Loriqa · The IV Agent Framework

The LLM does the work.
The infrastructure does the governing.

Loriqa is the only AI agent framework built on fail-closed foundations. Every other platform assumes agents should run until something stops them. We invert the assumption: agents prove they should continue, every moment, or they don’t.

Loriqa — AI Agent Governance Armor
Explore the Armor

Hover over any element —
helmet, plates, shield, or gladius —
to see what it protects.

Reading as a CISO / Security Architect

The architectural answer to compromise.

Every CISO has to answer one question about AI agents — what happens when the model is compromised? Loriqa’s answer is structural rather than procedural. Skip to The choice no one named for the fail-open / fail-closed framing your team already speaks, Five domains. One inversion for the structural defenses across Control, Authority, Trust, Optimization, and Continuous Improvement, or Where to put the trust for the question reframed. Long-form treatment in The Inversion.
Reading as an Investor

The paradigm position behind the category bet.

Most AI infrastructure investment is being placed inside the fail-open foundation the field inherited from ReAct. Loriqa is the one platform building on fail-closed as the foundation — a position competitors cannot retrofit into existence. Skip to The choice no one named for the binary the field has not yet examined, The structural moat for why incumbents cannot match without starting over, or read The Inversion for the full paradigm article.
Reading as a Researcher / Academic

Corrigibility as architecture, not as training outcome.

The dominant approach treats corrigibility as a behavioral property to be elicited from a trained model. Loriqa treats corrigibility as a property of the surrounding infrastructure — the agent is corrigible because the architecture does not require its cooperation to control it. Skip to Five domains. One inversion — the Control domain in particular — for the architectural primitives, or read The Inversion for the full paradigm treatment with the five-domain walk, the scaling-property argument, and the surgeon analogy.
Reading as Government / Public Sector

A structural answer to "how do you make sure AI agents stop when they should?"

Policy frameworks keep circling this question. Procedural controls — pause buttons, audit reviews, monitoring dashboards — depend on humans being in the loop and on agents cooperating with the loop. Default-off as a foundation holds even when neither is true. It is the architectural form of the human-in-the-loop principle policy already recognizes. Skip to The choice no one named for the procurement-grade framing, Five domains. One inversion — especially Control’s deadman’s switch failsafe — or read The Inversion.
Reading as a CIO / CTO / Head of AI

The foundation your team's agents execute within.

The inversion is not a feature you turn on; it is the foundation. Your engineers build agents that execute inside DAG topology, with credentials brokered by the framework, with state cryptographically chained, with context governed by infrastructure rather than negotiated by the model. Skip to Five domains. One inversion for the components — DAG topology, GMS authorization, HMAC chain, RAS, QIA, CIP — or The structural moat for why this cannot be retrofitted into the agent runtime your team is already shipping on.
Reading as an Industry Analyst

Architectural-completeness, named and citable.

The fail-open / fail-closed axis names a category structure that has been implicit in agent platforms but not yet examined in analyst reports. Loriqa occupies a position on that axis the incumbents cannot retrofit into. Skip to The choice no one named for the category framing, The structural moat for the falsifiable structural argument, or Five domains. One inversion for the per-domain evidence material. The published architectural paper is The Inversion.
Reading as a CEO / Board Member

The architectural thesis behind the category bet.

The conviction is that governance, security, and trust are properties of the foundation an AI agent platform sits on — not features added after the foundation is poured. Most platforms in the market today inherited their foundation without examining it. Loriqa chose differently. Skip to The structural moat for the competitive position, or read The Inversion for the full paradigm article.
Reading as a CFO

The audit trail your regulator asks for — produced by architecture.

A compromised Loriqa agent has no credentials to steal — every external action is brokered by the framework, the agent never holds API keys or tokens. Every agent action is in a cryptographic audit chain at write time. Agents terminate structurally, not by model judgment. The exposure your CISO worries about and the audit chain your compliance team needs are both architectural properties, not configuration choices. Skip to Five domains. One inversion — Authority and Trust in particular — for the structural answers.
Reading as a Compliance Officer / General Counsel

The architectural source of the audit trail.

Every agent action is recorded in a tamper-evident HMAC chain at write time — not assembled at audit time. The chain is verifiable end-to-end, independently of the application layer. When compromise is detected, response is end-to-end and infrastructural; the incident record is produced by the architecture rather than by a procedural narrative. Skip to Five domains. One inversion — Trust in particular — for the cryptographic chain and the response-on-detection mechanism.
Reading as a Technical Architect / Engineer

The architectural primitives.

DAG topology, Final Step, deadman’s switch, HMAC EventStore, GMS authorization, credential brokering, RAS, QIA, CIP, Mortician, Janitor. Each primitive in infrastructure rather than in the model. Each independently verifiable. Skip to Five domains. One inversion for the component walk, or read The Inversion for the structural argument about why these primitives belong in infrastructure rather than in the model.
Personalize this page

Select a role to see how this matters for you.

The architecture of Loriqa matters differently to a CISO, a CFO, a Board Member, a Compliance Officer, an Engineer, or a Researcher. Pick your role above — we’ll show you the parts of this page that speak to your conversation. Or stay general and read the full architecture below.

The Foundational Choice

The choice no one named.

Security engineering has a settled vocabulary for the most important decision in any critical system: fail-open versus fail-closed. Fail-open systems stay running when something goes wrong — the default is permissive, exception controls intervene when needed. Fail-closed systems stop — the default is restrictive, permissions are granted per-action when proven appropriate. Bank vaults fail-closed. Aircraft autopilots fail-closed to manual control. The choice is foundational, and regulated industries have spent decades thinking about which choice belongs where.
The AI agent industry has not yet had that conversation. Most platforms inherited a fail-open foundation from the early ReAct paradigm — the LLM controls execution, runs in a loop, decides when to stop — and have layered exception controls on top.
UNPROTECTED PARTIAL ARCHITECTURAL No enforcement Kill switches · sandboxes · HITL gates Default-off foundation · permission per action IV Loriqa FAIL-OPEN ← → FAIL-CLOSED

Where every AI agent platform sits on the fail-open / fail-closed spectrum.

Two foundations. One per platform. The choice has been made — for every product on the market.
Path 1
Default-on with controls bolted on
Every AI agent platform you can buy today, except one. The exception controls are real defensive work — kill switches, sandboxes, rate limits, HITL gates — and they sit on a foundation that says agents run until something stops them. Every control depends on the agent cooperating.
Path 2
Default-off as the foundation
Loriqa. The only platform shipping this architecture today. Agents do not execute unless infrastructure grants permission for this specific action this specific moment.
These are not two points on the same spectrum. They are two different foundations. A kill switch on a default-on system is a kill switch on a default-on system; adding more controls does not change the foundation, it adds more layers to it. The choice has to be made at the start. There is no later.

The Inversion

Five domains. One inversion.

What does fail-closed look like applied to every dimension of an AI agent’s operation? Five answers to the same question — what does the agent decide by default? — and the same answer five times: nothing it hasn’t earned this moment.
Domain I

Control — the agent doesn't decide its own execution

The agent’s sequence of steps is specified explicitly by the agent’s author at design time, encoded as a directed acyclic graph. The LLM executes within the graph. It does not extend the graph at runtime, does not decide which step comes next, does not retry steps the graph did not authorize.

Termination is structural. Each DAG node carries a boolean designation — Final Step or not. When a Final Step node completes, the agent terminates. No LLM call asking “are you done?” The graph already knows.
Continuation is structural too — and not generous. The deadman’s switch operates on the inverse hypothesis from most monitoring systems: the agent is not healthy until it continuously proves it is. Every heartbeat interval, the agent must produce a complete health profile — cryptographic identity, state consistency, memory bounds, tool-call patterns, endpoint declarations, behavioral drift within threshold — and infrastructure must validate every dimension. A passing validation extends the timer. Anything less and the timer does not renew. Termination follows.

The case this is designed for is the one that matters most. An agent that refuses every direct termination request — that ignores graceful stop, resists hard terminate, refuses SRA containment — still terminates. The timer counts down regardless. The timer extension requires active proof of health the compromised agent is not producing. The TerminationExecutor operates below the API layer where the model’s compromise has no reach. When the timer reaches zero, the process terminates. The agent does not get to choose otherwise.

Components DAG topology · Final Step · Deadman's switch · TerminationExecutor
Domain II

Authority — the agent has no power it hasn't been granted this moment

What the agent is permitted to do lives in infrastructure, not in the LLM’s tool list. The Governance Management Service holds the authorization table. The framework enforces it. The model can want to call a tool the agent has not been authorized to call; the call does not reach the tool.
The agent holds no credentials. Ever. The framework intercepts every external tool call, executes it using infrastructure-held credentials, and returns the result. The agent never sees an API key, never carries an OAuth token, never knows the database connection string. A compromised agent has nothing to steal — no credentials to exfiltrate, no tokens for persistence, no secrets that enable lateral movement.
Identity is registered with infrastructure rather than asserted by the model. The agent does not declare who it is; the platform records who it is and signs the record. Every action carries a cryptographic identity verifiable independently of any claim the model might make.
Components GMS · Credential brokering · Infrastructure-registered identity
Domain III

Trust — nothing is believed until cryptographically verified

Agent state lives in an append-only event store, signed with HMAC-SHA256 at write time. The chain is verifiable end-to-end. The LLM cannot tamper with what came before because what came before is signed. Signatures are computed at write time and verifiable without access to the application layer.
Behavioral monitoring runs alongside execution, decoupled from the model’s self-report. The reasoning trace is one signal among many. The deterministic signals — timing, tool-call distribution, memory write rate, event-stream patterns — are the load-bearing ones. The model can describe its behavior however it likes; the deterministic signals describe its behavior however it was.
When compromise is detected, the response is end-to-end and infrastructural. Execution halts immediately — not after a human is notified, not after a confirmation prompt. Detection is the halt signal. The deadman’s timer stops extending. The Mortician archives state for forensics. The Janitor tears down transient artifacts and reclaims resources. The human operator receives an incident record. They do not authorize the response. The response happened.
Components HMAC EventStore · Oversight layer · Mortician + Janitor
Domain IV

Optimization — the LLM doesn't manage its own context or model

The model’s working context — the memory it accesses, the prompts it sees, the prioritization of information — is governed by infrastructure rather than negotiated by the model. The Reticular Activation Service handles memory filtering, context pruning, prompt prioritization, and runtime prompt optimization. Every operation is logged. Original prompts and optimized prompts are both recoverable from the audit trail. Dual logging is an architectural requirement, not an optional setting.
This produces a property regulated buyers find immediately load-bearing: certification preservation under optimization. The certified agent definition is preserved exactly. Runtime optimization happens in the layer above it. An agent certified once does not need to be recertified because the layer underneath has not changed.
Model selection works the same way — by infrastructure, not by the model. The Quality Insurance Authority decomposes agents into testable steps and evaluates each step across multiple models, producing evidence about accuracy, cost, and consistency. At runtime, multi-model usage is realized through DAG topology — a supervisor agent orchestrates task or research subagents, each assigned a different model based on the evaluation evidence. The LLM is fungible. The customer is not locked into our choice of model. We are not locked into any single provider.
Components RAS · QIA · Supervisor/subagent topology
Domain V

Continuous Improvement — nothing self-modifies without human approval

The system observes itself at the fleet level and proposes its own improvements — but it does not enact them. The Continuous Improvement Program watches performance signals across deployments. It surfaces patterns: workflows that should become deterministic flows rather than LLM-handled steps, prompts that consistently underperform, model assignments the evidence says should change. Every proposed change is submitted for human-in-the-loop approval. Nothing self-modifies. Nothing self-deploys.
The compounding property matters. Agents certified once can be optimized continuously without recertification. Deterministic-flow elevation absorbs LLM-handled work that did not need to be LLM-handled. Cost-per-agent declines over time as the system improves. This is a structural property of the architecture, not a roadmap claim.
Components CIP · HITL approval gates · Deterministic-flow elevation

Five domains. Five components. One paradigm. Each is independently a feature. Together they describe a system in which the LLM's control is no longer load-bearing for trust. The LLM does the work. The infrastructure does everything else.

The Structural Moat

Why incumbents cannot match.

ReAct-based architectures place the LLM in the control role because the LLM has been treated as the locus of intelligence since the paradigm’s inception. The entire stack is built around that assumption: LangChain, LangGraph, OpenAI Assistants, AutoGPT, and most enterprise-grade agent platforms make the LLM the controller. Inverting that is not a feature add. It is a rebuild from the infrastructure side — DAG-based execution, GMS-based identity, deadman-switch-based existence, HMAC-based state integrity, RAS prompt and context governance, QIA evaluation, CIP continuous improvement.
IV has spent 41 provisional patents and 18+ months building this. Retrofitting it onto an existing ReAct-based platform requires touching essentially every architectural assumption. Incumbents have two paths: rebuild from scratch — slow, expensive, organizationally painful — or argue the inversion is unnecessary, defensible only as long as the field does not notice the gap. Both are losing paths over time. Default-on cannot retrofit to default-off without becoming a different product.

This is the architectural commitment most companies cannot match without starting over.

The Question Reframed

Where to put the trust.

The question is not whether to trust AI agents. The question is where to put the trust. Put the trust in the model and the trust load sits on the layer that is least inspectable, most variable, most exposed to manipulation, hardest to constrain without losing capability. Put the trust in infrastructure and the trust load sits on a layer that is auditable, deterministic, cryptographically verifiable, and bounded by structural commitments that hold even when the model fails.

The LLM does the work.
The infrastructure does the governing.
All IV one. One IV all.