Why every production agent needs a safety certificate before it executes.
The Liability Gap in Autonomous Systems
Autonomous systems are making consequential decisions — executing trades, provisioning infrastructure, sending communications, adjusting satellite orbits. The tooling ecosystem has responded with guardrails: output filters that scan what an agent says. But guardrails solve the wrong problem. The risk isn't in what an agent says. The risk is in what an agent does.
When an autonomous agent executes an action, three questions matter: Was the action evaluated against known constraints before execution? Did the evaluation produce a deterministic, auditable result? Can a regulator, insurer, or compliance officer verify that result after the fact?
No probabilistic output filter answers these questions. The gap isn't safety — it's certification.
Certification vs. Guardrails
The distinction is architectural, not semantic.
Guardrails operate post-generation. An LLM produces output, a filter scans it, and the output is either passed through or blocked. The evaluation is probabilistic (another model judges the first model), stateless (no memory of prior evaluations), and opaque (no reproducible proof of the decision).
Certification operates pre-execution. An agent proposes an action, a deterministic engine evaluates that action against a set of constraint channels, and the engine produces a cryptographically hashed certificate that records the decision, the binding constraint, the safety margins on every channel, and the remaining drift budget before a zone boundary is crossed. The evaluation is deterministic (same inputs always produce the same certificate), stateful (budget consumption, rate windows, and regime detection carry forward), and auditable (the certificate is a first-class artifact that can be verified independently).
The pipeline is simple:

```
Agent proposes action
        ↓
QAE Certification Kernel
        ↓
Safety Certificate
        ↓
Execute / Warn / Escalate / Block
```
This is QAE — a deterministic certification engine that verifies autonomous actions before execution.
How the Kernel Works
The kernel is domain-agnostic. It knows nothing about finance, AI agents, or satellite orbits. Domain-specific logic is plugged in through a trait called DomainAdapter, which provides three capabilities: mapping a proposed action to a state vector, supplying constraint channels that evaluate that state, and detecting regime changes in the operating environment.
The Certification Pipeline
Every certification follows the same six-step flow:
Step 1 — Action Mapping. The domain adapter translates the proposed action into a numerical state vector. For a financial trade, the state might be position weights. For an AI agent, it might be budget utilization, rate count, and scope/reversibility/sensitivity scores. The kernel doesn't interpret these dimensions — it just evaluates them.
Step 2 — Constraint Evaluation. Each constraint channel independently evaluates the state vector and returns a margin — a continuous value in [0, 1] where 0 means the constraint boundary has been reached and 1 means maximum headroom. Channels run in parallel. There is no ordering dependency.
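As a concrete sketch, a hypothetical budget channel might compute its margin like this. The two-element state layout (amount spent, budget limit) is an illustrative assumption, not the kernel's actual API:

```python
def budget_margin(state: list[float]) -> float:
    """Hypothetical pure channel: margin shrinks linearly as utilization grows.

    Assumed state layout: state[0] = amount spent, state[1] = budget limit.
    """
    spent, limit = state[0], state[1]
    utilization = min(spent / limit, 1.0)
    # 1.0 means full headroom; 0.0 means the constraint boundary is reached
    return max(0.0, 1.0 - utilization)

margin = budget_margin([85.0, 100.0])  # roughly 0.15: deep in the Danger zone
```

Because the channel is a pure function of the state vector, it can be evaluated in parallel with every other channel and replayed later to verify a certificate.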
Step 3 — Bottleneck Identification. The kernel finds the binding constraint — the channel with the lowest margin. This is the dimension that most limits the proposed action. It determines the overall safety zone.
Step 4 — Regime Detection. The domain adapter compares the current state to the proposed state and flags whether the operating environment has shifted. In finance, this might be a volatility regime change. In agentic systems, it might be budget exhaustion approaching a critical threshold. Regime changes force escalation regardless of margins.
Step 5 — Decision Logic. The binding margin maps to a zone and a decision:
| Binding Margin | Zone | Decision |
|---|---|---|
| > 0.6 | Safe | Certified |
| (0.3, 0.6] | Caution | Certified with Warning |
| (0.1, 0.3] | Danger | Escalate to Human |
| ≤ 0.1 | Danger | Blocked |
A regime change detected at any margin forces EscalateToHuman.
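The zone table maps mechanically onto code. This is an illustrative sketch of the decision logic, with decision names taken from the table and the regime-change override from the note above; it is not the kernel's actual implementation:

```python
def zone_and_decision(binding_margin: float, regime_change: bool) -> tuple[str, str]:
    """Map the binding margin to a zone and decision per the table above."""
    if binding_margin > 0.6:
        zone, decision = "Safe", "Certified"
    elif binding_margin > 0.3:
        zone, decision = "Caution", "CertifiedWithWarning"
    elif binding_margin > 0.1:
        zone, decision = "Danger", "EscalateToHuman"
    else:
        zone, decision = "Danger", "Blocked"
    if regime_change:
        # A regime shift overrides the margin-based decision at any margin
        decision = "EscalateToHuman"
    return zone, decision
```

Note that the zone is still derived from the margin even when a regime change forces escalation, so the certificate records both facts independently.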
Step 6 — Certificate Generation. The kernel builds a SafetyCertificate containing the decision, zone, per-channel margins, binding constraint name, drift budget (distance to the next zone boundary), a domain-specific payload, and a deterministic SHA-256 hash of the entire certificate for tamper detection.
What "Deterministic" Means
Every data structure in the kernel uses BTreeMap (ordered) rather than HashMap (non-deterministic iteration order). No random sampling. No system clock in computations (timestamps are metadata, not inputs to margin calculations). The same proposed action against the same adapter state always produces the same certificate with the same hash. This is what makes the certificate a verifiable artifact rather than an opinion.
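The same guarantee can be illustrated in a few lines of Python: hash a canonically ordered serialization so that key order can never change the result. This is a sketch of the idea, not the kernel's actual Rust implementation:

```python
import hashlib
import json

def certificate_hash(cert: dict) -> str:
    """Deterministic SHA-256 over a canonical serialization.

    sort_keys fixes the field order (the BTreeMap analogue) and the
    separators remove whitespace variance; timestamps are deliberately
    excluded from the hashed payload.
    """
    canonical = json.dumps(cert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

a = certificate_hash({"decision": "Certified", "margins": {"budget": 0.4, "rate": 0.9}})
b = certificate_hash({"margins": {"rate": 0.9, "budget": 0.4}, "decision": "Certified"})
assert a == b  # field order never changes the hash
```

Anyone holding the same certificate fields can recompute the hash and detect tampering, which is what makes the artifact independently verifiable.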
Constraint Channels
A constraint channel is a pure function: state vector in, margin out. The kernel ships with two domain adapters that demonstrate the pattern.
Agentic AI: 5 Channels
The agentic adapter maps agent tool calls to a 7-dimensional state vector and evaluates five channels:
Budget — How much of the allocated budget (API cost, token spend) has been consumed. A tool call that would push utilization past 90% sees its budget margin drop toward the block threshold.
Rate — Actions per time window. Prevents runaway loops where an agent executes hundreds of tool calls in seconds.
Scope — Whether the proposed action stays within authorized boundaries. A file-system write to an unexpected directory scores low on scope.
Reversibility — Whether the action can be undone. Sending an email is irreversible (low margin). Creating a draft is reversible (high margin).
Data Sensitivity — Whether the action touches sensitive data. Accessing PII scores lower than reading public documentation.
Each channel returns a margin. The kernel finds the bottleneck. If the agent proposes an irreversible action that touches sensitive data while the budget is 85% consumed, the binding constraint might be budget at margin 0.15 — which falls in the Danger zone and triggers escalation to a human reviewer.
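In code, bottleneck identification is just an argmin over the channel margins. With illustrative numbers for the scenario above (an 85%-consumed budget alongside an irreversible, sensitive action):

```python
# Illustrative margins after evaluating the five agentic channels
margins = {
    "budget": 0.15,         # 85% of budget consumed
    "rate": 0.80,
    "scope": 0.90,
    "reversibility": 0.20,  # sending an email cannot be undone
    "sensitivity": 0.40,
}

# The binding constraint is the channel with the minimum margin
binding_name, binding_margin = min(margins.items(), key=lambda kv: kv[1])
# budget at 0.15 binds first, ahead of reversibility at 0.20:
# Danger zone, so the action escalates to a human reviewer
```

Even though reversibility is also tight, only the single lowest margin determines the zone; the full per-channel breakdown still lands in the certificate.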
Financial Risk: 6 Channels
The finance adapter wraps six constraint channels against portfolio and market data:
Market risk (VaR, DV01, FX exposure), credit risk (CS01, expected loss), liquidity risk (position-to-ADV ratios), concentration risk (issuer and sector HHI), regulatory capital (Basel III RWA vs. available capital), and factor risk (systematic exposure decomposition).
A proposed trade is certified only if all six channels clear. The binding constraint tells the trader exactly which dimension limits the position. The drift budget tells them how much room remains before the next zone boundary.
The same kernel. The same pipeline. Different constraint channels, different domain adapter, same certificate artifact.
Integration in Practice
Python (PyPI)
```python
from qae_safety import SafetyCertifier, AgenticAdapter, SimpleAction, StateDelta

# Initialize with budget and rate limits
adapter = AgenticAdapter(budget_limit=100.0, rate_limit=50.0)
certifier = SafetyCertifier(adapter)

# Certify a proposed action
action = SimpleAction(
    action_id="send-email-42",
    agent_id="sales-agent",
    state_deltas=[
        StateDelta("scope_score", 1.0, 0.9),
        StateDelta("reversibility_score", 1.0, 0.2),  # Email is irreversible
        StateDelta("sensitivity_score", 1.0, 0.6),
    ],
)
cert = certifier.certify(action)

if "Certified" in cert.decision:
    execute_action()
elif "Escalate" in cert.decision:
    request_human_approval(cert)
else:
    log_blocked_action(cert)
```
Custom Domains
The kernel is extensible. Implement DomainAdapter and ConstraintChannel to certify any action in any domain:
```python
from qae_safety import DomainAdapter, ConstraintChannel, SafetyCertifier

class LatencyChannel(ConstraintChannel):
    def name(self) -> str:
        return "latency_budget"

    def evaluate(self, state: list[float]) -> float:
        current_ms, max_ms = state[0], state[1]
        return max(0.0, 1.0 - (current_ms / max_ms))

    def dimension_names(self) -> list[str]:
        return ["current_latency_ms", "max_latency_ms"]

class InfraAdapter(DomainAdapter):
    def domain_name(self) -> str:
        return "infrastructure"

    def constraint_channels(self) -> list:
        return [LatencyChannel()]

    def map_action_to_state(self, action) -> list[float]:
        return [float(d.to_value) for d in action.state_deltas]

    def detect_regime_change(self, current, proposed) -> bool:
        return False

certifier = SafetyCertifier(InfraAdapter())
```
Agent Frameworks
The certification node slots into any agent execution graph. In LangGraph, it's a node between "agent proposes tool call" and "tool executes." In Claude MCP, it's a server that exposes certify_action as a tool. In OpenAI function calling, it's middleware that wraps tool execution.
The pattern is always the same: intercept the proposed action, certify it, route based on the decision.
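A minimal sketch of that middleware pattern, using a stub certifier in place of the real SafetyCertifier so the routing logic is visible on its own (the stub and the tuple return shape are assumptions for illustration):

```python
from dataclasses import dataclass

@dataclass
class Cert:
    decision: str

class StubCertifier:
    """Stand-in for SafetyCertifier: blocks irreversible actions, certifies the rest."""
    def certify(self, action: dict) -> Cert:
        return Cert("Blocked" if action.get("irreversible") else "Certified")

def certified_call(certifier, tool_fn, action: dict):
    """Intercept the proposed action, certify it, route on the decision."""
    cert = certifier.certify(action)
    if "Certified" in cert.decision:
        return ("executed", tool_fn(action))  # certified: the tool actually runs
    if "Escalate" in cert.decision:
        return ("escalated", cert)            # hand off to a human reviewer
    return ("blocked", cert)                  # the tool never executes

result = certified_call(StubCertifier(), lambda a: "ok", {"irreversible": False})
# result == ("executed", "ok")
```

The same wrapper shape works whether the "tool" is a LangGraph node, an MCP tool handler, or an OpenAI function-calling dispatcher; only the plumbing around it changes.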
The Certificate as Artifact
The certificate is not a log entry. It's a first-class artifact with a deterministic hash that can be independently verified. This matters for three audiences:
Regulators need to see that every autonomous action was evaluated against defined constraints before execution, with a reproducible proof chain. The EU AI Act's requirements for high-risk AI systems map directly to constraint-based certification with audit trails.
Insurers need to quantify residual risk. The drift budget on each certificate tells them exactly how close the system operated to a zone boundary. A portfolio of certificates with consistently high margins represents a lower risk profile than one with frequent caution-zone operations.
Enterprise compliance needs to demonstrate that autonomous systems operated within policy. The binding constraint on each certificate creates a natural audit dimension — if 40% of blocked actions cite data_sensitivity as the binding constraint, that tells the compliance team where to focus policy refinement.
One Kernel, Three Proof Environments
The kernel is domain-agnostic by design. We demonstrate it across three stress environments — not because we're building three products, but because the strongest proof of infrastructure is that it works under fundamentally different constraint regimes.
Agentic AI proves the kernel handles real-time decision certification for autonomous software agents with budget, rate, scope, reversibility, and data sensitivity constraints.
Financial risk proves the kernel handles high-dimensional constraint evaluation (6 channels, continuous market data) with regulatory-grade determinism and a 423× speed advantage over Monte Carlo simulation.
Constellation operations proves the kernel handles physical safety constraints — collision avoidance, spectrum compliance, debris mitigation — where certification failures have irreversible consequences.
Same ProposedAction → DomainAdapter → ConstraintChannels → SafetyCertifier → SafetyCertificate pipeline. Same deterministic hash. Same audit trail. Different constraint channels.
Getting Started
The kernel publishes to PyPI and crates.io:
```shell
pip install qae-safety          # Python (PyO3 bindings)
cargo add qae-safety-kernel     # Rust
```
Documentation and API reference: qaesubstrate.com
Research foundation: "Containment as Catalyst" — figshare DOI: 10.6084/m9.figshare.31742857
Working integration examples:

- QAE + LangGraph — Certified agent actions in LangGraph workflows
- QAE + Claude MCP — MCP server exposing certification tools to Claude
Autonomous systems should not execute actions without certification.
QAE is built by Northbeam Solutions LLC. Licensed under BSL-1.1, converting to Apache 2.0 in 2032.