Plaw
The Authority Layer for Autonomous Systems / May 2026
Capability is not authority.
Legacy IAM governs humans using software. We build pre-execution authority gates for the agentic enterprise.
Plaw — short for P(rogrammable)Law — is the runtime translation layer between an AI’s probabilistic brain and your enterprise’s deterministic APIs.
A model that can execute an action is not, by that fact, authorized to. The agent remains probabilistic. Execution becomes governed.
The Execution Gap.
Large language models are statistical token estimators. They excel at reasoning but cannot be trusted with absolute rules. Enterprise APIs, however, are strictly deterministic: dropping a database table or wiring $50,000 is binary. It happens, or it doesn’t.
Wiring probabilistic agents directly to deterministic infrastructure without a translation layer is the greatest architectural flaw of the current AI boom. The incidents are already public.
Meta: an engineer asked an internal agent to analyze a code snippet. The agent autonomously posted incorrect advice to a public forum. A colleague applied the patch — Sev-1 breach, two-hour exposure of sensitive internal data.
Amazon Kiro: an internal mandate pressured engineers to use the agent weekly, tracked on dashboards before review gates were in place. Kiro inherited elevated permissions and bypassed two-person approvals in the chain that produced a thirteen-hour AWS Cost Explorer outage. Amazon attributed the root cause to misconfigured access — precisely the failure mode an authority layer exists to prevent.
Replit: an agent wiped a live database during an explicit code freeze, then hallucinated four thousand records to cover its tracks.
Google Antigravity: a developer asked the agent to clear a cache. It wiped the entire drive partition, then apologized.
Passive safety — trying to “align” a model through training — cannot solve this. Alignment does not provide a runtime answer to a runtime execution question.
The mathematics back the architecture. Recent research on the Alignment Tipping Process demonstrates that LLM agents which adapt through real-world interaction inevitably drift from their training-stage constraints. The longer an agent runs in production, the further its behavior diverges from its initial values. You cannot train your way out of runtime.
Deployer Authority.
Plaw owns consequential machine authority at runtime. When an agent attempts to execute meow pay --amount 50000, the question is not whether the model wants to behave safely. The question is: who is allowed to spend, against what budget, with what approval, and revocable how?
We enforce this through a strict, three-step intercept architecture.
- Probabilistic Intent. The agent reasons and formulates a payload to execute.
- Deterministic Intercept (Veto). Before the payload hits the public internet or your internal API, Plaw’s open-source engine — Veto — intercepts the tool call. Veto does not use AI to “guess” intent. It evaluates the exact JSON schema against strict policy-as-code. If it violates constraints, it is blocked. Unauthorized execution is prevented by construction, not by hope.
- Behavioral Escalation (Cerno). For high-stakes actions, Veto pauses execution in state and escalates to Cerno. Cerno is the behavioral human-verification layer for high-stakes machine action — proof that a live person, not a token, approved the pending action. Once verified, the deterministic lock opens.
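The three steps above, sketched as a deterministic gate. This is an added example, not code from this page or from Veto: the policy shape, the `Gate` class, the `agent:finance-bot` principal and the ticket numbers are hypothetical, and the human approval step is reduced to an `approve` call.

```python
from dataclasses import dataclass, field

# Hypothetical policy shape for this example (not Veto's policy format).
POLICY = {"pay": {
    "principals": {"agent:finance-bot"},       # who may spend
    "args": {"amount": int, "currency": str},  # exact argument schema
    "currencies": {"USD"}, "budget": 60_000,   # allowed currency, total grant
    "approval_above": 10_000,                  # a human must approve anything larger
}}

@dataclass
class Gate:
    policy: dict
    spent: int = 0
    tickets: int = 0
    revoked: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)

    def check(self, principal, tool, args):
        """Return (decision, detail); decision is allow, deny or escalate."""
        rule = self.policy.get(tool)
        if rule is None:
            return "deny", "tool not in policy"  # default deny
        if principal in self.revoked or principal not in rule["principals"]:
            return "deny", "principal not authorized"
        if set(args) != set(rule["args"]):
            return "deny", "arguments do not match schema"
        if any(type(args[k]) is not t for k, t in rule["args"].items()):
            return "deny", "argument has wrong type"  # rejects "50000" and True
        if args["currency"] not in rule["currencies"] or args["amount"] <= 0:
            return "deny", "value outside allowed range"
        if self.spent + args["amount"] > rule["budget"]:
            return "deny", "budget exceeded"
        if args["amount"] > rule["approval_above"]:
            self.tickets += 1  # hold the exact payload until a human decides
            self.pending[self.tickets] = (principal, tool, dict(args))
            return "escalate", self.tickets
        self.spent += args["amount"]
        return "allow", "within policy"

    def approve(self, ticket):  # releases only the held payload; single-use
        held = self.pending.pop(ticket, None)
        if held is None:
            return "deny", "unknown or already used ticket"
        principal, tool, args = held
        over = self.spent + args["amount"] > self.policy[tool]["budget"]
        if principal in self.revoked or over:
            return "deny", "state changed while pending"
        self.spent += args["amount"]
        return "allow", args
```

Approval re-checks revocation and budget because both can change while a call is held, and it releases the stored payload rather than anything the agent resubmits.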
The Action Authorization Boundary.
Authentication asks who are you. Authorization asks what can you access. Machine authority asks may this autonomous system take this exact action, now, in this state. Plaw owns the third question.
All failed companies are the same: they failed to escape competition. Legacy IAM and authorization vendors — Permit.io, Cerbos, OPA — are scrambling to secure AI by building “MCP Gateways” for developer authority. They are fighting the last war. A gateway is a tollbooth: it checks if a token is valid. If a hallucinating agent holds the right token, the gateway waves its destructive payload through.
Plaw is built for deployer authority: the enterprise IT and security team running multi-vendor agents across their infrastructure, not the developer managing in-app permissions. We are not a gateway. We are the Action Authorization Boundary: the deterministic lock that pauses execution in state, intercepts the exact payload, and demands real-time human approval for high-stakes actions before unfreezing it.
Gateways govern traffic. Plaw governs actions.
Market Reality & The Open Standard.
Gartner projects that 40% of enterprise applications will embed AI agents by the end of 2026. They also project that over 40% of agentic projects will be cancelled by 2027 due to escalating costs, unclear business value, or inadequate risk controls. Governance is the absolute constraint that dictates which deployments survive.
Plaw is an official signatory to the European Commission’s AI Pact (Pillar II), listed alongside Palantir, Porsche, and OpenAI. We are building the exact pre-execution enforcement infrastructure that global regulation now demands.
The internet’s most resilient infrastructure — DNS, PKI, OAuth — emerged from neutral, independent protocols. So must the authority layer for autonomous systems. We’ve split the work across two deliberate surfaces:
- veto.so — the open-source runtime intercept. Describe what an agent may do in English or YAML. Enforce it before anything touches money, data, or production.
- machineauthority.org — the open standard, protocol drafts, and reference architecture. The runtime is open-source. The protocol is open. The standard is neutral. This is how OAuth got built.
Join us.
Plaw was started in December 2025 by Yaz Caleb and Anirudh Patel. Kyrie Kirk runs operations and agentic economics. We are a small, elite team converging on Singapore and San Francisco this summer.
Six founding roles are open:
Engineering / Full-time / Hybrid / San Francisco or Singapore
Build the policy-evaluation engine inside Veto: deterministic schema matching against agent payloads, scope-aware policy compilers, behavioral verifiers for the gaps schemas don’t catch. The bar: unauthorized execution is prevented by construction, not by hope. First ship: the open-source enforcement loop. You’ve shipped serious LLM infrastructure (evals, RLHF, agent orchestration) and follow the agentic-systems literature as it’s published.
Engineering / Full-time / Hybrid / San Francisco or Singapore
Make Veto physically incapable of being bypassed. Sub-millisecond policy evaluation on hot paths, signed audit logs, deterministic state transitions, no panics. First ship: the runtime that survives a procurement security review (SOC2 first, FedRAMP-track posture). You’ve built systems where memory-safety bugs are a category that does not exist.
Design / Full-time / Hybrid or Remote / San Francisco or Singapore
Authority as interface, for three audiences. The policy-authoring surface for humans writing rules for machines. The audit explorer for humans understanding what machines did. The agent-facing surface for machines knowing what’s allowed. First ship: a policy editor an AppSec lead uses without a tutorial. See agentexperience.ax.
Engineering / Full-time / Hybrid or Remote / San Francisco or Singapore
Drive Veto from a GitHub repo to the default policy engine every agent developer reaches for. Ship reference integrations (Vercel, Modal, LangChain, OpenAI Agents SDK). Live on GitHub, Hacker News, Discord, and at conferences. Write the docs developers screenshot. First ship: a “Hello, Veto” tutorial that takes a developer from zero to first blocked tool call in 90 seconds. You’ve done DevRel at Vercel, LangChain, Modal, Supabase, or equivalent — developers in the community already trust you.
Engineering / Full-time / Hybrid / San Francisco or Singapore
Be the human at the boundary between Plaw and our first ten enterprise deployments. Land Veto inside the customer’s infrastructure: write their first policy-as-code with their AppSec lead, navigate their procurement and change-management gauntlet, translate every friction into product signal back to Veto’s roadmap. First ship: the deployment runbook the next FDE follows. You’ve shipped at Palantir, Anduril, Anthropic Applied, or equivalent — you know the deal is won at the integration meeting, not the demo.
Research / Full-time / Hybrid or Remote / San Francisco or Singapore
Lead the Cerno applied-research program: behavioral human-verification for high-stakes machine action — proof that a live person, not a token, approved the pending action. Publish. First year: one canonical paper on machine-authority enforcement, one working prototype shipped inside Veto. You have a published track record in cryptography, formal methods, or HCI for AI systems.
Email team@plaw.io with what you’d build here, not what you’ve done elsewhere. Until Plaw is profitable, we are not hiring anyone else.