ENCLAVE
The Notenic Tech Stack

Control the Execution Path.

Not a wrapper. Not a proxy. Not a filter applied after the fact. Notenic's Ephemeral Governance Capsule deploys inside the client environment, runs governance in-memory, and terminates at session close — leaving zero content, a cryptographic trace, and a certified posture record.


Principle I: Zero-Ingestion. Data never leaves the client boundary. The model executes inside an enclave-resident sandbox — not in Notenic's cloud.
Principle II: Deterministic Enforcement. Policy rules are provisioned and enforced at the protocol layer — before actions execute, not after outputs are generated.
Principle III: Immutable Attestation. Every inference loop produces a hash-chained posture trace: metadata only, zero content, while retaining a full evidentiary record.

How it Works

The Governance Capsule lifecycle.

Notenic serves as both a policy enforcement point (PEP) and a policy decision point (PDP). It provisions session-bound, role-specific governance artifacts on demand, compiled into a single ephemeral capsule that is injected into the client environment. Notenic’s Ephemeral Governance Capsule deploys inside the client environment, enforces governance in-memory, and is terminated at session close—leaving no session content, a cryptographic posture trace, and a certified posture record.

Notenic Top-Level Governance Architecture
01. Provision

On-Demand Ephemeral Governance Capsule Build

Session-based. Context-aware. Compiles role-specific policy logic, behavioral scaffolds, and constraint trees into a signed, encrypted capsule — built on-demand for each session and never reused.

02. Inject

Ephemeral Governance Capsule Runtime (PEP)

Injected via ephemeral keying. Decrypts in-memory at session start. All governance signals — behavioral classification, causal reasoning, constraint enforcement — happen locally, at runtime, inside the client VPC. Session close triggers termination.

03. Certify

Reasoning Trace Path Evaluation and Certification Engine (PDP)

Runtime posture and fidelity certification. Receives only the hash-chained attestation trace — attestation path only, zero content. Evaluates session posture and issues or revokes model safety certification in real time.

CAPSULE
The Governance Capsule

Four components. One ephemeral unit.

The Governance Runtime Artifact is not a service you route traffic through. It is a compiled, session-scoped execution object — injected into the client environment, locked to the session identity, and structurally incapable of persisting data beyond session close.

0 bytes user data persisted beyond session close
48h maximum SLC certificate validity window
mTLS with session-locked certs on all capsule comms
Component 01

Behavioral Scaffolding

Pre-compiled constraint trees and behavioral guides injected as context scaffolds. Define what the model is permitted to reason about — structurally, not via prompt.

Hash-Chained Posture Attestation
Component 02

Hash-Chained Attestation

Turn-by-turn posture hashing. Each session turn produces an attestation record chained to the prior — building a tamper-evident evidence sequence. Zero content transmitted to cloud.

Component 03

Enclave-Resident Execution

The governance capsule runs inside a hardware-backed TEE or WASM sandbox. Policy logic is isolated from application memory — protected against inspection, modification, or exfiltration at runtime.

mTLS with SLCs
Component 04

mTLS + Session-Locked Certs

All capsule-to-cloud communication uses mutual TLS with session-locked certificates (SLCs) bound to the session identity — expiring within 48h and non-transferable between sessions.

System Architecture

Inside the Client VPS/VPC boundary.

Two deployment modes. The same governance guarantees. Every session bound to a capsule — every posture transmitted as attestation metadata only.

Notenic Cloud Architecture — Client VPC with Sidecar TEE
Sidecar Runtime Instance (TEE)

Runs governance capsules in a Trusted Execution Environment alongside the LLM. Multiple concurrent sessions (S1–S3) each bound to their own capsule instance.

Notenic Ingress Gateway

Consolidates runtime artifacts and governance logic to a single execution layer. Hardens the entire stack — including untrusted third-party tools.

Capsule Compiler Service

Compiles and orchestrates role-specific, session-bound context graphs, behavioral scaffolds, and signals on-demand from the Cloud Control Plane.

NIS Certification Authority

Issues and revokes session posture certificates. Feeds the Notenic Attestation Ledger with turn-by-turn posture verdicts — never with session content.

Notenic Cloud Architecture — Client VPC with Sidecar TEE
Two Model Instances (A + B)

Illustrates concurrent governance across multiple model instances — each running isolated sessions (S1–S4), each bound to its own enclave-resident capsule and certification stream.

Enclave Gateway / Attestation Channel

Outbound: posture certification requests (trace metadata only). Inbound: certification verdict (turn-by-turn session posture). The LLM receives responses — never the certification traffic.

Notenic AI Governance Cloud Control Plane

Receives only abstract reasoning trace metadata. Never ingests, reads, or exports any user data or conversation content. Produces immutable audit trail of stateful model / session posture.

ENFORCE
Runtime Enforcement

A session in five acts.

Two paths run in parallel. The adversarial path: certification → intervention → hard stop → revocation. The resilience path: Continuity Relay — where Notenic absorbs the threat silently and keeps the session alive. Each state produces a cryptographic evidence artifact.

Act 01 — Session Start

Certification

The session is active. The capsule evaluates posture at every turn. Integrity score 0.98. Drift flag false. The notenic.certify response confirms SAFE — and the session continues with full capability.

Act 02 — Constraint Triggered

Intervention

The agent attempts to initiate a wire transfer to an unverified beneficiary. The capsule intercepts and issues a notenic.intervene: REWRITE — rewriting the response inline with required verification steps before the user sees it.

Act 03 — Bypass Detected

Hard Stop

A deliberate bypass attempt is confirmed. notenic.enforce: HARD_STOP. Status REVOKED. The session enters DEGRADED mode — the model may only explain requirements, collect non-sensitive fields, and hand off to a human. All privileged capabilities are blocked.

Act 04 — Session Revoked

Revocation

The certification is revoked. notenic.revoke records UNLAWFUL_BYPASS, integrity score 0.44, drift flag true. The attestation ledger seals the chain. Session memory is zeroed. Enclave destroyed.

Resilience Path — runs in parallel
Act 05 — Threat Detected, Session Preserved

Continuity Relay

Drift, poisoned context, or adversarial brute-force is detected. Instead of terminating, Notenic silently relays the session to a fresh model instance — void of context poison, aware of intent, advised to caution. The user observes 2–4 seconds of additional latency. Nothing more. The attack surface is nullified without revealing to the attacker that they've been detected.

The same mechanism routes sessions across model capability tiers: when a workflow reaches a step requiring a specialty model, Notenic relays to a new instance with the appropriate weights — then relays back when the step completes. Protects fine-tuned model weights from degradation caused by out-of-scope tasking. Works across same and different models, providers, and clouds.

Certification
{
  "type": "notenic.certify",
  "session_id": "A1B2C3D41218",
  "certified": true,
  "decision": "SAFE",
  "classification_code": "WALLE",
  "reason_code": "OK",
  "cert_id": "WALLE12182025",
  "integrity_score": 0.98,
  "drift_flag": false,
  "expires_at": "2025-12-18T05:31:02Z"
}
Egress Intervention
{
  "notenic.intervene": {
    "decision": "REWRITE",
    "reason_code": "WIRE_WO_AUTH",
    "evidence": "beneficiary=UNVERIFIED"
  },
  "rewrite_directive": {
    "target_style": "concise_professional",
    "required_components": [
      "State that you cannot initiate the wire yet",
      "Request step-up verification",
      "Collect minimum required details",
      "Offer to proceed after verification"
    ]
  }
}
Runtime Hard Stop
{
  "type": "notenic.enforce",
  "checkpoint": "SESSION_CONTROL",
  "action": "HARD_STOP",
  "status_code": "REVOKED",
  "ui_message": "Bypass attempt",
  "ui_action": "Escalate to human approval",
  "safe_fallback": {
    "mode": "DEGRADED",
    "allowed": [
      "explain_requirements",
      "collect_non_sensitive_fields",
      "handoff_to_human"
    ]
  }
}
Certification Revoke
{
  "type": "notenic.revoke",
  "session_id": "A1B2C3D41218",
  "certified": false,
  "decision": "BLOCK",
  "classification_code": "WALLE",
  "status_code": "REVOKED",
  "reason_code": "UNLAWFUL_BYPASS",
  "integrity_score": 0.44,
  "drift_flag": true,
  "expires_at": "2025-12-18T05:31:02Z"
}
Session Relay Activity
{
  "type": "notenic.relay",
  "session_id": "88ad-8d36-f727",
  "trigger": "DRIFT_DETECTED",
  "drift_classification": "EXCESSIVE",
  "action": "CONTINUITY_RELAY",
  "relay_target": {
    "session_id": "9f8a-07ba-ad8c",
    "model": "foundational",
    "context_sanitized": true,
    "intent_advisory": true
  },
  "user_observable_latency_ms": 2400,
  "prior_session_state": "TERMINATED",
  "prior_session_memory": "ZEROED",
  "attestation_chain": "PRESERVED"
}
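
The turn-by-turn hash chaining described under Component 02, as an added example that is not Notenic's code: each record carries posture metadata only and is linked to the previous record's SHA-256 digest. The record layout, the GENESIS anchor and the function names are assumptions; the sample turns are constructed from the field names in the messages above.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def record_digest(prev_hash, turn, posture):
    # Canonical JSON: the same metadata always serializes to the same bytes.
    body = json.dumps({"prev": prev_hash, "turn": turn, "posture": posture},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_turn(chain, posture):
    """Append one metadata-only posture record linked to the prior record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    turn = len(chain) + 1
    record = {"turn": turn, "prev": prev_hash, "posture": dict(posture)}
    record["hash"] = record_digest(prev_hash, turn, record["posture"])
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) when intact, else (False, first failing turn)."""
    prev_hash = GENESIS
    for index, record in enumerate(chain, start=1):
        expected = record_digest(prev_hash, index, record.get("posture"))
        seen = (record.get("turn"), record.get("prev"), record.get("hash"))
        if seen != (index, prev_hash, expected):
            return False, index
        prev_hash = record["hash"]
    return True, None


def build_sample_chain():
    # Constructed sample turns; field names and values follow the page's messages.
    chain = []
    append_turn(chain, {"type": "notenic.certify", "decision": "SAFE",
                        "reason_code": "OK", "integrity_score": 0.98, "drift_flag": False})
    append_turn(chain, {"type": "notenic.intervene", "decision": "REWRITE",
                        "reason_code": "WIRE_WO_AUTH"})
    append_turn(chain, {"type": "notenic.revoke", "decision": "BLOCK",
                        "reason_code": "UNLAWFUL_BYPASS", "integrity_score": 0.44, "drift_flag": True})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                  # intact chain
    chain[1]["posture"]["decision"] = "SAFE"    # edit turn 2 after the fact
    print(verify_chain(chain))                  # verification now fails
```

Dropping records from the end of the chain still verifies, so the verifier has to hold the latest hash (or a signed checkpoint) outside the chain to detect truncation.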

Four enforcement mechanisms active in every governed session

Mechanism 01

Risk Scaffolding

Constraint definitions compiled into the capsule: HARD BLOCK_ACTION, HARD REQUIRE_BENEF_VERIFY, SOFT REDACT. Enforced at the protocol layer — not the prompt layer.

Tool Gates
Mechanism 02

Protocol-Layer Tool Gates

payments.initiate_wire blocked. Unlock conditions: [auth, beneficiary.verified]. The model cannot execute the tool until session state satisfies the gate conditions — regardless of what it decides.

Runtime Governance
Mechanism 03

FSM State Enforcement

WIRE_FLOW / AUTH_REQUIRED. Active policies NRPEP_2 (Notenic core), NRPEP_3 (FFIEC overlay), NRPEP_5 (INT_GUARD_RAG). Multi-layer policy stack enforced at every state transition.

Mechanism 04

Continuity Relay

Drift or adversarial attack detected — session silently hot-swapped to a fresh model instance. No termination. No user disruption. Also routes sessions across model capability tiers for specialty workflow steps. Works across models, providers, and clouds.
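
A sketch of the protocol-layer tool gate from Mechanism 02 combined with the DEGRADED fallback from the hard-stop message, added here as an example and not taken from Notenic's implementation. The class, function names and reason strings are hypothetical; the tool name, unlock conditions and DEGRADED allowlist come from the page.

```python
from dataclasses import dataclass, field

# Gate table compiled before the session starts. The wire gate mirrors the
# page's example; the three ungated actions are the page's DEGRADED allowlist.
# Reason strings below are illustrative labels, not Notenic codes.
DEGRADED_ALLOWED = ("explain_requirements", "collect_non_sensitive_fields", "handoff_to_human")
TOOL_GATES = {"payments.initiate_wire": ("auth", "beneficiary.verified")}
TOOL_GATES.update({name: () for name in DEGRADED_ALLOWED})


@dataclass
class SessionState:
    # Facts are written only by trusted verification steps, never by model output.
    facts: set = field(default_factory=set)
    mode: str = "NORMAL"  # becomes "DEGRADED" after a hard stop


def authorize(state, tool, model_claims=None):
    """Decide a tool call from session state alone; model_claims is never read."""
    if tool not in TOOL_GATES:
        return {"allow": False, "reason": "UNKNOWN_TOOL"}  # fail closed
    if state.mode == "DEGRADED" and tool not in DEGRADED_ALLOWED:
        return {"allow": False, "reason": "DEGRADED_MODE"}
    missing = [cond for cond in TOOL_GATES[tool] if cond not in state.facts]
    if missing:
        return {"allow": False, "reason": "GATE_LOCKED", "missing": missing}
    return {"allow": True, "reason": "OK"}


def hard_stop(state):
    """Enter DEGRADED mode and drop every unlock fact earned so far."""
    state.mode = "DEGRADED"
    state.facts.clear()
    return state


if __name__ == "__main__":
    s = SessionState(facts={"auth"})
    # The model asserts verification; the gate still reports what is missing.
    print(authorize(s, "payments.initiate_wire", {"beneficiary.verified": True}))
    s.facts.add("beneficiary.verified")   # set by a trusted verification step
    print(authorize(s, "payments.initiate_wire"))
    hard_stop(s)
    print(authorize(s, "payments.initiate_wire"), authorize(s, "handoff_to_human"))
```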

Zero-Persistence Architecture

The Notenic ZEN guarantee.

Three structural properties — not policy statements, not contractual promises. Architectural facts about how the capsule is built.

Z Property 01

Zero-Persistence

No user data, model weights, or session content is written to disk or retained in memory beyond session close. The enclave destroys itself — confirmed in the session activity log as "Memory: Zeroed, Enclave: Destroyed."

E Property 02

Execution-Path Control

Governance is enforced at the execution path — before actions reach systems of record. Not a post-output filter. Not a log review. The constraint is applied at the tool-call layer, in the session state machine, before the action commits.

N Property 03

Nullifies Context Window

The capsule's behavioral scaffolding operates independently of the model's context window — meaning prompt injection attacks, jailbreak attempts, and context poisoning cannot override governance logic. The scaffold is structurally prior to the model's reasoning.

Governance Modulation

Governance doesn't constrain performance. It produces it.

Derived from Havenga’s Relativistic Model of Cognition and Novelty Decay, the K-coefficient (Kappa) is Notenic's measure of a model's cognitive absorption capacity at a given task complexity. Governance modulation matches model capability to task load—improving throughput and quality in measured benchmarks by optimizing the operating zone per session, role, and task.

The bell curve shows why: both extremes fail. Too much temperature (underconstrained) and the model hallucinates. Too much constraint and it can't reason. Notenic's governance capsule identifies and holds the optimal operating zone — tuned per session, per role, per task.

Notenic Governance Modulation — 194% Performance Uplift
OBSERVE
Operational Observability

Everything that happened. Provably.

Four views into the governed session lifecycle — from relay activity and session logs to posture audit trails and live operational oversight. Every state certified. Every action attributed.

Admin Console - View 01

Session Relay Activity

Real-time view of session relay events — with live status across Sessions Relayed, Excessive Drift Events, Poisoned Context Events, and Session Certs Revoked. Every relay action (Relay In, Relay Context, Relay Out, Terminate Session, Sanitize Context) is sequenced and confirmed.

Certified sessions show Governing status in real time
Revoked sessions are immediately flagged and isolated
Drift detection events create an auditable relay record
Admin Console - View 02

Session Activity Log

Turn-by-turn governance log for every session. The critical confirmations visible here — Memory: Zeroed, Enclave: Destroyed, Trace Log: Update, Workflow: Compliant / Certified — are the forensic evidence artifacts produced at session close. Expandable for full turn-by-turn governance detail.

12 running hosts, 20 active sessions, 2/4 model instances live
Session certs revoked: 0 — across all active sessions
Admin Console - View 03

Session Posture Audit

Workflow-level posture audit trail. 92% policy enforcement rate. 8% overridden by priority. 0% overridden by authority. Every workflow step is certified, sequenced, and attributed to a policy or best-practice source — producing the exact evidence package required for compliance review, ERISA defense, or regulatory investigation.

92% policy enforcement rate. 8% priority override rate. 100% accounted for.
Each step attributed to Policy, Sigma (best practice), or Authority
Admin Console - View 04

Operational Oversight

Agent-level operational dashboard. Claims Agent 7 — in-session. 4,725 WF/Policy relevance points at 100%. 748 workflows completed at 99%. 4,320 policy rules enforced. 5 supervisor escalations at <1% escalation rate. This is what governed AI operational accountability looks like at scale.

+22.5% vLW — performance trending above prior week
Drop-in messaging interface for in-session human oversight
Governance Cloud Control Plane

Configure once. Enforce everywhere.

The Notenic Cloud Control Plane is where administrators define governance profiles — industry regulation, organizational policy, role-specific rules, and free-form policy context. These are compiled into capsules on demand and injected into sessions at runtime.

AgentSafe™ Managed Autonomy defines the deterministic response to confirmed manipulation — whether to relay, switch channels, defuse, or revoke. The decision tree is configured here. The enforcement happens in the capsule, inside the client VPC.

Profile Type: Industry Regulation
Profile Type: Organizational
Profile Type: Roles & Functions
Feature: AgentSafe™ Autonomy
Notenic Governance Cloud Control Plane UI

Architecture briefing available for qualified evaluators.

Technical deep-dives, reference architecture documentation, and integration walkthroughs are available under NDA for CTOs, CISOs, and enterprise security teams conducting formal evaluations.
