What is VEX Protocol?

VEX Protocol is an execution boundary enforcement system for autonomous AI agents. It separates proposal from authorization — no real action executes without explicit, policy-governed approval — and produces cryptographically verifiable evidence of what crossed the execution boundary.

What are Evidence Capsules?

Evidence Capsules are cryptographically verifiable records produced by VEX Protocol for governed actions. Each capsule preserves the governance context of the execution: what was authorized, what was proposed, and what crossed the boundary. The evidence is tamper-evident and can be audited for compliance and incident response.

How does VEX Protocol support EU AI Act compliance?

VEX Protocol's Evidence Capsule architecture supports three key EU AI Act requirements for high-risk AI systems: Article 13 (transparency — every action is interpretable and attributable), Article 14 (human oversight — execution gates enforce mandatory approval before any real action), and Article 17 (quality management — tamper-evident audit trails support documentation and post-market monitoring requirements).

What is the difference between McpVanguard and VEX Protocol?

McpVanguard is a real-time security proxy that blocks malicious or unauthorized MCP tool calls at the execution boundary. VEX Protocol is a governance and evidence protocol that enforces policy authorization and produces cryptographic audit evidence for every action it governs. They are complementary: McpVanguard secures the tool-call surface; VEX Protocol governs and proves what the agent was authorized to do.

The protocol layer that makes autonomous AI reviewable before it acts.

VEX puts a control point between what the agent suggests and what actually runs — then proves it happened that way.

Explore a pilot Technical overview

Pre-execution control

Verifiable offline

Portable Evidence

Evidence capsule

Execution with governance attached

Bound

Authority

Actor, scope, and decision basis.

Intent

Proposed action as structured context.

Identity

Principal bound to the evidence record.

Witness

Outcome preserved as cryptographically verifiable evidence for review.

Why it matters

VEX changes the contract between an agent and a privileged system.

Instead of asking whether a model looked aligned after the fact, VEX places an explicit governance layer between suggested action and real consequence.

Proposal is no longer permission

VEX treats model output as a request for action, not authority to execute. That split is the foundation of governed autonomy.

Authorization moves outside the model

Scope, policy, and runtime controls are evaluated independently, reducing the agent's ability to self-expand its trust boundary.

The result becomes a reviewable record

Each action that matters is bound to context, the reasoning behind it, and the outcome — so you can reconstruct what happened later.

Evidence Capsule

What an artifact looks like

Governed execution events in VEX produce cryptographically verifiable evidence. Here is an illustrative example of what the evidence structure can look like.

vex-cap-9f3a2b1e-7d4c

VERIFIED1.0.0

network: provn-localnetts: 2026-05-24T14:32:17.843Z

Authority

auth:sha256:a7f3c9...e4d2

authorized_principal:org:provn:platform-team

governed_scope:filesystem:read:/var/data/invoices/*

permitted_actions:[fs_read, api_call, db_query]

verification:0x9a2f...b7e1

Intent

intent:sha256:c8e1b2...f5a3

authorized_goal:Generate monthly compliance report

session_context:sess-7c4a-9f2b-11e3

constraints:read-only, no-egress, 30s-timeout

verification:0x3d4e...a9c2

Identity

id:sha256:d2a5f7...c8b1

agent_reference:agent:provn:v1:0x7a9c...

trust_context:verified:ref-ABCD-1234

runtime_context:runtime:verified:0x3f2a

verification:0x5e6f...d3a1

Witness

witness:sha256:e3b6a1...d7c4

integrity_root:0x1a2b3c...4d5e6f

sequence_anchor:0x9f8e7d...6c5b4a

record_count:14

verification:0x7b8c...e2f1

Verification

integrity_root0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d

prev_reference0x9f8e7d6c5b4a39281726354

verification0x7b8c9d0e1f2a3b4c5d6e7f8

Execution flow

Four steps between model output and consequence.

VEX is intentionally small at the control point. Its job is to make the execution boundary explicit, enforceable, and inspectable before the system acts.

Proposal

The agent proposes an action, target, and intended effect. Proposal is captured before any privileged execution begins.

Scope check

Runtime context, resource constraints, and execution scope are checked against the declared request.

Independent authorization

Policy controls outside the agent boundary determine whether the action is permitted before any privileged execution begins.

Evidence preservation

Execution outcome and decision basis are preserved as reviewable evidence — including denied, escalated, or blocked paths where relevant.

Architecture position

VEX is the control point, not the entire stack.

ProvnAI contributes across adjacent governance work, but VEX has a narrow and valuable role: it sits where proposed action becomes real execution and makes that boundary externally governable.

VEX

Execution boundary layer

The execution boundary layer where proposed action is independently authorized and preserved as cryptographically verifiable evidence.

Governance framing layer

Policy models and control assumptions that define what actions are permitted and who can authorize them.

External authority layer

External authority and review services that complement governed execution.

Product maturity

Clean lines between what is shipped and what is in pilot.

The protocol story is strongest when it is precise. This roadmap distinguishes what is available today from what we are actively piloting with design partners.

Available now

Controlled execution scope
Cryptographically verifiable evidence
Portable verification artifacts
Local verification tooling

In pilot

Enterprise deployment patterns
Design partner integrations
Policy and review workflows

Audience

Built for environments where AI consequence is material.

VEX is not a general-purpose chatbot feature. It is for teams that need a protocol surface around real execution, policy, and evidentiary review.

Enterprise platform teams

Teams introducing autonomous systems into production environments where privileged actions need someone to review and sign off before they run.

Public sector and regulated environments

Organizations that need AI decisions to be designed for auditability, attribution, and review under formal oversight.

Research, standards, and assurance collaborators

Researchers and standards bodies working on formal verification, identity, and cryptographic proof for agentic systems.

Pilot access

Secure your
autonomous AI agents

We are accepting a limited number of design partners and pilot deployments for secure agent execution. Tell us what you are building.

Enterprise & Startup Pilots

Deploy controlled execution for your agent stack. We work directly with your security and platform teams.

Public-Sector & Consortium

Standard-setting conversations for secure AI in regulated environments. EU AI Act, DORA, SOC2 alignment.

Architecture Collaboration

Formal verification, ZK proof systems, and protocol-level trust. We support open academic and institutional collaboration.

We read every submission and reply within two business days.

Related Glossary Terms

Evidence Capsule

A cryptographic evidence construct that preserves the governance context of governed execution events.

Authority Control

Authorization policies that govern which tools and actions an agent is permitted to execute.

Intent Attestation

The binding of agentic sessions to authorized goals — ensuring actions remain within the declared scope.

Witness Log

Tamper-evident execution records preserving what crossed the boundary during governed actions.

Merkle Audit Trail

Cryptographic integrity mechanism for execution logs, making post-hoc modification detectable.

TEE Isolation

Hardware-enforced runtime isolation that protects agent context from host-level extraction.

Execution Boundary

The formally defined perimeter that VEX enforces for every agent session.