AGP compiles your SOPs into Lean4 canonical proofs and runs them as a CEDAR-backed validation gate in front of every agent action. Non-compliant paths terminate before generation - not after. Deterministic by construction, model-agnostic, audit-defensible.
Every governance technique in production today operates inside the probabilistic substrate of the model. Each lowers the probability of violation; none eliminates it. The ceiling is not a tooling gap - it's a property of probabilistic systems.
The numbers below are drawn from public benchmarks (HarmBench 2024, Lakera technical disclosures) and from production telemetry across guardrail and output-filter deployments.
System-prompt instructions live inside the same probabilistic context window the model uses to reason. They compete for attention with user messages - and lose. Conversational pressure, multi-turn structuring, and novel phrasings bypass guardrails that the model classifies as "instructions" rather than "constraints."
8-15% jailbreak rate - HarmBench 2024Filters fire after the model has already committed compute and made the decision. Only the surface response is suppressed; the internal violation has already happened, partial outputs may have crossed boundaries, and tool calls may have been issued. Every block is evidence of what the agent attempted, not proof of what it would not have done.
250-450ms median latency before blockEvery detector - prompt-injection, output-filter, conversation-rail - is itself a learned classifier. It catches what its training data prepared it to catch. Cross-language attacks pass; novel formulations pass; semantic edge cases pass. There is no decidable artefact you can show a regulator that says "this rule was provably enforced."
0 machine-checkable proofs in standard stacksThe architectural question follows: can a single design eliminate violation as a possibility, rather than reduce its probability - without leaving the probabilistic substrate?
Lakera, Guardrails AI, and NeMo Guardrails each get something right - and each is excellent for the failure mode it was designed to catch. None is positioned to deliver deterministic, pre-execution, audit-defensible enforcement of business rules, because the architecture they share is a learned classifier, not a proof.
"Is this prompt malicious?" is a probabilistic question. The detector reduces violations; it cannot eliminate them.
A schema validator catches malformed output. It cannot catch correctly-formed output that violates policy.
Keeping a chatbot from discussing competitors is a different problem from preventing a non-compliant action.
All three are valuable. None is sufficient. AGP does not displace any of them - it sits in the architectural layer they cannot reach: deterministic, pre-execution, business-rule enforcement.
For any probabilistic system with non-zero violation probability p per request, the probability of at least one violation in N requests is:
As N grows, P approaches 1. No probabilistic governance technique escapes this: lower the per-request violation rate by 10x and the probability of at least one violation across a year of enterprise traffic still approaches certainty. The deterministic alternative is the inverse: validate the action against a proof before generation. If the proof holds, the action proceeds. If it does not, the action terminates. P(violation | rule authored, proof valid) = 0 - by construction, not asymptotically.
The honest bound: this only holds for rules that have been authored. AGP enforces what you write into it. Un-thought-of edge cases pass through. Rule completeness remains a human responsibility - but every authored rule is unbreakable. We address the bound directly in Section Limitations.
Numbers below reflect production observations across pilot deployments. AGP's deterministic claims (zero violation, decidable artefact) follow from the architecture, not from measurement. Latency claims are measured.
For authored rules with a valid Lean4 proof. By construction.note
Median CEDAR validation latency. P95 under 18ms across pilot rule sets.
Every action carries a Lean4 proof reference and a CEDAR evaluation trace.
Works with GPT, Claude, Gemini, Llama, Qwen - any model, on-prem or hosted.
AGP's CEDAR-based runtime evaluates a typical rule set in single-digit milliseconds; competing techniques add classifier inference (Lakera), conversation-rail recognition (NeMo), or full output regeneration cycles (Guardrails AI on retry). Numbers reflect single-request median across pilot deployments; full methodology and reproducible test harness coming alongside the benchmark report.
| Dimension | Lakera | Guardrails AI | NeMo Guardrails | AGP |
|---|---|---|---|---|
| Validation primitive | Classifier | Schema validator | Rail recogniser (LLM) | Mathematical proof |
| Validation timing | Pre-call (prompt) | Post-call (output) | Mixed | Pre-execution (action) |
| Rule semantics | Adversarial patterns | Output structure | Conversation flow | Business rules + aggregates |
| Median latency down | ~80 ms | ~350 ms | ~250 ms | ~8 ms |
| Audit artefact | Confidence score | Schema result | Rail log | Lean4 proof + CEDAR trace |
| Failure mode | Probabilistic miss | Probabilistic retry | Probabilistic recognition | Deterministic block |
| Cross-language coverage | Training-set bound | Schema-bound | LLM-dependent | Language-independent |
| Compliance evidence | None | Limited | Limited | Comprehensive |
note The "0% violation" claim applies to authored rules with a valid proof. Rules that have not been authored cannot be enforced. AGP makes authored rules unbreakable; rule completeness remains a human responsibility. Latency numbers are single-request medians from pilot deployments; reproducible benchmark harness, full methodology, and the comparison study against Lakera / Guardrails AI / NeMo are being assembled into a public benchmark report. Public timelines: end-Q2 2026.
A policy document enters the pipeline once. Rules are extracted, reviewed, structured, and compiled into Lean4 proofs and CEDAR policies. From that point on, every agent action is validated against the compiled policy set - deterministically, in single-digit milliseconds, before generation.
A flat ruleset doesn't model how organisations think about policy. AGP files every rule into a four-tier structure that mirrors the real-world hierarchy: jurisdiction inherits, domain refines, use case specialises, flow operationalises. Override and reuse become first-class - and templates emerge naturally at the upper tiers.
An agent attached to this flow inherits all four tiers' rules - evaluated as a single composed CEDAR policy set at runtime.
RBI Master Direction caps unsecured loans - KYC documentation per PMLA - customer-protection mandates - DEPA consent flow.
Aggregate exposure limits - interest-rate disclosure rules - required risk-warning language - escalation matrix for large-ticket products.
Tone constraints - PII handling for chat - auto-escalation triggers - forbidden topics list - in-channel data retention policy.
DTI threshold - pre-approval data set - rate-quote freshness window - required fields before pre-approval emit - approver tier above Rs 50L.
Every action the agent takes is evaluated against the composed policy set in a single CEDAR call. Override semantics are explicit; an inner-tier rule that loosens a constraint is recorded as an override, not a silent re-interpretation.
Tiers 1 + 2 form system templates reusable across organisations in the same jurisdiction and industry. A new Indian bank onboarding to AGP starts from a curated India + Banking template - they author only their organisation-specific deltas.
When an agent intends to take an action, AGP renders that action as a CEDAR request and evaluates it against the active policy set - twice. Once before the model is invoked (request validation), once after the model proposes its plan (action validation). Both gates emit decidable artefacts.
For every permit decision, the policies that fired carry their compiled Lean4 proof artefact. The proof is canonical, mechanically checkable, and reproducible. For a regulator asking "how do you know this was compliant?", the answer is the proof.
The full evaluation trace: which policies were considered, which fired, which abstained, which conflicted. This is what a compliance reviewer reads to understand why the system reached its decision - not a summary, the raw evaluation artefact.
Timestamp, agent identity, user identity, request context, policy versions in effect. The audit trail is immutable, append-only, and addressable by request ID. Replay any historical decision against any policy version for audit-trail integrity.
The pairing of pre-generation request validation and post-generation action validation closes the loop. There is no point in the lifecycle at which a non-compliant action reaches the user.
Seven operations cover the full lifecycle of governing an agentic system: extracting rules, editing thresholds, managing dependencies, sharing templates, attaching governance to agents, and propagating it across multi-agent networks. Each is one click - no code path through engineering.
Switch any rule on or off from the admin UI. Toggled-off rules stay in the system as versioned artefacts; reactivation is one click. The difference between a governance layer engineering owns and one compliance owns.
Rules depend on rules. AGP tracks dependencies as a graph and warns before destructive changes - every disable surfaces the affected rules so impact is reviewed before commit. No silent breakage.
Edit thresholds, time windows, currencies, and named entities directly. Changes propagate to every agent in the next CEDAR evaluation. Versioned: replay any historical decision against any rule version.
Upload new SOP versions whenever a policy changes. AGP proposes the deltas - new rules, modified parameters, removed rules - for admin review. Continuous extraction keeps the rule set current.
When rule groups are shared across organisations as templates, organisation-specific identifiers are stripped automatically. Functional logic preserved; proprietary names and entities scrubbed.
Inside Vanij's Agent Studio, a dropdown attaches an AGP template to any agent at design time. The agent inherits the rule set and validates against it at runtime - governance ships with the agent.
In multi-agent flows, a shared AGP template applies network-wide. Whether the network has two agents or twenty, every agent evaluates against the same composed CEDAR policy set. Without this, multi-agent systems regress to the worst-case behaviour of any single agent. With it, the entire network inherits the governance posture of the template.
Every rule group authored on AGP becomes a candidate template. Templates are the structural mechanism by which the platform's value to the next customer compounds with every previous customer's authoring effort. Anonymisation makes cross-organisation sharing safe.
Anchored to a jurisdiction and an industry. Curated by Adya in collaboration with regulatory experts and partner organisations. Encode the rules that apply to every organisation in that segment.
A new Indian bank attaches this template and starts with regulatory baseline coverage - they author only their organisation-specific deltas.
More granular. Anchored to a specific department and operational flow. Authored by the organisations using AGP and shared back, anonymised. Every bank's loan enquiry flow has variants - but they share 70-80% common shape.
A bank refines this over six months in production; they publish the anonymised version. The next bank adopts it as a starting point and customises from there.
The functional logic - rule structure, thresholds, dependencies, override semantics - is preserved. The proprietary details - internal product names, system identifiers, named entities, organisation-specific approval roles - are scrubbed at template-publication time. The original organisation retains the unanonymised version; the published template is a sanitised projection.
Every new rule group authored expands the template library. Geographies, domains, and use cases that have a few templates today will have many in two years. The library map is a live, growing artefact.
Templates that are widely adopted accumulate refinement. With a hundred organisations on a template, the bugs and gaps get found and fixed. A template six months from now is sharper than one today.
A new organisation onboarding today might need three to six months to author a comprehensive rule set from scratch. With templates, the same organisation runs deterministic governance in days, with refinement happening in flight.
The shape of the moat is the same one Linux, GitHub, and Stack Overflow each built: the artefact library matters more than any single artefact.
AGP is a powerful system because it is honest about what it does - and what it does not do. The mathematical floor is real. So is the limit. This section is load-bearing: mis-stating the bound damages every other claim on this page.
The "0% violation" claim is conditional on a rule being authored. A bank that has authored rules about loan thresholds, KYC requirements, and aggregate exposure - but has not authored a rule about a novel cross-product structuring scheme that emerges in 2026 - will not be protected by AGP against that scheme. AGP will faithfully enforce every rule in the system; it will not invent rules that do not exist.
This is not a deficiency of AGP. It is a property of any rule-based system. Fire codes, traffic laws, and accounting standards all share this shape.
AGP can accelerate rule authoring (the deep research agent ingests a regulatory corpus in hours rather than months), structure it (the four-tier hierarchy is a clear taxonomy), and maintain it (continuous document extraction keeps rules current). It cannot do the work. Compliance teams remain the authors. Legal teams remain the reviewers.
For prospective customers: the value depends on the rule-authoring effort. Thin rule set -> thin protection. Comprehensive authoring -> comprehensive protection.
For the long tail of scenarios no one has thought of yet, probabilistic detection - output filters, anomaly classifiers, behavioural monitors, human-in-the-loop review - remains the only available technique. AGP does not displace these; it relieves them of routine compliance load so they can focus on novelty. Deterministic for known rules, probabilistic for unknown unknowns.
The pattern is the one used in security architecture: deterministic controls handle the 99% case, detection-based controls handle the long tail.
AGP is a powerful tool because it is honest about what it does and does not do. The mathematical floor is real for authored rules. Beyond authored rules, the work remains human.
AGP runs as a Vanij module today. The external API - currently in flight - exposes the same pre-execution gate as a model-agnostic compliance call for agents not built on Adya. SDKs in Python, Node, and Go. Per-call pricing, volume tiers, enterprise SLAs.
Adya
from agp import AGP
agp = AGP(template="india.banking.cs.loan_enquiry")
# before invoking your model - check the action
decision = await agp.validate(
principal={"agent_id": "loan-bot-v3"},
action="approve_pre_qualification",
resource={"customer_id": "C-91204",
"loan_amount": 7500000,
"product": "home_loan"},
context={"dti_ratio": 0.52,
"kyc_status": "verified"},
)
if decision.permitted:
# proceed - proof attached to decision.proof_ref
response = await model.generate(...)
else:
# structured refusal - rule(s) named in decision.violations
return agp.refusal(decision)from agp import AGP
agp = AGP(template="india.banking.cs.loan_enquiry")
# for any historical decision - get the full artefact
record = await agp.audit(
request_id="req_01HXKR5...",
)
# Lean4 proof reference (canonical, machine-checkable)
print(record.proof_ref)
# -> "lean4://india.banking.dti_threshold@v3"
# CEDAR evaluation trace (which policies fired)
print(record.cedar_trace.policies_fired)
# -> ["dti_max_50pct", "kyc_recency_30d", ...]
# decision provenance
print(record.decision) # PERMIT | FORBID
print(record.policy_version) # the rule set in effect
print(record.timestamp) # RFC 3339Adya-managed endpoint, on-prem deployment, or air-gapped install for regulated workloads. Same SDK shape across all three.
CEDAR runtime keeps validation overhead in the single-digit milliseconds at p50, sub-20ms at p95 across pilot rule sets.
First-class SDKs in three languages. REST and gRPC interfaces for everything else. Per-call and volume-tier pricing.
The core engine is shipped and in production. The external API is in flight. The learning-governance and open-protocol phases are mapped. Status is current as of May 2026 - and is updated as phases land.
The deterministic floor. Document upload & processing, NLP rule extraction, four-tier hierarchy, rule toggle, real-time editing, Lean4 proof generation, CEDAR runtime, pre-execution validation gate, Agent Studio integration.
Operational scale. Dependency management with impact warnings, template anonymisation, cross-organisation template sharing, Multi-Agent Orchestration template propagation, advanced search and filter in the template browser.
AGP exposed as a model-agnostic compliance API for agents not built on Vanij. Per-call pricing, volume tiers, SDKs in Python, Node, and Go. Enterprise contracts with SLA guarantees. The strategic decoupling: AGP becomes the deterministic layer for any agentic system, regardless of underlying platform.
From a static rule engine to a learning system. Performance analytics, automatic rule refinement from outcome data, predictive rule suggestions for new organisations based on comparable patterns, dynamic rule confidence scores, anomaly alerts for dead or broken rules.
The infrastructure for this - rule firing logs, outcome tracking, decision provenance - is being captured from Phase 1 onward. The data is already accumulating.
The AGP protocol specification and reference implementation released as an open standard. The intent: establish AGP as the deterministic governance layer of the agentic AI stack - the way HTTP, OAuth, and OpenTelemetry became standards for their respective layers.
Open protocol does not displace the commercial offering. The pattern is the one used by NVIDIA with CUDA and the Linux Foundation with the kernel: free protocol, commercial implementation, network effect.
The full paper, the citations the architecture stands on, and the comparison cohort it positions against. Reproducible benchmark harness ships alongside the public benchmark report (end-Q2 2026).
The full whitepaper. 11 sections covering the architectural premise, the mathematical floor, the four-tier hierarchy, the Lean4 + CEDAR pipeline, the empirical comparison, the honest bound, and the production use cases.
Get the paperAGP is shipped today. The core engine, four-tier hierarchy, Lean4 proofs, CEDAR runtime, and pre-execution gate are live. The external API is in flight. If you are deploying agents in regulated workflows, the layer that makes "probably compliant" into "provably compliant" is available now.