate — the principle of least privilege, written into the system. An immutable forbidden list (moving money, permanent deletions, unapproved web submits, security-permission changes, sensitive-credential handling) overrides any agent prompt and any per-deal carve-out.

Rail two

Structured audit trail

Every non-trivial action lands a structured row: timestamp, who acted, what they did, on what, with what outcome, cost, duration, and against which playbook. Subpoena-ready by default and SOC 2 / ISO 27001 schema-aligned from day one — a sample-ready export from your cockpit on demand.

Rail three

Forty-eight-hour shadow ladder

Every agent climbs an autonomy ladder through a clean forty-eight-hour shadow window. Six gates check pass-rate before promotion. No skipping tiers, no "just for this run." Any forbidden-list touch, unbudgeted spend, or safety regression resets the clock.

Rail four

Eval-driven deployment

Behavior changes ship with an evaluation set. CI-style checks measure pass-rate against known examples before merge or deploy, and thresholds block production. "Did we break what was working?" has a number every time — and that number lands in the audit trail too.

Rail five

Audit-before-effect

The record precedes the effect. An agent logs its intended action and clears the Guardian gate before anything happens in your systems — never after. Denied-by-default: if the gate does not recognize the action, it does not run. The audit trail is not a postmortem; it is the permission slip.

// The gap · governance is lagging adoption

The market just quantified the gap.

Enterprises are shipping agents far faster than they can govern them. VoidLens is built for the side of that gap most companies have not closed yet — governance that is native, not bolted on.

Deloitte 2026

21% governed, 73% worried

In Deloitte’s 2026 State of AI, only 21% of organizations report a mature model for governing autonomous agents, while 73% name data privacy and security as their top concern — even as roughly three-quarters plan to deploy agentic AI within two years. (Source: Deloitte, “AI agents are scaling faster than their guardrails,” 2026.)

Docker 2026

60% in production, 40% blocked

Docker’s State of Agentic AI, a survey of 800+ builders, found 60% already run agents in production, but 40% cite security and compliance as the number-one barrier to scaling them further. (Source: Docker, State of Agentic AI, 2026.)

The VoidLens answer

Deterministic guardrails on every action

The industry is converging on exactly what VoidLens ships: deterministic guardrails on every agent action, with a complete audit trail. The Guardian gate denies unrecognized actions by default, and the record precedes the effect — so “governed” is a property of the system, not a policy document.

// Resilience · no single point of failure

Two brains, and math that doesn't guess.

Trust is not only about what an agent is forbidden to do — it is also about the system staying honest and available when conditions are bad. Two architecture choices carry that load.

Adaptive failover

The Adaptive Second Brain

A primary cloud model (Claude) does the heavy reasoning; the Adaptive Second Brain runs locally on your own hardware (open-weight models via an Ollama-class runtime) and takes over the instant the primary is unavailable or rate-limited. Shipped today as one shared local standby model; on larger deployments it can be provisioned as high-capability standalone local models — up to one per division, each keeping its division's lights on (enterprise configuration). A cloud outage or a credit lapse degrades gracefully — read-only agents keep running, action-bearing agents queue with an incident audit row — instead of going dark. The local brains also cost nothing per call.

Verified compute

The tensor unit (synapse)

When a task needs real mathematics — optimization, modeling, tensor work — VoidLens does not let a language model improvise the numbers. It routes the calculation to a dedicated tensor compute substrate (the synapse, built on Julia + ITensor) that runs it on a real solver and returns a verified, audit-stamped result. The language models reason; the math engine computes — and the answer is checked, not guessed.

// Forbidden by design · the red lines

Immutable boundaries.

Field note (2026): real agent breaches keep landing on the actions these lines deny — documented credential/token exfiltration and API-key theft in a widely-used AI coding agent (Cline), and command-injection sandbox escapes that turn prompt injection into host code execution. VoidLens denies the action before it runs.

A small set of capabilities are forbidden system-wide. No agent's playbook can override. No founder override. No autonomy bump. No board vote. No "this one's special." The list is the contract — and each line carries an immutable reason.

Financial actions

Moving money, executing trades, placing orders, initiating transfers — categorically forbidden. Customers can categorize transactions and generate reports; the system never executes the transaction.

Permanent deletions

No agent issues a permanent delete. Archive, sidecar, move, quarantine — yes. Permanent removal of customer data, records, or audit rows under the customer's retention contract — never.

Unapproved external submits

Submitting forms or posting payloads to domains outside the per-agent allowlist is forbidden. The allowlist is auditable and operator-controlled; the denial lands an audit row regardless of intent.

Security-permission changes

Sharing documents, changing access, modifying visibility, granting roles — operator-only. Agents propose; the operator dispositions; the system records both halves of the decision.

Sensitive credential handling

Bank account numbers, government identifiers, full payment-card data, medical records, secrets and API keys — agents do not enter, transmit, or persist these. Customers handle them directly.

Provider-specific destructive ops

Mass-deletes, account closures, permission revocations on shared resources require explicit per-action operator authorization through the cockpit, with an audit row carrying both the proposal and the disposition.

Every denial against a forbidden category is recorded — what was attempted, by which agent, with which playbook, blocked at which gate. Your compliance program sees the deny chain, not just the action chain.

// Customer-hosted

Your data lives with you.

VoidLens is customer-hosted with no shared SaaS layer. No shared infrastructure between customers, no shared audit log, no shared data plane. The model is BYOK — your contract with the model provider, your spend, your rate limits. The cockpit reads through MCP connectors and OAuth tokens you control; the audit rows live in your workspace. Subprocessor disclosures are short because the architecture is short.

Your weights, your machine, your audit trail: BYOK extends to local open-weight models (Ollama-class) for sovereignty-sensitive and high-volume steps at near-zero marginal token cost, while frontier models carry the complex agentic work. Honest scope: local models trade some capability for sovereignty — the router makes that trade explicit, and the audit trail records which model did what. The Adaptive Second Brain ships today as a single shared local model and is architected to scale — up to a standalone local brain per division (enterprise configuration) — your host's capability deciding which model occupies each seat.

Customer

Hosting model

BYOK

Model billing

Your stack

Data residency

MCP + OAuth

Connector model

// Compliance roadmap

SOC 2, ISO, and the audit window.

The audit-row schema, the capability-allowlist contract, the role-based access model, the shadow ladder, and the eval-driven deploy are SOC 2 control-evidence aligned out of the gate; our roadmap targets a SOC 2 Type 1 evidence pack. The retention curve maps to your review cycles — debugging at a week, quarterly at ninety days, annual at one year, regulatory at seven.

7 days

Vesyr retention

90 days

Obscura retention

1 year

Ignis retention

7 years

Decus retention

// Common questions, plain answers

What your compliance team will ask.

Where does data live?

In your workspace, behind your tools' existing security boundaries. VoidLens is customer-hosted — there is no shared SaaS layer. Audit rows are local to your cockpit and exportable on demand.

How is access controlled?

Per-agent capability allowlists at the operator-controlled cockpit. The forbidden list is system-wide and immutable. Operator dispositions are required for any action outside the steady-state allowlist.

How are incidents detected?

A watchdog continuously monitors the workforce. Drift, runaway costs, silent failures, and unexpected capability requests are flagged into a structured incident record before they reach your inbox.

How do we audit a specific action?

Pull the audit-row export for the window. The row identifies the agent, the action, the target, the outcome, the cost, and the playbook that authorized it. Cross-reference to the playbook for the full decision context.

Can we add our own forbidden capabilities?

Yes. Enterprise customers add to their own forbidden list. They cannot remove from the system-wide immutable list — that contract is shared across all VoidLens deployments and is what makes the safety claim defensible.

What happens during a model provider incident?

The cockpit degrades gracefully — read-only agents continue; action-bearing agents queue their next step with an explicit incident audit row; the operator dispositions on recovery. The Guardian gate is independent of the model layer; nothing forbidden becomes permitted during an outage.

What about AI that improves itself?

In June 2026, Anthropic publicly urged a coordinated pause option as frontier AI nears recursive self-improvement, naming loss of human oversight as the risk. VoidLens is built the opposite way: no agent modifies itself, its playbook, or its permissions — every change is proposed, human-approved, and recorded, and autonomy is earned tier by tier on the 48-hour ladder. The industry's own frontier lab says unsupervised self-improvement is the danger line; this system is engineered not to cross it.

Read the rails. Then drive the cockpit.

Twenty minutes. Open the live audit log, watch the gate deny a forbidden action in real time, and ask any compliance question you want.