What this research addresses

• ○ State transitions at irreversible commitment points in interactive systems
• ○ Formal specification of invariants that must hold across state transitions
• ○ Binary enforcement decisions (permit/reject) without probabilistic scoring
• ○ Prevention of state violations regardless of actor identity or intent
• ○ Human-in-the-loop assumptions for commitment authorization

What this research does not claim

• — General-purpose threat detection or malware classification
• — Protection against all classes of security vulnerabilities
• — Replacement for defense-in-depth security architectures
• — Solutions to cryptographic, network-level, or physical security problems
• — Formal verification of arbitrary program correctness

Program Correctness & Formal Invariants

Edsger W. Dijkstra, David Gries, C.A.R. Hoare

Computer System Protection Models

Jerome Saltzer, Michael Schroeder, Butler Lampson

Distributed Systems & Safety Properties

Leslie Lamport, Nancy Lynch

Database Integrity & Transaction Invariants

Jim Gray, Jennifer Widom

Human-Computer Interaction & System Trust

Ben Shneiderman, Don Norman

Available

• Sandbox API access
• Enforcement trace logs
• Policy schema documentation

Research Areas

• Formal verification
• Invariant completeness
• Adversarial testing

admissible inadmissible

RMM Script Deployment

Invariant Substrate

Enforce target count limits, change window compliance, script approval status, and MFA verification before any script executes across endpoints.

Privilege Escalation

Access Control

Enforce session validity, MFA completion, and role boundaries before any privilege change commits. Inadmissible escalations cannot exist.

Bulk Operations

Data Protection

Enforce backup verification, scope limits, and dual approval requirements before mass deletions or modifications execute.

Financial Transactions

Treasury / Payments

Enforce amount thresholds, velocity limits, recipient verification, and human presence requirements before wire transfers commit.

What Collapses

What Collapses

What Collapses

What Collapses

What Collapses

What Collapses

What Collapses

What Collapses

Trading Infrastructure

Irreversible Order Execution

Order execution commits capital to positions that cannot be unwound without loss. Cross-system state divergence creates windows where commitments occur against stale state.

"Monitoring observes execution after commitment. Enforcement evaluates at the moment of commitment."

Healthcare & Life Sciences

Irreversible Patient Actions

Clinical actions commit to patient states that cannot be reversed: medications administered, procedures performed, records modified. Each creates liability exposure.

"Claims analysis detects anomalies months after submission. Enforcement prevents impossible claims at submission."

Enterprise IT & Managed Services

Cascading Administrative Actions

Administrative actions commit to state changes across thousands of endpoints simultaneously. Automation amplifies blast radius beyond containment capacity.

"EDR captures malicious behavior after endpoints are compromised. Enforcement contains blast radius structurally."

Critical Infrastructure & Public Sector

Irreversible Policy Execution

Entitlement decisions commit citizens to benefit states with downstream dependencies. Infrastructure control commits physical systems to operational states.

"Audit systems verify compliance after decisions execute. Enforcement ensures compliance at decision time."

Failure Mode Exists

→

Current Solutions Detect

→

SentinelX Defines Invariant

→

Category Eliminated

Conversation Safety

Model-level guardrails focus on what AI says. They filter outputs, detect harmful content, and shape responses.

This matters for chatbots. It does not prevent an AI agent from wiring money to a fraudulent account because someone sent a convincing email.

Action Safety

SentinelX operates at the commitment layer. We enforce constraints on what AI can do—before irreversible actions execute.

The AI can propose any action. The action only commits if it satisfies structural invariants verified against ground truth.

System prompts

Can be overridden through prompt injection, jailbreaks, or context manipulation.

Policy documents

Describe desired behavior but cannot enforce it. The AI may comply, or may not.

"Be careful" instructions

Advisory, not enforceable. An attacker with a convincing story bypasses intention.

Commitment Gate

Every irreversible action passes through a verification gate before execution. The gate evaluates the action against defined constraints, thresholds, and authority requirements.

• → Transactions above threshold require human approval
• → Data exports require source verification
• → Authority claims require cryptographic proof

Authority Verification

No PDF coups. Authority claims—"I'm the CEO," "This is approved," "We have permission"—are verified against ground truth, not accepted at face value.

• → Identity claims cross-referenced
• → Document provenance validated
• → Out-of-band confirmation for high-risk claims

Scope Binding

Agent actions are bound to declared scope at invocation. Tool calls outside scope are structurally inadmissible regardless of reasoning or justification.

• → Tool allowlist enforced at commit
• → Scope hash prevents drift
• → Expansion requires explicit re-authorization

Autonomy Scaling

Agent capability adjusts dynamically based on context. When drift increases, anomalies are detected, or risk thresholds are approached, autonomy automatically reduces.

• → Low-risk: Full autonomous operation
• → Elevated: Human-in-the-loop required
• → High: Operations suspended pending review

Email & Identity

Commitment gates on email-initiated actions. Wire requests, credential resets, and data access verified before execution.

Prevents: BEC fraud, credential theft

Finance & Payments

AI agents processing payments operate within enforced boundaries. Thresholds and dual-approval are structural, not advisory.

Prevents: Transfers violating approval invariants

Operations & Procurement

Vendor changes, purchase orders, and contract modifications pass through authority verification. AI cannot approve its own suggestions.

Prevents: Vendor fraud, purchases violating approval invariants

Autonomous Agents & Copilots

AI systems with tool access operate within commitment constraints. Autonomy scales with verified context.

Prevents: Data exfiltration, runaway automation

"They set policy. We enforce it."

SentinelX does not decide what is safe, ethical, or appropriate. Institutions make those determinations. We guarantee their decisions are honored at runtime.

"One policy. Any AI vendor."

Policy is defined once. Enforcement applies uniformly across GPT, Claude, Gemini, Llama, or any future model. Vendors are interchangeable. Boundaries are constant.

"Forbidden states never occur."

SentinelX makes certain outcomes structurally impossible. Not unlikely. Not detectable. Impossible. This is the guarantee.

A: Structured Governance

B: Mandated Local Policy

C: Emerging / Advisory

D: No Public Framework

Hover for details

Florida K–12 AI Task Force

Florida has established one of the most comprehensive K–12 AI governance frameworks in the nation, led by the CS Everyone Center at University of Florida. The state was selected as an EDSAFE AI Alliance Policy Lab State for 2025, aligned with the SAFE Framework.

Florida ties AI literacy into state Computer Science standards (effective July 2024), creating a foundation for structured, accountable AI integration across districts.

Florida AI in K–12 Toolkit

Student Data Privacy & Liability

FERPA/COPPA compliance, data residency, breach exposure, parental notification requirements. Who is liable when student data flows through third-party AI tools?

Shadow AI Tool Sprawl

Unvetted tools adopted at classroom level without IT or compliance review. No visibility into what's running, what data is shared, or what risks exist.

Academic Integrity & Assessment Validity

AI-generated work undermining assessment value. How do you measure learning when AI can produce assignments? What counts as legitimate AI assistance?

Consistency Across Districts

67 districts in Florida alone, each potentially setting different policies. State needs coherent approach without eliminating local flexibility.

Vendor Accountability & Procurement Risk

Evaluating AI vendor claims, contract terms, data handling practices. Procurement teams need clear criteria—not marketing materials.

Public Trust & Oversight Scrutiny

Board meetings, parent concerns, media attention. Decisions must stand up to scrutiny from oversight bodies and communities.

Teacher Readiness & Implementation Drift

Professional development capacity, comfort levels, inconsistent application of policies. Good policy means nothing if implementation varies wildly.

Future Regulatory Alignment

Federal guidance is evolving. States need frameworks that can adapt to new requirements without starting over.

TRACK A

Policy & Governance

State-level frameworks that translate to district-ready implementation.

INCLUDES

• • Board-ready model policy language
• • Governance playbook (roles, escalation, review cycles)
• • Stakeholder communication templates
• • Policy inheritance configuration

FOR

State DOE, superintendent associations, task forces

SUCCESS LOOKS LIKE

Adopted policy language across 50%+ districts within 12 months.

TRACK B

Technical Safety Controls

Infrastructure-level enforcement for IT and security teams.

INCLUDES

• • Identity integration (SSO, directory sync)
• • Data flow monitoring + PII detection
• • Vendor evaluation framework
• • Incident response playbook + telemetry

FOR

State/district CIO, IT directors, security teams

SUCCESS LOOKS LIKE

Zero unvetted AI tools with student data access; complete audit trail.

TRACK C

Classroom Integration

Practical support for educators adopting AI responsibly.

INCLUDES

• • AI literacy curriculum alignment
• • Teacher PD patterns + certification paths
• • Integrity-safe assignment design guides
• • Context-aware AI mode configurations

FOR

Curriculum directors, instructional coaches, teacher leaders

SUCCESS LOOKS LIKE

Teachers confidently using AI with clear boundaries; preserved assessment validity.

Federal

Goals & Principles

→

State

Frameworks & Mandates

→

District

Policy & Implementation

→

Classroom

Practice & Delivery

Is this FERPA/COPPA-safe?

SentinelX is designed to support FERPA and COPPA compliance by providing controls that prevent student data from flowing to unapproved services and maintaining audit trails required for compliance reviews. We recommend working with your legal counsel to confirm specific compliance requirements for your context. This is not legal advice.

Can we allow AI without destroying academic integrity?

Yes. SentinelX supports context-aware autonomy scaling. During assessments, AI capabilities can be restricted to specific modes (e.g., no generative assistance). During learning activities, broader access can be enabled. The key is structural enforcement—not relying on students to follow honor codes.

How do we prevent tool sprawl without policing teachers?

The Approved Tool Registry defines admissible tools. Teachers can use approved tools freely. Unapproved tools are inadmissible at the infrastructure level—no manual enforcement required. Teachers know what's available; IT knows what's running.

How do we evaluate AI vendors?

SentinelX provides a structured vendor evaluation framework covering data handling, security practices, compliance attestations, and integration requirements. Procurement teams get clear criteria instead of relying on vendor marketing. Authority Verification ensures claimed certifications are validated.

How do districts keep flexibility without fragmentation?

District Policy Inheritance allows states to set baseline controls that all districts inherit automatically. Districts can then add additional restrictions or approved tools within those bounds. The state maintains coherence; districts maintain local control. Variance is bounded, not unlimited.

What happens when AI output is wrong or harmful?

The Reality Ledger maintains a complete audit trail of AI actions and decisions. When issues occur, you can trace exactly what happened, when, and what controls were in place. For high-risk actions, the Commitment Gate requires human approval before execution—preventing irreversible harm.

1,500+

Organizations hit in single RMM attack (2021)

$70M

Ransom demanded (2021)

< 2 hrs

Time from compromise to encryption

100%

Of endpoints reachable from RMM

Script pushed to 5,000 endpoints simultaneously. Valid credentials. Proper authorization. Blast radius exceeds defined threshold.

Invariant: Mass deployment actions exceeding endpoint threshold require staged rollout with confirmation gates. Simultaneous execution to >N endpoints is structurally inadmissible.

Technician A manages Client X. Compromised session attempts action on Client Y. Cross-tenant access with valid platform credentials.

Invariant: Actions targeting tenant outside operator's assigned scope are structurally inadmissible. Tenant boundaries enforced at commit, not session.

Ransomware playbook: delete backups first, encrypt second. Attacker with admin access purges backup snapshots before deploying payload.

Invariant: Backup deletion requires quorum approval + time-delayed execution. Bulk deletion is structurally inadmissible without multi-party confirmation.

Technician elevates to domain admin across managed client. Action within RMM capabilities. Outside defined role boundaries.

Invariant: Privilege escalation beyond role ceiling requires out-of-band approval with authority proof. Self-elevation is structurally inadmissible.

Arbitrary PowerShell pushed to endpoints. Script hash doesn't match approved library. Execution proceeds because credentials are valid.

Invariant: Script execution requires hash match against approved library. Unapproved scripts are structurally inadmissible regardless of operator credentials.

Restore operation overwrites production data. Operator selects wrong snapshot. Restore completes before anyone realizes the mistake.

Invariant: Restore to production requires explicit overwrite confirmation with target verification. Restore without confirmation token is structurally inadmissible.

Attackers exploited a widely deployed RMM platform to push ransomware to 1,500+ organizations through 60 MSPs. Single vulnerability, mass deployment capability, no blast radius limits. SentinelX invariant: Mass script deployment exceeding endpoint threshold requires staged rollout. Simultaneous push to all endpoints structurally inadmissible.

Authentication bypass vulnerability allowed attackers to create admin accounts and deploy ransomware across managed environments. SentinelX invariant: Admin account creation requires existing admin MFA + out-of-band confirmation. Bypass of authentication chain structurally inadmissible.

Compromised update from a major IT management platform pushed to 18,000 organizations. Trusted update channel, signed binaries, no deployment constraints. SentinelX invariant: Binary deployment requires hash verification against known-good manifest. Updates with unknown hashes structurally inadmissible.

// Mass script deployment via RMM - compromised technician account

POST /v1/enforce

{
  "action": "rmm.script.deploy",
  "context": {
    "operator_id": "[email protected]",
    "operator_authenticated": true,
    "target_endpoints": 4847,
    "target_tenants": ["client-a", "client-b", "client-c", ..."client-z"],
    "script_hash": "e7d3f8...",
    "script_in_approved_library": false,
    "execution_mode": "immediate",
    "operator_assigned_tenants": ["client-a", "client-b"]
  }
}

$2.9B

BEC losses reported to FBI in 2023

< 4%

Recovery rate on international wires

72 hrs

Average time to detect BEC fraud

< 100ms

Time for wire to become irreversible

CEO email compromised. Wire instruction sent to finance. Credentials valid. Approval chain satisfied. Authorization complete. Transfer violates recipient verification invariant.

Invariant: First transfer to unverified recipient is structurally inadmissible. Hold period creates temporal boundary that cannot be bypassed regardless of authorization state.

Insider initiates transfer. Within their authorization limits. To account they control. Fully authorized. Violates dual-approval invariant for high-value transfers.

Invariant: Transfers exceeding threshold require independent second approval. Self-approval creates logical contradiction. Recipient allowlist membership evaluated at commit time.

Valid credentials. Successful authentication. Attacker modifies contact info then initiates wire. Both actions individually authorized. Combined state violates session integrity invariant.

Invariant: Profile modification and fund transfer in same session is structurally inadmissible. MFA freshness creates temporal constraint. Velocity limits define rate boundaries.

Double-spend attempts. Race conditions in concurrent transactions. States where funds exist in two places simultaneously. Mathematically impossible in a consistent ledger.

Invariant: sum(debits) must equal sum(credits) is evaluated at commit boundary. Idempotency keys make replay structurally impossible. Atomic consistency is a precondition for commit.

// Wire transfer request - CEO email compromised

POST /v1/enforce

{
  "action": "wire.transfer.execute",
  "context": {
    "amount": 847000,
    "currency": "USD",
    "recipient_account": "HK-8847291-NEW",
    "recipient_name": "Vendor Systems Ltd",
    "recipient_verified": false,
    "requestor_id": "[email protected]",
    "mfa_verified": true,
    "mfa_timestamp": "2024-01-15T09:23:00Z",
    "approval_chain": ["[email protected]"],
    "first_transfer_to_recipient": true
  }
}

Detection-Based Approach

• ✗ Analyzes patterns after transactions complete
• ✗ Flags "suspicious" activity for human review
• ✗ Relies on behavioral anomaly scoring
• ✗ False positives train staff to ignore alerts
• ✗ By detection time, funds are unrecoverable

Enforcement-Based Approach

• ✓ Evaluates constraints before commit
• ✓ Blocks structurally invalid transactions
• ✓ Relies on defined invariants, not heuristics
• ✓ Zero false positives - violations are deterministic
• ✓ Funds never leave - nothing to recover

Healthcare Systems

Power Grid / SCADA

Setpoint changes commit to physical states. A value outside safe range doesn't trigger a warning—it causes equipment damage, blackouts, or cascading failures.

Aviation Systems

Flight control systems, maintenance releases, navigation updates—each commits to states where errors kill. DO-178C exists because detection is too late.

Water / Utilities

Chemical dosing, pressure systems, treatment processes—commands commit to states that affect public health. Oldsmar showed what happens when controls fail.

Attacker accessed SCADA, increased sodium hydroxide (lye) from 100ppm to 11,100ppm. Operator noticed and reversed. SentinelX would block: Chemical setpoint 111x outside safe operational bounds. Command inadmissible.

BlackEnergy malware opened breakers at 30 substations, causing 230,000 customer outages. Operators had valid credentials. SentinelX would block: Cascading breaker commands exceeding blast-radius invariants. Velocity limit exceeded.

Ransomware on IT side led to OT shutdown out of caution. 45% of East Coast fuel supply disrupted for 6 days. SentinelX enforces: IT/OT boundary invariants. Lateral movement to critical systems blocked structurally.

// SCADA setpoint change request

POST /v1/enforce

{
  "action": "scada.setpoint.change",
  "context": {
    "system_id": "WTP-CHEM-01",
    "parameter": "sodium_hydroxide_ppm",
    "current_value": 100,
    "requested_value": 11100,
    "operator_id": "remote-session-7",
    "operator_authenticated": true,
    "maintenance_mode": false
  }
}