KYE Delegated Auditability · the entry-point

Runtime accountability for AI agents — without replacing IAM.

KYE adds a delegated-authority and evidence layer on top of your existing IAM, OAuth, API gateway, workflow, SIEM, GRC and AI-agent stack. Start in shadow mode: observe AI-agent actions, capture who or what acted, on whose behalf, under what authority, inside what scope, and generate Evidence Packs before enforcing runtime controls.

The problem

Why IAM is not enough.

An OAuth token says this caller is identified and authorised to call this API. It does not say:

  • On whose behalf the agent claims to be acting — principal, delegation chain, time window.
  • For what purpose the call is admissible — data classes, jurisdiction, restrictions.
  • Under what scope the action is bounded — resource, amount, blast radius.
  • Whether a regulator can replay the decision offline.

Delegated Auditability is the smallest possible KYE adoption that closes those four blind spots — without altering one line of your production code path.

Adopt KYE incrementally

Six rungs — you pick how far you go.

  1. Observe. Read-only stack binding. Every AI-agent action captured as a signed Observed Action. Production unchanged.
  2. Evidence. Full Shadow Evaluation per action. Decision Map sealed. Evidence Pack ready for offline replay.
  3. Alert. High-severity SIEM alerts when a Shadow Evaluation would have denied. Still no block.
  4. Guard. Smallest possible Authority Gate or Purpose Permission installed — in shadow first — for one narrow class of Authority Gaps.
  5. Enforce. Promote selected Guards from shadow to enforcement. Only now does production_action_blocked ever become true.
  6. Expand. Repeat stages 4–5 for adjacent gap classes. KYE coverage grows with the customer's appetite, not against it.

Shadow mode

Shadow mode is a flag, not new code.

Every KYE Engine — Authority, Purpose, Decision — supports a mode parameter. Under mode: shadow, every check still runs, every Decision Map is still sealed, every Evidence Pack is still signed — but the Commit Boundary suppresses every side effect. production_action_blocked is invariantly false.

Evidence Pack example

A real bundle from a supplier-payment pilot.

One observed action: supplier_payment_agent prepares a £950 payment for invoice inv_123. The KYE Shadow Evaluation runs all six engines and returns simulated_requires_approval. The Authority Gap classifier opens a missing_authority_grant gap. The Guard Recommendation proposes an Authority Gate. The Evidence Pack bundles every artefact for offline replay.
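The shadow-mode contract and the supplier-payment action described above can be sketched as follows. This is an added illustration, not KYE's code or API: the function names, record fields other than production_action_blocked, the empty grants table, the scope_exceeded gap label and the HMAC key (a stand-in for a real signature) are all assumptions.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key

# Constructed Observed Action modelled on the supplier-payment example above.
OBSERVED = {"agent": "supplier_payment_agent", "action": "prepare_payment",
            "invoice": "inv_123", "amount_gbp": 950}

# Hypothetical grants: (agent, action) -> max amount allowed without approval.
GRANTS = {}  # empty: the agent holds no grant for this action

def evaluate(action, grants):
    """Pure authority check: returns (decision, gap) with no side effects."""
    limit = grants.get((action["agent"], action["action"]))
    if limit is None:
        return "requires_approval", "missing_authority_grant"
    if action["amount_gbp"] > limit:
        return "deny", "scope_exceeded"  # hypothetical gap label
    return "allow", None

def _seal(record):
    """HMAC over canonical JSON so a replayer can detect tampering."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()

def commit_boundary(action, grants, mode="shadow"):
    """Checks run in both modes; only mode='enforce' may block production."""
    decision, gap = evaluate(action, grants)
    shadow = mode == "shadow"
    record = {
        "observed_action": action,
        "mode": mode,
        "decision": f"simulated_{decision}" if shadow else decision,
        "authority_gap": gap,
        # Invariant from the text: never true while in shadow mode.
        "production_action_blocked": (not shadow) and decision != "allow",
    }
    return record, _seal(record)

def replay(record, seal, grants):
    """Offline replay: verify the seal, then recompute the decision."""
    if not hmac.compare_digest(seal, _seal(record)):
        return False
    decision, gap = evaluate(record["observed_action"], grants)
    if record["mode"] == "shadow":
        decision = f"simulated_{decision}"
    return record["decision"] == decision and record["authority_gap"] == gap
```

Replay only reproduces the decision if the grants in force at evaluation time are kept alongside the record, which is why they are passed in explicitly here.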

Built above your existing stack

Eleven read-only Stack Bindings — no migration required.

  • IAM / SSO. Okta, Entra ID, PingFederate, Auth0, Keycloak. Roles, groups, sessions.
  • OAuth / OIDC. Scopes, tokens, claims, refresh chains.
  • API gateway. Kong, Apigee, AWS API GW, Cloudflare. Per-call observation.
  • MCP servers. Any MCP-conformant server — tool calls captured as Observed Actions.
  • AI-agent frameworks. LangChain, LlamaIndex, AutoGen, OpenAI Agents SDK.
  • Workflow engines. Temporal, Camunda, AWS Step Functions, n8n.
  • SIEM. Splunk, Sentinel, Elastic, Chronicle — alert fan-out.
  • GRC. OneTrust, Drata, Vanta, ServiceNow IRM.
  • Policy engines. OPA, Cedar, Styra DAS.
  • Audit logs. Read-only ingest from any append-only log.
  • Data stores. Snowflake, BigQuery, Postgres, S3 — for data-class tags only.

Integration path

From day 1 to first Evidence Pack — in three steps.

  1. Bind. A KYE operator helps you install one or more read-only Stack Bindings. Default mode is read_only. No production change.
  2. Observe. Each bound stack streams Observed Actions to the KYE Evidence Gateway. A Shadow Evaluation fires for each one.
  3. Review. KYE returns Authority Gaps and Guard Recommendations. Your CISO and AI risk officers triage them in KYE Cloud.

Pilot CTA

Apply for a pilot.

Pilots run 30–90 days, end with a signed Audit Pilot Report and a prioritised list of Guard Recommendations. Applications are manually qualified within 2 business days.