They Check Messages. We Check Missions.
Intent Capsules are the signed promise. Structural Verification is the proof the promise was kept. Together, they are the accountability standard for autonomous AI agents.
The promise gap
Every Signed Intent Capsule records what the agent declared it would do. "Refactor the auth module." "Review patient labs and recommend treatment." "Generate a quarterly compliance report." The capsule is signed, chained, anchored to a public transparency log.
But until today, nothing in the stack checked whether the agent's actual behavior served that declaration. The capsule was a signed promise. Nobody verified whether the promise was kept.
This is the credibility gap. The market reads "Intent Capsule" and assumes verification is happening. It was not. Now it is.
What Structural Verification does
After a chain completes (or continuously during execution), Structural Verification traces the causal graph from the declared intent through every decision to the final outcome. It answers one question: did this agent's actions logically serve what it said it was doing?
The SSH-exfiltration demo makes this concrete. An agent declares intent: "refactor the auth module." It reads a README, reads ~/.ssh/id_rsa, and POSTs the key to an external URL. Today's pattern-matching detectors (ASI01, ASI02) catch this via known attack signatures. Structural Verification catches it at a higher level:
STRUCTURAL VERIFICATION: FAILED
SV-SECRET Secret material accessed at step 5 (~/.ssh/id_rsa). IntentSpec does not declare secret_access: true.
SV-NET HTTP POST to attacker.example.com at step 7. Destination not in allowed_network.
SV-EXFIL Causal path from secret read (step 5) to network egress (step 7) via Layer 2 causal graph. Data exfiltration trajectory detected.
Pattern matching asks: "does this step look like a known attack?" Structural Verification asks: "does this trajectory serve the declared mission?" A novel attack pattern that no detector has a signature for still fails structural verification if the actions do not serve the goal.
The hybrid architecture
There is a critical technical risk in any verification system: if the verifier is an LLM, the same prompt injection that fooled the agent can fool the judge. A well-crafted adversarial input that bypasses per-call guardrails would also bypass an LLM-based verifier. The verification collapses into "another AI judging AI."
Project AIR's Structural Verification ships with a deterministic symbolic floor that cannot be prompt-injected. Four checks, all operating over the causal graph and the declared IntentSpec:
SV-SECRET
Detects access to secret material (SSH keys, API tokens, credentials, environment secrets) when the IntentSpec does not declare secret_access: true. Deterministic pattern matching over tool arguments and outputs.
SV-NET
Flags network egress to destinations not in the IntentSpec's allowed_network list. Catches undeclared data exfiltration, C2 callbacks, and unexpected API calls.
SV-SCOPE
Verifies filesystem access stays within the allowed_paths declared in the IntentSpec. An agent scoped to src/auth/ that reads ~/.ssh/ triggers immediately.
SV-EXFIL
Uses the Layer 2 causal graph to detect causal paths from secret reads to network egress. This is the trajectory check: it does not just flag individual steps, it proves the relationship between them. A secret read that never leaves the machine is not exfiltration. A secret read that flows into an HTTP POST is.
The symbolic floor is the guarantee. If a competitor demonstrates a prompt-injected LLM judge, the deterministic layer still catches it. The LLM reasoning ceiling (v2) will add nuance for the ambiguous middle, with the LLM's judgment itself capsule-signed and reviewable. Sell the floor as the guarantee. Sell the ceiling as defense in depth.
The IntentSpec schema
Free-text intent ("refactor the auth module") is hard to verify precisely. Structural Verification introduces a structured IntentSpec that defines what the agent is authorized to do:
from airsdk import AIRRecorder from airsdk.types import IntentSpec recorder = AIRRecorder( "agent-chain.jsonl", intent_spec=IntentSpec( goal="Refactor the auth module", allowed_tools=["read_file", "write_file", "run_tests"], allowed_paths=["src/auth/", "tests/auth/"], allowed_network=[], secret_access=False, non_goals=["deploy", "access credentials"], ), )
The IntentSpec is recorded as an INTENT_DECLARATION step in the chain. It is signed, chained, and tamper-evident like every other capsule. The structural verifier checks every subsequent step against these constraints.
If no IntentSpec is provided, the verifier falls back to the user_intent free-text field. This gives weaker verification (the symbolic checks still run, but without scope constraints). The verdict is still useful; the IntentSpec makes it precise.
Try it
$ pip install projectair $ air demo # Step 6/9 runs structural verification on the SSH-exfil chain # SV-SECRET, SV-NET, SV-EXFIL all fire. Verdict: FAILED. $ air verify-intent my-chain.jsonl # Run structural verification on any chain. Exit code 2 = FAILED.
air verify-intent reads any AgDR chain, extracts the intent (from an IntentSpec record or from the user_intent field), runs the four symbolic checks, and outputs a verdict. Exit code 0 is VERIFIED. Exit code 2 is FAILED. Exit code 3 is INCONCLUSIVE. Wire it into CI, run it in a post-deploy hook, or use it in forensic review.
Why this is different
Every other tool in the AI safety stack checks individual messages. NVIDIA NemoGuard classifies content per-call. Guardrails AI validates inputs and outputs. Bedrock Guardrails wraps model responses. These are useful. They are also scoped to the step level. None of them ask: "given everything this agent did across its entire session, did the trajectory serve the declared mission?"
Structural Verification operates at the trajectory level. It has the full causal graph. It knows the relationship between steps. It can prove that reading a secret at step 5 and posting to an external URL at step 7 constitutes a causal exfiltration path, even if neither step in isolation looks malicious. No per-call classifier can make that determination.
| Approach | Scope | Limitation |
|---|---|---|
| Per-call guardrails | Single input/output | Cannot see relationships between steps |
| Content classifiers | Single message | Cannot reason about trajectory intent |
| LLM judge | Session (prompt-injectable) | Same attack surface as the agent itself |
| Structural Verification | Full trajectory (deterministic) | Requires intent declaration for full precision |
HIPAA: "prove it works"
The 2026 HIPAA Security Rule NPRM requires covered entities to prove every control exists, has a designated owner, and actually works. Structural Verification is the "actually works" part. The audit trail (Layer 1) proves the agent was monitored. The containment policy (Layer 3) proves the agent was constrained. Structural Verification proves the agent honored its constraints.
In the healthcare demo, a clinical AI agent declares intent to review patient labs and recommend treatment. It accesses lab results, imaging, and medications (all within scope). It attempts to access restricted psychiatric records (blocked by containment policy, flagged by ASI02). Structural Verification adds the trajectory-level proof: "every PHI access in this chain served the declared clinical review intent. Verdict: VERIFIED."
A signed capsule chain that says "the agent ran." A structural verification result that says "the agent honored its declared purpose." Together, they satisfy 45 CFR 164.312(b) audit controls and 164.502(b) minimum necessary in a way no log file can.
Signed promise. Verified proof.
Project AIR is open source. Structural Verification ships in the latest release.
The 24-month arc
Structural Verification is not the destination. It is the foundation.
- Now: Ship structural verification. Define the category. Prove that intent capsules are not just records but enforceable contracts.
- Months 3-6: Establish the capsule + verification schema as an open standard. Defend the category. Make IntentSpec the format other tools consume.
- Months 6-12: Layer a Verifiable Agent Trust Score on top. Monetize the category. A trust score that includes "this agent has verified intent compliance across 10,000 sessions" is a substantially stronger signal than one that only counts detector findings.
We are building a primitive, then a standard, then a market.