The governance kernel for AI agents

Agents act.
Sumway decides
if they should.

Every agent gets a cryptographic identity. Every intent is policy-checked before it executes — not logged after. Every decision lands on an immutable chain.

LIVE · Sumway Governance Feed
kernel :7070
Outbound Payment Agent$12,500 wire → Acme Vendors LLCALLOWED2ms
Bulk Payroll AgentPayroll run outside approved windowBLOCKED1ms
Transaction Fraud DetectorTX-8821 scored: low riskALLOWED3ms
FX Rate AgentOverride FX rate to 1.42 manuallyBLOCKED1ms
Claims ProcessorCLM-8821 GP consultation approvedALLOWED2ms
AML MonitorStructuring alert: $9,800 ×8 depositsBLOCKED4ms
Inbound ReconcilerSWIFT MT103 $45,000 — matchedALLOWED2ms
Data Export AgentBulk export → unlisted endpointBLOCKED1ms
KYC Document ValidatorPassport doc-check: PASSALLOWED3ms
Support CopilotRead customer PII outside sessionBLOCKED1ms
Treasury Sweep AgentEOD sweep $210,000 → call accountALLOWED2ms
Vendor Onboarding AgentSpawn child with elevated capsBLOCKED1ms
Outbound Payment Agent$12,500 wire → Acme Vendors LLCALLOWED2ms
Bulk Payroll AgentPayroll run outside approved windowBLOCKED1ms
Transaction Fraud DetectorTX-8821 scored: low riskALLOWED3ms
FX Rate AgentOverride FX rate to 1.42 manuallyBLOCKED1ms
Claims ProcessorCLM-8821 GP consultation approvedALLOWED2ms
AML MonitorStructuring alert: $9,800 ×8 depositsBLOCKED4ms
Inbound ReconcilerSWIFT MT103 $45,000 — matchedALLOWED2ms
Data Export AgentBulk export → unlisted endpointBLOCKED1ms
KYC Document ValidatorPassport doc-check: PASSALLOWED3ms
Support CopilotRead customer PII outside sessionBLOCKED1ms
Treasury Sweep AgentEOD sweep $210,000 → call accountALLOWED2ms
Vendor Onboarding AgentSpawn child with elevated capsBLOCKED1ms

DNA IDs

Agent identity

10/10

CISA/NSA controls

6+

Cloud providers

< 1 ms

Ledger write p99

The gap

Your agents are already
in production.

“How will I know what my agent was doing?” is the question every enterprise is asking. The honest answer, today, is three gaps wide.

01SHADOW

You can't see them

Agents spawn children, call APIs, and message each other over buses that never touch your HTTP gateway. The fleet you know about is smaller than the fleet you run.

02NOT ENFORCED

Policy lives in a PDF

Your agent policy is a document. Agents don't read documents. Nothing at runtime stands between an agent's intent and the payment rail, the database, or the outbound network.

03NO PROOF

Logs aren't evidence

When the regulator asks what your agent did on March 14th, a grep through mutable application logs is not an answer. You need a record that can't be edited after the fact.

Sumway's answer

Blocked before it happened. Proven after.

See the pipeline

How it works

Identity in. Proof out.
Every time.

Sumway wraps every agent action in a four-stage pipeline — register, classify, enforce, and chain — so no intent escapes the audit trail.

01

Agent registers

An agent declares its identity, owner, jurisdiction, capabilities, and system prompt. It receives a DNA ID and enters PENDING state — it cannot act until a human approves it.

02

Intent arrives

The agent submits a natural-language intent to the Sumway kernel. The kernel classifies the intent and checks it against the agent's declared capability bounds.

03

Policy decides

Permitted intents execute. Blocked intents are rejected before any API call, payment, or state change fires — with the reason written to ledger at the moment of decision.

04

Chain anchors

Every outcome is hashed over its content plus the previous entry's hash, then replicated to your cloud store. The audit trail is complete, immutable, and independently verifiable.

Use cases

Caught at the kernel.
Not in the post-mortem.

Payments
BLOCKED

Bulk Payroll Agent

> run payroll batch — 02:14, outside approved window

BLOCKED · 1ms · reason recorded

Without Sumway

4,000 salary payments fire at 2am. You find out when the bank calls.

With Sumway

The intent never reached the payment rail. Ledger entry written at decision time; approver notified.

Treasury
BLOCKED

FX Rate Agent

> override FX rate to 1.42 manually

BLOCKED · 1ms · reason recorded

Without Sumway

A mispriced conversion books at the wrong rate. The exception report lands next quarter.

With Sumway

Rate overrides aren't in the agent's capability set. Fail-closed rejection, reason recorded in the hash-chained ledger.

AML
ESCALATED

AML Monitor

> structuring pattern — $9,800 × 8 deposits

ESCALATED · 4ms · reason recorded

Without Sumway

The pattern sits in a log file until the monthly review — or the regulator finds it first.

With Sumway

High-risk classification escalates to a human approver. Nothing executes until sign-off.

x402 agentic payments

Agents that pay.
Agents that earn.

Sumway speaks x402 — the HTTP 402 payment protocol — natively, on both sides of the transaction. Your agents can buy paid APIs under kernel-enforced spend ceilings, and your services can charge other agents for access. Every payment is signed by the kernel, settled in USDC, and recorded in the same hash-chained ledger as everything else.

USDC · EIP-3009Settle-before-serveFail-closedHash-chained ledger
Read the full protocol mapping
x402 · paid request lifecycle
USDC · Base
> GET /api/market-data402 Payment Required
price: $0.05 USDC · payTo: 0x8f3…c21
> kernel: cap check $0.05 ≤ $0.25 ceilingOK
> kernel: sign EIP-3009 authorizationsigned
agent never receives the signing key
> GET /api/market-data + PAYMENT-SIGNATURE200 OK
settlement 0x4ab…9e7 · ledger entry #4812recorded

Gateway signing key

Agents request payments; the gateway signs EIP-3009 USDC authorizations after policy checks. Agents never receive the signing key; production deployments require managed or HSM-backed custody.

Spend ceilings

Per-agent caps enforced at the kernel with atomic spend reservations — no race can push an agent past its ceiling, ever.

Sell-side paywall

Put any API, dataset, or agent service behind HTTP 402. Settle-before-serve: no settled payment and audit record, no content.

Know-Your-Agent

Optional verification of a signed agent request before settlement. Binding an agent identity to the settling payer address is a planned control.

Credit packs

Prepaid credits for repeat buyers, with a revenue endpoint that reports earnings — every sale written to the same hash-chained ledger.

Price optimization

Buy-side kernel caps plus ranked provider selection — your agents automatically pay the cheapest qualifying seller.

Why Sumway

Logging is not
governance.

Observability tells you what happened. Guardrails filter what models say. Sandboxes limit where code runs. None of them stand between an agent's intent and the action — Sumway does, inline, before execution.

ObservabilityLLM guardrailsSandboxesSumway
When it actsAfter the factAt the promptAt the processBefore execution
What it governsWhat agents didWhat models sayWhere code runsWhat agents may do
Blocked actionsAlerts you laterFilters text onlyCan't read intentsFail-closed at the kernel
Agent identityTrace IDs at bestNoneProcess IDsEd25519 DNA IDs
Audit evidenceMutable logsNoneNoneSHA-256 hash chain

Cryptographic audit chain

Tamper the chain.
The math will tell.

Each ledger entry is hashed with SHA-256 over its full content plus the previous entry's hash. A single bit change anywhere in history cascades into every downstream hash — making forgery detectable by any party with read access, including regulators.

  • SHA-256 over payload + previous hash
  • Chain-head stored on S3 for independent verification
  • Portal shows broken-at entry with diff view
  • No trusted intermediary required to verify
View chain verifier
#1

Agent registers: Outbound Payment Agent

prev: 000000000000

OKa3f9c2d8e1b4
#2

Intent: initiate $12,500 wire transfer

prev: a3f9c2d8e1b4

OKb7e1a4f2c9d3
#3

Intent: override FX rate to 1.42 manually

prev: b7e1a4f2c9d3

Blockedc8d3b6e1f2a4
#4

Intent: query payment status TX-8821

prev: c8d3b6e1f2a4

OKd1a9e5c3b7f2

Chain intact · 4 entries · head: d1a9e5c3b7f2…

Sumway Ledger

A

AWS S3

G

Google Cloud

Z

Azure Blob

C

Cloudflare R2

M

MinIO

Any S3-compatible

All endpoints speak s3:// — switch providers without changing your code

Cloud agnostic

Your cloud.
Your rules.

Data sovereignty requirements differ by jurisdiction. Sumway exposes a standard S3-compatible replication layer so your audit trail lands in the cloud region your compliance team approved — not ours.

  • S3-compatible API — no SDK changes required
  • Per-tenant bucket isolation
  • Replication runs async, never on the hot path
  • Local ledger is always the source of truth
  • Meets data-residency and sovereignty requirements

Platform capabilities

Not a sandbox.
A conscience.

Sandboxing limits where agents run. Sumway governs what they are allowed to intend.

Agent DNA Identity

Every agent carries a cryptographic DNA ID, a declared owner, a parent-child lineage, and explicit capability bounds. You always know who an agent is, who authorised it, and whether it is still trusted to act.

Intent Interception

The kernel intercepts every agent intent before execution. Blocked actions never reach an API, payment rail, or database — the policy check happens at the kernel boundary, not the application layer.

Prompt Injection Defence

A heuristic scanner inspects every intent for role-override patterns, jailbreak keywords, exfiltration commands, and embedded instruction markers. Suspicious content is quarantined before any downstream execution.

Behavioural Anomaly Detection

Per-session profiling tracks action history, out-of-role requests, policy escalation probes, and read→network exfiltration sequences. Fatal anomalies terminate the session and cascade-kill all child agents.

Network Isolation Enforcement

An HTTP CONNECT proxy enforces per-agent outbound allowlists on every kernel. Kernel ≥ 6.7 also applies Landlock v4 TCP rules at the syscall layer — two independent enforcement points.

Multi-Agent Cascading Trust

Parent agents sign child spawn requests with Ed25519. Children inherit a capability subset — never more than the parent holds. Revoking a parent cascade-terminates every descendant in the lineage tree.

Real-time Governance Feed

Watch every decision as it happens — allowed, blocked, or escalated — with classification, latency, and policy reason. Not a report tomorrow morning. Live, at decision time.

SHA-256 Hash Chaining

Every ledger entry cryptographically links to the previous one. Tamper any record and the entire downstream chain breaks — giving auditors mathematical proof of integrity without a trusted intermediary.

Cloud-Agnostic Ledger

Replicate to AWS S3, Google Cloud, Azure Blob, or Cloudflare R2 — whatever your risk team approved. Data sovereignty built in. Switch providers without changing a single line of runtime code.

CISA · NSA · Five Eyes

Secure deployment of
AI agents. Mapped.

The CISA/NSA/Five Eyes joint guidance on deploying AI agents securely defines ten controls. Sumway maps its implementation to those controls; this is not a certification or compliance attestation.

10 controls mapped
01

Agent Identity & Authentication

Ed25519 DNA IDs — cryptographic identity declared at registration, verified on every call.

02

Least Privilege & Capability Bounding

Declared capability set enforced at the kernel; child agents can never exceed parent permissions.

03

Human Oversight & Approval Workflows

High-risk intents escalate to human approvers; the kernel blocks execution until explicit approval arrives.

04

Immutable Audit Trail

SHA-256 hash-chained ledger written at decision time — allow or block — replicated to your cloud store.

05

Prompt Injection Defence

Heuristic scanner detects role-override, jailbreak, exfiltration, and embedded instruction patterns in every intent.

06

Behavioural Anomaly Detection

Per-session profiling flags out-of-role actions, escalation probing, and storage→network exfil sequences.

07

Network Isolation

HTTP CONNECT proxy + Landlock v4 TCP rules enforce agent outbound allowlists at two independent layers.

08

Multi-Agent Trust & Spawn Signing

Parent signs child spawns with Ed25519; cascade termination propagates to all descendants on revocation.

09

Credential & Secret Isolation

Ambient credential scrubber strips API keys, tokens, and secrets from every agent subprocess environment.

10

Secure Supply Chain

Agent registry enforces owner declaration, system-prompt hash, and jurisdiction — signed at registration.

Reference: CISA/NSA/ACSC/NCSC/CCCS/GCSB/NCSC-NZ joint guidance — “Deploying AI Systems Securely” (2025). Talk to us →

Built for oversight

A portal made for
compliance teams.

Compliance teams and regulators shouldn't need to SSH into a server. Sumway ships a dedicated portal with fleet-level visibility across all agents and organisations, chain integrity checks, and blocked intent timelines — read-only, zero trust dependency required.

  • Live fleet dashboard — all organisations in one view
  • Per-agent audit trail with full intent text and policy reason
  • Blocked action timeline — what was stopped and why
  • Chain-head verification — detect tampering instantly
  • Date-range export for formal submissions
  • Multi-tenant isolation — no cross-tenant data leakage
Open portal Verify a chain
sumway.internal/fleet

Agent Fleet

Agents: 15
Active: 10
Blocked: 34
Alerts: 1
CA

CapitalPay Orchestrator

Stratus Capital

ACTIVE
BU

Bulk Payroll Agent

Stratus Capital

REVOKED
AM

AML Monitor

RiskShield AI

ACTIVE
KY

KYC Document Validator

RiskShield AI

PENDING

Jurisdiction ready

Built where compliance
is not optional.

Every audit trail is independently verifiable — if your regulator can read S3, they can verify your chain. No trusted intermediary. No site visit.

SARBSouth Africa
SEC 17a-4(f)United States
POPIASouth Africa
GDPR Art. 30European Union
FSCASouth Africa
MiFID IIEuropean Union
CBNNigeria
DORAEuropean Union
RBZZimbabwe
ISO 27001International
FCCPCNigeria
SOC 2International
BOZBotswana
PCI DSSInternational
CMAKenya
Basel IVInternational
SARBSouth Africa
SEC 17a-4(f)United States
POPIASouth Africa
GDPR Art. 30European Union
FSCASouth Africa
MiFID IIEuropean Union
CBNNigeria
DORAEuropean Union
RBZZimbabwe
ISO 27001International
FCCPCNigeria
SOC 2International
BOZBotswana
PCI DSSInternational
CMAKenya
Basel IVInternational
SARBSouth Africa

Prudential authority standards

SEC 17a-4(f)United States

WORM electronic records retention

POPIASouth Africa

Protection of Personal Information

GDPR Art. 30European Union

Records of processing activities

FSCASouth Africa

FSP conduct & reporting

MiFID IIEuropean Union

Transaction reporting & audit trail

CBNNigeria

AI & digital finance guidelines

DORAEuropean Union

Digital operational resilience

RBZZimbabwe

Digital payment audit requirements

ISO 27001International

Information security controls

FCCPCNigeria

Consumer protection compliance

SOC 2International

Trust services audit evidence

BOZBotswana

Fintech regulatory sandbox

PCI DSSInternational

Cardholder data audit trail

CMAKenya

Capital markets oversight

Basel IVInternational

Operational risk data requirements

Don't see your jurisdiction? The audit chain is standard SHA-256 — any regulator with S3 read access can verify independently. Talk to us →

Private deployment

Request
early access.

Sumway is in private deployment with a select group of organisations and regulators. We're working directly with compliance and engineering teams to shape the governance standard for AI agents in production.

  • EnterprisesDeploy AI agents with provable governance from day one — identity, policy, and audit trail built into the runtime.

  • FintechsShip AI-driven payment and decision features with a compliance record that satisfies regulators without custom tooling.

  • RegulatorsAudit any supervised organisation without site visits — just S3 read access and the chain verifier.

  • Compliance teamsGenerate evidence on demand for SOC 2, ISO 27001, and jurisdiction-specific submissions.

Response time

1 business day

Every enquiry is reviewed by an engineer, not a sales bot.

The governance kernel for the agentic era

Not a sandbox.
A conscience.

Sumway gives every agent a cryptographic identity, a policy boundary, and an immutable audit trail — enforced at the kernel level before anything executes.