Every AI action. Enforced before it happens.
VisIQ operates at the execution boundary — where AI agents act — not downstream where it's already too late. 4 modules. 1 total control plane.
What happens between “run” and “done”
Every request an AI agent makes passes through this sequence — in real time, before any data moves.
Execution Boundary
Browser-native request interception using MV3 service worker + declarativeNetRequest. The request is held at the network boundary — not forwarded — until ALLOW decides. There is no code path around this.
Decision Authority
The hero module. Validates agent intent against policy using P19 (intent congruence) and P20 (contextual validity). Low-risk executes automatically. Elevated risk triggers Step-Up review. Fail-closed by design.
Delegation Enforcement
Validates the authority chain for agent-to-agent and human-to-agent delegation. When an action exceeds granted scope, ORCHESTRATE blocks and triggers a revocation cascade — session suspended, delegator notified.
Proof Layer
Cryptographically signed receipt of every enforcement decision — written before the action is released or blocked. Not a log. A proof. Ed25519-signed. Append-only. Tamper-evident. Impossible to backfill.
What actually happens, step by step
This is not middleware. This is not a proxy. Here is exactly what occurs when an AI agent makes a request inside a VisIQ-governed session.
ISOLATE intercepts the outbound request
ISOLATEThe moment an AI agent fires an outbound request, the Chrome MV3 service worker intercepts it using
declarativeNetRequest. The request is paused at the network boundary. Nothing is forwarded. The agent cannot bypass this — there is no code path around it in a managed browser session.ALLOW validates intent against policy
ALLOWALLOW receives the intercepted request and evaluates it against your policy engine. P19 validates the agent's declared intent against what was actually observed — executed scope must equal approved scope. P20 checks contextual validity: is this request consistent with the session, the user, the policy, and the moment? The Trust Core engine runs in milliseconds.
Human approval — when the risk warrants it
ALLOW · Step-UpWhen policy confidence falls below threshold — high-risk action, novel intent, PII in scope — ALLOW triggers a Step-Up. A human reviewer receives a structured approval request showing the agent, the action, the data scope, and the full context. The request waits. The reviewer decides. The agent cannot self-approve.
ORCHESTRATE validates the delegation chain
ORCHESTRATEWhen an agent is acting on behalf of another agent or a human principal, ORCHESTRATE audits the full authority chain. It checks that the action falls within the scope the delegating principal actually granted. If the action exceeds that scope — wrong environment, wrong data class, wrong capability — ORCHESTRATE blocks it and triggers a revocation cascade: the session is suspended and the delegator is notified immediately.
RECORD seals the decision as proof
RECORDBefore the request is released or denied, RECORD writes a cryptographically signed receipt: the agent identity, the action, the policy outcome, the reviewer if any, the ORCHESTRATE delegation verdict, and the timestamp. Signed with Ed25519. Written before output is sent — not after. This is not a log. This is a proof artifact that cannot be backfilled.
Execute or Block — with an immutable record
ISOLATE releases the request if ALLOW approved, or drops it if ALLOW denied. Either way, RECORD holds the signed proof of what happened and why. In every outcome, the chain of custody is complete. Regulators can audit it. Lawyers can use it. You can prove what your AI did — or didn't do.
- Decision
- BLOCKED (ESCALATED → HUMAN APPROVED BLOCK)
- Agent
- [email protected] → DeepSeek R2
- Action
- bulk_customer_upload
- Approver
- Chris Mancuso · Platform Admin
- P19 · Intent
- FAIL — executed scope ≠ approved scope
- P20 · Context
- PASS — session valid at t-exec
- ORCHESTRATE
- PASS — delegation chain valid
- Written at
- 2026-05-26T14:32:07Z · before output sent
Ed25519:8df5552534928dfc9f6da5f4b04ec235e540febd2586e3cd7a1f49b30882a3c4
Built for frictionless autonomy.
Most AI actions execute automatically under policy. Human review is reserved for elevated risk, novel intent, or context change — not the default.
- Action scope — what the agent is trying to do and how much
- User posture — identity, session history, access tier
- System sensitivity — the resource being touched and its classification
- Policy congruence — does intent match what was authorized (P19)
- Contextual validity — is approval still valid at execution time (P20)
- Most requests execute instantly — no human in the loop
- Policy handles the routine; humans handle the novel
- Every human decision feeds back into policy — the queue shrinks over time
- Agents learn their approved scope; escalations become the exception
- Full enforcement without operational drag
How the queue shrinks
Every decision teaches the system. Escalations become the exception, not the default.
- 1First occurrence
An unfamiliar action is intercepted. ALLOW has no prior policy for this exact pattern — so it escalates to a human reviewer. The agent waits.
- 2Human decides — and the system offers to remember
Approve or reject. Immediately after, VisIQ presents a “Save as Runtime Policy” card — pre-filled conditions, one click to add. The decision becomes a rule.
- 3Second occurrence — handled automatically
The same pattern fires again. This time ALLOW has a policy for it. The request is resolved in milliseconds — no escalation, no human involved, signed receipt written automatically.
- ✓The queue gets shorter — automatically
Every human decision narrows the space of what requires review. Over weeks, the escalation queue reflects only genuinely novel risk. The system becomes more autonomous — without becoming less safe.
As policy coverage grows, only genuinely novel risk reaches a human.
Human review becomes the exception — not the workflow.
VisIQ minimizes human intervention while maximizing execution trust.
Observation is not enforcement. Logs are not authority.
Every other approach watches what happens after the fact. VisIQ operates at the point of execution — before the data moves, before the action completes, before the damage is done.
- No inventory of which AI services are in use
- No policy on what data can be shared
- No proof any interaction was authorized
- ✕
Observes — does not stop. DLP and CASB platforms see what's happening. They don't intercept it.
- ✕
Logs what happened — after it happened. SIEM and audit trails operate post-hoc. The breach is already complete.
- ✕
No cryptographic proof. Logs can be altered. There is no signed, immutable chain of custody for AI actions.
- ✓
Intercepts at the network boundary. ISOLATE holds every request. The agent cannot proceed without authorization. Fail-closed.
- ✓
Proof before the action completes. RECORD seals a signed receipt before output is sent — regardless of outcome.
- ✓
Human authority in the execution path. Step-Up is built into ALLOW. The agent waits. The human decides. The decision is recorded.