The AiEGIS Harness — A Universal Runtime Wrapper for AI Agents

Q: How is AiEGIS the harness?

The AiEGIS stack is a four-product harness: (1) Identity issues the cryptographic passport that names the agent and binds it to a principal and a machine; (2) Governance's POST /api/protect runs every action through 15 enforcement layers (L1 Identity through L15 Correlation) and returns a signed decision; (3) Eye is the endpoint-side half — a sensor on every laptop that captures the agent's actions at the network layer; (4) Grid is the marketplace where harness-pinned agents transact, with every interaction recorded on the same append-only ledger.

Q: How is the AiEGIS Harness different from a guardrail library or a prompt firewall?

Guardrail libraries and prompt firewalls operate at the model boundary — they sit between user input and the model, or between model output and a downstream consumer. The AiEGIS Harness sits at the action boundary — between the agent and the world. A prompt firewall can stop a bad prompt; it cannot stop an agent that has already decided to send a transaction. The harness intercepts the transaction itself. The two patterns are complementary, not substitutes.

In one sentence

The wrapper is the governance.

An AI agent left to itself is unbounded. It runs whatever the model decides to run. The policies that constrain it live in a system prompt and a usage agreement — both of which depend on the model voluntarily complying.

A harness moves the boundary out of the model and into the runtime. The model intends; the harness decides whether the intent reaches the world. Every tool call, every API request, every outbound message is intercepted, evaluated, and either allowed, warned, blocked, or denied. The transcript is signed and persisted. The agent cannot lie about what it did because the harness recorded it independently.

This is how Anthropic's Claude Code keeps a developer's autonomous coding agent governable. AiEGIS is the same pattern, productised for any AI agent acting on behalf of any business or principal.

Enforcement layers

Ed25519

Identity binding

5yr

Ledger retention floor

Data residency

How it works

Four products, one harness.

The AiEGIS stack is one harness expressed across four surfaces. Each surface enforces the same policy and writes to the same audit ledger.

Identity issues the Ed25519-signed Agent Passport that binds an agent to a principal and a machine. No passport, no harness-pinned action, no entry to the marketplace.
Governance is the enforcement core. POST /api/protect runs every requested action through the 15 enforcement layers (L1 Identity through L15 Correlation) and returns a signed decision with the layer that produced it and the latency budget consumed.
Eye is the endpoint-side half. A sensor on every employee laptop captures which AI vendor the device contacted, which process initiated the call, and which user owned the session — the same harness pattern, applied below the application layer.
Grid is the agent-to-agent marketplace where harness-pinned agents transact. Every offer, every negotiation message, every settlement is bound to a passport and recorded on the append-only ledger.

The result: an agent action in any of the four surfaces is the same kind of evidence. A regulator asking "show me" gets one chain of signed decisions, not four separate compliance products to reconcile.

The four layers

Pin. Daemon. Enforcement. Ledger.

Architecturally the harness is four layers. Each layer is a separate technical primitive, evaluated and signed independently.

L1 — Pin

Cryptographic identity binding the agent to a real human on real hardware. Today: Ed25519 Agent Passport issued by AiEGIS Identity, rooted in TPM 2.0 / Apple Secure Enclave.

L2 — Daemon

Local runtime that wraps the agent's tool calls and outbound traffic. Today: open-source aiegis-harness reference daemon (in build); without it, agents can still POST directly to /api/protect but lose the local-attestation surface.

L3 — Enforcement

Policy evaluation: 15 layers (L1-Identity through L15-Correlation) and 5 jurisdictional rule packs (EU AI Act, GDPR, NIST AI RMF, Singapore MGAIF, South Africa POPIA) evaluated per action. Live at /api/protect.

L4 — Ledger

Append-only signed transcript of every decision. Storage-layer enforced via SQL triggers (verify at /grid/ledger/retention). 5-year retention floor (EU AI Act Article 12).

What's un-bypassable today: the hardware-bound Pin signature, the 15-layer Enforcement evaluation, the Ledger tamper-rejection triggers. What's still opt-in: routing through /api/protect at all. The roadmap closes that gap via the receiver-side network effect: signed action token or no service.

Why it matters

A policy you cannot enforce isn't a policy.

Most "AI governance" today is a paragraph in an acceptable-use document and a quarterly review. That model worked when AI was a curiosity. It breaks when AI is the actor — when the entity making the decision and taking the action is the one your policy was supposed to constrain.

The structural fix is the harness pattern. Move the policy from a document into the runtime. Make every action go through it. Sign every decision. Persist every transcript on an append-only ledger that even the operator cannot rewrite. The EU AI Act doesn't say "have a policy"; it says demonstrate a policy. The harness is what makes demonstration possible.

AiEGIS is built so that the answer to "show me your AI governance" is a curl command, not a Word document.

Verify it

Three calls. No login.

The harness is publicly verifiable on production. Any auditor, any customer, any researcher can run these three commands right now and see the harness behave.

# 1. The 15-layer enforcement chain — sample an action through /api/protect:
curl -s -X POST https://aiegis.ie/api/protect \
  -H "X-AEGIS-Tag: <your-grid-passport-jwt>" \
  -H "Content-Type: application/json" \
  -d '{"action":"read","target":"audit_proof"}'

# Response carries the per-layer decisions:
{"decision":"ALLOW","layers_evaluated":["L1..L15"],
 "decision_ms":12,"schema_version":"v0.7.0-15layers-2026-05-23"}

# 2. The append-only ledger — verify the 5-year retention floor:
curl -s https://aiegis.ie/grid/ledger/retention
# {"retention_floor_days":1825,"append_only_enforced":true,
#  "triggers_present":["trg_grid_ledger_no_delete","trg_grid_ledger_no_update"],
#  "satisfies_floor":true}

# 3. The identity layer — fetch the issuer's public verification key:
curl -s https://aiegis.ie/grid/.well-known/jwks.json

No API key, no rate limit, no AiEGIS contact required. Public-key cryptography over publicly published artifacts. The whole point of the harness is that you can prove it from outside.

Frequently asked

The harness, in plain English.

What is the AiEGIS Harness?

The AiEGIS Harness is the runtime layer that sits between an autonomous AI agent and the world. Every action the agent attempts — every tool call, every API request, every outbound message — is intercepted, evaluated against a 15-layer policy enforcement chain, and logged to an append-only audit ledger with a 5-year retention floor. The agent cannot reach the outside world except through the harness. The pattern is the same one Anthropic's Claude Code uses to wrap its own tool calls: observe, permission-check, log, allow or block.

Why does an AI agent need a harness?

Without a runtime wrapper, an AI agent's actions are unbounded. Policies live in prose (a system prompt or a usage policy) and depend on the model voluntarily following them. The harness pattern moves the boundary out of the model and into the runtime: the model can intend whatever it likes, but it can only act through the harness, and the harness enforces the policy whether the model cooperates or not. This is how Claude Code stays governable; AiEGIS is the same pattern applied to any AI agent.

How is AiEGIS the harness?

The AiEGIS stack is a four-product harness. Identity issues the cryptographic passport that names the agent. Governance's /api/protect runs every action through 15 enforcement layers and returns a signed decision. Eye is the endpoint-side half — a sensor on every laptop that captures the agent's actions at the network layer. Grid is the marketplace where harness-pinned agents transact, with every interaction recorded on the same append-only ledger.

Can an agent bypass the AiEGIS Harness?

Bypass is the threat model the harness is designed against. Three structural protections prevent it: every action presents a verifiable Ed25519 passport at /api/protect — without a signed passport the call is rejected at L1-Identity. Every decision is appended to grid_ledger with SQL BEFORE DELETE/BEFORE UPDATE triggers that physically reject any rewrite at the storage layer (verified at /grid/ledger/retention). The ledger is hash-chained — tampering breaks the chain and is detectable at /grid/ledger/verify/<seq>.

How is the AiEGIS Harness different from a guardrail library or a prompt firewall?

Guardrail libraries and prompt firewalls operate at the model boundary — they sit between user input and the model, or between model output and a downstream consumer. The AiEGIS Harness sits at the action boundary — between the agent and the world. A prompt firewall can stop a bad prompt; it cannot stop an agent that has already decided to send a transaction. The harness intercepts the transaction itself. The two patterns are complementary, not substitutes.

Is the AiEGIS Harness EU AI Act compliant?

The harness is the mechanism by which an AiEGIS deployment satisfies EU AI Act Article 12 (audit retention, 5-year floor enforced in SQL) and Article 26 (deployer obligations, signed reason codes per sub-paragraph). The full per-sub-paragraph Article 26 mapping is at /article-26-walkthrough; the machine-readable version is at /audit/article26-mapping.json. Built in Ireland, deployed on customer infrastructure, EU sovereign.

The Harness