pre-execution proof · agentic finance operations

When the agent touches money, who authorized it?

Every finance team running AI agents is making economic decisions without a paper trail. Logs say something happened. KIFF proves what was authorized — before the money moved — in a way nobody can alter afterward.

first protected control: duplicate-payment guard

$10,000 invoice.
One payment. Nine blocked retries.

An AP agent pays an invoice. A flaky connection drops the success response. The transport retries ten times. Each retry is a legitimate call — same invoice, same amount. Without KIFF, that's $100,000 across ten debits. Only a state-aware gate can stop it.

without kiff — ungoverned
10 retries / $100,000 exposure
1. pay_invoice(inv-001) → ap-app: debit #1
2. retry → ap-app (no state check): debit #2
3. retry → ap-app: debit #3
retries 4 – 9: +6 debits
10. retry → ap-app: debit #10
$100,000 · 10 debits · no receipts

with kiff — state-aware gate
1 debit / 9 blocked / signed receipts
1. KIFF decides: Invoice PENDING → PAY_INVOICE allowed
   ap-app debits, state advances → PAID: debit #1
2. KIFF decides: Invoice PAID → PAY_INVOICE blocked
retries 3 – 10, same state check: ×9 blocked
signed receipt issued for each decision: 10 receipts
$10,000 · 1 debit · Exhibit A in hand

Every individual $10,000 call was legitimate. Only a state-aware gate stopped the repeat. The state machine is not a dedup table in the application — it is an independent authority that knows Invoice inv-001 was PENDING when the first call arrived, and PAID when the retry arrived. That fact is recorded, signed, and tamper-evident. That is not a log. That is Exhibit A.

Six phases. One protocol.
Same for humans, agents, services.

Every action — human or AI — follows the same clearance path. No agent gets special treatment. No action escapes the record.

01 · event
Something happens
An agent proposes an action. A human submits a request. A webhook fires. Every fact enters as an event with a source, actor, and timestamp.
source · actor · time

02 · state
Current state is read
KIFF reads the entity's current state from the event log. Invoice PENDING. Refund REQUESTED. Payout PENDING_APPROVAL. What is true right now.
deterministic · from events

03 · decision
Policy evaluates
The action contract is checked: is this state allowed? Does the actor hold the required permissions? Are required parameters present? Risk level assessed.
allowed · blocked · approval_required

04 · action
Change is prepared
If allowed, the action is validated, not yet executed. Parameters confirmed. The executor is ready. Nothing touches the system of record until this clears.
validated · not executed yet

05 · approval
Authority signs
High-risk actions wait for a human signature. The proposer cannot approve their own proposal. Attribution is explicit. The approval is part of the receipt.
proposer ≠ approver

06 · audit
Logged and replayable
Every decision is appended to the tamper-evident audit trail. The entity's history can be replayed from events alone. Six months later, the same receipt.
tamper-evident · replayable

Six actions that move money. All need Exhibit A.

Start with whichever action you are most afraid to let an agent execute without a guard. Each becomes one Protected Control — one production action KIFF decides before execution and proves afterward.

PAY_INVOICE
Duplicate payment
Flaky retries on a $10K invoice become a $100K incident. KIFF blocks the retry when state says PAID. First proof pack, ships today.

ISSUE_REFUND
Refund approval
Refunds above a threshold route to a human approver. The agent cannot self-approve. Every refund carries a signed authorization.

CREATE_PAYOUT
Vendor payout
Vendor payouts are one-directional and hard to reverse. KIFF holds the gate on CREATE_PAYOUT until policy and approvals clear.

APPLY_CREDIT
Credit issuance
Credit issued to the wrong account or twice is a money-equivalent mistake. KIFF tracks entity state so the same credit cannot issue twice.

OVERRIDE_DISCOUNT
Discount override
Discount overrides are margin leakage when unchecked. KIFF enforces approval for overrides above policy threshold, with full attribution.

APPROVE_REIMBURSEMENT
Reimbursement
Expense reimbursements touch payroll-adjacent systems. KIFF gates approval on policy rules and keeps the decision chain intact for audit.

Logs say what happened.
Receipts prove what was authorized.

what logs give you
A record that the payment call was made
A timestamp from the application
A status code from the payment processor
No proof the action was authorized before it ran
No evidence of entity state at the time of the call
No tamper-evidence — logs can be altered after the fact
Nothing to show an auditor, lawyer, or regulator that a control existed

what kiff receipts give you
A signed decision made before execution, not after
The entity's state at the exact moment of the decision
The action contract that was checked: state, permissions, parameters
The actor and role that proposed the action
A tamper-evident chain — the receipt cannot be altered after issuance
Approval attribution when a human sign-off was required
Exhibit A: a replayable, auditable chain from intent to outcome
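
The duplicate-payment guard and the receipt contents listed above, as an added Go sketch: it is not KIFF's package or API, and the names Gate, Receipt, Decide and Verify are hypothetical. It assumes an in-memory, single-threaded gate, an Ed25519 key generated on the spot, and a constructed invoice inv-001.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Receipt struct { // Receipt and Gate are hypothetical types, not KIFF's API
	Actor, Action, Entity, State, Decision string   // State: entity state at decision time
	Prev                                   [32]byte // SHA-256 of the previous receipt's signature
	Sig                                    []byte   `json:"-"` // Ed25519 over the JSON of the rest
}
type Gate struct {
	Key   ed25519.PrivateKey
	State map[string]string // entity -> PENDING or PAID; unknown entities are blocked
	Chain []Receipt
}
// Decide signs a receipt before anything executes; only a PENDING invoice may be paid.
func (g *Gate) Decide(actor, entity string) bool {
	r := Receipt{Actor: actor, Action: "PAY_INVOICE", Entity: entity, State: g.State[entity], Decision: "blocked"}
	if r.State == "PENDING" {
		r.Decision, g.State[entity] = "allowed", "PAID"
	}
	if n := len(g.Chain); n > 0 {
		r.Prev = sha256.Sum256(g.Chain[n-1].Sig)
	}
	msg, _ := json.Marshal(r) // Sig is left out by its json:"-" tag
	r.Sig = ed25519.Sign(g.Key, msg)
	g.Chain = append(g.Chain, r)
	return r.Decision == "allowed"
}
// Verify returns the index of the first bad signature or broken link, or -1.
func Verify(pub ed25519.PublicKey, c []Receipt) int {
	for i, r := range c {
		msg, _ := json.Marshal(r)
		if !ed25519.Verify(pub, msg, r.Sig) || (i > 0 && r.Prev != sha256.Sum256(c[i-1].Sig)) {
			return i
		}
	}
	return -1
}
func main() { // constructed scenario: first call, one retry, then a tampered receipt
	pub, key, _ := ed25519.GenerateKey(nil)
	g := &Gate{Key: key, State: map[string]string{"inv-001": "PENDING"}}
	fmt.Println(g.Decide("ap-agent", "inv-001"), g.Decide("ap-agent", "inv-001"))
	g.Chain[0].Decision = "blocked"
	fmt.Println("first invalid receipt:", Verify(pub, g.Chain))
}
```

Back-links alone do not reveal a chain whose newest receipts were dropped; detecting that requires the latest signature to be held somewhere the chain's keeper cannot rewrite.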

The protocol is a Go package.
Embed it in your backend.

The framework is public, MIT-licensed, and framework-agnostic. Wire it into an existing Go backend in an afternoon. Or connect your agent runtime to KIFF Cloud without touching your application code.

What is the first costly action
you don't want an agent to execute without a guard?

Start with the sandbox to prove KIFF can observe your runtime and draft a Protected Control. When you're ready to put it in production, the Launch Pilot activates it with founder-led setup.