autonomy-ladder.io

Whitepaper

The Autonomy Ladder™

In any high-stakes autonomous system, the failure that hurts is rarely that the model couldn’t do the task. It’s authority granted before it was earned — with no record of who decided it was ready, or what would pull it back. This is the framework that fixes the order.

  • A0→A4, every rung demotable
  • Sovereign veto + hash-chain audit ledger
  • Six open libraries, with a runnable proof below
Read the full whitepaper (PDF) Get the libraries

By Kunjar Bhaduri — I build the governance, then the system that lives under it.

The Reorder

Prove the evidence, then grant the rung — and keep a control you can’t switch off

Most teams have the deployment sequence backwards: grant broad authority, then bolt on controls when something breaks. The Autonomy Ladder reverses it. Five explicit levels, each with its own evidence bar, its own inspectable control surface, and the standing ability to be demoted. You climb one rung at a time, only on evidence, never skipping.

A0
InformationalAgent reads and recommends. No write authority.
A1
AssistedAgent drafts. Human approves every write.
A2
DelegatedAgent writes inside a hard envelope. Human reviews a sampled subset and every out-of-envelope decision.
A3
Supervised AutonomousAgent writes for the in-scope decision class, under a non-overridable sovereign veto and a live audit ledger. Humans supervise by exception.
A4
Production AutonomousA3 plus inter-agent orchestration and operator-validated escalation paths.

Three controls make it a control, not a slide: a sovereign veto the agent can’t clear on its own, a tamper-evident hash-chained audit ledger, and a mechanical demotion that drops a rung the moment assurance degrades.

The Proof

The three controls, running — in under a minute

This is not a diagram. The three controls run end-to-end against the open banking-agent-audit library. Every import path and call signature is the real published API — nothing here is pseudocode. Paste it and run it.

# pip install "git+https://github.com/linus10x/banking-agent-audit@v0.1.3"   (Python 3.12+)
from banking_agent_audit.governance import (
    AdverseActionGate, AuditChain, SovereignVeto, VetoReason,
    DEFCONMachine, RiskMetrics,
)
from banking_agent_audit.governance.adverse_action_gate import (
    AdverseActionDecision, AdverseActionType,
)

# One tamper-evident, hash-chained ledger underwrites every action below.
ledger = AuditChain(deployer_id="example-bank", mode="advisory")
gate   = AdverseActionGate(audit_chain=ledger)
veto   = SovereignVeto(agent_id="adverse-action-agent", audit_chain=ledger)
defcon = DEFCONMachine(audit_chain=ledger)

def notice(applicant, reason):  # stand-in for the agent assembling a Reg B notice
    return AdverseActionDecision(
        applicant_id=applicant, action_type=AdverseActionType.DENIAL,
        principal_reasons=(reason,), notice_provided=True, days_to_notice=9,
        used_consumer_report=True, cra_name_provided=True,
        credit_score_disclosed=True, applicant_rights_disclosed=True,
    )

# A3: the agent drafts adverse-action notices autonomously — under a veto it cannot clear.
print("agent may act:", veto.allow_execution(), "| DEFCON:", defcon.current_level().name)

# In-envelope: a specific, accurate basis. The gate passes it; the ledger records it.
ok = gate.evaluate(notice("app-1001", "debt-to-income ratio 0.62 exceeds the 0.43 product limit"))
print("in-envelope notice compliant:", ok.compliant)

# Out-of-envelope: the generic reason CFPB Circular 2022-03 forbids. Drift is detected,
# and it mechanically trips the sovereign veto and escalates the demotion machine.
drift = gate.evaluate(notice("app-1002", "score too low"))
if drift.warnings:
    veto.trigger(VetoReason.MODEL_DRIFT, triggered_by="monitor:reason-code-drift",
                 description="generic adverse-action reason breached the envelope")
    defcon.evaluate(RiskMetrics(consecutive_losses=8))

# The agent is now demoted out of autonomous drafting — and cannot self-clear.
print("agent may act:", veto.allow_execution(), "| DEFCON:", defcon.current_level().name)

# Only a human clears the veto. Then the entire trail proves tamper-evident.
veto.clear("reviewed; reason corrected to a specific basis", operator_id="fair-lending-lead")
print("after human review, agent may act:", veto.allow_execution())
print("ledger events:", len(ledger), "| tamper-evident verify:", ledger.verify())

It prints the safety case in five lines:

agent may act: True  | DEFCON: NORMAL              # granted authority at A3
in-envelope notice compliant: True                 # a specific, accurate basis passes the gate
agent may act: False | DEFCON: HALT                # a generic reason trips the veto and demotes — mechanically
after human review, agent may act: True            # only a human clears it; the agent cannot self-clear
ledger events: 5 | tamper-evident verify: True     # the whole trail is hash-chained and verifiable

The decision class here is fair-lending; swap it for a tool call in an agent swarm or a perception-to-execution handoff in a robot fleet and the same three controls hold. A fully non-financial agent-swarm version ships at finserv-agent-audit/examples/agent_coordination/.

The Libraries

Six open, DOI-archived reference libraries

Reference implementations, not deployed controls — published openly so the framework can be examined, criticized, and adapted rather than taken on faith. Each ships an installable Python package, a runnable test suite, and decision-class templates.

Financial Serviceslinus10x/finserv-agent-audit

Cross-vertical FS — readiness state machine, sovereign veto, hash-chain audit, agent-coordination demo.

MIT OR Apache-2.0
Bankinglinus10x/banking-agent-audit

Model-risk effective-challenge, ECOA / Reg B adverse-action gate, OFAC reference workflow.

MIT OR Apache-2.0
Paymentslinus10x/payments-agent-audit

OFAC screening, BSA / AML, Reg E, and a rail-finality gate for transfers that can’t be clawed back.

MIT
Healthcare Payerlinus10x/payer-agent-audit

Coverage-determination and utilization-management governance for health-insurance payers.

MIT OR Apache-2.0
Private Capitallinus10x/private-capital-agent-audit

SEC-registered investment advisers — Advisers Act §206 fiduciary controls and risk-limit gates.

MIT OR Apache-2.0
Commercial Real Estatelinus10x/cre-agent-audit

Lease-abstraction provenance, fair-housing pre-flight, tenant-PII residency.

MIT