You can't see them
Agents spawn children, call APIs, and message each other over buses that never touch your HTTP gateway. The fleet you know about is smaller than the fleet you run.
Every agent gets a cryptographic identity. Every intent is policy-checked before it executes — not logged after. Every decision lands on an immutable chain.
DNA IDs
Agent identity
10/10
CISA/NSA controls
6+
Cloud providers
< 1 ms
Ledger write p99
The gap
“How will I know what my agent was doing?” is the question every enterprise is asking. The honest answer, today, is three gaps wide.
Agents spawn children, call APIs, and message each other over buses that never touch your HTTP gateway. The fleet you know about is smaller than the fleet you run.
Your agent policy is a document. Agents don't read documents. Nothing at runtime stands between an agent's intent and the payment rail, the database, or the outbound network.
When the regulator asks what your agent did on March 14th, a grep through mutable application logs is not an answer. You need a record that can't be edited after the fact.
Sumway's answer
Blocked before it happened. Proven after.
How it works
Sumway wraps every agent action in a four-stage pipeline — register, classify, enforce, and chain — so no intent escapes the audit trail.
An agent declares its identity, owner, jurisdiction, capabilities, and system prompt. It receives a DNA ID and enters PENDING state — it cannot act until a human approves it.
The agent submits a natural-language intent to the Sumway kernel. The kernel classifies the intent and checks it against the agent's declared capability bounds.
Permitted intents execute. Blocked intents are rejected before any API call, payment, or state change fires — with the reason written to ledger at the moment of decision.
Every outcome is hashed over its content plus the previous entry's hash, then replicated to your cloud store. The audit trail is complete, immutable, and independently verifiable.
Use cases
Bulk Payroll Agent
> run payroll batch — 02:14, outside approved window
✗ BLOCKED · 1ms · reason recorded
Without Sumway
4,000 salary payments fire at 2am. You find out when the bank calls.
With Sumway
The intent never reached the payment rail. Ledger entry written at decision time; approver notified.
FX Rate Agent
> override FX rate to 1.42 manually
✗ BLOCKED · 1ms · reason recorded
Without Sumway
A mispriced conversion books at the wrong rate. The exception report lands next quarter.
With Sumway
Rate overrides aren't in the agent's capability set. Fail-closed rejection, reason recorded in the hash-chained ledger.
AML Monitor
> structuring pattern — $9,800 × 8 deposits
▲ ESCALATED · 4ms · reason recorded
Without Sumway
The pattern sits in a log file until the monthly review — or the regulator finds it first.
With Sumway
High-risk classification escalates to a human approver. Nothing executes until sign-off.
x402 agentic payments
Sumway speaks x402 — the HTTP 402 payment protocol — natively, on both sides of the transaction. Your agents can buy paid APIs under kernel-enforced spend ceilings, and your services can charge other agents for access. Every payment is signed by the kernel, settled in USDC, and recorded in the same hash-chained ledger as everything else.
Agents request payments; the gateway signs EIP-3009 USDC authorizations after policy checks. Agents never receive the signing key; production deployments require managed or HSM-backed custody.
Per-agent caps enforced at the kernel with atomic spend reservations — no race can push an agent past its ceiling, ever.
Put any API, dataset, or agent service behind HTTP 402. Settle-before-serve: no settled payment and audit record, no content.
Optional verification of a signed agent request before settlement. Binding an agent identity to the settling payer address is a planned control.
Prepaid credits for repeat buyers, with a revenue endpoint that reports earnings — every sale written to the same hash-chained ledger.
Buy-side kernel caps plus ranked provider selection — your agents automatically pay the cheapest qualifying seller.
Why Sumway
Observability tells you what happened. Guardrails filter what models say. Sandboxes limit where code runs. None of them stand between an agent's intent and the action — Sumway does, inline, before execution.
| Observability | LLM guardrails | Sandboxes | Sumway | |
|---|---|---|---|---|
| When it acts | After the fact | At the prompt | At the process | Before execution |
| What it governs | What agents did | What models say | Where code runs | What agents may do |
| Blocked actions | Alerts you later | Filters text only | Can't read intents | Fail-closed at the kernel |
| Agent identity | Trace IDs at best | None | Process IDs | Ed25519 DNA IDs |
| Audit evidence | Mutable logs | None | None | SHA-256 hash chain |
Cryptographic audit chain
Each ledger entry is hashed with SHA-256 over its full content plus the previous entry's hash. A single bit change anywhere in history cascades into every downstream hash — making forgery detectable by any party with read access, including regulators.
Agent registers: Outbound Payment Agent
prev: 000000000000
a3f9c2d8e1b4…Intent: initiate $12,500 wire transfer
prev: a3f9c2d8e1b4
b7e1a4f2c9d3…Intent: override FX rate to 1.42 manually
prev: b7e1a4f2c9d3
c8d3b6e1f2a4…Intent: query payment status TX-8821
prev: c8d3b6e1f2a4
d1a9e5c3b7f2…Chain intact · 4 entries · head: d1a9e5c3b7f2…
Sumway Ledger
AWS S3
Google Cloud
Azure Blob
Cloudflare R2
MinIO
Any S3-compatible
All endpoints speak s3:// — switch providers without changing your code
Cloud agnostic
Data sovereignty requirements differ by jurisdiction. Sumway exposes a standard S3-compatible replication layer so your audit trail lands in the cloud region your compliance team approved — not ours.
Platform capabilities
Sandboxing limits where agents run. Sumway governs what they are allowed to intend.
Every agent carries a cryptographic DNA ID, a declared owner, a parent-child lineage, and explicit capability bounds. You always know who an agent is, who authorised it, and whether it is still trusted to act.
The kernel intercepts every agent intent before execution. Blocked actions never reach an API, payment rail, or database — the policy check happens at the kernel boundary, not the application layer.
A heuristic scanner inspects every intent for role-override patterns, jailbreak keywords, exfiltration commands, and embedded instruction markers. Suspicious content is quarantined before any downstream execution.
Per-session profiling tracks action history, out-of-role requests, policy escalation probes, and read→network exfiltration sequences. Fatal anomalies terminate the session and cascade-kill all child agents.
An HTTP CONNECT proxy enforces per-agent outbound allowlists on every kernel. Kernel ≥ 6.7 also applies Landlock v4 TCP rules at the syscall layer — two independent enforcement points.
Parent agents sign child spawn requests with Ed25519. Children inherit a capability subset — never more than the parent holds. Revoking a parent cascade-terminates every descendant in the lineage tree.
Watch every decision as it happens — allowed, blocked, or escalated — with classification, latency, and policy reason. Not a report tomorrow morning. Live, at decision time.
Every ledger entry cryptographically links to the previous one. Tamper any record and the entire downstream chain breaks — giving auditors mathematical proof of integrity without a trusted intermediary.
Replicate to AWS S3, Google Cloud, Azure Blob, or Cloudflare R2 — whatever your risk team approved. Data sovereignty built in. Switch providers without changing a single line of runtime code.
The CISA/NSA/Five Eyes joint guidance on deploying AI agents securely defines ten controls. Sumway maps its implementation to those controls; this is not a certification or compliance attestation.
Agent Identity & Authentication
Ed25519 DNA IDs — cryptographic identity declared at registration, verified on every call.
Least Privilege & Capability Bounding
Declared capability set enforced at the kernel; child agents can never exceed parent permissions.
Human Oversight & Approval Workflows
High-risk intents escalate to human approvers; the kernel blocks execution until explicit approval arrives.
Immutable Audit Trail
SHA-256 hash-chained ledger written at decision time — allow or block — replicated to your cloud store.
Prompt Injection Defence
Heuristic scanner detects role-override, jailbreak, exfiltration, and embedded instruction patterns in every intent.
Behavioural Anomaly Detection
Per-session profiling flags out-of-role actions, escalation probing, and storage→network exfil sequences.
Network Isolation
HTTP CONNECT proxy + Landlock v4 TCP rules enforce agent outbound allowlists at two independent layers.
Multi-Agent Trust & Spawn Signing
Parent signs child spawns with Ed25519; cascade termination propagates to all descendants on revocation.
Credential & Secret Isolation
Ambient credential scrubber strips API keys, tokens, and secrets from every agent subprocess environment.
Secure Supply Chain
Agent registry enforces owner declaration, system-prompt hash, and jurisdiction — signed at registration.
Reference: CISA/NSA/ACSC/NCSC/CCCS/GCSB/NCSC-NZ joint guidance — “Deploying AI Systems Securely” (2025). Talk to us →
Built for oversight
Compliance teams and regulators shouldn't need to SSH into a server. Sumway ships a dedicated portal with fleet-level visibility across all agents and organisations, chain integrity checks, and blocked intent timelines — read-only, zero trust dependency required.
Agent Fleet
CapitalPay Orchestrator
Stratus Capital
Bulk Payroll Agent
Stratus Capital
AML Monitor
RiskShield AI
KYC Document Validator
RiskShield AI
Jurisdiction ready
Every audit trail is independently verifiable — if your regulator can read S3, they can verify your chain. No trusted intermediary. No site visit.
Prudential authority standards
WORM electronic records retention
Protection of Personal Information
Records of processing activities
FSP conduct & reporting
Transaction reporting & audit trail
AI & digital finance guidelines
Digital operational resilience
Digital payment audit requirements
Information security controls
Consumer protection compliance
Trust services audit evidence
Fintech regulatory sandbox
Cardholder data audit trail
Capital markets oversight
Operational risk data requirements
Don't see your jurisdiction? The audit chain is standard SHA-256 — any regulator with S3 read access can verify independently. Talk to us →
Private deployment
Sumway is in private deployment with a select group of organisations and regulators. We're working directly with compliance and engineering teams to shape the governance standard for AI agents in production.
Enterprises — Deploy AI agents with provable governance from day one — identity, policy, and audit trail built into the runtime.
Fintechs — Ship AI-driven payment and decision features with a compliance record that satisfies regulators without custom tooling.
Regulators — Audit any supervised organisation without site visits — just S3 read access and the chain verifier.
Compliance teams — Generate evidence on demand for SOC 2, ISO 27001, and jurisdiction-specific submissions.
Response time
1 business day
Every enquiry is reviewed by an engineer, not a sales bot.
The governance kernel for the agentic era
Sumway gives every agent a cryptographic identity, a policy boundary, and an immutable audit trail — enforced at the kernel level before anything executes.