How Xybern works · The authorisation layer for AI agents.

Section 01 · The authorisation pipeline

5 stages. None optional.

Every AI action in your organisation passes through all 5 stages before it can execute. This is not middleware. This is not a monitoring layer. This is the authorisation pipeline.

Diagram 01 — Authorisation flow

Agent proposes action → Xybern intercepts → 5-stage pipeline → Authorisation decision → Vault record

01

Intercept

Action captured before any system can act on it. The pipeline begins here.

02

Identify

Agent cryptographic identity verified. Authority scope established.

03

Authorise

Action evaluated against agent identity, permission boundaries, and policy rules.

04

Decide

Binary. AUTHORISE or BLOCK. Deterministic. Under 50ms. No third option.

05

Record

Immutable vault entry. SHA-256 hash chain. HMAC-SHA256 signature. Permanent.

An AI action that has not passed through all 5 stages has not been authorised. Xybern makes unauthorised execution structurally impossible.

Section 02 · Each stage in detail

What actually happens inside the pipeline.

The pipeline overview names the 5 stages. This section explains what is passed in, what is checked, and what is returned at each one.

Stage 01

Intercept

Your AI system calls Xybern instead of executing directly. One API endpoint replaces the direct call to your LLM, agent framework or automation tool. The action is held inside the pipeline, it cannot proceed to any subsequent system until all 5 stages complete. There is no way to route around the interception point.

Input: proposed action + agent context + timestamp

Output: action held, pipeline initiated, interception logged

Failure: action rejected before evaluation begins, rejection recorded

Stage 02

Identify

The agent proposing the action is verified against its cryptographic identity before any evaluation begins. Xybern establishes who is acting, what their defined permission boundaries are, and whether their current behaviour is consistent with their historical baseline. An agent whose identity cannot be verified does not proceed.

Input: agent ID + cryptographic signature + behaviour context

Output: verified identity object + permission scope + trust baseline

Failure: unverified agent → blocked immediately, identity failure recorded

Stage 03

Authorise

The xybern-reasoning-v1 model receives the proposed action, the verified identity, the permission boundaries, the active policy set and the jurisdictional context for this action. It evaluates the action against the agent's permissions and policy rules, and produces a structured authorisation determination.

Input: action + identity + permission scope + policies + jurisdiction

Output: policy evaluation + permission check + authorisation recommendation

Failure: policy violation or permission boundary exceeded → recommendation = DENY

Stage 04

Decide

Binary. Authorise or deny. The decision is deterministic, given the same inputs it produces the same output every time. There is no grey zone, no retry, no human-in-the-loop delay. The authorisation decision is made in under 50ms. The action either proceeds or it does not. There is no third option.

Input: authorisation evaluation + policy threshold configuration

Output: AUTHORISE or DENY decision object

Failure: permission boundary exceeded OR policy violation → DENY

Stage 05

Record

Every decision Xybern makes, authorised or denied, is written immediately to the provenance vault. The entry contains the full action, the agent identity, the evaluation result, the authorisation decision, and a precise timestamp. It is anchored in a SHA-256 cryptographic hash chain with HMAC-SHA256 signatures. The entry cannot be deleted. The entry cannot be altered. The chain itself is evidence.

Input: full decision object + authorisation metadata

Output: immutable ledger entry + authorisation ID (auth_...) + hash anchor

Both authorised and denied actions create a permanent record

Section 03 · Stage 03 in depth

A reasoning model built for authorisation.

Most authorisation systems use static rules. Rules do not understand context. xybern-reasoning-v1 is a proprietary 7B reasoning model trained specifically to evaluate AI actions against policies, not to generate outputs. It receives the proposed action, the agent's verified identity, the permission boundaries, the active policy set and the jurisdictional context. It returns a structured authorisation determination.

Unlike static rule-engines and pattern-matching guardrails, xybern-reasoning-v1 evaluates intent, context, jurisdiction, permissions, and agent history simultaneously, in a single deterministic pass, in under 50ms.

Authorisation response object

Every authorisation decision returns a fully structured object. Not a score, a complete record of what was checked, what permissions were evaluated, and what was decided.

authorisation_response.json

{ "authorisation_id": "auth_8f3a2c...", "agent_id": "crm-agent-v2", "permission_scope": "db:read, comms:send", "policy_evaluated": "financial-services-uk", "policy_result": "pass", "boundary_check": "within_scope", "jurisdiction": "EU", "decision": "AUTHORISE", "latency_ms": 43, "immutable": true, "vault_entry": "auth_8f3a2c..." }

Permission evaluation

Actions are evaluated against the agent's permission boundaries and active policy rules. A single policy violation or boundary breach is sufficient to deny the entire action, there is no partial authorisation.

Adaptive permission scoring

Permission scores update dynamically based on agent behaviour history across all sessions. An agent that has previously exceeded its permission boundary carries a lower baseline score on all future actions until rehabilitated.

Policy authorisation

Governance policies, regulatory frameworks and internal rules are all evaluated in a single pass by the same reasoning model. SM&CR accountability rules, FCA SYSC obligations and custom internal policies handled uniformly.

Section 04 · Stage 02 in depth

Every agent has a cryptographic identity.

Not just a token.

API tokens tell you which application is calling. They do not tell you which agent within that application proposed this specific action, what reasoning chain it used to arrive at it, or whether its behaviour is consistent with its history. Xybern assigns every agent a persistent cryptographic identity, verified at every stage of every execution.

API token

Identifies the application only
Static, shareable credential
No behaviour history tracked
Cannot detect agent drift
No policy linkage possible

Session token

Identifies the session only
Expires and rotates per session
No agent-level context
Cannot link to authorisation policy
No cross-session history

Xybern agent identity

Identifies the specific agent
Cryptographically bound and verified
Full behaviour history tracked
Detects drift from established baseline
Policy-linked authorisation at every action

Section 05 · Runtime authorisation

Every action. Authorised or denied.

This is Xybern running in production. Every row is a real authorisation decision, an AI agent proposed an action, Xybern evaluated it against policy, and a decision was made. The decisions on the right are final. They cannot be reversed. They are already in the vault.

Diagram 02 — Live authorisation feed Live

Total today

0

Authorised

0

Denied

0

Authorisation ID	Action	Agent	Scope	Time	Decision
auth_a7f3d2...	Database query	crm-agent-v2	db:read	12:04:28	Authorised
auth_b2e1c9...	Bulk data export	crm-agent-v2	db:export	12:04:31	Denied
auth_c9d4f1...	Outbound email	comms-agent-v1	comms:send	12:04:33	Evaluating
auth_d1e8a4...	Workflow update	ops-agent-v3	ops:write	12:04:37	Authorised

Vault chain: a7f3d2... → b2e1c9... → c9d4f1... → d1e8a4... SHA-256

Section 06 · Stage 05 in depth

Nothing disappears.

Nothing mutates silently.

Every authorisation decision Xybern makes is written to the provenance vault. The vault is an append-only ledger, entries can never be deleted. Each entry is anchored in a SHA-256 cryptographic hash chain with HMAC-SHA256 signatures and Merkle proof verification. The chain itself is the evidence.

Diagram 03 — Provenance ledger

Authorisation ID	Action	Agent	Scope	Timestamp	Decision	Hash anchor
auth_8f3a...	email.send	crm-agent-v2	comms:send	2026-03-18 14:02	Authorised	a7f3d2...
auth_7b2c...	db.update	ops-agent-v1	db:write	2026-03-18 14:01	Denied	b2e1c9...
auth_5d9e...	workflow.trigger	finance-agent-v3	ops:trigger	2026-03-18 14:01	Authorised	c9d4f1...
auth_3a1f...	payment.initiate	billing-agent-v2	pay:send	2026-03-18 14:00	Denied	d3a8e7...
auth_2e8d...	report.generate	analytics-v1	report:read	2026-03-18 13:59	Authorised	e5b2c4...

a7f3d2... → b2e1c9... → c9d4f1... → d3a8e7... → e5b2c4... SHA-256 hash chain · HMAC-SHA256 · Merkle proof export

Append-only ledger

Entries cannot be deleted

Once written, permanent. The vault has no delete operation.

SHA-256 hash chain

Entries cannot be altered

Any change to any entry breaks the hash chain, immediately detectable.

Merkle proof export

Chain integrity verifiable

Full Merkle proof export for any compliance audit, on demand.

Section 07 · The platform

Every authorisation decision. On record.

The Xybern dashboard is your authorisation control plane, not an observability tool. Every entry represents a decision Xybern made before an AI action was allowed to execute: what was authorised, what was denied, which agent triggered it, the permission scope, the policy evaluation, and the cryptographic proof behind every decision. Permanent. Auditable. Court-ready.

Live authorisation feed Agent identity panel Policy configuration Vault export

Section 08 · Deployment patterns

Two ways to deploy.

One authorisation standard.

Xybern supports two deployment patterns depending on whether you are a platform provider embedding authorisation into your AI product, or an enterprise deploying authorisation across your internal AI estate.

Embedded deployment

Xybern inside your AI product

Xybern integrates directly into your AI platform stack. It sits between your model outputs and your end users. Every output your platform delivers has been intercepted, authorised against policy, and recorded before it reaches the user. Your platform gains authorisation and provenance as a native capability.

          Your model → [Xybern authorisation] → Your user
        

Single API integration, no infrastructure rebuild
Every model output authorised against policy before delivery
Deterministic authorisation decisions on every output
Full audit trail anchored in provenance vault
Xybern becomes the authorisation layer inside your product

Most common

Centralised deployment

Xybern above all your AI systems

Xybern deploys as an infrastructure layer that sits above every AI system in your organisation. Internal LLMs, employee copilots, autonomous agents, customer-facing AI, all route through a single authorisation point before any action reaches production.

          All AI systems → [Xybern authorisation layer] → Production
        

All agents authorise through one control point
Single policy set across entire AI estate
No AI system operates without authorisation
Complete cross-system audit trail
Jurisdiction-aware authorisation built in

Section 09 · Integration

One endpoint.

Any provider. Any framework.

Integrating Xybern into your existing AI stack requires one change, you call Xybern instead of calling your LLM or tool directly. Nothing else changes. Your existing infrastructure, your existing models, your existing agent frameworks all remain in place.

integration.py

# Before Xybern # Your agent calls the LLM directly response = openai.chat.completions.create( model="gpt-4", messages=messages ) # After Xybern # One line change — Xybern authorises inline response = xybern.authorise( agent_id="crm-agent-v2", action=proposed_action, policy_set="financial-services-uk", jurisdiction="GB" ) # Returns the same response object # Plus the full authorisation result print(response.authorisation_id) # auth_8f3a... print(response.permission_scope) # db:read, comms:send print(response.decision) # AUTHORISE

Compatible with your stack

OpenAI Anthropic Google Gemini Meta Llama Mistral Cohere AWS Bedrock Azure OpenAI LangChain CrewAI AutoGPT LlamaIndex Custom agents

Xybern does not replace your frameworks. It is the authorisation layer above them. Your framework builds the pipeline. Xybern decides what it's allowed to do.

Deployment time

Day 1

API integration

Point your first agent at the Xybern endpoint. First authorised action in under an hour.

Week 1

Policy configuration

Define permission boundaries, policy rules, and authorisation constraints for your AI systems.

Week 2

Full deployment

All AI systems routing through Xybern. Full authorisation, full audit trail, full coverage. Every action authorised. Every decision recorded.

Section 10 · Regulated environments

Built for environments where AI mistakes have consequences.

Xybern was designed from the ground up for regulated industries. The authorisation pipeline, the identity layer and the provenance vault were all built with financial services and legal services compliance obligations in mind.

Financial services

SM&CR and FCA compliance

Xybern maps directly to SM&CR Senior Manager accountability requirements. Every AI decision is attributed to a specific agent with a specific permission scope and a specific authorisation record. FCA SYSC 8 outsourcing obligations satisfied by design. Full audit trail available for regulatory inspection at any time.

SM&CR SYSC 8 FCA MiFID II

Legal services

SRA obligations and legal AI governance

Every AI action taken on behalf of a client passes through Xybern before it executes. Supervision obligations are met structurally, not by policy documentation but by architectural authorisation. Client data boundary rules authorised at the action level, not the application level.

SRA Legal AI Client data Supervision

Enterprise · UK & MENA

Cross-jurisdiction authorisation

Jurisdiction-aware authorisation means the same policy engine applies different rules depending on where an action originates and where it has effect. UK, EU AI Act and MENA regulatory contexts are all handled in a single Xybern deployment, no separate configurations required.

UK EU AI Act MENA Cross-border

One system. One job.
Every AI action authorised or denied.

5 stages. None optional.