Your agent skips steps.
The gate doesn't.
The gap is sequence enforcement.
The agent cannot skip steps. Not shouldn't — cannot. AgenticRail gates every step before it executes — not observability, not logging, blocking.
Every permitted action produces a cryptographic receipt — HMAC-signed, sequenced, sealed. That receipt chain is your compliance record: what ran, when, in what order, written before the action executed.
The enforcement question is "did it proceed?" The accountability question is "can you prove it to your regulator?" Both answered. Same gate.
evaluates before execution
Three failures. Different industries. Same moment.
UnitedHealth Group stood in federal court and couldn't answer a simple question: what did your AI actually execute? Not what it was configured to do. Not what it reported afterward. What it actually ran, step by step, at the time it ran. No answer. That's a provenance failure. The receipts didn't exist.1
An FDA manufacturer was cited because AI was generating drug records with no verification step enforced. The step existed in the policy. It never ran.2
An AI agent deleted an entire production database in nine seconds. No gate between what it decided to do and the execution of that decision.3
Three organisations. Three governance frameworks. Zero enforcement.
The agent proceeded. Nobody knew until it mattered.
Logging tells you what happened. Alerting tells you after it happened. Neither stops it.
AgenticRail is the gate between what your AI decides to do and what it is allowed to execute. Every step evaluated before it runs. ALLOW or DENY. If it passes, a cryptographic receipt is written — proof the step ran, in sequence, at that exact time. If it fails, nothing proceeds. Not a governance dashboard. The enforcement layer underneath one.
Every receipt is also chain of custody — from decision to signed evidence. The enforcement question and the accountability question have the same answer: the gate ran first, and the receipt proves it.
1 Senate Finance Committee investigation into UnitedHealth Group AI claims denial, 2024. STAT News / ProPublica coverage. 2 FDA Computer Software Assurance enforcement — 21 CFR Part 11 observations on AI-generated records. 3 r/ExperiencedDevs: AI agent production database deletion incident, widely reported Oct 2024.
AI agents fail silently.
That's the problem.
When an AI agent skips a validation step, hallucinates a completed action, or proceeds without required context — it doesn't fail loudly. It continues. It produces output. You find out later. This is the probabilistic nature of language models colliding with the accountability requirements of real systems.
Logging tells you what happened. Alerting tells you after it happened. AgenticRail stops it before it happens. A cryptographic receipt chain is a structural guarantee — proof the sequence cannot have run differently from what the receipts record. The gate enforces the sequence. If a step fails, nothing proceeds. This is a fail-closed design — the gate denies by default when conditions are not met, never passes on uncertainty. EU AI Act Article 14 requires human oversight mechanisms for high-risk AI systems; AgenticRail's gate is that mechanism — enforced at infrastructure level, not at the application layer where models can bypass it.
- Agent skips validation — proceeds anyway
- Hallucinated completion logged as success
- No proof the sequence actually ran
- Failures discovered downstream
- No audit trail for compliance
- Gate evaluates before each step executes
- HALT returned immediately on failure
- Cryptographic receipt on every pass
- Sequence enforced at infrastructure level
- Cryptographic receipt chain — verifiable by any auditor, not just your team
Every action gets one of three answers.
Before every step executes, the gate evaluates it. The answer is immediate and absolute.
Step passed every gate condition. Cryptographic receipt written. Proceed.
Step failed a gate condition. Sequence halted. Nothing proceeds.
Critical violation. Full sequence stopped. No further steps accepted.
Every ALLOW generates a tamper-evident cryptographic receipt — proof the step ran, in sequence, at that exact time. Not a log. Not a self-report from the model. A signed fact that cannot be altered after the fact.
Your spine. The gate enforces it.
You define the step names for your workflow — AgenticRail enforces the order. A fintech team might run: verify_identity → assess_risk → request_approval → execute_transfer → audit. A compliance team: ingest → validate → classify → review → seal. Any sequence, any domain, any names. The gate evaluates each step call against your defined order — the model cannot skip ahead, replay a completed step, or execute without gate authorisation. This is sequence enforcement at the infrastructure layer, making probabilistic agents behave deterministically.
At every gate call, four things happen:
API key validated. Request structure checked. Wrong key, wrong format — HALT at step 0. No further evaluation.
Previous step receipt verified. Steps must run in order. No jumping ahead. No replaying completed steps.
Step-specific conditions checked against current state. All conditions must pass. One failure halts the entire sequence.
Cryptographic receipt generated and stored. Optional attestation evidence — approval IDs, risk scores, KYC results, document hashes — is signed into the receipt at the same time. The receipt is the proof. No receipt — no authorisation to proceed.
One endpoint. Any framework.
POST to the gate before each step. Read the decision. That is the integration. Python and JavaScript SDKs available, with LangGraph and CrewAI adapters. Full API reference, quickstart, and interactive demo in the docs.
pip install agenticrail · npm install @agenticrail/core · GitHub →
What you hand to the regulator.
After any sequence completes, one call generates the full compliance report — every step, every receipt, chain verified, sequence sealed. An audit narrative written to meet EU AI Act Article 11 documentation requirements. Ready to attach to your compliance file.
See a real enforcement report — full receipt chain, cryptographic verification, compliance narrative. This is what the regulator asks for.
See the compliance report →Every receipt verified — HMAC signature and chain linkage from step 0 → N. Tamper-evident. One failed link halts the report.
Audit statement written for EU AI Act Article 11 technical documentation. Ready to attach to your compliance file.
Available on Growth and above. Technical docs → · EU AI Act vs NIST vs ISO 42001 →
Every step. What justified it.
Each gate decision can carry evidence — a document hash, an approval token, a KYC result, a fraud score, a human sign-off ID. Whatever justifies the step gets signed into the receipt at the moment of enforcement. Immutable. Chained. Written before the action runs.
The baseline receipt proves what ran and when. Attestation proves what evidence justified it. A payment rail embeds a fraud-check score at risk assessment. A hiring pipeline embeds a bias-audit token at candidate evaluation. Each becomes a structural compliance artifact — not a log entry, a signed fact.
Risk scores, approval IDs, document hashes, KYC results, human sign-off tokens, batch references. Any evidence. Per-step.
A signed receipt binding the enforcement decision to the evidence that justified it. Court-ready. Regulator-ready. Written before the action ran — not reconstructed afterward.
"Can I show my lawyer what
the AI did last Tuesday?"
That question isn't about enforcement. It's about evidence. GDPR doesn't just require AI to behave correctly — it requires proof. Article 5(2): demonstrate accountability, don't just claim it. Article 22: document automated decisions that affect people. Article 30: maintain records of processing activities. These obligations apply to every business running AI that touches personal data — not just high-risk systems under the EU AI Act.
AgenticRail's receipt chain answers all three. Not as a side effect. Structurally. Every action that ran through the gate has a signed receipt — timestamped, sequenced, sealed. The receipt wasn't written after the fact. It was written before the action executed. That distinction is everything in a compliance context.
Must demonstrate compliance, not just comply. The receipt chain is the demonstration — signed facts that cannot be reconstructed after the fact, not self-reported logs.
Transparency obligations for automated decisions about people. Every gate decision is timestamped and preserved — the exact moment it was made, the exact conditions it was made under.
Systematic documentation of what the AI does. AgenticRail produces this automatically — one receipt per action, one verifiable report per sequence. No extra instrumentation.
Logs are self-reported. Receipts are structural evidence. An auditor cannot distinguish a genuine log from a reconstructed one — but they can verify a receipt chain cryptographically.
payload_hash) and stores the fingerprint — not the content. An auditor verifies the receipt chain and proves what happened without ever seeing your payload. The proof and the data stay separate.
"My lawyer asked what the AI did. Not what we intended. What it actually executed, step by step, at the time it ran."
Yes. Pull the sequence ID. Generate the report. Every step, every decision, chain-verified, signed. One command.
Receipt chain detail — GDPR mapping, receipt anatomy, audit report → · See a live compliance report →
Start free. Scale when ready.
Free tier available immediately — no signup, no commitment. Production plans from $399/month. Three capability tiers: enforcement, remote policy maps, execution plugin. We run AgenticRail on our own AI infrastructure — the live dashboard shows real enforcement calls, not a demo.
Deterministic AI governance — answered.
Real answers to the questions engineers and compliance teams ask before adopting AgenticRail. For deeper technical detail, see the API documentation and blog.
What is the difference between probabilistic and deterministic AI agents?
Probabilistic AI agents — LLMs and neural networks — generate outputs based on statistical likelihoods. The same input can produce different outputs, steps can be skipped if the model infers they are unnecessary, and actions can be hallucinated as complete. Deterministic AI agents enforce strict, reproducible execution paths: each step must satisfy defined preconditions before proceeding. AgenticRail adds a deterministic enforcement layer on top of probabilistic models, ensuring the agent's sequence is governed by cryptographic gate decisions rather than model inference alone. See our full comparison →
How to implement deterministic AI in regulated industries?
Regulated industries — finance, healthcare, legal, critical infrastructure — require that AI agent actions are auditable, reproducible, and cannot be silently skipped. Implementing deterministic AI means: (1) define your agent's spine as an ordered list of mandatory steps, (2) call the AgenticRail gate before each step executes via a single POST to /v1/evaluate, (3) proceed only on ALLOW, halt on DENY, (4) collect the cryptographic receipt chain. This chain constitutes a tamper-evident compliance record compatible with ISO/IEC 42001 AI management system requirements and EU AI Act traceability obligations. The gate decision precedes the action — there is no window in which the model can execute without gate authorisation.
What frameworks exist for agentic AI governance in 2026?
The primary frameworks for agentic AI governance in 2026 are: the EU AI Act (Regulation 2024/1689) — in force from August 2024, with high-risk AI obligations phasing in through 2026–2027; ISO/IEC 42001:2023 — the international standard for AI management systems; and NIST AI RMF 1.0. These frameworks define what governance must achieve — algorithmic accountability, human oversight, traceability — but not how to enforce it at the infrastructure level. AgenticRail is the enforcement layer: every agent action is gate-evaluated and receipt-stamped, producing an immutable audit trail that these frameworks require. See how AgenticRail maps to EU AI Act obligations →
How to prove AI sequence compliance for the EU AI Act?
EU AI Act Article 14 requires that high-risk AI systems incorporate human oversight measures that allow operators to intervene or halt the system. Proving compliance requires evidence that these measures actually fired — not documentation that they exist. AgenticRail produces this evidence: each sequence generates a receipt chain where every step's gate decision is HMAC-signed, timestamped, and stored immutably in R2. The compliance report endpoint (POST /report) generates a verifiable chain proof and compliance narrative for any sequence ID. This constitutes the technical documentation required under Article 11 and the logging required under Article 12 of the Act.
How does AgenticRail prevent replay attacks on AI agent sequences?
AgenticRail uses Cloudflare Durable Objects as a single-threaded nonce ledger per sequence. Each request must carry a unique nonce; the Durable Object rejects any nonce it has seen before (REPLAY_NONCE). Payloads timestamped more than 300 seconds from server time are also rejected (STALE_TIMESTAMP), eliminating the attack vector of capturing a valid payload and replaying it with a fresh nonce after a delay. Once a sequence reaches its final step, it is cryptographically sealed — no further steps are accepted for that sequence ID, ever.
How do I verify that my AI agent's sequence was enforced?
Every enforcement decision produces a cryptographic receipt — HMAC-signed, chained to the previous receipt, stored immutably in R2. You can verify any sequence in seconds: run a scenario on the demo page, copy the sequence ID, and paste it at report.agenticrail.nz. You'll get a full compliance report showing every step's decision, chain verification, and an AI-generated compliance narrative. No login required. No API key needed for demo sequences. The receipts are public — anyone can verify them.
What makes AgenticRail different from logging or monitoring tools?
Logging and monitoring tools observe what happened after the fact — they rely on the AI agent to accurately report its own behaviour. AgenticRail sits beneath the agent at the infrastructure layer and blocks non-compliant actions before they execute. The enforcement core is air-gapped — it has no public route, only accessible via authenticated service bindings. Every decision produces a cryptographic receipt that cannot be altered after the fact. Logs are self-reported. Receipts are structural evidence. An auditor cannot distinguish a genuine log from a reconstructed one — but they can verify a receipt chain cryptographically.
How do I get started with AgenticRail?
Three paths. Test immediately: use the public demo key DEMO-AGENTICRAIL-PUBLIC-2026 — no signup, no payment. Hit the API endpoint or use the interactive demo. Build your workflow: use the Workflow Builder — pick an industry template, generate a curl command, get your first ALLOW in 60 seconds. Production: choose a plan on the pricing page, complete Stripe checkout, and your API key arrives by email automatically. Full self-onboarding — no human involved.
"You cannot undo a cut. The gate enforces that — before the cut is made."
AgenticRail is built from whakairo — Māori carving philosophy. The chisel has no ctrl+z. Every committed action has consequence. The gate applies that discipline to AI agents.
The same law runs Rātā Gate — a generative visual engine that withholds expression until rhythm is achieved. Built in Hokianga, Aotearoa. Sequence is law.