Permit0 is the action authorization layer for AI agents — the deterministic policy enforcement between what an agent decides and what it executes. We provide a canonical taxonomy of agent actions across 20 domains, risk defaults, and compliance mappings. Built for engineering teams shipping agents into production with trust.
```python
import stripe
from permit0 import guard, permit


@guard
def refund_customer(charge_id, amount):
    # The policy check runs before any side effect; amount is in minor units (cents).
    permit.require("payments.refund", {
        "amount": amount,
        "actor": "support_agent_v2",
    })
    # Stripe's Refund.create takes keyword parameters, not a positional charge id.
    return stripe.Refund.create(charge=charge_id, amount=amount)


# agent fires this after a customer complaint
refund_customer("ch_3O9k...", amount=85000)
```
Identity layers control which agents exist. Observability layers report what already happened. Platform vendors govern only what runs inside their boundary. Cross-platform action authorization — the layer that decides whether a specific action gets to execute, in real time, before it does — is structurally opposed to every incumbent's business model. So we built it.
Built by engineers who shipped service infrastructure at Google Cloud and enterprise audit and trust at Salesforce. The architecture is published, the code is open, the risk model is mathematically defensible.
The decision path is rules and cryptography. No model sits in the hot path. Every block, allow, and escalation is replayable, signed, and grounded in a policy your team owns. AI helps author the policy. It never makes the call.
Salesforce Agentforce governs Salesforce. Microsoft Agent 365 governs Microsoft. Okta Agent Gateway governs identity. Permit0 governs the action — whether the agent reads from Salesforce, processes through OpenAI, and refunds through Stripe. One policy, one audit trail, one source of truth across every framework, every tool, every cloud.
Every policy engine ships an empty policy. Permit0 is the layer that ends the patching — providing central policy control, compliance-grade auditing, and the trust your team needs to deploy agents into production.
Stop writing permission checks inside agent code. Full risk taxonomy and production-grade defaults — pip install, ship.
Every framework, every tool, every team — each reinventing authorization. Permit0 is the single control plane. Write the policy once. Enforce it everywhere.
AI agents are your newest employees — no onboarding, no permission boundaries. 88% of organizations report AI agent incidents. Permit0 puts a deterministic gate between every decision and its execution.
Compliance has gone from quarterly review to deployment blocker. Permit0 gives your team replayable, exportable evidence — pre-mapped to the frameworks auditors already use.
Open source at the core. Self-hosted, managed VPC, or cloud — the policy decision runs where your data lives.
The deterministic policy engine. The Tool Action Compiler normalizes any tool call into a canonical action. The Risk Engine scores against 9 flags and 10 amplifiers. Two-stage review pairs a deterministic scorer with an optional LLM reviewer that can only deny or escalate — never approve. Capability tokens bind approved actions to payload hashes, constraint envelopes, and decision provenance.
Architecture spec →
A canonical taxonomy of 119 agent actions across 20 domains — each scored across 9 risk dimensions with opinionated defaults. Open, versioned, citable. The vocabulary your auditor can verify against and the substrate every Permit0 deployment runs on. Ship a policy-guarded agent in days, not quarters.
Read the spec →
Audit-of-record evidence designed for the frameworks regulated buyers already work with — EU AI Act, Colorado AI Act, NIST AI RMF, ISO 42001, SOC 2, FINRA, HIPAA, SR 11-7, and more. Built to be the certifying authority your auditor recognizes.
Compliance roadmap →
The taxonomy, the engine, and the deployment model are engineered for the auditor's spreadsheet — not just the developer's IDE.
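The decision path the engine card above describes (normalize the tool call, score it deterministically, let a second-stage reviewer only tighten the result, then bind the approval to a payload hash in a signed capability token) is easier to reason about with a concrete sketch. The block below is an added illustration, not Permit0's code or its real taxonomy: the tool-to-action mapping, the risk defaults, the flag and amplifier names, the thresholds, the constraint envelope and the HMAC signing key are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed vocabulary: raw tool names -> canonical actions (not the real taxonomy).
TOOL_TO_ACTION = {
    "stripe.Refund.create": "payments.refund",
    "stripe.Transfer.create": "payments.transfer",
}
# Constructed risk defaults per canonical action: base score and the flags it raises.
ACTION_DEFAULTS = {
    "payments.refund": {"base": 40, "flags": {"money_movement"}},
    "payments.transfer": {"base": 60, "flags": {"money_movement", "irreversible"}},
}
STRICTNESS = {"allow": 0, "escalate": 1, "deny": 2}
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # a real deployment would pull this from a KMS


def compile_action(tool_name):
    """Tool Action Compiler: map a raw tool call onto the canonical action vocabulary."""
    try:
        return TOOL_TO_ACTION[tool_name]
    except KeyError:
        raise ValueError(f"no canonical action for tool {tool_name!r}") from None


def payload_hash(payload):
    """Canonical JSON (sorted keys, no whitespace) so equal payloads always hash equal."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def score_risk(action, payload):
    """Deterministic Risk Engine: base score plus rule-based amplifiers (constructed)."""
    defaults = ACTION_DEFAULTS[action]
    score, flags = defaults["base"], set(defaults["flags"])
    if payload.get("amount", 0) >= 50_000:  # amplifier: high value (minor units)
        score += 30
        flags.add("high_value")
    if {"irreversible", "high_value"} <= flags:  # amplifier: irreversible AND high value
        score += 10
    return score, flags


def stage_one(score):
    """Rule thresholds (constructed): the only stage that can ever produce an allow."""
    if score >= 90:
        return "deny"
    if score >= 60:
        return "escalate"
    return "allow"


def stage_two(first, reviewer_opinion):
    """The optional reviewer can only tighten the decision; an 'allow' from it is ignored."""
    if reviewer_opinion not in STRICTNESS:
        raise ValueError(f"bad reviewer opinion {reviewer_opinion!r}")
    return first if STRICTNESS[reviewer_opinion] <= STRICTNESS[first] else reviewer_opinion


def mint_token(action, payload, decision, provenance):
    """Capability token: bind an approved action to its payload hash, a constraint
    envelope and the decision provenance, then sign the whole body."""
    if decision != "allow":
        return None
    body = {
        "action": action,
        "payload_sha256": payload_hash(payload),
        "constraints": {"max_amount": payload.get("amount", 0)},  # constraint envelope
        "provenance": provenance,
    }
    msg = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()}


def verify_token(token, action, payload):
    """Executor-side check: signature intact, same action, payload unchanged since
    approval, and the payload still inside the constraint envelope."""
    if token is None:
        return False
    body = token["body"]
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    if body["action"] != action or body["payload_sha256"] != payload_hash(payload):
        return False
    return payload.get("amount", 0) <= body["constraints"]["max_amount"]


def authorize(tool_name, payload, reviewer_opinion="allow", policy_version="demo-policy-v1"):
    """End-to-end decision path; returns (decision, token or None, replayable record)."""
    action = compile_action(tool_name)
    score, flags = score_risk(action, payload)
    first = stage_one(score)
    decision = stage_two(first, reviewer_opinion)
    record = {  # everything needed to replay the decision later
        "policy_version": policy_version, "action": action,
        "payload_sha256": payload_hash(payload), "score": score,
        "flags": sorted(flags), "stage_one": first,
        "stage_two": reviewer_opinion, "decision": decision,
    }
    token = mint_token(action, payload, decision, {"policy_version": policy_version, "score": score})
    return decision, token, record


if __name__ == "__main__":
    call = {"amount": 8500, "actor": "support_agent_v2"}
    decision, token, record = authorize("stripe.Refund.create", call)
    print(decision, verify_token(token, "payments.refund", call), record)
```

Two properties are worth noting. `stage_two` takes the stricter of the two opinions, so no reviewer output can turn an escalate or deny into an allow, which is what "can only deny or escalate" means in code. And because the token carries the SHA-256 of the canonical payload, an executor that re-hashes the payload it is about to send will refuse it if any field changed between approval and execution, even with a valid signature.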
Permit0 leads with the segments that need pre-execution evidence — not post-hoc detection. The 2026 regulatory clock is short.
Agents touching money have the highest blast radius. Refunds, transfers, ledger writes, KYC dispositions, SAR drafting. SR 11-7 and FFIEC examiners increasingly ask for pre-execution evidence on every autonomous action.
Voice and SMS agents under FDCPA, Reg F, and TCPA. Every outbound contact is a 7-in-7 / consent / time-of-day decision the CFPB can subpoena. Bureau-furnishing writes are irreversible under FCRA § 623.
Claim approve / deny / pay agents. EU AI Act Annex III explicitly lists insurance pricing and claims as high-risk. Denials carry UDAAP and bad-faith exposure under state DOI rules.
Privileged communications, contract drafting, e-signature dispatch. Lawyers understand liability instinctively — and they want the evidence trail, not just the audit log.
PHI access, clinical-note generation, patient-facing communication, prior-auth and claims agents. Every action touching a patient record is a HIPAA event. EU AI Act Annex III explicitly lists health AI as high-risk and requires deployment-time controls Permit0 enforces.
Resume screening, candidate scoring, performance assessment, benefits enrollment. EEOC has signaled AI hiring tools are subject to existing anti-discrimination law. NYC LL 144 mandates pre-deployment bias audits. Illinois AIVID and Colorado AI Act add state-level disclosure and impact-assessment requirements.
Free for high-growth fintech, insurtech, and healthtech teams shipping AI agents into production. Co-develop a vertical compliance pack with the founding team.
Survive the EU AI Act (August 2026) and Colorado AI Act (June 2026) without a retrofit.
Everything Permit0 enforces is documented, versioned, and verifiable.
The complete public specification of canonical actions, risk flags, and amplifiers.
Read the spec →
How the engine, capability tokens, and policy distribution work end-to-end.
Read the paper →
Articles 9, 12, and 14 mapped to default policies across actions — with sample evidence formats.
Download the brief →
Open source SDK, action packs, and the self-hosted policy engine. Apache 2.0.
View on GitHub →
Open source. Production-grade. Ready for the regulated verticals where post-hoc audit is no longer enough.