Why Sanction
Why authorization is its own system
Autonomous software acts. Everything else in the stack — identity, prompts, observability, human sign-off — gets treated as if it were the control. None of them are. These are the six claims Sanction is built on.
01Identity isn't authorization.
Knowing who an agent is says nothing about what it may do right now. Identity is a prerequisite, and it belongs upstream — Entra, SPIFFE, agent cards, your issuer of record. Authorization is a separate question asked on every action, against live policy and live budget state. Sanction consumes canonical identity and mints governed runtime identity; it never becomes your identity provider, and your identity provider never becomes your policy engine.
02Prompts aren't policy.
“Please don’t spend more than $200” is a suggestion to a stochastic process. A policy is a limit that holds when the model is confused, jailbroken, or simply wrong — because it is enforced outside the model, by a system the model cannot argue with. If your guardrail lives in the system prompt, your guardrail is an opinion held by the thing being guarded.
03Observability isn't enforcement.
A dashboard that shows you the overspend after it cleared is a record of a decision nobody made. Watching agents is necessary and insufficient: the check has to happen before the action, atomically with the budget debit, or sibling agents will race past the cap between your metric and your alert. Sanction sits in the request path on purpose.
04Approval is not execution.
A human saying yes should not hand the agent a blank check — it should mint exactly one authorization. In Sanction, approval produces a single-use, expiring grant bound to the request that escalated. The agent redeems it once, the evidence records it, and the authority dies with the use. Standing permission is how one good approval becomes a thousand unreviewed actions.
05Evidence requires replay.
A log line says what happened; it cannot prove why. Proof requires determinism: pure rules, an immutable revision for every policy edit, and the exact context each decision evaluated — stored. Ask “why was this denied?” and Sanction re-runs the same rules over the same context and shows the outcome reproduces. The same property runs forward: replay last week under a candidate policy before you set it. If a decision can’t be replayed, it can’t be audited — only narrated.
06Governance should travel with the agent.
Platform vendors govern agents inside their own walls — and agents don’t stay inside walls. The same policy has to answer over REST, MCP, an SDK, a Bedrock action group, an LLM gateway, and the open AuthZEN standard, so that switching runtimes never means shedding governance. Authorization that only works in one ecosystem isn’t governance; it’s a feature of someone else’s product.
The consequence
Take the six claims together and the conclusion is structural: authorization has to be a system of its own — deterministic at the core, atomic where money and state move, evidenced everywhere, and independent of any platform the agent happens to run on. That system is what Sanction is.