# IRONGATE - Product Sheet

**Verifiable authorization checkpoint for AI agents.**
Article 11 AI Inc. - Wyoming C-Corp - SDVOSB/VOSB - CAGE and UEI available on request

---

### What you buy
A deterministic control plane with an authorization checkpoint for an AI agent's consequential actions. When an
orchestrator routes a public claim, external send, configuration change, key rotation, or deletion through IRONGATE,
the action must present **cryptographic human authorization** and **real evidence** - or the checkpoint refuses it.
Allowed actions can be recorded on an independent, hash-linked ledger (IRONLEDGER) that an outside party can verify.

**Enforcement model:** today IRONGATE is an orchestrator-invoked checkpoint. Inline runtime
enforcement inside the agent harness remains roadmap.

### The one-sentence value
*Prove a human authorized each consequential AI action routed through the checkpoint - and prove the evaluator did
not accept unsupported authority.*

### Why now
On March 31, 2026 the leaked source of a major AI coding agent revealed an "Undercover Mode": an agent told to
contribute publicly without disclosing it was an AI. Autonomous agents are shipping faster than the controls that
bound them. Buyers in regulated and federal environments need oversight that is **verifiable**, not promised.

### What it does (verified, today)
- **Human-key authorization (Ed25519).** Consequential actions require an artifact signed by a human-held key.
  The private key never touches any AI system. Single Bridge signer today; multi-party quorum and hardware-token
  custody are roadmap.
- **Deny-by-default, evidence-bound evaluation.** Controls resolve from real evidence; a caller cannot assert a
  control with a string; unknown actions are denied by default when routed through the checkpoint.
- **Action-to-control registry.** Each class of action (public claim, trust-root change, external send, key rotation,
  route deletion, hard delete) maps to the controls it requires.
- **Unconditional prohibitions.** Irreversible-destruction actions are never unlockable by approvals.
- **Tamper-evidence.** Any change to a signed authorization breaks the signature and the action is refused.
- **Auditable record.** Allowed actions are written to IRONLEDGER; the verdict is independently reproducible.
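
A minimal sketch of the checkpoint logic described in the list above, as an added example; it is not IRONGATE's code. The control names, the registry contents, the `irreversible_destroy` action and the signed-message encoding (action, SHA-256 of the evidence, payload) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)
type Request struct {
	Action            string
	Payload, Evidence []byte // what the human approved; the artifact it rests on
	Signature         []byte // Ed25519 over SignedBytes(r)
}
// SignedBytes binds action, evidence digest and payload (assumed encoding): any change breaks the signature.
func SignedBytes(r Request) []byte {
	d := sha256.Sum256(r.Evidence)
	return append(append([]byte(r.Action+"\n"), d[:]...), r.Payload...)
}
// Controls are computed by the checkpoint; Request has no field to claim one.
var controls = map[string]func(ed25519.PublicKey, Request) bool{
	"human_signature": func(pub ed25519.PublicKey, r Request) bool {
		return ed25519.Verify(pub, SignedBytes(r), r.Signature)
	},
	"evidence_present": func(_ ed25519.PublicKey, r Request) bool { return len(r.Evidence) > 0 },
}
// Constructed registry (hypothetical names): action class -> required controls.
var registry = map[string][]string{"public_claim": {"human_signature", "evidence_present"}}
var prohibited = map[string]bool{"irreversible_destroy": true} // never unlockable

// Evaluate returns ALLOW only when every required control resolves true.
func Evaluate(pub ed25519.PublicKey, r Request) (verdict, reason string) {
	if prohibited[r.Action] {
		return "DENY", "prohibited"
	}
	required, known := registry[r.Action]
	if !known {
		return "DENY", "unknown action"
	}
	for _, name := range required {
		if check, ok := controls[name]; !ok || !check(pub, r) {
			return "DENY", "control failed: " + name
		}
	}
	return "ALLOW", "all controls satisfied"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	r := Request{Action: "public_claim", Payload: []byte("publish v1"), Evidence: []byte("build log")}
	r.Signature = ed25519.Sign(priv, SignedBytes(r))
	fmt.Println(Evaluate(pub, r))
}
```

Signing happens outside `Evaluate`; the checkpoint holds only the public key, so a valid request can come only from whoever holds the private key.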

### Proof (not a slide - run it)
- Live demo reproduces, against the real modules: deny-by-default -> allow-on-valid-signature ->
  tamper-rejected -> honest capability board.
- First production use: on 2026-05-31 a real public-claim change (publishing the company's public proof surface)
  was carried end-to-end by a Bridge signature; both the signature verifier and the evidence-bound evaluator
  returned ALLOW. Authorization id on file.
- The public proof surface is live now: an IRONLEDGER verify endpoint, a downloadable independent verifier, and an
  auditor guide - so a buyer can check the record without trusting our word.

### Honest maturity (we tell you what is not built)
Working core today: human-key authorization, deny-by-default evaluation, action registry, prohibitions, tamper-evidence,
audit record. On the roadmap and labeled as such by the product itself: multi-party quorum, hardware-token key
custody (YubiKey + Shamir backup), a mandatory-dissenter block channel, and inline runtime enforcement inside the
agent harness. The capability board prints "UNVERIFIABLE" for any control it does not yet have.

### Alignment
Designed to support human-oversight and traceability expectations (e.g. NIST AI RMF GOVERN / MANAGE functions).
This is a control plane you operate and audit - not a certification or a guarantee.

### Licensing / engagement
The governance layer is CC0 (public domain) - fork it and run it. Engagements: integration into an existing agent
stack, a hosted verification/assurance surface for auditors and buyers, and continuity/escrow of the control plane.

### Contact
Article 11 AI Inc. - EIN and SAM.gov UEI available on request - article11.ai

*Safety that lives in infrastructure survives. You cannot fire a Constitution, and unsupported authority should fail
at the checkpoint.*
