Subnet345

The product

The era of agents is here.

Coordination across agents. Policy enforced at the moment of action. An audit chain the auditor can interrogate. Deployed inside your boundary, air-gapped where the workload requires it. One substrate, four properties, every action attributed.

§ 01 Four properties

01

Coordination

Your workload is not a single prompt. It is a chain.

An agent receives the work, hands off to the next agent, which hands off again, down to the agent that records the outcome. Each handoff is itself an action that needs attribution, and each receiving agent decides on the previous agent's record. The seam between agents is where the work actually lives, and the seam is what coordination governs.

  • The chain is legible at every link: which agent acted, which received, in what order, on which data, under which policy.
  • Handoffs carry the record forward. The receiving agent inherits the audit context the prior agent emitted, not a summary of it.
  • Branching is governed. When a decision splits into parallel actions, every branch is tracked as an attributed action of the agent that branched.
  • Multi-agent dependencies surface where the work crosses. Asking which agent did this gets an answer, not a guess.

02

Policy-as-code

Policy is code. Code is enforced at the moment of action. A refused action is itself a recorded action.

The policy that authorizes an agent action is not a slide, a wiki page, or a guardrail that catches mistakes after the fact. It is code, reviewed by your team, deployed alongside the substrate, and enforced at the decisional event by the substrate itself. The agent does not run the action; the substrate runs the action when the policy permits it.

  • Reviewable: pull-request review by your model-risk, compliance, and security functions. The version that authorized an action is the version the auditor reads.
  • Testable: the substrate runs the policy against representative actions before it lands. Coverage of the decision space is a property of the policy.
  • Enforced where the action happens: not at an API gateway, not at a dashboard watching afterward, but at the moment of action.
  • The refusal is the record: a refused action is an attributed audit event showing the agent that attempted, the policy that refused, and the conflict.

03

Immutable audit

The record of what happened cannot be altered after the fact. By anyone.

Each recorded action is hashed into a chain whose continuity an auditor can prove was not altered, from the first record to the current state. Operators cannot rewrite the record. Agents cannot rewrite the record. The substrate cannot rewrite the record.

  • Hash-chained at write: each action's hash includes the prior action's hash, so the chain verifies from any point back to the start.
  • Retention that satisfies the audit window, held for the required retention period, not at the operator's discretion.
  • Integrity is provable, not asserted: the verification is something an auditor runs, not something the operator certifies.
  • The record is the action. There is no separate logging layer to fall behind or drop fields. The substrate does not run unless the record is captured.

04

Tamper-evidence

If the record is altered, the substrate detects it. The auditor sees the alteration.

Tamper-evidence is a property of how the chain is built, not a feature added on top. Any modification to a recorded action, to the substrate that holds the chain, or to a system upstream of it produces a chain that does not verify. The auditor running the verification sees the failure.

  • Alteration of a recorded action breaks the chain; the verification fails.
  • Alteration of the substrate that holds the chain breaks the chain; the verification fails.
  • Alteration upstream (the agent, the policy, the data) is itself a recorded action, attributable to whoever caused it.
  • It is built to be auditable not because the operator is trusted, but because the auditor trusts no operator.

§ 02 How it works

Governed autonomy, licensed by tier

Four classes of agent, four levels of trust. You move up the ladder as the audit trail earns it.

  • Supervised for the agent the operator watches; every action approved before it runs.
  • Coordinated for the multi-domain agent, governed within policy, every handoff attributed.
  • Autonomous-within-Policy for the agent that decides on its own, inside bounded authority.
  • Air-gapped for the workload where the data does not leave the boundary, by construction.
Read the full harness autonomy tier ladder →

Policy-as-code, in practice

The policy lives in your repository. The review goes through your pull-request process. The deployment ships through your release pipeline. The substrate runs the policy against the agent's proposed action and records the decision it makes.

The team responsible for the policy reads the policy. The auditor reads the policy. The substrate enforces it. The agent does not negotiate with it.

The audit chain, in practice

When an agent acts, the substrate records the action and attributes it: the agent, the time, the data it saw, the policy that authorized it, and the parent action that produced it. The record is hashed into the chain. The chain ships to retention.

When the auditor arrives, the auditor runs the verifier. The verifier walks the chain. The chain either verifies or it does not. This is how someone asks to see the trace and gets an answer.

§ 03 Deployment

Inside your perimeter. The substrate is air-gap-capable today; the models are not.

The substrate runs where your workload runs: private cloud, on-premise, or air-gapped infrastructure. The deployment posture is your decision, workload by workload.

For the highest-tier workload, air-gapped deployment is what the auditor expects. An air-gapped deployment, by construction, cannot constitute a data transfer to a vendor. The data does not leave the boundary. The substrate operates without external network connectivity, and the audit chain ships to retention inside the boundary being audited.

What zero cloud dependency means for the substrate

The substrate does not require an outbound connection to a vendor cloud to operate. It does not phone home. It does not require a vendor-managed coordination service to enforce policy, or a vendor-managed surface to produce the audit chain. You run the substrate. You audit what it produced.

When posture is the differentiator

An organization running multi-agent production cannot depend on a switch held in a room you do not reach. The deployment posture is what answers the operational-continuity question, the data-residency question, and the sovereignty question. We build the substrate that lets you choose the posture the workload requires, and operate it where you operate every other governed system.

§ 04 Engagement

From Discovery to Pilot to Design Partner.

Each tier of engagement is sized to the workload it serves. Nothing skips a tier on the substrate an auditor will ask about.

Discovery

Bounded and paid. Produces a workload map and a substrate-tier recommendation against your governance posture, the artifact your risk, audit, and finance functions read together. It is not a pitch. It is the first piece of work.

Pilot

A defined workload, deployed on the substrate, inside the boundary you choose. The Pilot proves the substrate produces the audit chain your auditor accepts, scoped to a workload your team can supervise.

Design Partner

The workload runs on the substrate. The audit chain is the system of record. The team that owns the workload owns the policy that governs it, operated against your SLOs and your audit demands.

Pre-launch · first design partners

Become a design partner.

We are pre-launch and selecting our first design partners carefully. The Discovery cycle is the first conversation: bounded, paid, and it produces an artifact you can take to your board. If you are running multi-agent production and the audit cannot answer the question your auditor is now asking, that is the conversation we are here to start.

Become a design partner →