PERMISSION/PROTOCOL

Compliance & governance

The authorization layer regulators are starting to require.

OWASP Agentic Top 10, NIST AI RMF, SOC 2, ISO 27001, and the EU AI Act all point to the same gap: AI agents taking consequential actions without verifiable human authorization. Permission Protocol closes that gap with signed authority receipts — proof that a human approved the action before it ran.

The compliance argument

“Human in the loop” is an architecture claim. An authority receipt is evidence.

Regulators and auditors are asking the same question: when an AI agent takes a consequential action, what proves a human authorized it? “We had HITL in the system design” is not an answer. A signed, timestamped, verifiable receipt naming the approver and the specific action is.

NIST AI RMF

NIST AI Risk Management Framework

RequirementWhat it asks forHow PP satisfies it
GOVERN

Establish accountability for AI actions and decisions

Every authority receipt names the approver, the policy, and the specific action — creating an immutable accountability record outside the agent's control.

MANAGE

Implement human oversight for consequential AI decisions

The authorization gate requires a named human to explicitly approve each consequential action before it executes. Fail-closed by design.

MEASURE

Track and audit AI system behavior

Receipt audit trail provides per-action records: actor, action, resource, approver, policy, timestamp, cryptographic signature.

SOC 2

SOC 2 Type II

RequirementWhat it asks forHow PP satisfies it
CC6 — Logical Access

Control and monitor access to production systems

Authorization receipts enforce that AI agents cannot reach production without an explicit human approval. The gate is enforced by branch protection — not a system prompt.

CC7 — Change Management

Authorize and document production changes

Each production change initiated by an AI agent produces a signed receipt documenting who authorized it. Unsigned changes are blocked at the enforcement point.

CC4 — Monitoring

Maintain audit evidence for security controls

Receipt IDs are stable, resolvable, and retained for a minimum of 7 years. Auditors can verify any receipt independently via the verification API.

ISO 27001

ISO/IEC 27001

RequirementWhat it asks forHow PP satisfies it
A.9 — Access Control

Restrict access to information and systems

AI agents are treated as untrusted actors requiring explicit per-action authorization — not persistent privileged access. Authorization is action-scoped and time-limited.

A.12 — Operations Security

Control operational changes and prevent unauthorized activity

Deploy gates and data mutation gates enforce that no AI-initiated production operation proceeds without a prior signed receipt.

A.16 — Incident Management

Document and respond to information security incidents

When an AI agent action causes an incident, the authority receipt provides an exact forensic record: who authorized it, what they saw, and when.

EU AI Act

EU Artificial Intelligence Act

RequirementWhat it asks forHow PP satisfies it
Article 14 — Human Oversight

High-risk AI systems must allow human oversight and intervention

Every consequential action by an AI agent requires a human authorization receipt before execution. The oversight is not advisory — it is enforced at the infrastructure level.

Article 12 — Record Keeping

Maintain logs sufficient to assess compliance

Authority receipts are signed, portable, and verifiable. They constitute contemporaneous records of human authorization decisions, not reconstructed audit logs.

Article 9 — Risk Management

Implement risk management systems for AI

Consequence-aware policy evaluates each AI action as cleared, approval_required, or denied before execution. High-impact actions escalate to human review automatically.

OWASP Agentic

OWASP Top 10 for Agentic Applications (2026)

RequirementWhat it asks forHow PP satisfies it
ASI02 — Tool Misuse

Action-level authentication and approval; immutable logs of tool invocations

Every wrapped tool call is gated. Destructive operations escalate to a named signer with diff preview. The receipt records tool, parameters, signer, and policy.

ASI03 — Identity & Privilege Abuse

Per-action authorization; human-in-the-loop for privilege escalation

Per-action authorization is the core PP primitive. Privilege escalations always route to a human signer. Receipts include signer identity and authority chain.

ASI08 — Cascading Failures

Tamper-evident, time-stamped logs bound to cryptographic identities; non-repudiation

Receipts are tamper-evident, time-stamped to the millisecond, bound to both the signing human and the originating agent. Non-repudiation by design.

ASI10 — Rogue Agents

Signed audit logs; fresh attestation and human approval before reintegration

Every receipt is a signed audit log. A drifted agent cannot transact until a named human signs off — the receipt records exactly that re-attestation.

What every authority receipt documents.

The same evidence that satisfies your internal audit also satisfies your auditors and regulators.

Who authorized it

Named human approver or policy engine — never anonymous

What was authorized

Specific action, resource, environment — scoped, not blanket

When

Timestamp at authorization time — before execution, not after

Under which policy

Named policy version that evaluated the request

Who requested it

AI agent identity — not the operator's credentials

Cryptographic proof

Ed25519 signature verifiable independently by any enforcement point

Common compliance questions.

Does Permission Protocol provide compliance documentation for auditors?

Yes. Authority receipts are verifiable by external auditors via the verification API. Each receipt includes a stable ID, timestamp, approver identity, policy name, and cryptographic signature. We provide DPA on request and SOC 2 Type I is planned for Q3 2026.

Can we export authority receipts for audit evidence?

Yes. Receipts are exportable via API in JSON format. You can pull receipt records into your GRC platform, SIEM, or audit package. Receipts are retained for a minimum of 7 years on paid plans.

How does Permission Protocol handle the 'human in the loop' requirement?

The authorization gate requires a named human to explicitly approve each consequential action before it executes. This is enforced externally — by a GitHub required status check or SDK gate — not by a system prompt instruction the agent could reinterpret.

Is there a way to configure which actions require human approval vs. policy-engine approval?

Yes. Policy configuration lets you route action types to human review, automatic clearance, or denial. Production deploys typically require human approval; staging actions can be auto-cleared by policy. Every path produces a signed receipt.

Does this work for AI agents beyond code deployment?

Yes. The authorization gate works for any AI agent action: database mutations, API calls, financial operations, data access, multi-agent orchestration. The receipt format is the same regardless of the action type.

Get started

Talk to a compliance engineer.

We map Permission Protocol to your specific framework requirements, provide DPA, and can join your security review. Most enterprise implementations run a pilot in under two weeks.