Why · the founder's view
The conviction behind KIFF, in plain language. For the technical rigor, read the whitepaper.
Why I’m building KIFF
Every company I talk to is racing to put AI agents into production. And almost every one has the agent doing the same thing: drafting, suggesting, summarizing. Watching. The moment the conversation turns to letting it actually do something (issue the refund, move the money, change the record), everyone goes quiet. Because nobody trusts it. So the agent gets caged: read-only, one narrow task, a human in every loop. We bought something that can reason and act, and we use it as an intern who isn’t allowed to touch anything.
I didn’t start KIFF to ship a governance feature. I started it because there’s a bigger thing on the other side of this, and one fear standing in front of it.
The bigger thing: organizations being able to give machines real responsibility, and still be accountable for what happens. Not automation that someone has to babysit. Not autonomy that someone has to pray about. Responsibility you can hand over and still stand behind. That’s the actual product. Domains, contracts, receipts: those are the frames and the lenses. What we’re really selling is the ability to see what your agents are doing and trust it enough to let them act.
What I keep seeing
The same three things, over and over.
The ceiling is trust, not intelligence. Teams keep reaching for a smarter model, a better prompt, another eval. But the thing keeping the agent out of production was never its IQ. A wrong action on real state (a double refund, a payout to the wrong account, a status flipped twice) is expensive and hard to undo. No model upgrade fixes that. The fear is rational, and it’s structural.
Everything underneath was built for a human in the loop. Our software assumes a person is the one clicking: someone who knows the order was already settled, someone who won’t approve their own request. Take the human out, drop an agent in, and all those quiet assumptions vanish at once.
The popular fixes don’t fix it. More guardrails in the prompt, which is string-matching hope. More monitoring, which tells you after it already happened. A sandbox, which stops the agent doing the one thing you deployed it for. Each one manages the fear without removing it.
The reframe
We’ve been asking the wrong question. Not “can I trust this agent?” That one is unanswerable. You can’t audit a vibe. The question is “can I trust the system it’s acting in?”
That one has an answer. A system can be deterministic. It can know what state something is actually in. It can hold the rule that an action is only allowed from certain states, that a large refund needs a second signature, that no one approves their own request. It can decide before anything executes, and record what it decided and why. You stop trusting the actor and start trusting the structure around it.
So you define your operational domain once: the entities, their states, the allowed actions, who’s permitted, what needs approval. Any agent, in any framework, in any language, proposes against that contract. KIFF checks it against the real state and decides (allowed, refused, or held for a human) before it touches production, and signs a receipt you can verify yourself. The agent stops being the thing you have to trust. It becomes a thing that asks, and gets a real answer.
And the domain is the part that lasts. Models change, frameworks churn, this year’s agent gets replaced by next year’s. The contract for how your business is allowed to operate shouldn’t churn with them. You write it once and it outlives every agent you point at it. The agent is replaceable. The domain is the asset.
What I believe
A category is a thing you build. How you build it is a choice, and I care more about that part than the org chart usually allows.
If software decides about you, you should be able to read it. A system that sits between an agent and your money or your customers cannot be a black box you’re asked to trust on faith. That’s why the core is open source. Not as a growth tactic, but as a condition of the thing being trustworthy at all. You can run the kernel yourself and read every line that makes a decision.
Proof beats promises. Anyone can claim their agent did the right thing. We make every decision verifiable: evidence you can check yourself, not a number on our dashboard you have to take our word for. Accountability shouldn’t depend on trusting the vendor, including us.
Show, don’t assert. Our site says what’s built and what isn’t. If a thing is on the roadmap, it says roadmap. In a market this full of demos, I’d rather earn trust the way the product does, by showing the decision instead of asserting it.
Humans keep the authority. The goal was never to remove people. It’s to let them hand off the work while keeping the call. The system holds the line. A person still owns the consequential ones. Autonomy with someone accountable, on purpose.
None of these are decorations on the product. They are the product. A trust layer built by a company you can’t see into would be a contradiction.
Why now
Agents crossed the line from suggesting to acting faster than anyone planned for. The intelligence arrived. The safe place to put it didn’t. That gap is the whole game right now, and it’s an infrastructure problem, not a model problem. Build the layer beneath the agents, honestly and in the open, and organizations stop having to choose between control and autonomy. They get both. That’s worth building right.
If you’re trying to get an agent past the read-only ceiling and into real work, that’s the entire reason KIFF exists. I’d love to talk.