_Threshold: The Trust Layer

The company console for AI‑native teams.

Today, agents are a black box of cognition and execution. Threshold separates the two — execution runs in a deterministic environment you can verify, refuse, and audit.

Engineer? Read the technical documentation ↗

_Functionalities

Trust at every level.
Context in every layer.

Six runtime capabilities. One trust layer.

Live

Data plane

Stateless edge proxy. Every agent call routes through Threshold. Credentials swap at the proxy; the agent never holds them.

Live

Authorization

Single-use, time-bounded capability tokens minted per request. Policies run in isolated V8 sandboxes — per-agent, per-tool, per-value.

Live

Boundary tags

Every input gets stamped at the edge — trusted or untrusted. The label inherits through agent reasoning. Untrusted text can inform a reply; it cannot authorize a transfer.

Beta

Sealed execution

The agent reasons over schema. The query runs inside a sealed enclave. Only the result returns; the rows stay inside.

Live

Steward

Every agent has a named human attached. Revoke a parent capability and every sub-agent, pending operation, and credential below it stops in milliseconds.

Live

Audit chain

Every decision and action appended to a Merkle log modeled after Certificate Transparency. Signed checkpoints anchor externally. Deletions are detectable.

_How Threshold works

Any agent. Any workflow.
One control plane.

Threshold is the runtime layer between every agent and every system it touches. Four checks the agent can't talk its way around — applied to every action, every time.

01 / Safety

The agent decides. Threshold acts.

Prompt injection defense. Untrusted text cannot become an authorized command. Refused, not detected.

Intention alignment. Every action checked against the original ask. Drift caught before it reaches a system.

Private context. Agents work against real data they never read. Sealed execution returns results, not rows.

Policy gate
Trusted
command
From approved interface
Untrusted
email text
External, unsolicited
Ambiguous
text
Unclear intent
Safe
request
User ask in scope
Private
context
Real data sealed
Policy gate
Inspect → Align → Decide
  • Boundary tag
  • Identity
  • Policy
  • Execution scope
  • Audit trail
Refused
No action taken.
Request stopped.
Needs confirmation
Human review
required.
Authorized action
Execute within
allowed scope.
Untrusted text cannot become action
Audit chain
01
Agent identified
Named steward attached
02
Capability token issued
Scoped · expires in seconds
03
Action executed
Performed by Threshold layer
04
Log signed
Tamper-evident entry created
05
External anchor
Cryptographic proof written externally
Tamper-evident · Verifiable · Accountable
Every action leaves a trail. Every trail has a name.
02 / Accountability

Who did what, by name.

Short-lived tokens. Agents don't keep credentials. Each action carries its own permission, expiring in seconds.

Records you can verify. Every action recorded by the layer that ran it — not the agent describing itself afterward.

Named stewards. Every agent has a human attached. When something breaks, there's always a person to talk to.

03 / Money

Stop guessing what AI costs.

The cost router. Every request goes to the cheapest model that can handle it. Renaming variables doesn't need the frontier model. Architecture does.

Real-time attribution. Spend by engineer, project, agent, and hour — not by invoice. Per-team caps enforced before the bill.

Requests in
Engineer
Project
Agent
Hour
Cost router
Haiku 3.5
Light tasks
$0.03
Per request
Sonnet 3.5
General tasks
$0.15
Per request
GPT-4o Mini
Complex tasks
$0.60
Per request
GPT-4o
Frontier tasks
$2.50
Per request
Total spend
$1,240
Total spend
$4,980
Total spend
$7,320
Total spend
$2,160
Total savings
vs. frontier-only routing
$9,760
34% saved
Skill registry
Today
Tomorrow
Skill Registry
Onboarding
Planning
Debugging
Security
Deployments
Scattered knowledge

Lost in docs, chats, and tribal memory.

Curated & reusable

Institutional knowledge that compounds.

One capture. Every reuse multiplies value.
04 / Knowledge

Your team's playbook, reusable.

The skill registry. A curated catalog of how your team actually works. Every engineer's AI draws from it automatically.

Signed provenance. Every skill signed by its author, audited before approval, protected from tampering. No SKILL.md roulette.

0
01 · Safety
Independent checks every agent action passes through, before it runs.
0%
02 · Accountability
Of agent actions signed and recorded — verifiable without trusting us.

Every agentic AI product today makes the same mistake: the agent that decides is the process that acts. Threshold separates the two. The agent decides. We act.

Credentials live with us. Audit is written by us.
Policy is enforced before the action, not announced after.

The four clusters above are not features —
they are consequences of one decision nobody else is making.

Read our philosophy
_Before the call

Frequently asked questions

01 Does Threshold disrupt how my engineers already work?

No. Threshold sits between your agents and the systems they touch. Your engineers keep using Cursor, Claude Code, Codex, ChatGPT, whatever they already prefer. The change is invisible to them and visible to you.

02 How is this different from other AI safety and guardrail vendors?

Most safety tools watch what the agent does. We decide what it gets to do. Detection layers run after the action and tell you what just happened. Threshold runs before the action and decides whether it happens at all.

A clever input cannot become an authorized action, because the policy runs against the boundary label, not against the model's interpretation of the request.

03 How is this different from MCP gateways?

MCP gateways and Threshold are doing related work at different layers. Gateways focus on identity, access control, and audit at the protocol level: who is allowed to call which MCP tool. Threshold focuses on the architectural separation between an agent's intent and its action: should this call happen at all, given where the instruction came from.

The practical difference shows up in three places. First, prompt injection. Gateways rely on threat detectors that classify suspicious requests. Threshold runs policy against boundary-tagged input lineage, so untrusted text cannot authorize a sensitive action.

Second, sensitive data. Gateways broker the call, but the data still passes through the model's context. Threshold runs sealed execution, so the agent reasons on schema and the underlying records are never read by the model.

Third, audit. Gateways log requests. Threshold writes signed, externally-anchored receipts of every decision, including refusals, as audit-grade evidence.

You can run Threshold alongside an MCP gateway. They occupy different layers and solve different problems.

04 What happens to our existing agents? Do we have to rewrite them?

No. Threshold attaches to your workflow. You don't migrate to ours. Existing agents (Claude Code, Cursor, custom harnesses, anything MCP-compatible) keep working exactly as they do today. The only change is that their tool calls flow through Threshold instead of going directly to GitHub, AWS, or wherever else.

05 How does Threshold handle our data?

You can self-host Threshold inside your own VPC, or run it as a managed service. In either case, raw prompt data, customer records, and source content stay on infrastructure you control. We only retain the metadata required for cost attribution and the signed audit log.

Sealed-execution workflows go further. The agent never sees the underlying data at all. Threshold operates against the records inside a trusted enclave and returns only the result.

06 How does Threshold actually catch prompt injection?

Most tools detect it probabilistically. We refuse it structurally. Every input entering your agent's context (a customer ticket, an email, a web page, a vendor document) gets tagged at the boundary as trusted or untrusted, and that label travels with the data.

When the agent decides to take an action, the policy engine checks the lineage of the request: where did this instruction come from? An untrusted source cannot authorize a transfer, a deploy, or an irreversible action, no matter how convincingly it's phrased. The check is a typed predicate that fails the same way every time.

07 How does this compare to building it ourselves?

A capable engineering team could build any one of Threshold's properties: boundary tagging, capability tokens, signed audit chains, sealed execution. What's hard to build is the four together, fast enough to live in the request path, grounded in cryptographic primitives most security teams do not have on staff.

Peer companies have spent eighteen months and seven figures on systems that do roughly thirty percent of what Threshold does. The build-versus-buy math gets one-sided quickly once the cryptographic foundations are accounted for.

08 Why an applied cryptography studio?

Because the guarantees this category needs are not bolt-on features. They are architectural choices made at the foundation. Signed provenance, capability-based authorization, sealed execution, tamper-evident audit chains: these are cryptographic primitives, not security UX. Inversed has been building on them for years across Worldcoin, Scroll, and the broader applied cryptography ecosystem. The console is what you see. The cryptography is the part that makes the console worth trusting.

09 How does an engagement with Threshold work?

Threshold isn't a SaaS you deploy alone. We work with you to integrate it into the workflows you already run — the connectors your team uses, the policies your security team has written, the agents your engineers already prefer.

Most teams start with a focused pilot on one high-value workflow, then expand as it earns trust. The first integration is collaborative; the next ten are configuration.

Engineering details
09 How does Threshold sit in the request path without slowing it down?

The T8 Engine is a stateless low-latency proxy. It intercepts agent traffic, resolves credentials at the edge, and forwards the call — typically in single-digit milliseconds. The agent's process never holds the credential; Threshold does. No changes to agent code are required. Connects via HTTPS, MITM, or an HTTP-proxy path depending on your runtime.

10 How are policies sandboxed?

Policies run inside V8 isolated-vm sandboxes — no Node.js globals, no filesystem access, no network access. Each policy script has access only to the calling agent ID, the tool being invoked, and the arguments. Evaluations execute in resource-bounded VMs, typically under a millisecond. If the policy runner is unhealthy, the system falls back to a configurable per-workflow default (allow or deny).

11 How is the audit log tamper-evident?

Every decision and every action is appended to a Merkle-tree log structured after RFC 9162 (Certificate Transparency). Inclusion can be proven in O(log n). Signed checkpoints are pushed to external anchors of your choice — AWS S3 with Object Lock, Git, public blockchains, or signed emails. This makes silent deletion or modification detectable by external verifiers, not just by us.

12 How do agents make payments without ever holding a private key?

Threshold uses the x402 protocol for gasless USDC transfers across EVM networks. The agent calls a RemoteProvider interface that forwards the payment request to a process-isolated signer running in a separate VM. The signer holds the key; the agent only sees the result. Spending budgets — single-transaction caps, daily limits, per-connection ceilings — are enforced before the signer ever sees the request.