Agents act. The runtime decides what they're allowed to do.
Autonomy without governance is liability at machine speed. Summit's agent runtime is deny-by-default: every tool call is policy-checked before it executes, every sensitive action requires structured approval, and every run can be replayed exactly — including air-gapped.
Default deny, at the tool boundary
The tool boundary is where agent intent becomes real-world effect — so that is where governance lives. No tool call executes until policy admits it.
- Gated tool access. Every tool invocation — file writes, network calls, deployments, external APIs — passes through a policy gateway. The default verdict is DENY; capability must be granted, scoped, and recorded.
- Rule of Two. Sensitive actions require a second, independent approval before execution — a structured check, not a rubber stamp, with both verdicts captured in the evidence chain.
- Every denial is evidence. Blocked calls are not silent failures. Each verdict — admit or deny — lands in the audit record with the rule that produced it.
- agent
- release-orchestrator.3
- tool-call
- deploy.production
- policy
- rule-of-two · second approval absent
- verdict
- DENY · execution blocked
- recorded
- evidence chain · signed
fig. 1 — a blocked tool call. the denial is part of the record.
Memory you can defend
Agent memory is an attack surface. Whatever an agent reads can steer what it does next — so material earns influence through explicit trust states, and roles stay isolated.
Explicit trust states
Poisoning resistance
Role isolation
Replayable runs, gated releases
Governance that cannot be demonstrated after the fact is just configuration. Every agent run is reconstructable, and nothing ships without passing its gates.
Deterministic replay
Release gates
Govern one fleet. Prove it worked.
The 10-day pilot puts a real agent workflow under the runtime — gated tools, trust-stated memory, full replay — and finishes with findings in writing.