Steward and Sync
Live — 8.3M+ TAOs minted · Zero exceptions

STS-001 · Pre-Execution Authorization

NSF I-Corps · Lehigh University 2026

No TAO, no write.

TAO — Typed Authorization Object

Not blocked by a rule.

Blocked by construction.

Steward and Sync enforces pre-execution authorization at the persistence layer, for any actor, any system, any regulated environment. Every write to a system of record requires a cryptographically signed authorization object before the write happens. No configuration setting bypasses this check; it is the architecture.

NSF I-Corps Northeast Hub · IEEE Transactions on Information Theory · Elsevier Finite Fields & Applications · USPTO · 5 Provisionals Pending · Zenodo CC BY 4.0

8.3M+ authorization decisions minted, live deployment
5 U.S. provisional patents
13.8B+ cases verified
3 papers under peer review

The Problem

Every other governance system operates after the fact.

Filters, classifiers, behavioral monitors, policy engines — they all run at the application layer and they all fire after a decision has already been made. When they catch something, the action has already been attempted. The audit log records what happened. It does not prove what was authorized before it happened.

In regulated environments — pharma, finance, critical infrastructure, defense — that distinction is the difference between compliance and liability.

AI agents are being deployed in FDA-regulated labs, financial trading systems, and critical infrastructure now. Regulators are asking a question the existing tooling cannot answer: prove that action was authorized before it executed.

The Architecture

The gate sits below the application. Below the agent. Below the pipeline.

STS-001 places the enforcement point at the persistence layer — at the moment a write is attempted, not after it succeeds. Any actor must present a valid TAO before the write proceeds.

The authorization layer is not a classifier. It is a deterministic mathematical gate, verified by exhaustive computation across 13.8 billion cases with zero exceptions. Authorization is proven before execution, or the write does not proceed.

Multi-Plane Architecture

STS-001

Governance Plane

Analogous to: QA / Regulatory Affairs

Issues TAOs. Evaluates authorization requests against policy. Produces tamper-evident receipts. Structurally isolated from the Reasoning Plane — the approver can never be the executor.

Reasoning Plane

Analogous to: Operations / Manufacturing

Where AI agents, models, human operators, and automated pipelines run. Any actor may propose an action. No actor in this plane can alter durable state directly — ever. Proposal is not authorization.

Persistence Plane

Analogous to: LIMS / EHR / System of Record

All writes to systems of record. Accepts only TAO-bearing transactions. Rejects unsigned or replayed authorization attempts below the application. Appends a cryptographic receipt to the append-only ledger before the write completes.
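The three-plane split above, as an added worked example written for this page (not Steward and Sync's own implementation; the real TAO format, signature scheme and ledger layout are not published here). A governance plane issues a TAO bound to the actor, target, operation and payload hash, with a single-use nonce and an expiry; the persistence plane is the only code path that mutates state, and it refuses anything missing, unsigned, mis-bound, expired or replayed, appending a hash-chained receipt to the ledger before the write. The class names, field names and the `demo()` scenario are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real split would need, because with a shared key the persistence plane could mint TAOs itself.

```python
import hashlib
import hmac
import json
import os

def canonical(obj):
    """Deterministic JSON so issuer and gate authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class AuthorizationError(Exception):
    """Raised by the persistence plane for any write it will not perform."""

class GovernancePlane:
    """Issues TAOs. Only this plane holds the key that makes a TAO valid."""
    def __init__(self, key):
        self._key = key

    def issue(self, actor, target, op, payload, now, ttl_s=60):
        # Policy evaluation would go here; this toy issuer approves every request.
        body = {"v": 1, "actor": actor, "target": target, "op": op,
                "payload_sha256": hashlib.sha256(payload).hexdigest(),  # binds exact bytes
                "nonce": os.urandom(16).hex(), "exp": now + ttl_s}     # single use, short-lived
        # Assumption: HMAC stands in for an asymmetric signature (a real gate would hold
        # only the governance plane's public key and so could not mint TAOs itself).
        sig = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

class Ledger:
    """Append-only, hash-chained receipts; each entry commits to its predecessor."""
    def __init__(self):
        self.entries = []

    def append(self, receipt):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "prev": prev, "receipt": receipt}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(canonical(unhashed)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

class PersistencePlane:
    """The only code path that mutates durable state. No TAO, no write."""
    def __init__(self, verify_key, ledger):
        self._key, self._ledger = verify_key, ledger
        self._seen_nonces, self.store = set(), {}

    def write(self, actor, target, op, payload, tao, now):
        if tao is None:
            raise AuthorizationError("no TAO presented")
        body, sig = tao.get("body", {}), tao.get("sig", "")
        # 1. Authenticity first, so unsigned input never touches later state.
        expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise AuthorizationError("TAO signature invalid")
        # 2. Binding: the TAO must name this actor, target, op and these exact bytes.
        if ((body["actor"], body["target"], body["op"]) != (actor, target, op)
                or body["payload_sha256"] != hashlib.sha256(payload).hexdigest()):
            raise AuthorizationError("TAO does not authorize this write")
        # 3. Freshness and single use (replay rejection).
        if now >= body["exp"]:
            raise AuthorizationError("TAO expired")
        if body["nonce"] in self._seen_nonces:
            raise AuthorizationError("TAO replayed")
        self._seen_nonces.add(body["nonce"])
        # 4. Receipt is committed to the ledger before any state changes.
        receipt = {"tao_sha256": hashlib.sha256(canonical(tao)).hexdigest(),
                   "actor": actor, "target": target, "op": op, "ts": now}
        entry = self._ledger.append(receipt)
        self.store[target] = payload   # the write itself, reachable only through the gate
        return entry

def demo():
    """Constructed scenario: one authorized write, then four rejected attempts."""
    key, now = os.urandom(32), 1_700_000_000
    gov, ledger = GovernancePlane(key), Ledger()
    db = PersistencePlane(key, ledger)
    args = ("agent-7", "batch/0042", "update", b'{"yield": 0.97}')   # constructed input
    tao = gov.issue(*args, now=now)
    out = {"authorized": db.write(*args, tao=tao, now=now)["seq"]}
    def rejected(args=args, **kw):
        try:
            db.write(*args, now=now, **kw)
        except AuthorizationError as exc:
            return str(exc)
        return "ACCEPTED"
    out["replay"] = rejected(tao=tao)                    # same TAO presented twice
    out["no_tao"] = rejected(tao=None)                   # bare write attempt
    out["unsigned"] = rejected(tao={"body": tao["body"], "sig": ""})
    out["tampered"] = rejected(args[:3] + (b'{"yield": 1.97}',),   # payload altered
                               tao=gov.issue(*args, now=now))
    out["chain_ok"], out["writes"] = ledger.verify_chain(), len(ledger.entries)
    return out
```

Calling `demo()` returns the rejection reason for each refused attempt and confirms that exactly one receipt reached the ledger. Two details matter in practice: the signature is verified before the nonce is recorded, so an attacker cannot fill the replay set with unsigned objects, and the receipt is appended before the store is touched, so the ledger can never show a write without the authorization that preceded it. `verify_chain()` is the walk an auditor would run to confirm no receipt was altered afterwards.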

The Architectural Principle

"Information flows forward. Authority does not flow back."

The system that generates an action has no standing to evaluate its own action. Authorization is defined outside the system — or it is not authorization at all. A governed gate is not a feature you add. It is a plane you separate.

Read: "The Gate Stands Outside" ↗

Regulated Environments

Any actor. Any system. Any sector.

FDA 21 CFR Part 11 · GAMP 5 · ALCOA+

Pharma & Life Sciences

Every LIMS write, batch record update, and deviation log requires a TAO. Electronic signatures are TAOs. Reviewer independence is structural, not configured.

ISA/IEC 62443 · GAMP 5 Cat 4–5

Manufacturing & MES

Process parameter changes and recipe updates are TAO-gated at the persistence layer before they reach the controller.

SR 11-7 · SOX · DORA

Financial Systems

Trade execution and ledger entries each require a cryptographically bound pre-authorization receipt. The audit trail is not a log; it is the proof.

NERC CIP · IEC 62443

Critical Infrastructure

SCADA/ICS setpoint commands are TAO-gated at the authorization layer, before the command is dispatched to the controller. No TAO, no setpoint command. Not blocked by a rule, blocked by construction.

HIPAA · HITECH · 21st Century Cures

Healthcare

EHR writes and order entry require a pre-execution TAO for every actor, human or AI. Authorization is a receipt, not an access log.

NIST AI RMF · ISO/IEC 42001 · CMMC

Defense & Government

Every privileged action produces a tamper-evident receipt before the action executes.

Research & Intellectual Property

PR1–PR5

Five U.S. Provisional Patents

STS-001 family. Architecture, TAO protocol, persistence-layer enforcement, and deterministic authorization.

IEEE · Elsevier

3 Papers Under Peer Review

Deterministic authorization research under review at IEEE Transactions on Information Theory and Elsevier Finite Fields and Their Applications.

13.8B+

Cases Verified — Zero Exceptions

The authorization structure is verified by exhaustive computation. The decision is proven, not calibrated.

Ready to make non-compliant writes structurally impossible?

We are working with a limited set of design partners in regulated industries. Tell us about your environment.

Request Briefing

NDA available upon request · Design partner engagements are confidential