EMILIA GOVGUARD

Who approved the disbursement?

When AI drafts or triggers a payment, a vendor bank-account change, or a benefit change, every irreversible action gets a named human approval and a verifiable audit record - an authorization receipt. Provable later, even offline, even if the vendor is gone.

For county treasurers, auditors, and controllers: your decision logs prove it to you. The receipt proves it to everyone else - auditors, regulators, acquirers - without anyone having to trust your logs, your vendor, or EMILIA.

GovGuard binds each action to one accountable approver. Where statute or policy requires dual approval — the two-person rule — escalate to a multi-party quorum with EMILIA Quorum.


We don’t block anything at first. You see what would have needed signoff, and you get an audit evidence packet.

PILOT SHAPE

Start by watching one workflow.

One workflow: Pick a single disbursement or change flow to watch first.
Observe mode: Nothing is blocked. You see what would have needed signoff.
60 days: Long enough to catch the actions that matter, short enough to scope.
$25K: Scoped enough for a departmental pilot.
Audit packet: Receipts, decisions, and evidence your auditors can verify offline.

THE WOUND

A fake bank-change email is how the money leaves.

Vendor bank-account-change fraud doesn’t break in. It walks through an approved-looking workflow:

1. A "we changed banks, please update our payment details" email arrives, formatted like every other vendor notice.
2. The vendor banking record is updated. The clerk is logged in, the role can edit the field, the form submits.
3. The next disbursement run queues a payment to the new account.

Without GovGuard: The payment releases to the fraudulent account. The money is gone and irreversible. The audit log shows a valid session, but no one can prove who approved the bank-account change before it moved.

With GovGuard: The bank-account change is flagged at the action boundary and held pending a named human's device signoff. Once that person approves, an authorization receipt is issued and the payment releases with provable approval. If no one approves, no money moves.

Your audit evidence survives vendor turnover, acquisition, and SaaS sunset.

WHY AUTHENTICATION IS NOT ENOUGH

Most payment failures start inside approved-looking workflows.

The employee is logged in. The role can edit the record. The form submits. The audit log records a valid session. None of that proves the exact action was authorized before money moved.

GovGuard sits at the action boundary and asks the question authentication cannot answer: who approved this irreversible change, under which policy, for these exact parameters?

PROTECTED ACTIONS

Initial government payment-integrity pack.

vendor_bank_account_change (Vendor bank-account change): A supplier payment destination changes before the next disbursement run.
disbursement_release (Disbursement release): A high-value payment is ready to leave treasury or accounts payable.
benefit_change (Benefit change): A benefit amount, routing destination, or claimant record changes.
caseworker_override (Caseworker override): An operator bypasses a system recommendation or eligibility control.

HOW IT WORKS

Six audit points, from action to evidence.

1. Observe: GovGuard receives a copy of the proposed action. It logs the action, evaluates policy, and does not block the existing system.
2. Classify: The action is checked for payment destination changes, new vendors, after-hours updates, missing authority, and policy-specific risk flags.
3. Bind: The actor, policy, action parameters, nonce, and time window are bound into the authorization context for the exact action.
4. Signoff: If policy would require approval, GovGuard records the named approver path and forbids self-approval in the evidence model.
5. Receipt: The completed authorization receipt proves who authorized what, under which policy, for which exact parameters.
6. Evidence packet: The pilot report shows which actions would have required signoff and gives auditors verification material they can check offline.

ENFORCEMENT MODES

Observe first. Enforce only after the evidence is trusted.

Government programs cannot move from zero to blocking overnight. GovGuard is designed to begin as an evidence layer that shows what would have needed signoff before it becomes a control layer.

observe: Evaluate protected actions, produce authorization receipts, and report what would have required signoff. No production blocking.
warn: Return a decision to the caller while the agency decides when to honor warnings by workflow.
enforce: Fail closed only after policy owners are comfortable with the evidence and escalation path.

AUTHORIZATION RECEIPTS

The artifact auditors can verify later.

A GovGuard pilot produces EP-RECEIPT-v1 authorization receipts. Each receipt is tied to the action hash, policy hash, approver path, nonce, expiry, and log checkpoint.

POST /api/v1/trust-receipts
GET /api/v1/trust-receipts/{receiptId}/evidence
POST /api/v1/signoffs/request
POST /api/v1/signoffs/{signoffId}/approve
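
The binding described in the Bind, Signoff, and Receipt steps and in the receipt fields above, as an added example (not EMILIA's code and not the EP-RECEIPT-v1 format). The field names, the canonical-JSON hashing, the single-approver model, and all sample values are assumptions; signature and log-checkpoint verification are not modeled.

```python
import hashlib
import json

def canonical_hash(obj):
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def issue_receipt(action, policy, approver, nonce, not_before, expires_at):
    """Build a receipt-like record (hypothetical fields, unsigned)."""
    return {"action_hash": canonical_hash(action),
            "policy_hash": canonical_hash(policy),
            "approver": approver, "nonce": nonce,
            "not_before": not_before, "expires_at": expires_at}

def check_receipt(receipt, action, policy, now, seen_nonces):
    """Return binding failures; [] means the receipt covers this exact action.

    A passing receipt consumes its nonce, so presenting it again fails.
    """
    problems = []
    if receipt["action_hash"] != canonical_hash(action):
        problems.append("action parameters differ from what was approved")
    if receipt["policy_hash"] != canonical_hash(policy):
        problems.append("policy differs from the one the approval cites")
    if receipt["approver"] == action["actor"]:
        problems.append("self-approval")
    if not receipt["not_before"] <= now <= receipt["expires_at"]:
        problems.append("outside the approval time window")
    if receipt["nonce"] in seen_nonces:
        problems.append("nonce already used")
    if not problems:
        seen_nonces.add(receipt["nonce"])
    return problems

# Constructed sample data (not real vendors, accounts, or policies).
POLICY = {"id": "vendor-bank-change", "requires_signoff": True}
ACTION = {"type": "vendor_bank_account_change", "actor": "clerk-17",
          "vendor_id": "V-1001", "new_account": "CONSTRUCTED-ACCT-A"}
RECEIPT = issue_receipt(ACTION, POLICY, "controller-02", "n-0001", 1000, 2000)

if __name__ == "__main__":
    seen = set()
    print(check_receipt(RECEIPT, ACTION, POLICY, 1500, seen))   # first use
    swapped = dict(ACTION, new_account="CONSTRUCTED-ACCT-B")
    print(check_receipt(RECEIPT, swapped, POLICY, 1500, seen))  # altered after approval
```

Because the approval is bound to a hash of the exact parameters, changing the destination account after signoff invalidates the receipt instead of inheriting it.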

DEPLOYMENT & ASSURANCE

It runs where your security review needs it to run.

On-prem and air-gapped deployment is available - a self-contained offline installer that runs with no route off the host. SSO (SAML 2.0 / OIDC) and SCIM 2.0 provisioning connect the named humans who can sign off to your directory. And the evidence is verifiable offline, without EMILIA: a receipt checks out with pure crypto, on a machine that has never touched our network.

Scope a pilot. Nothing gets blocked.

Pick one workflow: vendor bank-account change, disbursement release, benefit change, or caseworker override. GovGuard observes for 60 days, produces the authorization evidence, and shows what would have required named signoff. Pilot fee: $25K.
