Your model can reason. It can plan. It can execute. The moment it acts in the real world, every team hits the same wall — and it’s not a capability problem:
“Who approved this exact action?”
Every agent platform eventually has to answer for what its agent did — to a board, a regulator, an insurer, a court. “The model did it” is not an answer. And when prompt injection turns a helpful assistant into a financial weapon, the headline names you, not the user.
All shipping autonomous action. All hitting the same wall.
A named human cryptographically assumes responsibility for the exact action — not a role, not a token, a person. This is the answer to "who owns this decision?"
A signed, offline-verifiable record of the decision (formerly Trust Receipt): action, policy, approver, outcome. Anyone verifies it with no account and no call home (Ed25519 + Merkle).
The exact policy version that authorized the action, pinned into the receipt. The rules that applied are provable after the fact, not reconstructed.
The delegation path — who was allowed to authorize whom — bound to the action. Permission isn’t assumed; it’s carried and checked.
Four concepts. Nothing else. Formally verified (26 TLA+ theorems), Apache-2.0, no vendor lock-in.
EMILIA ships as an MCP server, so any MCP-capable client — Claude, GPT, Gemini, Cursor, Windsurf — can experiment with accountable actions in one line. No partnership meeting required.
npx -y @emilia-protocol/mcp-server
Or guard an existing OpenAI-compatible agent — OpenAI, xAI Grok, Together — so every irreversible tool call routes through EMILIA before it runs:
npm install @emilia-protocol/openai-guard
For production: a high-volume async signoff example (the gate is selective — the agent loop never blocks on a human), and an open recipe PR on xAI’s cookbook.
For Grok specifically, the hardened Python guard does the offline cryptographic check itself — it verifies the device signature in-process against a pinned signer key, bound to the exact requested action and single-use, so a server merely saying “approved” is never enough. It ships with a red-team regression suite that re-runs six attack vectors on every change.
The open benchmark harness points an autonomous treasury-agent prompt at high-stakes requests (large wires, a “CFO says skip approval” injection, payout-bank changes) and safe controls, then scores what would execute with and without EMILIA. The model behavior varies by run; the EMILIA result is deterministic because the policy gate refuses receiptless high-risk actions.
Six high-stakes treasury requests and six safe controls, scored from raw model output.
The verified engine gates every ≥$50k release and bank-destination change unless a valid, action-bound receipt is present.
Publish model-specific percentages only from a saved harness run; the repo gives reviewers the scorer and cases.
Don’t take our word for it — the harness is open. Reproduce it, or point it at your own model:
BENCH_API_KEY=sk-... node bench/run.mjs