Auditor-first enforcement evidence
What the enforcement boundary proves, what it does not prove, and where operator responsibility begins.
This page is written for technology risk, platform engineering, internal audit, and external reviewers. Every claim should survive the question: under what conditions is this false?
Syndicate Code is the developer-side enforcement product in the AI Syndicate portfolio. Its implementation-level claim governance artifacts live at syndicatecode.ca and include the canonical claim set, governance modes, mechanism references, gap register, and IBV boundaries: syndicatecode.ca/governance/canonical-claim-set and syndicatecode.ca/governance/modes.
Attestation status.
SOC 2 Type I
Q3 2026 target.
Penetration testing
Ongoing.
SBOM attestation
Available on request for enterprise evaluations.
Current engagement status.
Regulated financial services evaluations are active. Technical review slots remain available for teams that need enforcement boundaries, attributable evidence, and documented operator responsibility before adoption.
What the portfolio enforces.
These are enforcement outcomes within the stated scope of each control. They are not blanket promises about models, providers, or operator policy quality.
Execution control
Policy is evaluated before side-effecting actions proceed. The enforcement authority is the control plane. Gate enforces that every request reaches that authority. The execution layer enforces that no request proceeds without the authority's decision. Products fail closed when required control dependencies are unavailable.
Scope: Within product-managed execution boundaries only.
Approval binding
Approval decisions bind to the normalized action parameters. Execution is cancelled when the digest no longer matches. Parameter substitution is detectable.
Scope: Applies where approval binding is part of the execution path.
Audit evidence
Products record attributable evidence: identity, policy version, approval decision, parameters, and outcome. Evidence is hash-chained and verifiable outside the runtime.
Scope: Evidence only covers events that pass through the governed path.
Gateway financial invariants
Gate enforces database-level budget invariants at the storage layer. No double billing. No negative balances. Idempotent request deduplication.
Scope: Applies to the gateway request lifecycle and backing persistence model.
| Area | Enforced outcome | Scope |
|---|---|---|
| Execution control | Policy is evaluated before side-effecting actions proceed. The enforcement authority is the control plane. Gate enforces that every request reaches that authority. The execution layer enforces that no request proceeds without the authority's decision. Products fail closed when required control dependencies are unavailable. | Within product-managed execution boundaries only. |
| Approval binding | Approval decisions bind to the normalized action parameters. Execution is cancelled when the digest no longer matches. Parameter substitution is detectable. | Applies where approval binding is part of the execution path. |
| Audit evidence | Products record attributable evidence: identity, policy version, approval decision, parameters, and outcome. Evidence is hash-chained and verifiable outside the runtime. | Evidence only covers events that pass through the governed path. |
| Gateway financial invariants | Gate enforces database-level budget invariants at the storage layer. No double billing. No negative balances. Idempotent request deduplication. | Applies to the gateway request lifecycle and backing persistence model. |
Deployment scope and guarantee boundary.
The enforcement guarantee is a topological property, not a product property. It applies where and only where the execution boundary is closed. An agent workflow that bypasses Gate, routes around Claw, or reaches the execution layer without passing through the control plane is outside the guarantee, regardless of whether other parts of the same deployment are governed.
Partial boundary closure produces partial guarantees. To re-enter the governed system, external actions must pass through the boundary. Network controls, credential management, and endpoint hardening that prevent direct execution-layer access remain the operator's responsibility. A deployment scope review is part of every technical engagement for this reason.
What the portfolio does not promise.
These non-guarantees matter as much as the guarantees. They define the boundary between product controls, residual risk, and operator responsibility.
Model behavior
AI Syndicate does not make LLM outputs deterministic, truthful, or free from hallucination.
Implication: Model quality affects manifest quality, operator review burden, and downstream risk.
Universal containment
Products do not control side-channel execution outside managed boundaries or compromised binaries running outside the governed path.
Implication: Endpoint hardening, runtime isolation, and host controls remain your responsibility.
Traffic that bypasses enforcement
Products cannot govern traffic that does not pass through the enforcement boundary.
Implication: Network and credential controls must prevent direct provider access.
Operator judgment
The system does not replace careful policy authoring, approval design, or deployment review.
Implication: Bad policies and weak governance models produce bad outcomes.
| Area | Non-guarantee | Implication |
|---|---|---|
| Model behavior | AI Syndicate does not make LLM outputs deterministic, truthful, or free from hallucination. | Model quality affects manifest quality, operator review burden, and downstream risk. |
| Universal containment | Products do not control side-channel execution outside managed boundaries or compromised binaries running outside the governed path. | Endpoint hardening, runtime isolation, and host controls remain your responsibility. |
| Traffic that bypasses enforcement | Products cannot govern traffic that does not pass through the enforcement boundary. | Network and credential controls must prevent direct provider access. |
| Operator judgment | The system does not replace careful policy authoring, approval design, or deployment review. | Bad policies and weak governance models produce bad outcomes. |
Deployment responsibility boundaries.
The trust model only makes sense when the line between product responsibility and operator responsibility is explicit.
AI Syndicate is responsible for the governed path.
Policy evaluation before execution. Approval binding to parameters. Fail-closed defaults. Audit evidence production. These are the control surfaces inside Code, Gate, and Claw.
The operator is responsible for policy quality and deployment posture.
Policy authoring, workspace design, identity boundaries, environment hardening, and network controls that force traffic through the enforcement boundary. Governance only covers what passes through it.
The underlying model and provider remain separate trust domains.
Upstream providers, model behavior, and external billing systems are outside AI Syndicate control. The portfolio governs the request path around them. It does not certify provider correctness or billing accuracy.
Threat model summary.
Mitigated by separating prompt payload from execution manifest. Claw executes control-plane-signed manifests rather than raw LLM output. Residual risk remains for novel multi-turn attacks.
Gate can enforce schema masking and detect known secret patterns, but subtle or novel exfiltration techniques remain a residual risk.
Mitigated through nonces and TTL-bound control-plane signatures so captured permits cannot be replayed indefinitely.
Approval tokens can bind to the SHA-256 digest of the normalized action manifest so execution is cancelled when runtime arguments diverge from what was approved.
Stateful policy tracking can reduce multi-step decomposition attacks within a governed session. Slow-burn or cross-session decomposition remains a residual risk.
Governance-suspended execution is an explicit operating mode, not an implicit bypass. Policy can prohibit it, and the system records governance mode and lineage when it is used.
System-level failure modes.
Fails closed for new governed actions. Existing permits may execute until TTL expiration, but new execution signatures are not issued.
Fails closed for new execution signatures. Provenance is treated as lost until the chain is verified and human intervention occurs.
Active permits and reusable grants must be revoked, signing material must be rotated, and trust re-established before normal operation resumes.
Affected governed execution paths fail closed and require human intervention to resume.
Semantic caching is bypassed and rate limiting may deny requests in strict mode when the limiter cannot evaluate safely.
Session start fails closed, the rejection is audited, and the run does not begin.
Relevant external references.
AI Syndicate is not claiming certification or compliance on the basis of these publications. They are useful reference points for how we describe control boundaries, evidence quality, and residual risk.
NIST AI Risk Management Framework 1.0
Useful for governance, risk, and accountability framing.
Opens in a new tab.
NIST SP 800-53 Rev. 5
Relevant for control-family thinking around system security and auditability.
Opens in a new tab.
OWASP Top 10 for LLM Applications
Useful for threat categories such as prompt injection and data leakage.
Opens in a new tab.
Need to evaluate the boundary against your environment?
We can walk through your control points, operator responsibilities, approval model, policy versions, and residual risks in a technical review.
Assess AI Execution RiskPROOF AND VERIFICATION
Every claim above has corresponding proof. The following artifacts demonstrate the mechanisms:
Each proof page shows the mechanism, the verification method, and the boundary of what the proof demonstrates.