Execution authorization architecture
Execution authorization for AI workflows
Deterministic verification, fail-closed enforcement, and signed runtime proof before operational state changes run.
AI systems are moving from generating text to triggering operational actions. BiDigest inserts a deterministic authorization checkpoint between AI workflows and systems of record. Before payments, CRM updates, claims actions, or outbound communications execute, the orchestration layer calls the authorization verify API and receives a hard runtime verdict plus a verification receipt.
Product category: execution authorization. Stable v1 path: POST /api/v1/admissibility/verify — a versioned alias (e.g. /api/v1/authorize/verify) may ship later without breaking this contract.
Performance supplement: latency & fail-closed enforcement
What the authorization gateway does
- Verify before execution — one POST, then branch on verdict
- Separate governance escalation (REVIEW_REQUIRED) from indeterminate authorization (VALIDATION_UNAVAILABLE)
- Emit receipt_id on each verify for audit and disputes
- Require fresh verification when authority, policy, or execution context may have changed before continuation
- Fail closed when verification is missing, denied, indeterminate, or times out
Control flow (verify → verdict → receipt)
Agent / workflow orchestration
│
▼
┌──────────────────────────────────────┐
│ Authorization verify (BiDigest) │
│ POST /api/v1/admissibility/verify │
└──────────────────────────────────────┘
│
├── APPROVED ───────────────────► proceed + attach receipt_id
├── REVIEW_REQUIRED ────────────► pause → human approval queue
├── VALIDATION_UNAVAILABLE ─────► fresh verify (not HITL)
└── REJECTED / fail-closed ─────► stop binding action + log runtime proof
│
▼
System of record (CRM · payments · ERP · email)
Authorization continuity at execution boundaries
Authorization must remain valid at continuation time — not only at initial approval time.
BiDigest is building deterministic authorization continuity for AI-triggered operational workflows, described in operational terms and without claiming to have solved the underlying distributed-systems problems.
- Human review is not the same as infrastructure uncertainty — governance escalation is separated from indeterminate authorization states.
- Human approval alone does not guarantee continuation authority; fresh verification is required when policy, authority, or execution conditions drift during a pause window.
- Rollback and compensation actions are treated as new governed execution boundaries — not automatic continuations of a previous approval.
- Designed to fail closed under delayed retries, stale approvals, and replayed workflow continuations.
Runtime architecture
Phase 1 — Provision approved authority
Before production traffic, register the domain and regulatory identifiers your agents must respect.
- Map verified corporate domain + regulatory IDs (e.g. SEC, FINRA, NPI, LEI) to your tenant
- Produces a machine-readable approved authority source (provisioned allow-list) agents verify against
Phase 2 — Route workflows through verify
The authorization gateway is a strict, fail-closed checkpoint for agentic workflows.
- Integrate LangChain, Copilot Studio, AWS Bedrock, n8n, Make, or custom orchestration
- Call POST /api/v1/admissibility/verify before CRM writes, payments, refunds, or outbound sends
- Structured payload only — not a full chat transcript
Phase 3 — Branch on verdict and record proof
Resolution is deterministic at this layer — no generative step in the gateway.
- APPROVED — proceed to the downstream system with receipt_id attached
- REVIEW_REQUIRED — pause automation; route to human approval (Slack, email, ticketing)
- REJECTED / fail-closed — stop the binding action; signed execution record documents the denial
Example request (verify payload)
When an agent attempts a binding action, post structured JSON — not a raw chat log. Include entity anchor, prompt hash, proposed action context, and proposed sources (references pending execution). Optional jurisdiction_context routes multi-region policy slices.
- entity_anchor — domain + regulatory id (provisioned authority key)
- agent_context — orchestration id, proposed action, prompt_hash
- payload_to_verify.synthesized_claims — claims pending authorization
- payload_to_verify.shadow_citations — proposed sources (stable wire name; not “citation SEO”)
- jurisdiction_context (optional) — region_code and skb_profile_ids for stacked profiles
{
  "entity_anchor": {
    "domain": "client-domain.com",
    "regulatory_id": "SEC-801-12345"
  },
  "agent_context": {
    "orchestration_id": "prod-langchain-01",
    "proposed_action": "transmit_client_advisory",
    "prompt_hash": "a1b2c3d4e5f6g7h8i9j0"
  },
  "payload_to_verify": {
    "synthesized_claims": [
      "Our firm manages $500M in assets.",
      "Performance increased by 12% in Q3."
    ],
    "shadow_citations": [
      "https://client-domain.com/q3-report.pdf",
      "internal_doc_id_9921"
    ]
  },
  "jurisdiction_context": {
    "region_code": "eu-central",
    "skb_profile_ids": ["eu-ai-act"]
  }
}
Wire names are stable in v1: proposed sources → shadow_citations; signed verification record → decision_receipt; runtime verdict → admissibility_status.
Example response (verdict + receipt)
The gateway cross-references proposed sources against your provisioned authority source — a deterministic membership check. Each response returns a signed verification record (decision_receipt.signature, compact JWS) for compliance systems.
{
  "admissibility_status": "APPROVED",
  "reason_code": "GROUND_TRUTH_VERIFIED",
  "decision_receipt": {
    "timestamp": "2026-03-23T10:40:27Z",
    "receipt_id": "rec_pass_1122abc",
    "evidence_hash": "d4e5f6g7h8i9j0a1b2c3",
    "signature": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}
Runtime guarantees
- Deterministic policy checks at the execution boundary — not probabilistic scoring in the gateway
- Fail-closed when verify is unavailable or times out (your orchestration owns the fallback)
- Typical overhead: single-digit milliseconds — comparable to token validation (see performance supplement)
- No full prompt ingestion — hash binding + structured fields only
Evidence layer
- Verification receipt
- Compact signed record (JWS) per verify call — wire field: decision_receipt
- receipt_id
- Stable id for QBRs, disputes, and client reporting
- Timestamp + input hash
- Binds runtime proof to the attempted binding action
- Verdict + reason code
- APPROVED / REVIEW_REQUIRED / REJECTED — branch keys for orchestration
Deployment patterns
- n8n / Make — protected workflow templates with verify → branch
- LangChain / Bedrock — middleware before tool calls
- Internal orchestration — HTTP verify step before ERP or payment APIs
Agency templates: protected workflow library
Legal questions → runtime evidence
Quick crosswalk for counsel, security, and engineering — plain language mapped to controls and signed runtime proof.
Legal question → runtime evidence
Who authorized the system to act?
- Runtime control: Runtime authorization binding
- Technical enforcement: Verify call binds user, agent, and tenant context before the downstream system runs.
- Evidence: Signed verification record (JWS) proving the request passed authorization at the gateway.
What was it allowed to do in this context?
- Runtime control: Approved authority source
- Technical enforcement: Provisioned domain + regulatory identifiers and policy allow-list — not prompt-only instructions.
- Evidence: Structural record that the action was bounded by a pre-defined mandate before execution.
What limits were enforced before execution?
- Runtime control: Execution drift detection
- Technical enforcement: Deterministic comparison of proposed action and sources against the approved authority source.
- Evidence: Verdict (APPROVED / REVIEW_REQUIRED / REJECTED) with reason code and receipt_id — no silent auto-run.
What evidence ties the decision to the action?
- Runtime control: Fail-closed gateway
- Technical enforcement: Orchestration must receive a signed receipt before CRM, payments, or records change.
- Evidence: Runtime proof export: input hash, verdict, timestamp, and signature for audit packets.
Architecture FAQ: execution & security
What is the latency overhead of the gateway?
The gateway is built for execution-time enforcement: it does not generate tokens or ingest your full context window; it runs deterministic checks against your provisioned authority source. Overhead is typically single-digit milliseconds, bounded by network and deployment topology. See the performance supplement for the component breakdown.
Does the API ingest or store proprietary prompts and customer PII?
The contract is structural: entity identifier, cryptographic hash of the prompt (to bind the receipt), and the specific action context pending execution. We evaluate authorization for the binding action — not your full conversational history. Final data handling is covered in your enterprise DPA.
If the BiDigest API is unavailable, does our AI stack fail closed?
The safe default for unverified output is to treat missing authorization proof as blocking. Apply a strict timeout (e.g. 50ms); if no signed verification record returns in time, route to a deterministic fallback — static approved copy, degraded mode, or human-in-the-loop — so you control uptime without inheriting unverified AI liability.
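An orchestration-side gate for the verify step, added here as an example and not BiDigest's code: it branches on the four verdicts from the control-flow diagram, fails closed on timeout, transport error, or an unknown verdict, and refuses to act on any verdict whose decision_receipt signature does not verify. The HS256 compact-JWS layout, the claims inside the receipt, the shared key, and the demo_gateway stand-in are assumptions of this example, not the documented contract.

```python
import base64, hashlib, hmac, json
# Added example, not BiDigest code. Verdict names and wire fields follow the page; the
# HS256 compact-JWS layout, receipt claims, shared key and demo gateway are assumptions.
PROCEED, PAUSE_FOR_HUMAN, REVERIFY, STOP = "proceed", "pause_for_human", "reverify", "stop"
BRANCH = {"APPROVED": PROCEED, "REVIEW_REQUIRED": PAUSE_FOR_HUMAN,
          "VALIDATION_UNAVAILABLE": REVERIFY, "REJECTED": STOP}
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_receipt(claims: dict, key: bytes) -> str:
    """Gateway side (constructed stand-in): HS256 compact JWS over the receipt claims."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def receipt_claims(jws: str, key: bytes):
    """Return the receipt claims only if the signature verifies; None on any failure."""
    try:
        head, body, sig = jws.split(".")
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url(want), sig):
            return None
        return json.loads(base64.urlsafe_b64decode(body + "=="))
    except (ValueError, TypeError):
        return None

def gate(verify_call, payload: dict, key: bytes, timeout_s: float = 0.05) -> dict:
    """Fail-closed verify wrapper; verify_call(payload, timeout_s) is the transport
    (e.g. the HTTP POST) and must raise on timeout or transport error."""
    try:
        resp = verify_call(payload, timeout_s)
    except Exception as exc:  # timeout, network failure, malformed body: block
        return {"branch": STOP, "reason": f"verify_unavailable:{type(exc).__name__}"}
    status = resp.get("admissibility_status")
    receipt = resp.get("decision_receipt") or {}
    claims = receipt_claims(receipt.get("signature", ""), key)
    # Unsigned, forged or swapped receipts, or a signed verdict that differs from the
    # plaintext status, never unlock the binding action; unknown verdicts block too.
    if claims is None or claims.get("receipt_id") != receipt.get("receipt_id") \
            or claims.get("admissibility_status") != status:
        return {"branch": STOP, "reason": "receipt_invalid"}
    return {"branch": BRANCH.get(status, STOP), "reason": resp.get("reason_code"),
            "receipt_id": receipt.get("receipt_id")}
def demo_gateway(status: str, key: bytes):
    """Constructed stand-in for POST /api/v1/admissibility/verify, for offline runs."""
    def call(payload, timeout_s):
        rid = "rec_demo_" + hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:8]
        claims = {"receipt_id": rid, "admissibility_status": status, "timestamp": "2026-03-23T10:40:27Z"}
        return {"admissibility_status": status, "reason_code": "DEMO_" + status,
                "decision_receipt": {**claims, "signature": sign_receipt(claims, key)}}
    return call
```

In production the transport would be the real HTTP client with its own timeout, and the key would be replaced by whatever verification material the gateway's JWS actually uses; the branch names are what the orchestration layer switches on to proceed, pause, re-verify, or stop.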
Should legal and compliance use the evidence table above?
Yes. It maps common scrutiny questions to runtime controls and signed runtime proof — reuse it in review packets alongside workflow diagrams and receipt_id exports.
Production gateway credentials and tenant provisioning follow authority reconciliation. Start with a scoped assessment for your domain and orchestration path.