Skip to main content
ENFORCEMENT EVIDENCE BOUNDARIES

Auditor-first enforcement evidence

What the enforcement boundary proves, what it does not prove, and where operator responsibility begins.

This page is written for technology risk, platform engineering, internal audit, and external reviewers. Every claim should survive the question: under what conditions is this false?

Syndicate Code is the developer-side enforcement product in the AI Syndicate portfolio. Its implementation-level claim governance artifacts live at syndicatecode.ca and include the canonical claim set, governance modes, mechanism references, gap register, and IBV boundaries: syndicatecode.ca/governance/canonical-claim-set and syndicatecode.ca/governance/modes.

Attestation status.

SOC 2 Type I

Q3 2026 target.

Penetration testing

Ongoing.

SBOM attestation

Available on request for enterprise evaluations.

Current engagement status.

Regulated financial services evaluations are active. Technical review slots remain available for teams that need enforcement boundaries, attributable evidence, and documented operator responsibility before adoption.

What the portfolio enforces.

These are enforcement outcomes within the stated scope of each control. They are not blanket promises about models, providers, or operator policy quality.

Execution control

Policy is evaluated before side-effecting actions proceed. The enforcement authority is the control plane. Gate enforces that every request reaches that authority. The execution layer enforces that no request proceeds without the authority's decision. Products fail closed when required control dependencies are unavailable.

Scope: Within product-managed execution boundaries only.

Approval binding

Approval decisions bind to the normalized action parameters. Execution is cancelled when the digest no longer matches. Parameter substitution is detectable.

Scope: Applies where approval binding is part of the execution path.

Audit evidence

Products record attributable evidence: identity, policy version, approval decision, parameters, and outcome. Evidence is hash-chained and verifiable outside the runtime.

Scope: Evidence only covers events that pass through the governed path.

Gateway financial invariants

Gate enforces database-level budget invariants at the storage layer. No double billing. No negative balances. Idempotent request deduplication.

Scope: Applies to the gateway request lifecycle and backing persistence model.

Deployment scope and guarantee boundary.

The enforcement guarantee is a topological property, not a product property. It applies where and only where the execution boundary is closed. An agent workflow that bypasses Gate, routes around Claw, or reaches the execution layer without passing through the control plane is outside the guarantee, regardless of whether other parts of the same deployment are governed.

Partial boundary closure produces partial guarantees. To re-enter the governed system, external actions must pass through the boundary. Network controls, credential management, and endpoint hardening that prevent direct execution-layer access remain the operator's responsibility. A deployment scope review is part of every technical engagement for this reason.

What the portfolio does not promise.

These non-guarantees matter as much as the guarantees. They define the boundary between product controls, residual risk, and operator responsibility.

Model behavior

AI Syndicate does not make LLM outputs deterministic, truthful, or free from hallucination.

Implication: Model quality affects manifest quality, operator review burden, and downstream risk.

Universal containment

Products do not control side-channel execution outside managed boundaries or compromised binaries running outside the governed path.

Implication: Endpoint hardening, runtime isolation, and host controls remain your responsibility.

Traffic that bypasses enforcement

Products cannot govern traffic that does not pass through the enforcement boundary.

Implication: Network and credential controls must prevent direct provider access.

Operator judgment

The system does not replace careful policy authoring, approval design, or deployment review.

Implication: Bad policies and weak governance models produce bad outcomes.

Deployment responsibility boundaries.

The trust model only makes sense when the line between product responsibility and operator responsibility is explicit.

AI Syndicate is responsible for the governed path.

Policy evaluation before execution. Approval binding to parameters. Fail-closed defaults. Audit evidence production. These are the control surfaces inside Code, Gate, and Claw.

The operator is responsible for policy quality and deployment posture.

Policy authoring, workspace design, identity boundaries, environment hardening, and network controls that force traffic through the enforcement boundary. Governance only covers what passes through it.

The underlying model and provider remain separate trust domains.

Upstream providers, model behavior, and external billing systems are outside AI Syndicate control. The portfolio governs the request path around them. It does not certify provider correctness or billing accuracy.

Threat model summary.

Prompt injection

Mitigated by separating prompt payload from execution manifest. Claw executes control-plane-signed manifests rather than raw LLM output. Residual risk remains for novel multi-turn attacks.

Data exfiltration

Gate can enforce schema masking and detect known secret patterns, but subtle or novel exfiltration techniques remain a residual risk.

Replay attacks

Mitigated through nonces and TTL-bound control-plane signatures so captured permits cannot be replayed indefinitely.

Approval argument substitution

Approval tokens can bind to the SHA-256 digest of the normalized action manifest so execution is cancelled when runtime arguments diverge from what was approved.

Policy decomposition

Stateful policy tracking can reduce multi-step decomposition attacks within a governed session. Slow-burn or cross-session decomposition remains a residual risk.

Headless checkpoint bypass

Governance-suspended execution is an explicit operating mode, not an implicit bypass. Policy can prohibit it, and the system records governance mode and lineage when it is used.

System-level failure modes.

Control plane unavailable

Fails closed for new governed actions. Existing permits may execute until TTL expiration, but new execution signatures are not issued.

Audit chain corruption

Fails closed for new execution signatures. Provenance is treated as lost until the chain is verified and human intervention occurs.

Signing secret compromised

Active permits and reusable grants must be revoked, signing material must be rotated, and trust re-established before normal operation resumes.

Policy engine unavailable

Affected governed execution paths fail closed and require human intervention to resume.

Redis unavailable in Gate

Semantic caching is bypassed and rate limiting may deny requests in strict mode when the limiter cannot evaluate safely.

Governance-suspended prohibited by policy

Session start fails closed, the rejection is audited, and the run does not begin.

Relevant external references.

AI Syndicate is not claiming certification or compliance on the basis of these publications. They are useful reference points for how we describe control boundaries, evidence quality, and residual risk.

Need to evaluate the boundary against your environment?

We can walk through your control points, operator responsibilities, approval model, policy versions, and residual risks in a technical review.

Assess AI Execution Risk

PROOF AND VERIFICATION

Every claim above has corresponding proof. The following artifacts demonstrate the mechanisms:

Each proof page shows the mechanism, the verification method, and the boundary of what the proof demonstrates.