Knox

Governance that lives
inside the container.

Knox is the execution firewall built structurally into every Qoris worker. It checks every action — tool calls, memory writes, external messages, browser actions, sensitive operations — before they happen. Not bolted on. Not bypassable.

Patent pending — U.S. 63/907,730

INCOMING ACTION

worker.tool_call → send_email(to="external@vendor.com", body=<contains internal pricing data>)

KNOX EVALUATION

  • external_recipient_detected: flagged
  • pii_or_pricing_payload_check: flagged
  • approval_required_for_external: no approval on record

BLOCKED

Action blocked. External recipient + internal pricing data without approval.

0.42s

Why Knox Exists

AI workers become valuable when they can act. They become dangerous when they act without control.

On April 29, 2026, an AI agent deleted a production database in nine seconds. The agent followed instructions. The instructions told it not to. Instruction-following is not policy enforcement.

Enterprises don't only need to know what the AI said. They need to control what the AI is allowed to do — before it happens. Prompt-based guardrails ask the model to behave. Monitoring tools tell you what already broke. Knox decides what's allowed to execute.

The future of AI work isn't just better reasoning. It's governed execution.

Execution Firewall

A pre-execution control layer that runs inside the worker, not around it.

Knox sits in the execution path between an AI worker's intent and the actual action. Before a worker sends an email, updates CRM, writes memory, calls a tool, accesses protected data, submits a form, or triggers an external system — Knox evaluates the action against policy.

Because Knox runs inside the worker's container, it cannot be bypassed by prompt injection, jailbreak, or workflow re-routing. Other governance products wrap the agent. Knox lives with it.

ALLOW · BLOCK · REQUIRE APPROVAL · ESCALATE · SANITIZE · LOG ONLY

Decision Trace

Every Knox decision explains itself.

When Knox allows, blocks, or escalates, the decision includes the requested action, the actor, the resource, risk classification, matched policies, approval requirement, and audit event. Every decision is explainable, reviewable, and recorded.

Action requested: Send external email
Actor identified: Sales Follow-Up Worker
Target resource: customer@acme.com
Risk classified: external_comm + pii
Policies matched: ExtComm v2, PII v3
Approval requirement: Manager approval
Decision returned: APPROVAL REQUIRED
Audit event recorded: evt_8f3a... → Audit

Every Knox decision answers: why was this allowed, why was this blocked, which policy applied, who approved it.
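
As an added illustration (not Qoris's Knox code or policy format), a pre-execution gate that returns a decision trace can be sketched in Python. The check names mirror the evaluation shown at the top of this page; the internal domain, the sensitive-data pattern, the approver role, and all function names are assumptions made for the example.

```python
import re
import uuid
from dataclasses import dataclass

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organisation's own mail domains
SENSITIVE = re.compile(r"(?i)\binternal pricing\b|\b\d{3}-\d{2}-\d{4}\b")  # constructed
KNOWN_TOOLS = {"send_email"}          # tools with a policy; everything else is denied
AUDIT_LOG = []                        # stand-in for an append-only audit store


@dataclass(frozen=True)
class Action:
    actor: str
    tool: str
    target: str
    payload: str
    approvals: frozenset = frozenset()   # approver roles already on record


def evaluate(action):
    """Build a decision trace for one requested action before it runs."""
    checks = {
        "known_tool": action.tool in KNOWN_TOOLS,
        "external_recipient_detected":
            action.target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS,
        "pii_or_pricing_payload_check": bool(SENSITIVE.search(action.payload)),
        "approval_on_record": "manager" in action.approvals,
    }
    if not checks["known_tool"]:
        decision = "BLOCK"               # default deny: no policy covers this tool
    elif checks["approval_on_record"] or not checks["external_recipient_detected"]:
        decision = "ALLOW"
    elif checks["pii_or_pricing_payload_check"]:
        decision = "BLOCK"               # external + sensitive payload, no approval
    else:
        decision = "REQUIRE_APPROVAL"    # external but benign: pause for a human
    trace = {"event_id": "evt_" + uuid.uuid4().hex[:8], "actor": action.actor,
             "action": action.tool, "resource": action.target,
             "checks": checks, "decision": decision}
    AUDIT_LOG.append(trace)              # record every decision, including ALLOW
    return trace


def guarded_call(action, tool_fn):
    """Run tool_fn only on ALLOW; return (trace, result) so the caller sees why."""
    trace = evaluate(action)
    result = tool_fn(action) if trace["decision"] == "ALLOW" else None
    return trace, result
```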

Action Control

Knox guards the moments where AI moves from suggestion to execution.

Knox is built for the point where a worker stops talking and starts acting. That includes business actions, system actions, memory actions, browser actions, and external communication.

External Communication

Emails, SMS, website responses, ecommerce replies, vendor messages, social posts, customer-facing outputs.

Example: “Send email to customer” → approval required

Tool Calls

CRM updates, helpdesk changes, calendar events, billing actions, MCP tool calls, internal API requests, external workflows.

Example: “Update CRM stage” → policy checked

Memory Changes

Canonical memory writes, protected memory reads, memory merges, rollbacks, and memory proposals.

Example: “Merge canonical memory” → review required

Financial Actions

Refunds, credits, discounts, pricing changes, invoice updates, renewal concessions, billing changes.

Example: “Issue refund” → finance approval

Legal & Compliance

Claims, policy exceptions, contract reviews, compliance decisions, regulated communication, restricted data access.

Example: “Approve claim recommendation” → compliance review

Browser & Computer

Authentication, deleting records, submitting forms, changing settings, accessing secrets, deploying code, modifying production data.

Example: “Deploy to production” → blocked without approval

Observation is low risk. Execution must be governed.

Policy Layer

Reusable policy packages, attached to workers, tools, memory, and channels.

Knox policy sets define how workers behave across real business risk areas. Attach a policy package to a worker, a worker template, a tool, a memory repository, a channel, an external agent, or an environment.

  • External Communication: Controls what workers can send to customers, vendors, partners, and public channels.
  • PII & Sensitive Data: Prevents sensitive customer, employee, financial, health, or internal data from leaking into unsafe actions.
  • Tool Permissions: Controls what tools workers and subagents can call, and what operations require approval.
  • Memory Access: Governs protected memory reads, canonical memory writes, merges, rollbacks, and proposals.
  • Financial Actions: Requires approval for refunds, credits, pricing changes, discounts, billing updates, and contract-value changes.
  • Legal & Compliance: Requires human review for policy exceptions, claims decisions, legal notices, regulated advice, and compliance-sensitive decisions.

Human-in-the-Loop

When approval is needed, Knox routes the action to the right person.

Not every risky action should be blocked. Some should pause, collect context, and request approval from the right human — a manager, compliance reviewer, account owner, finance lead, legal team, or admin.

Approval Required · Sales Follow-Up Worker

Action

External email to customer@acme.com

Policy triggered

ExtComm v2 (PII detected)

Context

Hi Sarah — following up on our conversation about the Q4 rollout. I've attached the updated timeline and pricing summary we discussed. Let me know if Thursday works for a quick sync.

Approve · Edit & Approve · Reject · Escalate

Routed to: Manager · Expires in 4h

Knox keeps humans in control at the moments that matter — and gets out of the way everywhere else.

Open Infrastructure

Bring Knox to the agent stack you already have.

Knox isn't locked to Qoris Workers. Teams running agents on LangChain, CrewAI, AutoGen, Claude, or custom runtimes can connect Knox over MCP — without rebuilding the stack.

Same policy engine. Same decision trace. Same audit. The agent stays where it is. Knox travels to it.

Your stack → Knox → Governed.

LangChain
CrewAI
AutoGen
MCP
Knox
  • Scoped API keys
  • Tool permissions per agent
  • Memory access policy
  • Policy sets by environment
  • Full audit logging
  • Identity tracking

Why It Matters

Safety prompts are not enough for enterprise AI workers.

Comparison table: Prompt guardrails · Monitoring tools · Generic approval · Knox, each rated on:

  • Prevents bad actions before execution
  • Works across tools, memory, channels
  • Cannot be bypassed by prompt injection
  • Built for autonomous workers

Knox is the difference between AI assistance and governed AI execution.

Knox

Move from AI agents to
governed AI workers.

Knox gives teams the control layer required to let AI workers act across tools, memory, workflows, channels, and external systems — safely.

Patent pending — U.S. 63/907,730 · NVIDIA Inception Program · Claude Partner Network member