What is Agent OS? The missing layer between AI intent and execution. Agent OS is a governance and audit runtime that sits between your AI agent’s reasoning and real-world action execution. It intercepts every agent decision, evaluates it against policy, creates a provenance record, and either executes, gates, or blocks — before anything touches your infrastructure.
AI agents are not the risk. Unverifiable execution is the risk. ProvenanceCode separates reasoning from execution, and forces every decision to be recorded before it can act.
Plans actions and reasons about goals. Never executes directly.
Structured intent and risk assessment generated before any execution.
ISO 42001-aligned rules evaluate the record. Allow, deny, or gate.
Sandboxed action runner. Trusts policy — not the agent.
Signed provenance stored. Full audit trail. Replayable.
High-risk actions — pause here for human approval via SMS or email before proceeding.
Agent OS is the runtime layer. It interprets goals, breaks them into steps, annotates each step with risk, and produces a provenance record before any execution occurs. It delegates — it never acts directly.
This separation is the security model. Competitors mix reasoning and execution. ProvenanceCode keeps them strictly apart. The agent thinks. The executor acts. The provenance record is the verified handoff between them.
Before any action executes, Agent OS generates a structured provenance record — a deterministic contract of intent, risk assessment, and required permissions. Not a log. Generated before execution, not after.
{
"id": "attest_a1b2c3",
"timestamp": "2025-01-14T09:32:11Z",
"actor": { "type": "agent", "id": "agent_deploy_001" },
"intent": "Deploy updated API service to production",
"risk_assessment": {
"level": "high",
"factors": ["production environment", "service restart"]
},
"permissions": { "requires_approval": true, "approved_by": null },
"execution": { "executor": "aws.ecs", "status": "pending_approval" },
"result": null
}
Rules are defined in YAML and evaluated deterministically against the provenance record. No probabilistic safety — pure rule enforcement.
# High-risk actions require human sign-off - if: risk == "high" then: require_human_approval # Never allow writes to system directories - if: executor == "filesystem" and: path.startsWith("/etc") then: deny # Production locked to signed agents only - if: environment == "production" then: restrict_to_signed_agents
ISO/IEC 42001 is the international standard for AI management systems. Agent OS ships with a default policy baseline derived from its core controls — giving enterprises a defensible, auditable governance foundation from day one.
Executors are sandboxed interfaces to the real world. They receive a provenance record, validate it against policy, perform the action, and return a signed result. They do not trust agents — they trust the provenance record and policy.
Filesystem — read, write, delete on local or mounted filesystems.
HTTP — outbound API calls with full request/response logging.
AWS — ECS deploy, S3, Lambda invocation via Bedrock-native integration.
Docker — container lifecycle within sandboxed environments.
When policy requires human approval, the executor pauses and dispatches a notification — SMS or email — to the designated approver. The action does not proceed until an explicit approval or denial is received.
The approval request consumes one action credit on submission, covering notification cost and provenance record overhead. No additional charge on resolution.
Deploy in minutes. Two inputs.
Minimum inputs: AWS Bedrock / OpenAI key (your LLM credential) + ProvenanceCode API key (provided on signup). Default ISO 42001 policy loads automatically.
How Agent OS sits in your stack:
YOUR AI AGENT (OpenClaw / Bedrock / OpenAI)
↓
AGENT OS Policy engine · Provenance · Approval gateway
↓
EXECUTORS Filesystem · HTTP · AWS · Docker
↓
EXTERNAL SYSTEMS AWS ECS · S3 · APIs · Databases · Infra
Goal / task → Provenance record + policy check → Approved action → Human approval via SMS / email when required.
ProvenanceCode ships as a Docker image with linked containers. Configure with your LLM credentials and ProvenanceCode API key.
# Pull and run via Docker
docker pull provenancecode/prvc:latest
docker run \
-e BEDROCK_API_KEY=your_key \
-e PRVC_API_KEY=your_prvc_key \
provenancecode/prvc:latest
Agent OS operates as an intercept and evaluation layer — not an additional LLM call. Policy evaluation is deterministic rule-matching, not inference. The provenance record schema is compact JSON appended to the agent’s existing output.
Net result: token usage increases by less than 5% vs running the native LLM alone. Typical latency impact is on the order of tens of milliseconds for policy eval.
| Scenario | Tokens (illustrative) | Latency (illustrative) |
|---|---|---|
| Native LLM only | ~2,000 | ~1.2s |
| Native LLM + Agent OS | ~2,080 | ~1.25s |
How Agent OS stays lean: deterministic policy engine (zero LLM inference), compact provenance record (~80 tokens average), async human approval (agent waits; no extra tokens for the wait).