a11oy / SZL HOLDINGS
Enter Console
LIVE COMMAND PLATFORM

Governed-AI
Command Platform

Every AI decision becomes a cryptographically signed, verifiable receipt — policy, reasoning, the operator, and counter-UAS on one pane of glass.

UTC EPOCH DOCTRINE v11

What it is

One pane of glass over the whole decision.

a11oy is the command platform for SZL Holdings. It unifies four surfaces that usually live in four disconnected tools — and binds them to a single, auditable record of every action.

// POLICY

Policy

Gates that say what an AI agent may and may not do — evaluated before any action runs, not after.

// REASONING

Reasoning

The model's chain of thought, scored against a trust floor before it is allowed to act.

// OPERATOR

Operator

The human-in-command view: live state, halts, and the one button that approves or stops.

// COUNTER-UAS

Counter-UAS

Drone & vessel threat tracks fed into the same governed loop as everything else.


The differentiator

No leader signs individual AI decisions.
So the decision signs itself.

Every governed action emits a cryptographically signed receipt: a hash of what was decided, why, and under which policy. Anyone can re-compute the hash and confirm it was not altered — without trusting us.

The usual way

An AI takes an action. A log line is written. The log can be edited, lost, or contested. To trust it, you have to trust the operator and the database behind them.

The a11oy way

The action produces a signed receipt. The signature is over the exact decision payload. Re-hash it yourself; if one byte changed, the check fails. Trust the math, not the messenger.

// LIVE RECEIPT — re-computed in your browser
SIGNED computing…
Open the verifier in the console

Honest scope: receipts are signed with a real key where one is provisioned for that organ; otherwise the receipt carries its hash and is verifiable for integrity but not yet for issuer identity. Nothing here is a claim of FedRAMP, Iron Bank, or CMMC.


Live proof · pulled from the running platform

Real numbers, fetched from this Space right now.

Services up— / —live organ health probes
Trust score13-axis geometric mean
a11oy policy gatesevaluated pre-action
Policy verdictsa11oy gate · allow/deny ledger

An unreachable organ is shown as unreachable, never green. If a probe is slow, the tile says so rather than faking a value.


Formally proven

Five properties carry machine-checked proofs.

The governed loop rests on a Lean development. Five core properties are proven theorems. The trust-score uniqueness result is honestly an open research conjecture — not a theorem — and we label it as such.

01
Governed Loop Reachability
Every allowed action keeps the system inside the governed region.
Proven
02
Receipt Integrity
A receipt verifies if and only if its payload is unaltered.
Proven
03
Policy Soundness
A declined action can never be executed by the loop.
Proven
04
Trust-Floor Monotonicity
Tightening the trust floor never enlarges the set of permitted actions.
Proven
05
Quorum Liveness
A 3-of-4 organ quorum can always reach a verdict under partial failure.
Proven
// HONEST LABEL

Trust-score uniqueness

The claim that the 13-axis trust score is the unique aggregate satisfying our axioms is a research conjecture, not a theorem. The Lean development still has open goals on this result. We will not call it proven until it is.

// SUPPLY CHAIN

SLSA L1 honest; L2 .att emitted (not independently verified) · L3 roadmap

Build provenance attestations (cosign) ship on the organ images today at SLSA L1 honest; L2 .att emitted (not independently verified) (Sigstore keyless — Fulcio cert + Rekor, verifiable via gh attestation verify / cosign verify-attestation); SLSA L3 is on the roadmap. This is not SLSA L3, FedRAMP, Iron Bank, or CMMC — and we don't say it is.


Surfaces

Two front doors. One governed loop.

🌐Spaces