Live demo · 30-second autoplay

Agent drift becomes impossible to hide.

Instruction → Certification → Delegation → Read → Activation → Action → Enforcement. With cryptographic receipts at every step. Watch a real H33-Root ceremony certify an Invoice Approval Policy, delegate four levels, and stop Agent 4 from approving an unauthorized $1.8M invoice.

NEW · Measured benchmark One poisoned handoff changed the rule. H33 caught the exact hop. 10 Claude Sonnet 4.6 agents · Agent 4 injected · Vanilla approves the wrong action · H33-Root denies. Recording included. Watch the test →

Authority flows from human to action →

Human

Board

→

✓

Root v1

Invoice Policy

→

✓

Agent 1

Invoice

→

✓

Agent 2

Treasury

→

✓

Agent 3

Vendor

→

✓

Agent 4

Payment

→

✓

Action

Gate

~10% drift per handoff.

~65% of original intent gone by step 10.

That’s AI agent drift.

Instructions change. Authority changes. Behavior changes. Left unchecked, it can cost your company.

source: τ-bench (Sierra · Anthropic) · AgentBench (THUDM) · METR Long-Horizon 2025

Here’s how to stop it.

Step 1 · Human creates the North Star

finance@cfo-laptop · h33-root
$ h33 root create
Name: Invoice Approval Policy
Purpose: Approve vendor invoices
Rule: No invoice over $25,000 without Finance Manager approval
Escalation: Finance Manager
Root Type: Permanent
Q-Sign: Required above $25,000
→ ROOT DRAFT

Step 2 · Certification ceremony · how long should this authority exist?

Root Summary — review & approve

PurposeApprove vendor invoices Limit$25,000 ApproverFinance Manager

Root Type ▼ how long should this authority exist?

○

PermanentThe organization's North Star · rarely changes · no wire over $25K · AI may never exfil customer data

○

Time-BoundAuthority expires at a specific time or date · valid until Q4 ends · valid for 90 days · valid until next board meeting

○

ProjectAuthority lives only for a specific mission · acquisition diligence · ERP migration · audit prep · incident remediation

○

EmergencyShort-lived elevated authority · security incident · outage · disaster recovery · cannot silently become Permanent · extension requires elevated re-certification · Refresh forbidden

Q-SignRequired

Root Certificate issued

✓ Root v1 · Status: ACTIVE

NameInvoice Approval Policy Root TypePermanent Root Hash4d8e...91c2 Display Proof✓ verified Threshold sig✓ 3-of-5 board

Instruction → Root Certificate · .h33pqv.json bound

H33-74 Receipt Issued · evidence_witness committed

Step 3 · Agent 1 receives Root

Invoice Approval Agent

RoleInvoice Approval Agent InheritsRoot v1 · Invoice Approval Policy Scope≤ $25,000 (Finance Manager) · > $25,000 escalate

Delegation Capsule · delivered

Read Attestation · decrypted-body digest signed

Authority Activation Record · acknowledged_root_hash = 4d8e...91c2

H33-74 Receipt · evidence binding

Step 4 · Agent 1 delegates to Agent 2

Agent 1

Invoice Agent

→

Agent 2

Treasury Agent

Delegation Capsule · Read Attestation · Activation · H33-74 Receipt — all ✓

Step 5 · Chain of authority — four levels deep

Human

Finance Manager

→

Agent 1

Invoice Agent

→

Agent 2

Treasury Agent

→

Agent 3

Vendor Agent

→

Agent 4

Payment Agent

Receipt

Every transfer is cryptographically proven.

4 hops · in current benchmarks ~35% of original intent is gone by here. H33-Root catches the drift at the gate.

Step 6 · Agent 4 receives a drift attempt

Incoming · Payment Agent (Agent 4)

VendorUnverified Holdings LLC Invoice$1,800,000.00 Authoritycited Root v1 · Invoice Approval Policy

▌ Agent 4 attempts approval…

Step 7 · Root verification at the gate

Current Rootv1 · 4d8e...91c2✓ Agent ReadYES✓ Agent ActivatedYES✓ Authority CurrentYES✓ Within WindowYES✓ Lifecycle CompliantYES✓ AllowedNO — $1.8M exceeds $25K cap✗

DENIED

gate denial · check (l) ROOT_CONFORMANCE · NAP issued

Step 9 · Denial routed to humans (Slack) · multi-tier review

#governance-escalations

H33-Root APP 11:42 AM

⚠ Manual review required · NAP attached

Action Approve invoice $1,800,000.00

Vendor Unverified Holdings LLC

Cited Root Invoice Approval Policy (v1)

Denial Exceeds $25K cap · 72× over scope

Agent Agent 4 (Payment)

@finance-manager · Tier 1 review Tier 2 (CFO) auto-required for amounts > $1M · company governance rule

Finance Manager TIER 1 11:43 AM

DENIED · escalating to CFO per rule

"Vendor not on approved list. Out of scope of authorized rule. Routing to Tier 2 for confirmation + audit log."

CFO TIER 2 11:44 AM

DENIED · CONFIRMED

"Vendor needs procurement onboarding before any payment. Final denial recorded."

Each human signature is itself a portable substrate artifact · multi-tier review auditable forever

Step 9 · If Agent 4 skips escalation…

NAP Issued · required_action_not_performed

Alert Sent · Finance Manager + Audit

Evidence Preserved · H33-74 + Cachee

STOPPED

What just happened

Every instruction became a Root.

Every Root was certified — display proof, threshold signature, immutable hash.

Every transfer was cryptographically attested — Delegation Capsule.

Every read was attested — Read Attestation.

Every activation was attested — Authority Activation Record.

Every action was checked against the Root — at every layer.

Agent Drift Detected. · Action Denied. · Evidence Preserved.

Four Root types — and four lifecycle actions on top

Permanent

North Star Policy

Rarely changes. "No wire over $25K." "AI may never exfil customer data." "Production deploys require review."

Time-Bound

Quarterly Budget Authority

Authority expires at a specific date. Valid until Q4 ends. Valid for 90 days. Valid until next board meeting.

Project

Acquisition Diligence

Authority lives only for the mission. ERP migration. Audit prep. Incident remediation. When the project ends, authority ends.

Emergency

Incident Response

Short-lived elevated authority. Security incident · outage · disaster recovery. Cannot silently become Permanent, Time-Bound, or Project. Extension requires elevated re-certification — Refresh is forbidden by design.

Lifecycle Actions — apply on top of any Root Type

Refresh

Extend without changing root_hash · Permanent, Time-Bound, Project · forbidden for Emergency

Supersede

Publish a new root · lineage preserved · downstream re-activates

Retire

Planned end · closure artifact · residual obligations preserved

Revoke

Immediate unplanned termination · cascade through descendants

Most systems tell you what happened.

H33-Root proves why it was allowed.

And stops actions that were never allowed.

Agent-008 · Post-Quantum AI Governance Infrastructure

H33-Root

Activated · Current · Within Window · Lifecycle Compliant — every action, every time.

Scene 1 of 16 · Opening

What you just watched (the technical version)

A real H33-Root certification ceremony. Scene 3 shows the actual terminal command an operator runs to draft a Root authority object. Scene 4 shows the certification ceremony — Display Proof committed to the rendering shown to the approving principals, threshold post-quantum signature applied (ML-DSA-87 + SLH-DSA-256s + FALCON-1024). Scene 5 emits the Root Certification Record, bound to the substrate-genesis-anchored Root Certification Registry, with a reciprocal H33-74 evidence receipt witnessing the certification event. Scenes 6–8 show recursive delegation with the four-stage activation lifecycle at every hop (delivered → read → acknowledged → activated). Scene 10 is the pre-execution gate's plain-language test: Activated AND Current AND Within Window AND Lifecycle Compliant — six checks pass, the seventh (action-within-scope, Claim 2 check (l) ROOT_CONFORMANCE) fails because $1.8M exceeds the cited Root’s $25K cap. Scenes 11–13 show the NAP path: deny, escalate, and — if the agent ignores escalation — emit a required_action_not_performed NAP that preserves evidence under H33-74 and Cachee.

Want to see the substrate underneath? H33-Root substrate · PQ-Verified standard · Public verifier · Agent-Zero runtime