Some actions are too consequential for one signature. The fix is old — launch keys turned by two officers, dual control on a wire desk, four-eyes on a deployment. The new problem is making that rule hold when the thing about to act is an autonomous agent, not a person at a keyboard.
A single human signoff is a real control — it puts a named person on the hook for an exact action. But for the highest-stakes operations, one signature is also one thing to phish, coerce, or socially engineer. Treasury learned this and answered with dual control. The military answered with the two-person concept. Auditors call it separation of duties. The principle is the same: no single individual can unilaterally execute the irreversible thing.
AI agents make the case sharper, not softer. An agent with tool access can be steered — by a prompt-injected document, a poisoned data source, a malformed model response — toward an action no human intended. If one approval gates that action, the attacker only has to manufacture one approval. If a quorum of distinct, named humans gates it, the bar is categorically higher.
A policy document that says "two people must approve" is only as strong as the system that enforces it. The point of a protocol is to make the rule fail-closed and checkable by anyone — not a process you trust an org to follow, but a predicate that either holds or doesn't. A cryptographic quorum binds these properties together:
Each individual approval is a device-bound WebAuthn signoff — a passkey assertion (Face ID, Touch ID, a security key) over the exact action context. What the human saw is what they signed. The quorum is just the composition of those signoffs under a stated policy.
A decision log that says "three people approved" is testimony — controlled by the party who acted. A quorum receipt is evidence: an auditor, a regulator, or a counterparty can verify it offline, with open-source code, without trusting the system that issued it. That is the difference between "we have a policy" and "here is proof the policy held for this exact action."
To earn that claim, the verification has to be unambiguous enough that independent implementations agree. EMILIA ships three reference verifiers — JavaScript, Python, and Go — that share no code, and a cross-language conformance suite feeds the same adversarial vectors through all three. They agree on authorization receipts, on device signoffs, and on multi-party quorum: the accept cases pass and each reject case (under threshold, duplicate human, out of order, action mismatch, expired window, one bad signature, wrong role) is refused identically. That is the standards bar — multiple independent interoperable implementations — and it runs on every change.
The two-person rule is overkill for most actions and exactly right for a few — the ones where a single forged approval is unrecoverable:
Multi-party quorum in EMILIA is a verifiable protocol capability today: the three-language reference verifiers agree on it, and a live in-browser demo runs an ordered three-party signoff and rejects a duplicate signer in front of you. The server-side enforcement that holds a high-stakes action until the full quorum is satisfied is built, merged, and verified end-to-end — an automated test drives three independent devices through an ordered signoff and proves the action cannot be consumed until every required human has signed. What is deliberately still ahead: a production deployment of that flow and, for defense, an accredited environment. We would rather state that plainly than overclaim a control this consequential.
Run an ordered multi-party quorum in your browser — three named approvers, each bound to the exact action, with a duplicate signer rejected live and the whole thing verified client-side. Nothing uploaded, no account, no EP server trusted.