Compliance & governance
The authorization layer regulators are starting to require.
OWASP Agentic Top 10, NIST AI RMF, SOC 2, ISO 27001, and the EU AI Act all point to the same gap: AI agents taking consequential actions without verifiable human authorization. Permission Protocol closes that gap with signed authority receipts — proof that a human approved the action before it ran.
The compliance argument
“Human in the loop” is an architecture claim. An authority receipt is evidence.
Regulators and auditors are asking the same question: when an AI agent takes a consequential action, what proves a human authorized it? “We had HITL in the system design” is not an answer. A signed, timestamped, verifiable receipt naming the approver and the specific action is.
NIST AI Risk Management Framework
GOVERN: Establish accountability for AI actions and decisions
Every authority receipt names the approver, the policy, and the specific action — creating an immutable accountability record outside the agent's control.
MANAGE: Implement human oversight for consequential AI decisions
The authorization gate requires a named human to explicitly approve each consequential action before it executes. Fail-closed by design.
MEASURE: Track and audit AI system behavior
Receipt audit trail provides per-action records: actor, action, resource, approver, policy, timestamp, cryptographic signature.
SOC 2 Type II
CC6 — Logical Access: Control and monitor access to production systems
Authorization receipts enforce that AI agents cannot reach production without an explicit human approval. The gate is enforced by branch protection — not a system prompt.
CC7 — Change Management: Authorize and document production changes
Each production change initiated by an AI agent produces a signed receipt documenting who authorized it. Unsigned changes are blocked at the enforcement point.
CC4 — Monitoring: Maintain audit evidence for security controls
Receipt IDs are stable, resolvable, and retained for a minimum of 7 years. Auditors can verify any receipt independently via the verification API.
ISO/IEC 27001
A.9 — Access Control: Restrict access to information and systems
AI agents are treated as untrusted actors requiring explicit per-action authorization — not persistent privileged access. Authorization is action-scoped and time-limited.
A.12 — Operations Security: Control operational changes and prevent unauthorized activity
Deploy gates and data mutation gates enforce that no AI-initiated production operation proceeds without a prior signed receipt.
A.16 — Incident Management: Document and respond to information security incidents
When an AI agent action causes an incident, the authority receipt provides an exact forensic record: who authorized it, what they saw, and when.
EU Artificial Intelligence Act
Article 14 — Human Oversight: High-risk AI systems must allow human oversight and intervention
Every consequential action by an AI agent requires a human authorization receipt before execution. The oversight is not advisory — it is enforced at the infrastructure level.
Article 12 — Record Keeping: Maintain logs sufficient to assess compliance
Authority receipts are signed, portable, and verifiable. They constitute contemporaneous records of human authorization decisions, not reconstructed audit logs.
Article 9 — Risk Management: Implement risk management systems for AI
Consequence-aware policy evaluates each AI action as cleared, approval_required, or denied before execution. High-impact actions escalate to human review automatically.
OWASP Top 10 for Agentic Applications (2026)
ASI02 — Tool Misuse: Action-level authentication and approval; immutable logs of tool invocations
Every wrapped tool call is gated. Destructive operations escalate to a named signer with diff preview. The receipt records tool, parameters, signer, and policy.
ASI03 — Identity & Privilege Abuse: Per-action authorization; human-in-the-loop for privilege escalation
Per-action authorization is the core Permission Protocol primitive. Privilege escalations always route to a human signer. Receipts include signer identity and authority chain.
ASI08 — Cascading Failures: Tamper-evident, time-stamped logs bound to cryptographic identities; non-repudiation
Receipts are tamper-evident, time-stamped to the millisecond, bound to both the signing human and the originating agent. Non-repudiation by design.
ASI10 — Rogue Agents: Signed audit logs; fresh attestation and human approval before reintegration
Every receipt is a signed audit log. A drifted agent cannot transact until a named human signs off — the receipt records exactly that re-attestation.
What every authority receipt documents.
The same evidence that satisfies your internal audit also satisfies your auditors and regulators.
Who authorized it
Named human approver or policy engine — never anonymous
What was authorized
Specific action, resource, environment — scoped, not blanket
When
Timestamp at authorization time — before execution, not after
Under which policy
Named policy version that evaluated the request
Who requested it
AI agent identity — not the operator's credentials
Cryptographic proof
Ed25519 signature verifiable independently by any enforcement point
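The checks these fields imply at an enforcement point, as an added example (not Permission Protocol's code, receipt format or API): the field names, the JSON canonicalization and the 15-minute validity window are assumptions made for illustration. It verifies the Ed25519 signature, binds the receipt to the exact requested action, and denies on any failure.

```javascript
// Fail-closed receipt check at an enforcement point (illustrative sketch).
// Receipt layout and canonicalization are assumptions, not the product's format.
const crypto = require('node:crypto');

const MAX_AGE_MS = 15 * 60 * 1000; // assumed validity window for an approval
// Fixed field order so signer and verifier serialize identical bytes.
const FIELDS = ['id', 'agent', 'action', 'resource', 'environment', 'approver', 'policy', 'authorizedAt'];
const canonical = (r) => JSON.stringify(FIELDS.map((f) => [f, r[f]]));

function signReceipt(fields, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(fields)), privateKey);
  return { ...fields, signature: sig.toString('base64') };
}

// Returns {allow, reason}. Any missing field, error or mismatch denies.
function checkReceipt(receipt, request, publicKey, now) {
  try {
    if (!receipt || FIELDS.some((f) => typeof receipt[f] !== 'string' || !receipt[f]))
      return { allow: false, reason: 'missing field' };
    const ok = crypto.verify(null, Buffer.from(canonical(receipt)), publicKey,
      Buffer.from(String(receipt.signature), 'base64'));
    if (!ok) return { allow: false, reason: 'bad signature' };
    // Scope: the receipt must name this exact action, not a blanket grant.
    for (const f of ['agent', 'action', 'resource', 'environment'])
      if (receipt[f] !== request[f]) return { allow: false, reason: `scope mismatch: ${f}` };
    const t = Date.parse(receipt.authorizedAt);
    if (Number.isNaN(t) || t > now) return { allow: false, reason: 'not authorized before execution' };
    if (now - t > MAX_AGE_MS) return { allow: false, reason: 'expired' };
    return { allow: true, reason: 'ok' };
  } catch (e) {
    return { allow: false, reason: 'verification error' };
  }
}

// Constructed sample data: throwaway key pair, made-up identities and IDs.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const NOW = Date.parse('2026-01-15T12:05:00.000Z');
const request = { agent: 'agent:deploy-bot', action: 'deploy', resource: 'repo:payments-api', environment: 'production' };
const receipt = signReceipt({ id: 'rcpt_example_0001', ...request, approver: 'alice@example.com',
  policy: 'prod-deploy@v3', authorizedAt: '2026-01-15T12:00:00.000Z' }, privateKey);
const demo = () => ({
  valid: checkReceipt(receipt, request, publicKey, NOW),
  tampered: checkReceipt({ ...receipt, approver: 'mallory@example.com' }, request, publicKey, NOW),
  widened: checkReceipt(receipt, { ...request, resource: 'repo:billing-db' }, publicKey, NOW),
  stale: checkReceipt(receipt, request, publicKey, NOW + MAX_AGE_MS + 1),
  unsigned: checkReceipt({ ...receipt, signature: undefined }, request, publicKey, NOW),
});
console.log(demo());
```

An auditor replaying an exported receipt would run the same signature check with the execution time taken from the deployment log instead of the current clock.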
Common compliance questions.
Does Permission Protocol provide compliance documentation for auditors?
Yes. Authority receipts are verifiable by external auditors via the verification API. Each receipt includes a stable ID, timestamp, approver identity, policy name, and cryptographic signature. We provide a DPA on request, and SOC 2 Type I is planned for Q3 2026.
Can we export authority receipts for audit evidence?
Yes. Receipts are exportable via API in JSON format. You can pull receipt records into your GRC platform, SIEM, or audit package. Receipts are retained for a minimum of 7 years on paid plans.
How does Permission Protocol handle the 'human in the loop' requirement?
The authorization gate requires a named human to explicitly approve each consequential action before it executes. This is enforced externally — by a GitHub required status check or SDK gate — not by a system prompt instruction the agent could reinterpret.
Is there a way to configure which actions require human approval vs. policy-engine approval?
Yes. Policy configuration lets you route action types to human review, automatic clearance, or denial. Production deploys typically require human approval; staging actions can be auto-cleared by policy. Every path produces a signed receipt.
Does this work for AI agents beyond code deployment?
Yes. The authorization gate works for any AI agent action: database mutations, API calls, financial operations, data access, multi-agent orchestration. The receipt format is the same regardless of the action type.
Get started
Talk to a compliance engineer.
We map Permission Protocol to your specific framework requirements, provide a DPA, and can join your security review. Most enterprise implementations run a pilot in under two weeks.