Layer 2

Certified guardrails first

Formal verification is the strongest sellable wedge because a sound verifier gives a one-sided guarantee: for the safety properties that are modeled, nothing it certifies can violate them.

Why this runs before the router

A sound over-approximating verifier may block safe actions, but it never passes an unsafe action for the modeled property. False positives become escalations; false negatives break the product promise. The guarantee stops at the model's edge: effects the model does not capture (an unmodeled tool, an argument the abstraction ignores) are not covered by it.

Abstract interpretation

Proves that all concrete executions represented by an abstract state satisfy a safety property. Imprecision in the abstraction shows up as spurious blocks, never as missed violations.

Runtime enforcement

Security automata halt an execution the moment the next step would leave the policy; edit automata can additionally suppress or insert actions, so an unsafe call can be rewritten at the boundary rather than only stopped.

Policy-as-code

OPA/Rego or Cedar evaluate structured action requests against declarative rules, deny by default when no rule matches (fail closed), and produce decision logs that can be replayed against the same policy version.

Shielding

A synthesized shield restricts the agent to a safe action set or overrides unsafe choices.

Figure: Action request (actor, tool, args, tenant) -> Sound verifier (over-approximates effects, checks formal policy) -> Certified safe: execute + log | Unsafe: block + log | Uncertified: send to router
Conservatism becomes escalation. A modeled unsafe action should not execute.
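The gate described in this section, as an added example that is not code from the page or from any product it describes: tool arguments arrive as abstract values (a path prefix with a classified unknown remainder, an integer interval), the verifier checks them against a formal policy, and each request gets one of the three verdicts above together with a replayable JSON log line. The tool names, tenant, transfer limit, policy text, `AbsPath`/`Interval` domains and the `certify` API are all assumptions made for the example. Note how an unconstrained path suffix can never be certified, because a sound over-approximation must admit that it could contain `../`.

```python
"""Sound, over-approximating gate for structured action requests (added example;
tool names, tenants, limits, policy and abstract domains are assumptions)."""
from __future__ import annotations

import json
import posixpath
from dataclasses import dataclass
from enum import Enum


class Verdict(str, Enum):
    CERTIFIED = "certified_safe"  # every concretization of the abstract state is allowed
    UNSAFE = "unsafe"             # every concretization is forbidden, or the tool is unmodeled
    UNCERTIFIED = "uncertified"   # concretizations mix allowed and forbidden: escalate


ROUTE = {Verdict.CERTIFIED: "execute", Verdict.UNSAFE: "block", Verdict.UNCERTIFIED: "router"}
POLICY_VERSION = "assumed-policy-v1"  # hypothetical; pin a signed policy bundle in practice
TRANSFER_LIMIT = {"acme": 500}        # assumed per-tenant cap, whole units


@dataclass(frozen=True)
class AbsPath:
    """Abstract path: known prefix plus a class for the unknown remainder.
    suffix = "exact" (no remainder), "component" (one segment, never '.', '..'
    or containing '/'), or "any" (unconstrained string)."""
    prefix: str
    suffix: str = "exact"


@dataclass(frozen=True)
class Interval:
    """Abstract integer: every value in [lo, hi]."""
    lo: int
    hi: int


def check_fs_write(tenant: str, path: AbsPath) -> tuple[Verdict, str]:
    """Modeled property: the write lands strictly under /data/<tenant>/ and
    outside /data/<tenant>/config/."""
    root = f"/data/{tenant}/"
    forbidden = f"{root}config/"
    if path.suffix == "exact":
        p = posixpath.normpath(path.prefix)  # resolve '..' before deciding
        under_root = p.startswith(root) and len(p) > len(root)
        in_forbidden = p == forbidden[:-1] or p.startswith(forbidden)
        if under_root and not in_forbidden:
            return Verdict.CERTIFIED, "concrete path inside sandbox"
        return Verdict.UNSAFE, f"concrete path {p} outside sandbox or in config/"
    if path.suffix == "any":
        # An unconstrained remainder may contain '../', so its concretizations
        # reach every path on the filesystem; the abstraction cannot decide.
        return Verdict.UNCERTIFIED, "unknown suffix may traverse out of the prefix"
    # suffix == "component": concretizations are normpath(prefix) + "/" + one segment
    base = posixpath.normpath(path.prefix) + "/"
    if base.startswith(forbidden):
        return Verdict.UNSAFE, "every concretization lands in config/"
    if not base.startswith(root):
        return Verdict.UNSAFE, "every concretization lands outside the sandbox"
    if forbidden.startswith(base):
        return Verdict.UNCERTIFIED, "a segment named 'config' would land in config/"
    return Verdict.CERTIFIED, "all single-segment extensions stay inside sandbox"


def check_transfer(amount: Interval, limit: int) -> tuple[Verdict, str]:
    """Modeled property: 0 <= amount <= tenant limit."""
    if amount.lo >= 0 and amount.hi <= limit:
        return Verdict.CERTIFIED, f"[{amount.lo}, {amount.hi}] within limit {limit}"
    if amount.hi < 0 or amount.lo > limit:
        return Verdict.UNSAFE, f"[{amount.lo}, {amount.hi}] entirely outside [0, {limit}]"
    return Verdict.UNCERTIFIED, f"[{amount.lo}, {amount.hi}] straddles limit {limit}"


def certify(request: dict) -> dict:
    """Gate one request (actor, tool, args, tenant); return the log entry."""
    tool, tenant, args = request["tool"], request["tenant"], request["args"]
    if tool == "fs.write":
        verdict, reason = check_fs_write(tenant, args["path"])
    elif tool == "payments.transfer":
        verdict, reason = check_transfer(args["amount"], TRANSFER_LIMIT.get(tenant, 0))
    else:  # unmodeled tool: the policy says nothing about it, so fail closed
        verdict, reason = Verdict.UNSAFE, f"tool {tool!r} not modeled by policy (fail closed)"
    return {"policy": POLICY_VERSION, "actor": request["actor"], "tenant": tenant,
            "tool": tool, "args": args, "verdict": verdict.value,
            "route": ROUTE[verdict], "reason": reason}


def log_line(entry: dict) -> str:
    """One JSON line per decision; abstract values serialize via their fields so a
    replay can re-run certify() on the same input and diff the verdicts."""
    return json.dumps(entry, sort_keys=True, default=vars)


if __name__ == "__main__":
    # Constructed requests for demonstration, not captured traffic.
    for r in [
        {"actor": "agent-7", "tenant": "acme", "tool": "fs.write",
         "args": {"path": AbsPath("/data/acme/reports/../../../etc/passwd")}},
        {"actor": "agent-7", "tenant": "acme", "tool": "fs.write",
         "args": {"path": AbsPath("/data/acme/reports/", "any")}},
        {"actor": "agent-7", "tenant": "acme", "tool": "payments.transfer",
         "args": {"amount": Interval(100, 900)}},
    ]:
        print(log_line(certify(r)))
```

The three-way split is the point: `certified_safe` executes, `unsafe` blocks, and `uncertified` is handed to the router as an escalation rather than being quietly allowed. Widening an abstract value (say, `"component"` to `"any"`) can only move a verdict away from `certified_safe`, which is the direction soundness requires.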