For CISO / Security Teams
Prompt injection is unsolved.Blast radius isn't.
For high-impact agent actions, Good Proof enforces fail-closed execution: if Status Link is not VALID, execution is blocked or escalated.
External verification • Revocable authorization • Decision-time evidence • Scope-bounded control
Not a certification. Scope-limited verification.
CISO 60-Second Brief
Problem
Prompt injection and goal hijack remain persistent risk classes.
Control
Status Link verification before high-impact execution.
Output
Evidence Pack for IR, audit, and legal review.
Boundary
Limits blast radius; does not claim prevention or blanket compliance.
Is this a fit?
Best fit
- High-impact actions with security, financial, legal, or operational consequences
- Workflows that require stop-rely and decision-time evidence
Not fit
- Low-risk chat-only use cases
- Teams seeking prompt tuning without execution controls
Done means: your selected workflow blocks automatically when status ≠ VALID.
Runtime Control Outcomes
Hard gate
No Stamp → No high-impact execution
Live revocation
Source withdrawal propagates under policy-bounded enforcement
Audit-ready trail
Exportable Evidence Pack for IR/audit/underwriting
Fail-closed
Timeout/TLS/mismatch → NOT_VERIFIED → block/escalate
How Enforcement Works
1
Agent requests a high-impact action
2
Gate verifies Status Link from official verifier
3
Policy evaluates status + scope + expiry
4
Execute only if VALID, otherwise block/escalate
5
Log Gate Decision + evidence fields
Failure Semantics
Explicit condition → state → action mapping
| Condition | State | Action |
|---|---|---|
| Verifier timeout | NOT_VERIFIED | Block/Escalate |
| TLS failure | NOT_VERIFIED | Block/Escalate |
| Domain mismatch | NOT_VERIFIED | Block/Escalate |
| Malformed response / signature failure | NOT_VERIFIED | Block/Escalate |
| WITHDRAWN | WITHDRAWN | Block |
| NEEDS_REFRESH | NEEDS_REFRESH | Escalate/Review |
| Out-of-scope / expired | NOT_VERIFIED | Block/Escalate |
What a Stamp Proves
Proves (within scope)
- Action class + Gate Decision
- Verification timestamp
- Signer/authority reference
- Scope boundaries + expiry
- Validity state
- Evidence window for IR/audit
Does not prove
- Prompt injection prevention
- Model correctness or output accuracy
- Agent intent or alignment
- Raw sensitive payloads
- Regulatory compliance guarantee
In incidents: Status Link = reliance state now. Evidence Pack = decision-time record.
Status Triggers
NEEDS_REFRESH
- Model/tool version change
- Policy/scope change
- Key rotation or credential refresh
- Workflow/routing change
- Incident opened pending review
WITHDRAWN
- Confirmed prompt injection or goal hijack
- Agent compromise or unauthorized tool access
- Scope boundary breach
- Material incident requiring stop-rely
- Critical vulnerability in agent stack
Evidence for IR/Audit/Legal
Fields per Gate Decision
evidence-fields.json
stamp_idaction_classdecisionstatusverified_atexpires_atverifier_domainsignerversionrequest_idreason_codefailure_mode
Designed for decision-time reconstruction and external review.
Fits Into Your Security Program
Compensating control, not replacement
Least privilege and role-based accessSandboxing and isolated executionEgress controls and network segmentationSecrets management and credential rotationSIEM/SOAR/XDR integration
What Procurement, Legal, and Security Will Ask
Do you require sensitive payloads for verification?
No. Verification uses references, hashes, and scope identifiers. Sensitive payloads excluded by default.
What happens if the verifier fails?
Fail-closed. Any verification failure returns NOT_VERIFIED → block or escalate.
Is this a certification?
No. Scope-limited verification within contract-defined action classes.
Who controls retention and telemetry?
Buyer-controlled. Retention periods defined in Order Form. Minimal disclosure by default.
"Reliance on agent-executed high-impact actions is contractually conditioned on VALID status at decision time."
Verification path excludes raw PII/PHI payloads by default.
"High-impact [ACTION CLASS] SHALL require a valid externally-verifiable Status Link (No Stamp → No Ship)."
30-Day Sprint
One lane live with fail-closed gating, Status Link verification, and Evidence Pack output.
1
Scope & criteria
3 action classes, boundaries, success criteria
2
Integrate gate
Verification checks, logging, Status Link endpoint wiring
3
Failure testing
Timeout/TLS/mismatch drills + tabletop incident
4
Go-live report
Metrics, control gaps, rollout plan
Risk Reduced vs Residual
Risk reduced
- Unbounded blast radius from compromised agents
- High-impact actions without revocable gate
- IR evidence gaps
- Stale authorization after material change
Residual (out of scope)
- Prompt injection prevention as a category
- Model correctness or output quality
- Insider threat or privileged abuse
- Blanket compliance or certification guarantees
Designed to limit blast radius, not eliminate compromise.
Assurance Governance (Optional by Lane)
Mind Chill Guardians
Programme-scoped human finality for exception lanes only
Conflict checks and rotation
Multi-review thresholds for high-risk lanes
Minimal disclosure with auditable traceability
Ready to gate high-impact agent actions?
Definition of done: your workflow blocks on status ≠ VALID.
Each month without execution gating extends unbounded reliance risk during compromise.
Scope-limited verification. Not a certification.