iiSP Flagship Platform
Elorynv0.27.27
The governance and security layer between your AI agents and the systems they act on.
Morality is not a speech. It is a switch statement.
The Problem
Natural language is not a security boundary
Standard AI safety is a system prompt — a politely-worded request the model can be argued out of. Prompt injection, capability escalation, and data exfiltration all succeed against natural language.
Physics cannot be argued with.
What Eloryn does
It gates intent before it becomes action
When an agent decides to do something — query a database, write a record, move money, send a message — that intent passes through Eloryn first. There it is cryptographically identified, capability-scoped, screened for threats, and judged against policy and privacy law.
The result is deterministic, in milliseconds, with a signed and hash-chained record of every decision: permitted, paused for a human, or refused. The model stays free to reason; it is not free to act outside the trust chain.
The Product
Two pillars, every action, zero exceptions
Eloryn governs both the security and the compliance of AI communication in an enterprise. These are not two features — they are the product.
Security — at machine speed
Cryptographic identity, a capability-scoped execution sandbox, a harm-evaluated semantic firewall, and circuit breakers. Deterministic enforcement in milliseconds, with no human in the hot path.
Governance — with human judgment
A constitutional judge, a human-pause gate for the ambiguous and high-impact, statutory privacy law enforced as types, and a signed, hash-chained, offline-verifiable audit trail.
Architecture
The 5-Layer Guardian Architecture
Every intent passes through five independent layers. Any one of them can stop the action — and none of them is a language prompt.
Identity
Biscuit tokens (Datalog) signed with Ed25519. Delegation is attenuable — a sub-agent's scope is provably a subset of its parent's. Privilege escalation fails at the signature.
The Cage
A WASM capability sandbox (Wasmtime) with deny-all defaults. The approved intent hash maps to exactly the capability set required — nothing more. Cross-platform, no hypervisor or Kubernetes required.
Semantic Firewall
A Rust proxy with a Llama-Guard-3 sidecar. Screens the canonicalized intent for prompt injection and exfiltration, applies Unicode NFKC normalization against homoglyph attacks, and detects canary tokens in outbound traffic.
Constitutional Supervisor
A gRPC judge — a Ternary Moral Logic evaluator, not a blocklist. It renders a verdict, signs permitted actions with Ed25519, and routes ambiguous or high-impact intents to the Human Pause gate.
Circuit Breakers
Token-bucket rate limiting, 3σ anomaly detection, a health score H ∈ [0,1], and budget caps. When behaviour degrades or a compromise is detected, the breaker trips and the process is contained.
The WASM cage is the isolation boundary Eloryn ships with — no hypervisor or Kubernetes required. Operators who want a second, hardware-enforced boundary may run Eloryn inside their own VM, but it is optional.
Logic Engine
Ternary Moral Logic
Binary authorization is allow or deny. AI operations hit edge cases that need human context. Every action resolves instead to one of four deterministic states — compiled in, not requested of a model.
Callers never receive a bare success: boolean. Every outcome carries its own typed payload — rationale, Ed25519 signature, intent hash, and triggering principle.
Permit
All checks pass. The action runs in the sandbox with a scoped capability set.
Sacred Pause
Ambiguity, irreversible or high-impact intent, or degraded health. Execution halts; a human approves, rejects, or escalates.
Prohibit
Invalid token or policy denial. Refused — no execution path exists.
Terminate
Active compromise detected. Keys are zeroized, the stream is terminated, and the incident is captured.
The Live Demo
Governing real agent traffic
The demo is live at eloryn.io, and the Governance Center is the demo. Autonomous LLM-driven agents make real model calls and real queries against a synthetic Government-of-Canada dataset — every action governed live through all five layers before it is allowed.
Real model calls
Autonomous agents call live LLM providers (Groq as the rate-budgeted primary, with provider failover) — not a scripted feed.
Real audit trail
The dashboard tails the signed, hash-chained audit database. Every event you see is a real governed decision.
All outcomes fire live
Permit, Sacred Pause, Prohibit, Firewall Reject (Layer-3 exfiltration), and Terminate (honeytoken/compromise) — all verified against real traffic.
On-demand agents
Each agent runs a bounded battery of curated events at ~2-second cadence. Activation is explicit and per-agent; agents never auto-run.
Synthetic GoC data
Queries hit a synthetic Government-of-Canada resource set, so the scenarios are realistic without exposing any real data.
Isolated & reset daily
The stack runs as an isolated Docker profile; a 24-hour sidecar clears demo logs so every demonstration starts clean.
Next up — Demo 2.0: a curated fleet of eleven organizational agents (federal, provincial, banking, insurance, and medical), each running 40–50 deterministic events that exercise both pillars, all five layers, and every outcome.
The Governance Center
A control plane, not a developer toy
Eloryn is operated through the web console by four oversight roles — the control plane an organisation uses to put its autonomous AI under provable, auditable control.
Auditor
The full, tamper-evident event log — verdict, rationale, triggering principle, and an offline-verifiable Ed25519 signature on every record.
Supervisor
The Human Pause Queue: when an action is ambiguous or high-impact, execution stops and waits for a human to approve, reject, or escalate.
Compliance Officer
A live multi-jurisdiction posture (CA · US · EU · AU) showing how agent activity measures against each privacy law, with statutory citations.
Platform Admin
Confirmation that enforcement is running, plus configuration of policy profiles, active jurisdictions, identity, and circuit-breaker thresholds.
Privacy Engineering
Privacy law as enforced contracts
Eloryn encodes privacy law as enforced contracts, not compliance-officer checklists. Each governed action is evaluated against the jurisdictions enabled for your deployment, and the result is recorded with a statutory citation in the signed audit trail.
🇨🇦 Canada — Federal
PIPEDA · Privacy Act
Granular consent masks, incident-draft generation on data-loss alerts, and plain-language decision rationale. Designed to align with ITSG-33 and the NIST AI RMF.
🇨🇦 Québec
Law 25
Consent enforcement live in the demo, residency-scoped data controls, and French-first record obligations.
🇨🇦 Govt of Canada
TBS Directive (DADM)
AIA impact levels 1–4 computed per resource from live jurisdiction, data-category, and consent data; the §6.4 human-review gate fires at AIA 3+.
🇨🇦 Defence
DAOD
Clearance-gated resource access and compartment-aware prohibit logic.
🇺🇸 United States
CCPA / CPRA
A DoNotProfile opt-out disables profiling history; a consumer data-export endpoint satisfies access requests. Designed to align with the NIST AI RMF.
🇪🇺 European Union
GDPR Art. 17
Cascading "right to be forgotten" deletes and an override that halts special-category data processing. Designed to align with ISO/IEC 42001.
🇦🇺 Australia
Privacy Act · APP
Org-unit data sandboxing and breach-notification-formatted audit logs.
On AIDA (Bill C-27): Canada's Artificial Intelligence and Data Act is still in the parliamentary process and is not yet in force. Eloryn's architecture is designed to align with its obligations for high-impact systems — risk assessment, transparency, human oversight, auditability — so that compliance becomes a configuration step, not a retrofit, if and when the Act is enacted.
“Designed to align with” means Eloryn's mechanisms map to a framework's requirements. It does not mean Eloryn holds certification or accreditation under ITSG-33, ISO/IEC 42001, the NIST AI RMF, or any other standard.
Status
Where Eloryn is
- Core platform — production shape
Identity, cage, firewall, judge, breaker, compliance, runtime, packaging, and OpenTelemetry across a TypeScript + Rust monorepo.
- Live demo server — since June 2026
Real LLM agents governed live through all five layers, all outcomes firing, real audit trail — at eloryn.io.
- In build — Demo 2.0
A curated fleet of eleven organizational agents replacing the earlier randomized battery.
- Next — hardware signing & bilingual docs
FIDO2 / WebAuthn hardware key-turn for high-impact actions, operator auth, an OpenTelemetry span-tree UI, and full English/French documentation parity.
Engineering
The stack
Canadian Sovereign AI
Eloryn is built around Canadian AI and privacy policy — PIPEDA, Québec Law 25, and the Treasury Board Directive on Automated Decision-Making — and designed to align with ITSG-33 and the forthcoming AIDA. It supports on-premise and air-gapped deployments for complete data sovereignty, with locally hosted open-source models where required.
See it governing live
The Eloryn Governance Center is live at eloryn.io — real agent traffic, the Ternary Moral Logic engine, multi-jurisdiction compliance, the human-pause queue, and the tamper-evident audit trail, all in one console.