As nations bring AI capability in-house, the governing question is no longer which model to procure, but how autonomous agents may act on sovereign data — and how that control is demonstrated to a regulator, an auditor, or an allied state. PanGuard Sovereign is a governance and assurance layer that enforces national policy at every agent action and produces cryptographic evidence of every decision. It operates in front of any model or agent framework, on infrastructure the institution controls.
Data, compute, model, and governance — the four dimensions nations use to define AI sovereignty. The architecture provides an enforced, auditable control for each, positioned in front of any agent, model, or tool platform already in operation.
Sensitive data is classified and its handling enforced as it flows — decrypted only where policy and hardware attestation permit.
Executes on hardware the institution controls — fully offline, no phone-home — releasing keys only to attested endpoints.
Model-agnostic by design. Governs any agent or LLM; an optional on-premise adjudicator may escalate for review, never authorize.
Every agent action is decided by the institution's own signed policy and written to a ledger any third party can verify.
Sovereignty means the institution need never take the supplier's word. Every security-critical action is cryptographically signed, and any party holding only a public key can verify it, offline.
Policies, approvals, break-glass grants, key releases, and every gate decision are Ed25519-signed at the point of action.
An auditor holding only the public key and an inclusion proof confirms a decision occurred — without the log, without the operator.
A missing identity, an unverifiable policy, or a broken audit path denies the action. Absence never resolves to allow.
Built on the open Agent Threat Rules standard. No black box and no proprietary data model to adopt.
A design-intent mapping between the architecture's controls and the frameworks that govern national AI programmes. It indicates the controls the system is built to support — not a certification or accreditation.
| Control capability | Framework reference |
|---|---|
| Signed, tamper-evident decision ledger | EU AI Act Art. 12 (logging) · NIST 800-53 AU |
| Policy-as-code + least-privilege identity | NIST 800-53 AC · ISO/IEC 42001 |
| Signed, versioned policy distribution | NIST 800-53 CM (anti-rollback) |
| Classification, egress & jurisdiction control | NIST 800-53 SC · CUI handling |
| Human approval, break-glass, kill-switch | NIST 800-53 IR · human oversight (AI Act) |
| Air-gap signed delivery + supply-chain trust | SLSA-style provenance · supply-chain (SR) |
A working prototype under continuous independent adversarial review (approximately 1,600 automated tests; 27 review passes to date). Maturity is stated per capability against a two-state scale, defined in the legend below.
| # | Capability | Function | Maturity |
|---|---|---|---|
| 01 | Identity & least-privilege | Per-agent verified principal; delegation only attenuates, never widens | Implemented |
| 02 | Policy-as-code | Signed, versioned, deny-by-default; classification / jurisdiction / obligations | Implemented |
| 03 | Signed decision ledger | Ed25519 with Merkle transparency; third-party verifiable | Implemented |
| 04 | Data taint & egress control | Classification rides data; secret-egress and jurisdiction gates | Implemented |
| 05 | Human approval & break-glass | Signed single-use approvals; dual-control emergency override | Implemented |
| 06 | Supply-chain & A2A auth | Signed tool-trust catalogue; authenticated inter-agent messages | Implemented |
| 07 | Kill-switch | Enforced containment — severs the session; every subsequent call denied | Implemented |
| 08 | Policy-gated key release | Sensitive documents decrypt only at an authorized, attested endpoint | Implemented |
| 09 | Air-gap bundle | Signed manifest; the receiver verifies provenance before installing | Implemented |
| 10 | Operator console | Loopback, token-authenticated control surface with web interface | Implemented |
| 11 | Confidential-compute attestation | Measurement allowlist with key-binding anti-relay verification | Integration seam |
| 12 | On-premise adjudicator | Local model advises escalation only (tighten-only) | Integration seam |
For AI safety and security institutes, AI offices, ministries, and operators of defense and critical infrastructure. An asynchronous technical evaluation: architecture documentation, honest capability boundaries, and a verifiable demonstration — under NDA where required, with no commercial commitment.
For system integrators and national laboratories with public-sector relationships. Deploy locally, in the customer's jurisdiction and language. PanGuard supplies the runtime and signing stack; the partner owns the relationship and the deployment.
PanGuard Sovereign is a reference architecture at design-partner stage, built on the open Agent Threat Rules standard. This brief describes a working prototype under active development — not a generally-available, certified, or accredited product. Framework references indicate design intent and traceability, not certification. Maturity and capability statements are current as of Revision 0.1 and are subject to independent verification.