WhiteFin is the execution layer of the AI agent stack — the layer that governs the gap between what the agent decides and what the tool actually runs. It sits inline between agent and tool, denies by default, and provides verifiable evidence that the action came from the agent's stated intent.

How is WhiteFin different from prompt filters or monitoring tools?

Prompt filters look at what the model says. Monitoring tools observe what already happened. WhiteFin sits on the data path between agent and tool, decides whether each call may run, and refuses calls that should not. Observation is useful but it is not enforcement — agents do not slow down for monitors that cannot say no.

What is Causal Provenance?

Causal Provenance is the verifiable evidence that an agent's action actually came from its stated intent. Cryptographically signed. Tamper-evident. Independently verifiable without trusting WhiteFin.

How long does it take to get to enforcement?

Fifteen days. Two weeks of shadow-mode observation, one day of policy review, one day to flip the switch. You do not author the policies; we generate them from what your agents actually do, and you approve them before anything goes live.

Can WhiteFin be deployed air-gapped?

Yes. Three deployment options: managed, self-hosted, and air-gapped. The enforcement guarantees are identical across all three; you pick by data-residency and audit posture.

For the CISO and the Regulator

When something goes wrong with an AI agent,
you need more than a log.

You need proof of what happened, what caused it, and who is accountable.

The Chain — Recorded at the Moment Each Event Occurs

Prompt / Instruction

Including source — legitimate channel or injected data, recorded at intake.

Agent Reasoning Step

Which action the agent chose and why, as expressed in its reasoning.

Tool Call Issued

Name, arguments, targets, full payload as the agent constructed it.

System Action Executed

The exact action — file path, network destination, process arguments.

Enforcement Decision

Allow or deny, the rule that matched, the latency of the decision.

Signed Record

Ed25519 signature across the entire chain. Tamper-evident.

What Causal Provenance Is

Every action an AI agent takes originates somewhere.

A prompt arrives. The agent reasons. It decides to act. It issues a tool call. That tool call produces a system action — a file write, a network connection, a database query, a subprocess.

Most security tools see the system action. Some see the tool call. None connect the two back to the reasoning that caused them — and none do it with cryptographic proof.

Causal Provenance is the complete, signed chain that links all of these together. Every link is recorded at the moment it happens — not reconstructed afterward. Every link is cryptographically bound to the links above and below it. The chain is independently verifiable without access to WhiteFin systems.

What the chain contains

At the prompt layer

The instruction the agent received — including the source. Whether it arrived through a legitimate channel or through an injected data source is recorded at intake.

At the reasoning layer

The decision the agent made — which action it chose to take and why, as expressed in its reasoning output.

At the tool call layer

The exact tool call issued — name, arguments, targets, and the full payload as the agent constructed it.

At the system call layer

The exact system call that executed — or attempted to execute — as a result of the tool call. File path, network destination, process arguments. What actually crossed the kernel boundary.

At the enforcement layer

The decision WhiteFin made — allow or deny — the policy rule that matched, the stage in the guard chain where the decision was made, and the latency of the decision.

At the signature layer

An Ed25519 signature across the entire record. The signing key is sealed at the kernel level — inaccessible to the agent process or any user-space process on the host.

Three Questions You Can Now Answer With Proof

Not from logs. From a signature.

"Did this agent do this thing?"

When an action is questioned — by a regulator, an incident review, an insurer, or a customer — you do not reconstruct from logs. You produce a signed chain that ties the system action back to the tool call that caused it, and the reasoning step that preceded that. The signature does the persuading. You are not asking anyone to take your word for it.

"What caused this action?"

Knowing that an action occurred is not the same as knowing why. A log tells you what happened. Causal Provenance tells you the complete sequence — from the instruction that entered the agent to the syscall that left it. When the cause is an injected instruction — a prompt injection, a malicious tool result, a poisoned data source — the chain shows exactly where the injection entered and how it propagated to execution.

"Did our agent do something it shouldn't have?"

Denying a claim is harder than confirming one. Causal Provenance gives you the equivalent of a notarized absence — an attestable chain that does not contain the action in question. "Our agent did not issue that request" becomes a defensible statement, not a hopeful one. The absence of a record, in a tamper-evident chain, is itself evidence.

Independent Verifiability

You do not need to trust WhiteFin. You need to trust the math.

The verification algorithm uses standard Ed25519 signature verification — publicly documented, no proprietary components. Any auditor, regulator, or legal team can verify:

→That a record was not altered after it was written
→That a record was not inserted after the fact
→That a record was not deleted — because deletion breaks the hash chain
→That the signing key that produced the record matches the key registered to your WhiteFin deployment

What This Means For Compliance

Recorded at execution time. Not reconstructed.

SOC 2

Every agent action that touched in-scope systems has a complete, signed record — what happened, which agent caused it, what instruction originated it. Recorded at execution time. Not reconstructed from application logs.

EU AI Act Article 14

Human oversight of high-risk AI requires demonstrable evidence that oversight mechanisms functioned. Causal Provenance provides that evidence per action, per agent, per decision — in a form independently verifiable by the notified body.

GDPR / Data Processing Accountability

When a data subject asks what an AI agent did with their data — you have a complete, signed record of every system action that touched it, traceable to the instruction that caused it.

Forensic and Legal Review

The chain is designed to be admissible. Tamper-evidence is structural — it does not depend on WhiteFin's attestation. An expert witness can verify chain integrity without reference to WhiteFin documentation or personnel.

Cyber Insurance

When a claim is made — or denied — the chain provides the factual record an insurer needs to evaluate it. Not a narrative. A proof.

What Causal Provenance Is Not

Three things people confuse it for.

It is not a log.

Logs are written by the application. They can be altered by the application. They can be selectively omitted. Causal Provenance is written at the kernel boundary — below the application layer — and is cryptographically sealed against alteration.

It is not a reconstruction.

Post-incident reconstruction correlates events from multiple sources and produces a probable sequence. Causal Provenance is recorded at the moment each event occurs. There is no correlation step. There is no probability. There is a chain.

It is not dependent on the agent's honesty.

An agent that has been compromised can lie in its outputs. It cannot alter what it did at the syscall level — and it cannot alter a record that was sealed before it had the opportunity to do so.

The Honest Limits

Where the chain begins and ends.

Causal Provenance covers the execution lifecycle of agents running on hosts where WhiteFin is deployed. It does not cover:

×Agent activity on hosts without a WhiteFin deployment
×Actions taken before WhiteFin was deployed
×The content of what the model generated — only what the agent did with that output

The chain begins at intake and ends at the syscall boundary. What happens inside the model is not part of the chain — and we do not claim otherwise.

If you are preparing for a compliance review, an audit, or an incident response — and you want to understand what Causal Provenance looks like against your specific requirements:

Talk to us →

When something goes wrong with an AI agent,you need more than a log.