
Accountable Signoff

When policy requires human ownership, EP requires a named responsible human to explicitly assume responsibility for the exact action before execution.

Not MFA. Not human-in-the-loop. Named human accountability.

Multi-factor authentication proves identity. Human-in-the-loop confirms a step happened. Neither binds a named human to a specific action with cryptographic evidence.

MFA
Proves you are who you claim to be. Does not prove you authorized this specific action with these specific parameters. A session authenticated with MFA can still execute unauthorized actions.
Human-in-the-loop
Confirms a human clicked a button. Does not bind a named principal to the exact action context. The audit trail shows a confirmation happened, not who is accountable for what.
Accountable Signoff
A named human reviews the exact action parameters and explicitly assumes responsibility. The signoff is cryptographically bound to the action, the principal, the policy, and the timestamp. It is one-time consumable and replay-resistant.

How it works

Three steps. No ambiguity about who authorized what.

01 Challenge
The system presents the exact action context to the named principal: what will happen, to what, with what parameters. The challenge is cryptographically bound to the action.
02 Attest
The named principal reviews the action context and explicitly attests. The attestation binds their identity to the exact action parameters using their chosen signoff method (passkey, secure app, platform authenticator).
03 Consume
The attestation is consumed exactly once. The action executes. The signoff record is immutable. The attestation cannot be replayed for a different action, a different amount, or a different target.
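
The three steps above, sketched as an added example (not EP's own code). All function and field names are hypothetical, and an HMAC key per principal is an assumed stand-in for the passkey or authenticator signature a real signoff method would produce.

```python
import hashlib, hmac, json, secrets, time

# Assumption: a per-principal HMAC key stands in for the authenticator's
# signature; a real deployment would verify an asymmetric assertion instead.
PRINCIPAL_KEYS = {"alice@example.org": secrets.token_bytes(32)}  # constructed
_pending = {}  # challenge id -> bound context; entry is removed on consume

def _digest(action, principal, policy, issued_at, nonce):
    """Hash a canonical encoding of everything the signoff is bound to."""
    bound = {"action": action, "principal": principal, "policy": policy,
             "issued_at": issued_at, "nonce": nonce}
    canon = json.dumps(bound, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).digest()

def challenge(action, principal, policy, now=None):
    """Step 01: issue a challenge bound to the exact action context."""
    state = {"principal": principal, "policy": policy, "nonce": secrets.token_hex(16),
             "issued_at": int(now if now is not None else time.time())}
    cid = secrets.token_hex(8)
    _pending[cid] = state
    return {"id": cid, "action": action, **state}

def attest(ch, key):
    """Step 02: the principal signs the digest of the context they reviewed."""
    d = _digest(ch["action"], ch["principal"], ch["policy"], ch["issued_at"], ch["nonce"])
    return hmac.new(key, d, hashlib.sha256).hexdigest()

def consume(cid, action, attestation, now=None, ttl=300):
    """Step 03: verify against the action about to run, burning the challenge."""
    st = _pending.pop(cid, None)  # popped first, so any attempt uses it up
    if st is None:
        return "rejected: unknown or already consumed"
    if (now if now is not None else time.time()) - st["issued_at"] > ttl:
        return "rejected: expired"
    d = _digest(action, st["principal"], st["policy"], st["issued_at"], st["nonce"])
    expected = hmac.new(PRINCIPAL_KEYS[st["principal"]], d, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation):
        return "rejected: attestation does not match this action"
    return "executed"

if __name__ == "__main__":
    act = {"type": "payment_change", "target": "acct-001", "amount": 25000}  # constructed
    ch = challenge(act, "alice@example.org", "policy-7")
    sig = attest(ch, PRINCIPAL_KEYS["alice@example.org"])
    print(consume(ch["id"], dict(act, amount=99999), sig))  # altered amount is rejected
```

Because the digest covers the action, principal, policy, timestamp and nonce together, changing any one of them after attestation makes verification fail, and removing the pending entry on first use is what blocks replay.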

Signoff methods

EP supports multiple attestation methods. Policy determines which methods are acceptable for each action risk class.

Passkey
FIDO2/WebAuthn credential bound to device hardware. Phishing-resistant, biometric-gated. The strongest available consumer-grade signoff method.
Secure App
Dedicated mobile application that displays the exact action context and requires explicit confirmation. Action details are rendered on the device, not in the requesting session.
Platform Authenticator
OS-level biometric or PIN challenge (Touch ID, Windows Hello, Android biometric). Uses the platform's trusted execution environment for key operations.
Out-of-band
Signoff delivered through a separate channel from the requesting session: SMS, email, or push notification with an action-bound one-time code. Weakest method, used only where stronger methods are unavailable.
Dual Signoff
Two named principals must independently attest to the same action before execution proceeds. Each signoff is cryptographically bound to the exact action parameters. Used for the highest-risk operations.

When signoff is required

Policy defines when accountable signoff is required. These are the most common trigger surfaces.

Payment changes above threshold
Any modification to payment destination, routing, or amount that exceeds a policy-defined threshold requires a named human to sign off on the exact change before it commits.
Government benefit redirects
Disbursement target changes within benefits programs. The signoff binds the exact new destination, program, and amount to a named authorizing principal.
Agent destructive actions
AI agent actions classified as destructive or irreversible. The agent cannot proceed without a named human explicitly assuming responsibility for the specific action.
Privileged enterprise operations
Privilege escalation, access grants, configuration changes, and administrative overrides in enterprise environments. Each operation requires named accountability.

Why it matters

Different environments need accountable signoff for different reasons. The mechanism is the same. The evidence it produces satisfies each context.

Government (IG)
Inspector General and GAO auditors receive action-level evidence chains with named human accountability. Every signoff produces an immutable record binding the authorizer to the exact action.
Treasury (SOX)
SOX-grade evidence for payment authorization. Named signoff records satisfy segregation-of-duties requirements and provide tamper-evident audit trails for financial controls.
Enterprise (PAM)
Privilege escalation prevention. No administrative action executes without a named human signing off on the exact operation. Eliminates blanket session-based approvals.
Agent Execution (AI)
Human responsibility chain for AI agent actions. When an agent requests a high-risk operation, a named human must explicitly accept responsibility before the agent can proceed.

EMILIA Protocol — Trust Before High-Risk AI Action