EMILIA is the authorization-receipt layer for irreversible AI-agent actions. Before an agent moves money, changes a record, deploys code, or deletes data, a named human signs the exact action on their own device — and afterward, anyone can verify who approved exactly what, offline, without trusting EMILIA or a compromised agent.
Most “AI governance” is policy documents and good intentions. EMILIA’s core guarantees are written as formal specifications and verified by a model checker on every commit. The proofs are open — read them, or try to break them.
Bounded model-checking of the authorization state machine (TLA+ / Alloy 6.0.0) — not a proof of any AI model’s behavior. It proves the protocol cannot be replayed, forged, or partially executed.
Start in observe mode: see every irreversible action that would require stronger approval — payments, overrides, vendor changes, autonomous AI actions — with zero blocking. The safe on-ramp before you enforce anything.
EMILIA Gate sits between approval and execution. Before a high-risk write reaches the system of record, it binds verified actor identity, authority chain, policy-pinned action context, and a one-time nonce.
Where policy requires it, a named, accountable human signs off on the exact action — on their own device, bound to the exact action hash. Self-approval fails by construction. For the highest-stakes actions, a multi-party quorum — the two-person rule, in order, each human bound to the exact action — is enforced before execution.
A signed, Merkle-anchored authorization receipt is produced — an auditor-grade evidence packet, publicly verifiable offline with `npm install @emilia-protocol/verify`.
If an agent or system changes money, permissions, code, records, or regulated state through an EMILIA-integrated path, it is either rejected before mutation or it produces an offline-verifiable receipt proving the exact action, policy, authority, signoff strength, and execution binding. Each line below names the attack it closes.
Consume must succeed before the write runs. An unauthorized action is stopped, not logged after the fact.
Action hash plus a WYSIWYS display hash close “signed the wrong thing” — the human signs the exact action they saw.
The receipt binds the policy content that was in force, not just a policy name or version label.
Holding a credential is separate from holding permission to approve. The authority registry proves the signer was allowed to.
High-risk actions require a passkey / WebAuthn device signoff — or stronger. Weaker assurance fails closed.
After approval, an attestation proves what actually ran — and flags drift between the approved and executed action.
Outside parties verify pinned keys, RP identity, and policy hash without trusting EMILIA’s server: `npm install @emilia-protocol/verify`.
Developers adopt the invariant directly around a dangerous write with `requireReceipt(...)` — no rebuild of the call site.
No receipt, no irreversible action. If it runs, anyone can verify who authorized exactly what.
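The sketch below is an added example, not EMILIA's code or the API of `@emilia-protocol/verify`. It shows the general shape of a fail-closed gate that enforces several of the guarantees listed above: action-hash binding, pinned approver keys, no self-approval, and one-time nonce consumption before the write. The receipt fields, function names and sample values are all hypothetical.

```javascript
// Added illustration of a fail-closed receipt gate; every name here is hypothetical.
const nodeCrypto = require('node:crypto');
// Canonical JSON (sorted keys) so the signer and the gate hash identical bytes.
const canon = (v) => Array.isArray(v) ? `[${v.map(canon).join(',')}]`
  : v && typeof v === 'object'
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canon(v[k])}`).join(',')}}`
    : JSON.stringify(v);
const actionHash = (action) => nodeCrypto.createHash('sha256').update(canon(action)).digest('hex');
// Bytes covered by the approver's Ed25519 signature.
const body = (r) => Buffer.from(canon({ actionHash: r.actionHash, approver: r.approver, nonce: r.nonce }));
function signReceipt(action, approver, privateKey) {
  const r = { actionHash: actionHash(action), approver, nonce: nodeCrypto.randomBytes(16).toString('hex') };
  return { ...r, sig: nodeCrypto.sign(null, body(r), privateKey).toString('base64') };
}

// Gate: every check passes and the nonce is consumed before write() is called.
function makeGate(pinnedKeys, usedNonces = new Set()) {
  const deny = (reason) => ({ ok: false, reason });
  return function gatedWrite(action, receipt, write) {
    if (!receipt) return deny('no_receipt');
    const key = pinnedKeys.get(receipt.approver); // Map: approver -> pinned public key
    if (!key) return deny('unknown_approver');
    if (receipt.approver === action.actor) return deny('self_approval');
    if (receipt.actionHash !== actionHash(action)) return deny('action_mismatch');
    let valid = false;
    try { valid = nodeCrypto.verify(null, body(receipt), key, Buffer.from(String(receipt.sig), 'base64')); } catch {}
    if (!valid) return deny('bad_signature'); // malformed receipts also land here
    if (usedNonces.has(receipt.nonce)) return deny('replayed');
    usedNonces.add(receipt.nonce); // consume first, then mutate
    return { ok: true, result: write(action) };
  };
}

// Constructed demo: an agent requests a payment and a named human approves it.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const gate = makeGate(new Map([['alice@example.test', publicKey]]));
  const action = { tool: 'release_payment', actor: 'agent-7', amount: 1200, to: 'ACCT-CONSTRUCTED-1' };
  const receipt = signReceipt(action, 'alice@example.test', privateKey);
  const selfAction = { ...action, actor: 'alice@example.test' };
  const write = (a) => `paid ${a.amount}`;
  return {
    first: gate(action, receipt, write),
    replay: gate(action, receipt, write),
    tampered: gate({ ...action, to: 'ACCT-CONSTRUCTED-2' }, receipt, write),
    missing: gate(action, null, write),
    self: gate(selfAction, signReceipt(selfAction, 'alice@example.test', privateKey), write),
  };
}
```

In a real deployment the used-nonce set would need to be durable and shared across gate instances; the in-memory `Set` here only demonstrates the ordering of consume and write.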
MCP is already the tool-action layer for agents. EMILIA is one wrapper around the irreversible ones — release_payment, delete_repo, deploy_production — so the tool refuses to run without a receipt. Verticals like FinGuard and GovGuard are where this is already proving out; the tool-call wrapper is how you adopt it.
The actions that drain accounts and break production are rarely “hacks.” They’re authenticated users, legitimate tools, approved channels — and afterward, no one can say who approved this. That unanswered question is the whole problem.
A payment destination changed inside a valid session, approved through the normal process, to a vendor whose bank details quietly moved. Business email compromise — not a hack.
A remittance beneficiary was updated through approved channels. The system saw a legitimate change and let the money go.
An infrastructure credential was rotated and a deploy was pushed without action-bound authorization. Every access was valid; the blast radius was not.
An AI agent with broad tool access ran a high-risk, irreversible action. No human assumed responsibility for that specific operation.
Who approved this? In every case, no one could say.
EMILIA assigns a named human owner before the action runs — so the question always has an answer, on the record, that anyone can verify.
The same tool-call wrapper, proven where the stakes are highest. Identity and access tools check who is acting. EMILIA checks whether this exact action should happen — and binds a named, accountable human to it.
The productized firewall for machine action. Deny-by-default at the actuator boundary: a consequential action runs only with a valid, sufficiently-assured, non-replayed receipt — then emits proof it ran. Software, cloud, and robots. Antivirus scanned files; firewalls filtered packets; EMILIA verifies actions.
Wrap a dangerous MCP tool — release_payment, delete_repo, deploy_production — so it refuses to run without a receipt. One wrapper, fail-closed, works with any framework. This is the developer wedge.
Authorize, shed, measure, and prove datacenter curtailment so the grid pays against cryptographic proof, not self-report. COSA moves the megawatts; EMILIA proves the move was authorized and delivered.
Ceremony-grade authorization on wire releases, beneficiary changes, account modifications, and privileged treasury actions before funds move.
Bind identity, authority, and action context before a benefit determination, redirect, or override. Accountable decisions, due process proven.
Require bound authorization for infrastructure changes, data exports, permission escalations, and production deployments.
Zero-dependency verification. Interactive playground.
Embeddable trust badges. Integrate in minutes.
Drop a receipt or a Face ID device signoff and watch every cryptographic check verify — entirely in your browser, nothing uploaded, no account, no EP server trusted.
Walk through the EP lifecycle interactively. Create entities, issue receipts, run handshakes — all from one page.
Verify any receipt, proof, or entity. Like Etherscan for trust. Public, transparent, cryptographically verified.
Drop a trust badge on any page. One script tag, one web component. Live data from the EP operator.
Start free and self-hosted, add the managed control plane when you scale, or bring it on-prem with the assurance a bank or agency needs to clear you.
Free and Apache 2.0. Grab a sandbox API key in 30 seconds — or self-host the SDK, MCP server, and Agent Guard.
Hosted control plane — managed policy registry, signoff orchestration, and auditor-grade evidence, no infrastructure to run.
VPC and air-gapped deployment; SAML/OIDC SSO + SCIM provisioning built in. Sector packs, compliance mappings, SLA. Procurement-ready paperwork.
Updates on the standard, the verifier, and pilots — sent only when there’s something worth your time. No spam.