Control

They say agentswon't follow rules

They're right — self-restraint doesn't scale. So Perstack doesn't ask the agent to behave: every operation passes a rule engine, outside the model, before anything commits.

A rule's life

Who writes the rules, where they live, what enforces them, and how they change — the four questions that decide whether control is real.

Written

By you, in plain text. The design AI drafts rules from your description; you read and edit them like any document.

Lives

Inside the workflow definition — not in a prompt. Versioned, with every change recorded.

Enforced

The rule engine checks every operation request before commit. The agent's cooperation is not required.

Changed

As a definition change, with a diff and a date. You can audit when a rule took effect.

The four kinds of rules

  • DataAn amount is always positive; an invoice number never repeats

    The shape of the data itself — a write that violates it cannot exist.

  • ProcessReceived → matched → posted, in that order

    The shape of the process — steps cannot be skipped.

  • OperationA payment over the cap stops as “Amount exceeds the cap”

    Each operation declares how it can fail, and stops there.

  • ApprovalCommitting a payment is a person's decision

    Where a person decides is written in the definition, not left to the agent's judgment.

Commit control

The model asks. Runtime decides what commits.

Operation intent enters the system, deterministic checks run outside the model, and only passed or approved operations write.

Operation: publish a skill sheet

Actor
Interview AI
Policy
Write guard
Commit
held
  1. 1. Intent

    from the agent

    The agent asks for a named operation, with its inputs and the business state it depends on.

    request queued

  2. 2. Decision

    outside the model

    Runtime returns pass, wait-for-approval, or block — before any write reaches the database or a gateway.

    pass / wait / block

  3. 3. Record

    outside the agent

    Who asked, what was checked, what happened, and when — stored outside the agent.

    audit line appended

Commit gate

pending approval

No write reaches the database until the check clears or you approve.

The agent can retry from feedback. It cannot approve its own write.

The harness

Agent (AI)
Rule engine

every operation passes through here

1. Routine operation

passes → executes

2. Critical operation

approved → executes

3. Rule-breaking operation

blocked → rolled back

AUDIT RECORD

All three outcomes, recorded outside the agent's reach

The incident ledger —which defense stops what

The failure classes teams have actually met with agents, and the mechanism that makes each one structurally impossible here.

Money out the door

Over-cap payments, duplicate payments, paying a fraudulent invoice

Approval checkpointPre-commit rule check

Data destruction

Bulk deletes, “cleanups” that hit production

Allowed operations only

External communication

Mass mis-sends, promising terms to a customer

Approval checkpointAllowed operations only

Confidentiality & compliance

Data exfiltration, skipped credit or sanctions checks

GatewayPre-commit rule check

Internal control violations

Self-approval, changes with no trail, cutoff violations

Separation-of-duties rulesTamper-proof audit

Runaway loops

Retry storms, duplicated orders, exploding API bills

Pre-commit rule checkUnique constraints

Judgment overreach

Deciding credit, HR, or contract calls on its own

Approval checkpoint

Operating principle

Works exactly as written.Does nothing that isn't.

The agent can reason, ask, retry, and delegate. What exists, what can happen, and what must wait — the definition decides, and runtime enforces.

How we work

We don't ask you to trust the AI.We make the work inspectable.

The system comes first

What you evaluate is a running workflow — data, operations, rules together — not a chatbot pretending to operate.

Policy lives outside the model

Prompts may explain a rule. Runtime enforces it before the write lands.

Evidence before scale

You see the definition and the run records before any rollout conversation.

We say no when a lighter tool fits

If the job is drafting or search, Perstack is not the recommendation — and security, procurement, and data-residency constraints surface before production, not after.

Getting started

Bring one workflowthat already hurts

Rough notes are enough. No requirements document, no process map, no company-wide AI plan.

What to send

  • The workflow

    What starts it, what finishes it, which handoffs make it slow.

  • One hard rule

    The thing the AI must never do.

  • The system edge

    The database, SaaS, or internal API it reads or writes.

What comes back

A short memo, before any commitment:

  • Fit or not — if a lighter tool is enough, we say so
  • A first definition: trigger, finish line, rules, approvals
  • A sample of the run record you would inspect

Before you buy

Fit

Pick one operation

We map it into a first definition together. If it does not fit, that is the answer.

Month 1

Production

Core workflow live

Schema, integration, core operations — about 2 person-weeks of build.

Month 2

Steady state

Exceptions and routine

External edges, exception paths, monitoring, and the runbook.

Give AI one workflow.It can't break your rules.

Rough notes are enough: what starts it, one rule that cannot break, the system it touches. A short memo comes back — fit or not, a first definition, a sample run record.