Technical Architecture

Every AI action. Enforced before it happens.

VisIQ operates at the execution boundary — where AI agents act — not downstream where it's already too late. 4 modules. 1 total control plane.

02 The Runtime Pipeline

What happens between “run” and “done”

Every request an AI agent makes passes through this sequence — in real time, before any data moves.

  • Agent: AI agent makes a request
  • ISOLATE: Intercepts & holds the request
  • ALLOW: Validates intent & policy
  • ▶ Release or ✕ Block
  • ORCHESTRATE: Validates delegation chain
  • RECORD: Seals cryptographic proof

ISOLATE

Execution Boundary

Browser-native request interception using MV3 service worker + declarativeNetRequest. The request is held at the network boundary — not forwarded — until ALLOW decides. There is no code path around this.

ALLOW

Decision Authority

The hero module. Validates agent intent against policy using P19 (intent congruence) and P20 (contextual validity). Low-risk executes automatically. Elevated risk triggers Step-Up review. Fail-closed by design.

ORCHESTRATE

Delegation Enforcement

Validates the authority chain for agent-to-agent and human-to-agent delegation. When an action exceeds granted scope, ORCHESTRATE blocks and triggers a revocation cascade — session suspended, delegator notified.

RECORD

Proof Layer

Cryptographically signed receipt of every enforcement decision — written before the action is released or blocked. Not a log. A proof. Ed25519-signed. Append-only. Tamper-evident. Impossible to backfill.

03 Technical Mechanics

What actually happens, step by step

This is not middleware. This is not a proxy. Here is exactly what occurs when an AI agent makes a request inside a VisIQ-governed session.

  1. ISOLATE intercepts the outbound request

    ISOLATE

    The moment an AI agent fires an outbound request, the Chrome MV3 service worker intercepts it using declarativeNetRequest. The request is paused at the network boundary. Nothing is forwarded. The agent cannot bypass this — there is no code path around it in a managed browser session.

  2. ALLOW validates intent against policy

    ALLOW

    ALLOW receives the intercepted request and evaluates it against your policy engine. P19 validates the agent's declared intent against what was actually observed — executed scope must equal approved scope. P20 checks contextual validity: is this request consistent with the session, the user, the policy, and the moment? The Trust Core engine runs in milliseconds.

  3. Human approval — when the risk warrants it

    ALLOW · Step-Up

    When policy confidence falls below threshold — high-risk action, novel intent, PII in scope — ALLOW triggers a Step-Up. A human reviewer receives a structured approval request showing the agent, the action, the data scope, and the full context. The request waits. The reviewer decides. The agent cannot self-approve.

  4. ORCHESTRATE validates the delegation chain

    ORCHESTRATE

    When an agent is acting on behalf of another agent or a human principal, ORCHESTRATE audits the full authority chain. It checks that the action falls within the scope the delegating principal actually granted. If the action exceeds that scope — wrong environment, wrong data class, wrong capability — ORCHESTRATE blocks it and triggers a revocation cascade: the session is suspended and the delegator is notified immediately.

  5. RECORD seals the decision as proof

    RECORD

    Before the request is released or denied, RECORD writes a cryptographically signed receipt: the agent identity, the action, the policy outcome, the reviewer if any, the ORCHESTRATE delegation verdict, and the timestamp. Signed with Ed25519. Written before output is sent — not after. This is not a log. This is a proof artifact that cannot be backfilled.

  6. Execute or Block — with an immutable record

    ISOLATE releases the request if ALLOW approved, or drops it if ALLOW denied. Either way, RECORD holds the signed proof of what happened and why. In every outcome, the chain of custody is complete. Regulators can audit it. Lawyers can use it. You can prove what your AI did — or didn't do.
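A fail-closed decision function covering the checks described in steps 2 to 4, as an added example that is not VisIQ code. The request shape, the scope strings, the verdict names and the choice to block directly on a failed check are assumptions; the tier outcomes follow the risk table on this page.

```javascript
// Added example. Field names, verdict strings and the tier mapping are assumptions.

// P19: executed scope must equal approved scope (set equality, not subset).
function p19Congruent(approved, executed) {
  const a = new Set(approved), e = new Set(executed);
  return a.size === e.size && [...e].every((s) => a.has(s));
}

// P20: the approval must still be valid for this session at execution time.
function p20Valid(approval, session, nowMs) {
  return approval.sessionId === session.id && session.active === true &&
    nowMs >= approval.issuedAtMs && nowMs < approval.expiresAtMs;
}

// ORCHESTRATE: each link may only narrow the scope granted by the link above it,
// and the executed scope must fit inside the last grant.
function delegationValid(chain, executed) {
  if (!Array.isArray(chain) || chain.length === 0) return false;
  let granted = new Set(chain[0].scope);
  for (const link of chain.slice(1)) {
    if (!link.scope.every((s) => granted.has(s))) return false;
    granted = new Set(link.scope);
  }
  return executed.every((s) => granted.has(s));
}

// A Map avoids prototype keys such as "constructor" resolving to a truthy value.
const TIER = new Map([["low", "RELEASE"], ["medium", "RELEASE"],
                      ["high", "STEP_UP"], ["critical", "BLOCK"]]);

function decide(req, nowMs) {
  try {
    if (!p19Congruent(req.approvedScope, req.executedScope))
      return { verdict: "BLOCK", reason: "P19" };
    if (!p20Valid(req.approval, req.session, nowMs))
      return { verdict: "BLOCK", reason: "P20" };
    if (!delegationValid(req.chain, req.executedScope))
      return { verdict: "BLOCK", reason: "delegation", revokeSession: true };
    const verdict = TIER.get(req.risk);
    return verdict ? { verdict, reason: "tier:" + req.risk }
                   : { verdict: "BLOCK", reason: "unknown-tier" };
  } catch (err) {
    // Malformed input or evaluator failure: fail closed, never release by default.
    return { verdict: "BLOCK", reason: "evaluator-error" };
  }
}
```
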

VisIQ Platform — RECORD Receipt Viewer

Cryptographic Receipt — #REC-465

  • Decision: BLOCKED (ESCALATED → HUMAN APPROVED BLOCK)
  • Agent: [email protected] → DeepSeek R2
  • Action: bulk_customer_upload
  • Approver: Chris Mancuso · Platform Admin
  • P19 · Intent: FAIL — executed scope ≠ approved scope
  • P20 · Context: PASS — session valid at t-exec
  • ORCHESTRATE: PASS — delegation chain valid
  • Written at: 2026-05-26T14:32:07Z · before output sent

Ed25519:8df5552534928dfc9f6da5f4b04ec235e540febd2586e3cd7a1f49b30882a3c4
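One way to get the RECORD properties described above (Ed25519-signed, append-only, tamper-evident, written before release), as an added example in Node.js that is not VisIQ code. The receipt fields, the SHA-256 hash chain and the `ReceiptLog`, `verifyChain` and `enforce` names are assumptions.

```javascript
// Added example. Receipt fields and the chaining scheme are assumptions.
const crypto = require("node:crypto");

// Deterministic encoding of a flat receipt: keys sorted so signer and verifier
// hash identical bytes, and every field present is covered by the signature.
const encode = (r) =>
  Buffer.from(JSON.stringify(Object.keys(r).sort().map((k) => [k, r[k]])));
const digest = (r) => crypto.createHash("sha256").update(encode(r)).digest("hex");
const GENESIS = "0".repeat(64);

class ReceiptLog {
  constructor(privateKey) { this.key = privateKey; this.entries = []; }
  // Append a receipt that commits to its predecessor's hash, then sign it.
  append(fields) {
    const last = this.entries[this.entries.length - 1];
    const receipt = { ...fields, seq: this.entries.length,
                      prev: last ? digest(last.receipt) : GENESIS };
    const sig = crypto.sign(null, encode(receipt), this.key).toString("hex");
    this.entries.push({ receipt, sig });
    return receipt;
  }
}

// Returns the index of the first bad entry, or -1 if the whole chain verifies.
function verifyChain(entries, publicKey) {
  let prev = GENESIS;
  for (let i = 0; i < entries.length; i++) {
    const { receipt, sig } = entries[i];
    const sigOk = crypto.verify(null, encode(receipt), publicKey, Buffer.from(sig, "hex"));
    if (!sigOk || receipt.seq !== i || receipt.prev !== prev) return i;
    prev = digest(receipt);
  }
  return -1;
}

// Ordering from the page: the receipt is written before the request is released.
function enforce(log, fields, release) {
  const receipt = log.append(fields); // if this throws, release() is never reached
  if (fields.decision === "RELEASED") release();
  return receipt;
}
```

The chain makes edits, deletions and inserted entries detectable by anyone holding the public key. A holder of the signing key could still re-sign a rewritten chain, so the latest entry hash should also be anchored somewhere the signer cannot change.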

04 Adaptive Autonomy

Built for frictionless autonomy.

Most AI actions execute automatically under policy. Human review is reserved for elevated risk, novel intent, or context change — not the default.

Low Risk · Auto-approved
  • Internal summarization
  • Standard support query
  • Read-only data access

Medium Risk · Policy validation
  • CRM record update
  • Outbound API write
  • PII in prompt context

High Risk · Human escalation
  • Financial transfer
  • Bulk data export
  • Credentials in scope

Critical · Blocked
  • Sensitive export
  • Scope drift detected
  • Unauthorized AI service

continuously evaluates
  • Action scope — what the agent is trying to do and how much
  • User posture — identity, session history, access tier
  • System sensitivity — the resource being touched and its classification
  • Policy congruence — does intent match what was authorized (P19)
  • Contextual validity — is approval still valid at execution time (P20)
The result
  • Most requests execute instantly — no human in the loop
  • Policy handles the routine; humans handle the novel
  • Every human decision feeds back into policy — the queue shrinks over time
  • Agents learn their approved scope; escalations become the exception
  • Full enforcement without operational drag

How the queue shrinks

Every decision teaches the system. Escalations become the exception, not the default.

  1. First occurrence

    An unfamiliar action is intercepted. ALLOW has no prior policy for this exact pattern — so it escalates to a human reviewer. The agent waits.

  2. Human decides — and the system offers to remember

    Approve or reject. Immediately after, VisIQ presents a “Save as Runtime Policy” card — pre-filled conditions, one click to add. The decision becomes a rule.

  3. Second occurrence — handled automatically

    The same pattern fires again. This time ALLOW has a policy for it. The request is resolved in milliseconds — no escalation, no human involved, signed receipt written automatically.

  4. The queue gets shorter — automatically

    Every human decision narrows the space of what requires review. Over weeks, the escalation queue reflects only genuinely novel risk. The system becomes more autonomous — without becoming less safe.

  • Week 1: 47 escalations
  • Week 4: 12 escalations
  • Week 12: 3 escalations

As policy coverage grows, only genuinely novel risk reaches a human.

Human review becomes the exception — not the workflow.

VisIQ minimizes human intervention while maximizing execution trust.

05 Why It's Different

Observation is not enforcement. Logs are not authority.

Every other approach watches what happens after the fact. VisIQ operates at the point of execution — before the data moves, before the action completes, before the damage is done.

NO CONTROL (observe · log · report)

Employee submits financial data to AI service: drafts Q1 financial summary

  1. Submitted — No Interception: financial data · customer PII · sent to ChatGPT. Confidential data now outside the org.
  2. DLP / CASB / SIEM: alert generated — data already transmitted.
  3. Too Late: data transmitted · no record of approval. No proof · no policy · no chain of custody.

What you can't see
  • No inventory of which AI services are in use
  • No policy on what data can be shared
  • No proof any interaction was authorized

VISIQ (intercept · enforce · prove)

Same employee · same action · VisIQ active: drafts Q1 financial summary

  1. ISOLATE: MV3 service worker intercepts · request held at boundary. Nothing forwarded — agent cannot bypass.
  2. ALLOW: policy evaluation · intent validation · risk scoring. Low risk: auto-release · elevated risk: step-up review.
  3. Released: query proceeds. Blocked: no data sent.
  4. RECORD: cryptographic proof sealed before outcome executes.

Every other approach
  • Observes — does not stop. DLP and CASB platforms see what's happening. They don't intercept it.

  • Logs what happened — after it happened. SIEM and audit trails operate post-hoc. The breach is already complete.

  • No cryptographic proof. Logs can be altered. There is no signed, immutable chain of custody for AI actions.

VisIQ
  • Intercepts at the network boundary. ISOLATE holds every request. The agent cannot proceed without authorization. Fail-closed.

  • Proof before the action completes. RECORD seals a signed receipt before output is sent — regardless of outcome.

  • Human authority in the execution path. Step-Up is built into ALLOW. The agent waits. The human decides. The decision is recorded.