Every agent your team has shipped is a worker. It takes actions, accesses data, and makes decisions on your behalf. The question your board will ask is not whether you have an AI policy — it is whether each of those workers has a job description, a credential boundary, a manager who approves the risky calls, and a personnel record an auditor can verify. Arx is the infrastructure layer that gives them all four. The headline numbers below are what that infrastructure produces in the first quarter of operation.
Internally built AI agents are running in production at most large enterprises today. The first wave is in security — written by your engineering team, signed off informally, reaching into ServiceNow, CrowdStrike, Okta, AWS, and Snowflake. The next wave is already underway in finance, HR, legal, and platform. Each of these workers takes actions on your behalf. None of them has a job description in any system the CFO can audit. The board does not know the dollar exposure of any single call. Telling them "we have governance" does not help. Telling them "every agent has scoped credentials, a manager who approves risky calls, and a hash-chained personnel record — and here's the number per call before it runs" does.
Arx connects three nodes into a single graph. Risk is computed where the runtime node meets the intent node. Containment runs at runtime. The outcome node makes both auditable.
The score is computed inside the connector before the call leaves the platform. The formula is open and tunable: blast radius + connector sensitivity + session frequency + target sensitivity. Crossing your deny threshold is a deterministic verdict, not an alert.
```yaml
# Example: ServiceNow change-close on three production tickets.
operation_risk: 32          # write · production-impacting
connector_sensitivity: 18   # ServiceNow change mgmt
session_frequency: 12       # 3rd close in 60s
target_sensitivity: 14      # prod tier
risk_score: 76              # > review_threshold (60)
verdict: APPROVAL_REQUIRED
```
No human is in the critical path for the things you've already decided are unsafe. Three deterministic primitives:
When something needs to be fixed — a misconfigured S3 bucket, a leaky IAM policy — Arx does not do the fix. Your remediation agent does. Arx's job is to grant that agent the narrowest possible permission, for the shortest possible time, and to record what happened. A typical grant: "S3 write to s3://prod-app-config/, 15-minute TTL, auto-revert on expiry, audit-bound to remediation request RR-4218." Arx grants the permission. The agent does the fix. The audit row proves both.
Every action — score, verdict, approver, scoped grant, drift event — is hashed into a chain. The tip is signed and published every five minutes to a witness bucket in your account that Arx can write to but not read or delete. Compliance maps for SOC 2, NIST AI RMF, ISO 42001, and EU AI Act fall out of platform state, bound to specific source line ranges. Compliance is the byproduct of the score, not the headline of the pitch.
Ship the agents that would have been blocked. Pilots stuck in the review board ship behind a per-call score and an automated containment policy. Capacity goes up. Time-to-deploy goes down. Each agent shipped carries a defensible risk number — not a hope.
Above the threshold, the platform decides — instantly, deterministically, audited. Below it, the call ships and is recorded. Drift suspends the agent before damage compounds. Remediation agents are bounded by scoped TTL grants. The dollar exposure of an unmeasured action goes to zero.
SOC 2, NIST AI RMF, ISO 42001, EU AI Act — mapped automatically from platform state. Static analysis binds controls to source line ranges. The witness-signed audit trail is what your auditor verifies. This is the byproduct, not the pitch. You do not pay extra for it; it falls out.
Two things make this presentable to a board, an auditor, or a regulator without hand-waving:
1. The risk formula is open. It is not a black box. Every input to the score is in the audit row. Anyone can recompute the score and reach the same verdict — including your auditor, a regulator, or you, three years later.
2. The audit trail is verified outside Arx. The chain tip is signed and published into a bucket you control. We cannot read it. We cannot delete it. Your auditor verifies the chain against the witness without our cooperation. Integrity is something you check, not something we promise.
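As an added illustration, not Arx's own code, of the open formula from the ServiceNow example above and of the auditor-side recomputation described in points 1 and 2: the score is the sum of the four inputs, the verdict is a threshold comparison, and each audit row is hashed into a chain whose tip is checked against the witness copy. Field names follow the example above; the deny threshold value, the JSON row layout and the SHA-256 chaining are assumptions made for this example.

```python
import hashlib
import json

# Assumed threshold values: the page's example shows review_threshold (60); the
# deny threshold is not given on the page, so 90 is a placeholder.
REVIEW_THRESHOLD = 60
DENY_THRESHOLD = 90

# Constructed input taken from the page's ServiceNow change-close example.
PAGE_EXAMPLE = {"operation_risk": 32, "connector_sensitivity": 18,
                "session_frequency": 12, "target_sensitivity": 14}

def risk_score(inputs):
    """Open, additive formula: every term is stored in the audit row."""
    return (inputs["operation_risk"] + inputs["connector_sensitivity"]
            + inputs["session_frequency"] + inputs["target_sensitivity"])

def verdict(score):
    """Deterministic verdict: crossing a threshold is a decision, not an alert."""
    if score > DENY_THRESHOLD:
        return "DENIED"
    if score > REVIEW_THRESHOLD:
        return "APPROVAL_REQUIRED"
    return "ALLOWED"

def append_row(chain, inputs):
    """Score the call and link the full row to the previous row's hash."""
    row = dict(inputs)
    row["risk_score"] = risk_score(inputs)
    row["verdict"] = verdict(row["risk_score"])
    row["prev_hash"] = chain[-1]["hash"] if chain else "0" * 64
    body = json.dumps(row, sort_keys=True).encode()
    row["hash"] = hashlib.sha256(body).hexdigest()
    chain.append(row)
    return row

def verify_chain(chain, witness_tip):
    """Auditor-side check: recompute every score, verdict and hash; the tip must match the witness."""
    prev = "0" * 64
    for row in chain:
        body = {k: v for k, v in row.items() if k != "hash"}
        if body["prev_hash"] != prev:
            return False
        if risk_score(body) != body["risk_score"] or verdict(body["risk_score"]) != body["verdict"]:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != row["hash"]:
            return False
        prev = row["hash"]
    return prev == witness_tip
```

A tampered input, a rewritten verdict, or a reordered row all break the recomputation, so the check depends only on the rows and the witness tip, not on the platform's word.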
Bring a Python agent your team has already written. We'll spin up a sandbox workspace, score every connector call against the open formula, run a drift scenario, and walk you through the witness-bucket verification. The output is the document your CFO can defend.