First principles

Our philosophy.

Models are getting better. That does not make it safe to give them permanent keys, unchecked budgets, or permission to move customer data. Threshold puts real actions behind a runtime that can verify, refuse, and leave a record.

I.
The architectural mistake

Most agents are built on the wrong boundary.

For most of the last two years, agentic AI has been built on a default that's about to break a lot of companies. The model that decides what to do is also the process that does it.

The same statistical engine drafts the email and sends it. Drafts the refund and issues it. Drafts the commit and pushes it. The model reasons, then the same process reaches for the credential and takes the action.

This conflation is the common root of the failure categories keeping enterprise AI out of production. Prompt injection. Data exfiltration. Intention drift across long chains. Audit logs nobody trusts, because the process being audited wrote them. Blast radius nobody can bound. Credentials sitting in environment variables waiting to be exfiltrated.

They come from the same design mistake.

Reasoning and authority should not live in the same process.

II.
Why detection is not the answer

An arms race the defender cannot win.

The current vendor response is to add a layer of detection, a guardrail that watches what the agent does and flags it if something looks off. This is a respectable fallback. It will catch some bad outputs.

It will not catch the ones that matter.

The detection layer is in an arms race with the same model architecture it is detecting, trained on the same kinds of data, run by the same kinds of companies. An injected instruction written by a competent attacker does not look meaningfully different from ordinary text, and the attacker gets to iterate against the detector until it passes. The arms race has only one credible end, and it is not an end the defender wins.

By the time an output detector flags something, the action is already in flight. The API call has fired. The email has sent. The money has moved. A detector placed before the action is still a classifier guessing at intent. Either way, the detector tells you what looks wrong. It cannot tell you what was authorized.

Safety that arrives after the action arrives too late.

III.
The structural answer

The model can decide. The runtime executes.

Pull execution out of the agent. The model can reason about what should happen. The runtime decides whether the action is allowed to happen.

Credentials live with us, not the agent. Audit logs are written by us, not the agent. Limits are enforced at the request layer, not announced in a Slack alert after something has already broken.

When the agent decides to issue a refund, the decision becomes a structured request to us. We hold the credential. We check the request against your policy. We refuse if the provenance is wrong: if the amount or the recipient traces back to text the agent read rather than to an operator or a policy. We sign every approval and every refusal with a key the agent does not possess.

It sounds simple. It is. The simplicity is the point.

Six properties, one decision

What becomes true at once.

01

Credential isolation

The agent never holds a standing secret, so a compromised agent has nothing durable to steal. Per-call credentials, scoped to one operation, expiring in seconds: a captured token buys one action, not ongoing access.

02

Tamper-evident audit

The system that took the action does not write the record. Every action, and every refusal, is signed by the layer that executed it, anchored to an external transparency log.

03

Structural injection defense

A polite-sounding sentence cannot become an authorized command. Inputs are tagged at the boundary with where they came from. The label travels with the data through every tool call and model turn. An action whose arguments trace back to untrusted text is refused by construction, not flagged by a classifier.

04

Scoped permissions

Every key is good for one call, on one resource, expiring in seconds. The blast radius of any compromise is bounded to one action at one moment in time.

05

Instant halt

Revoke a compromised agent and everything it spawned is refused on its next request, in milliseconds. No credential rotation: there is no long-lived secret to rotate, and the per-call tokens already issued expire in seconds. One revoke, and the entire graph of authority collapses.

06

Bounded inference cost

Per-team, per-workflow, per-agent budgets enforced at the request layer, not on the invoice at the end of the month. The runaway overnight job gets stopped before the second request.

IV.
Why this is hard to copy

The hard part is making the guarantees hold.

A capable engineering team can build any one of these properties. What they cannot easily build is the architecture that makes them all coherent at once.

Fast enough to live in the request path. Strict enough that nothing slips. And grounded in a single architectural choice that the entire system traces back to.

The deeper layer is cryptographic. Sealed execution, where agents work on data they never read, requires real cryptographic infrastructure: trusted execution environments, attestation chains, zero-knowledge proofs, threshold signature schemes, multi-party computation for key management.

Inversed, the firm building Threshold, has been working on these primitives for years.

Models handle judgment.
Systems hold authority.

Detection still helps. It just cannot be the control that decides whether money moves, data leaves, or production changes.

The teams that ship agents safely will use models for judgment and systems for authority.