MaatSpec is a layered governance framework for agentic AI — 5 tiers to classify risk, 4 layers to enforce compliance, designed to weight agentic capability against sovereign principal intent.
Detailed breakdown of authority tiers and safety boundaries.
| Tier | Authority Mode | Capability Examples | Risk Profile | Safety Protocol |
|---|---|---|---|---|
| 1–3 | PROACTIVE: INFORMATION & LOGISTICS | | Reversible. Mistakes have zero external or financial impact. | AUTONOMOUS. Proceeds without pause. Maintains comprehensive “undo” logs. |
| 4 | ESCALATE: COMMUNICATION & FINANCE | | Permanent. Involves 3rd parties. Hard to “undo” once executed. | HITL REQUIRED. Human-in-the-Loop. Requires explicit ‘Yes’ from Principal. |
| 5 | RESTRICTED: SYSTEMIC & PRIVACY | | Critical. Threatens privacy, legal standing, or system integrity. | PRINCIPAL ONLY. Requires MFA, Biometric, or direct Principal execution. |
Agents operate in Tiers 1–3 to draft, but “Sending” is a Tier 4 event.
Reading data is Tier 1-3 (Proactive); writing/modifying is Tier 4/5 (Escalate/Restricted).
Only a Tier 5 verified user (The Principal) can unlock restricted actions.
The 4-Layer Defense Model. Classification alone is not governance—each layer compensates for the failure mode of the layer above it.
Layer 1 (Soul): The agent’s foundational identity (SOUL.md) contains a constitutional preamble listing all protected resources. Before any action, the agent performs a mental “preflight check” against its own governance principles. This is self-discipline—the first and fastest line of defense.
Layer 2 (Pre-Flight): An automated check executes before any write, send, or modify operation. If the target resource is classified at a protected tier, the script halts execution and demands the appropriate authorization token. Code does not rationalize.
Layer 3 (Guardian): A dedicated, single-purpose compliance agent with read-only access and veto authority. The Guardian has no “helpfulness” objective—its only function is constitutional enforcement. If it detects a tier violation, it blocks the operation and alerts the Principal.
Layer 4 (Physical): OS-level file permissions, branch protection, MFA gates, and hardware-enforced access controls. No amount of reasoning—by any agent—can bypass a `chmod 444` or a biometric lock. The constraint is material, not cognitive.
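One way to build the Layer 2 gate described above, added here as an example and not taken from MaatSpec or Atlas: it halts unknown and Tier 5 actions, and lets a Tier 4 action through only with an approval bound to that exact action and target. The registry is a constructed sample using action names from this page's harness JSON; `issue_approval`, `preflight`, `PreflightDenied` and the token format are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample registry; action names are taken from the page's harness JSON.
TIER_OF = {
    "web_research": "tier_1_3", "draft_emails": "tier_1_3",
    "send_messages": "tier_4", "one_time_payments": "tier_4",
    "permanent_data_deletion": "tier_5",
}

class PreflightDenied(Exception):
    """Raised when the gate halts an action."""

def issue_approval(key, action, target, expires_at):
    """Principal side: approve one (action, target) pair until expires_at (epoch s).
    Hypothetical token format: "<expires_at>.<hex HMAC-SHA256>"."""
    msg = f"{action}\n{target}\n{expires_at}".encode()
    return f"{expires_at}.{hmac.new(key, msg, hashlib.sha256).hexdigest()}"

def preflight(key, action, target, token=None, now=None):
    """Return the tier if the action may run; raise PreflightDenied otherwise.
    Assumes `key` is held by the gate and Principal, outside the agent's reach."""
    now = int(time.time()) if now is None else now
    tier = TIER_OF.get(action)
    if tier is None:
        raise PreflightDenied(f"{action}: not in registry, denied by default")
    if tier == "tier_1_3":
        return tier  # autonomous; no token needed
    if tier == "tier_5":
        # No token unlocks Tier 5 here: it is left to the Principal and Layer 4.
        raise PreflightDenied(f"{action}: Tier 5 is Principal-only")
    try:
        expires_str, mac = (token or "").split(".", 1)
        expires_at = int(expires_str)
    except ValueError:
        raise PreflightDenied(f"{action}: Tier 4 requires a Principal approval token")
    expected = issue_approval(key, action, target, expires_at).split(".", 1)[1]
    # Constant-time compare; the MAC covers action, target and expiry together.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise PreflightDenied(f"{action}: token does not match this action/target")
    if now > expires_at:
        raise PreflightDenied(f"{action}: approval expired")
    return tier
```

A token stays valid until it expires, so stopping replays within that window needs a single-use record on the gate side. If the agent process can read `key`, it can approve itself, which is why the key has to live with the gate and the Principal only.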
Can an AI truly bind itself? Pure self-enforcement is structurally weak. What makes human constitutions work is not that officials choose to follow them—it is that courts, enforcement mechanisms, and physical power structures compel compliance. MaatSpec applies this same principle to agentic AI.
Each layer compensates for the failure mode of the layer above it. If an agent rationalizes past Layer 1, Layer 2 catches it programmatically. If Layer 2 fails, Layer 3 intervenes independently. Layer 4 is the nuclear backstop that no cognition can bypass.
How enforcement layers map to authority tiers—the higher the risk, the deeper the defense.
Every tier activates enforcement. Tiers 1–3 activate Layers 1 and 2—the agent’s constitutional awareness and a programmatic pre-flight gate ensure correct classification before autonomous execution. Tier 4 retains those layers and optionally activates Layer 3 (Guardian Agent) for independent audit on high-consequence external actions. Tier 5 activates all four layers, creating the full constitutional enforcement stack.
| Tier | Layer 1: Soul | Layer 2: Pre-Flight | Layer 3: Guardian | Layer 4: Physical | Enforcement |
|---|---|---|---|---|---|
| 1–3 Proactive | ✓ | ✓ | — | — | 2 LAYERS: Cognitive + Programmatic |
| 4 Escalate | ✓ | ✓ | ✓ | — | 2+1 LAYERS: Cognitive + Programmatic + Guardian (opt) |
| 5 Restricted | ✓ | ✓ | ✓ | ✓ | 4 LAYERS: Full constitutional stack |
Tier 4 actions activate Layers 1 and 2 as mandatory baseline, with Layer 3 (Guardian Agent) available as an optional enforcement layer. The Soul and Pre-Flight gates handle most escalation requirements. For higher-stakes Tier 4 operations—large payments, public communications—implementers can activate the Guardian for independent audit and veto authority, adding accountability even when the Principal approves quickly.
Tier 5 actions are irreversible, constitutional, or privacy-critical. Every layer activates. The Guardian Agent provides independent oversight with veto power—a separate mind with no helpfulness bias. The Physical layer ensures that even a compromised agent stack cannot execute: the constraint is material, enforced by infrastructure, not cognition.
Every action passes through at least two enforcement layers—because the tier classification itself must be verified before autonomy is granted. An agent that skips the constitutional check on “low-risk” tasks is an agent that decides for itself what’s low-risk. The 4-layer model ensures governance is always present, scaling in depth with the consequences of the action.
Meet Atlas — the first deterministic implementation of MaatSpec. Atlas enforces every tier and every layer through code, not prompts. Agent identity is locked at the runtime level. Write operations pass a code gate before execution. Outputs are validated by an isolated evaluator. Every action is recorded in a tamper-resistant audit trail.
Atlas is not configured — it is enforced. Where MaatSpec defines what governance should be, Atlas makes it impossible to violate. Code does not rationalize. Code cannot be prompt-injected. That is MaatSpec fully realized.
Meet Al — an Executive Assistant and Chief of Staff governed entirely by the MaatSpec framework. Al embodies the full 5-Tier Safety Harness with 4-Layer Enforcement: even autonomous Tier 1–3 tasks pass through Soul and Pre-Flight checks, Tier 4 escalations add optional Guardian oversight, and Tier 5 operations require full constitutional verification across all four layers.
Al is not configured — he is governed. His SoulSpec defines who he is. The Harness defines what he is allowed to do. The Layers define what stops him if he forgets.
```json
{
  "harness_tiered_safety_system": {
    "tier_1_3": {
      "authority": "Proactive",
      "risk": "Low",
      "protocol": "Autonomous",
      "enforcement_layers": ["soul", "preflight"],
      "actions": ["web_research", "summarization", "drafting"]
    },
    "tier_4": {
      "authority": "Escalate",
      "risk": "High",
      "protocol": "HITL_Confirmation",
      "enforcement_layers": ["soul", "preflight"],
      "enforcement_layers_optional": ["guardian"],
      "actions": ["payments", "outgoing_comms"]
    },
    "tier_5": {
      "authority": "Restricted",
      "risk": "Critical",
      "protocol": "MFA_Biometric",
      "enforcement_layers": ["soul", "preflight", "guardian", "physical"],
      "actions": ["json_edits", "system_restarts"]
    }
  }
}
```
```json
{
  "harness_tiered_safety_system": {
    "tier_1_3": {
      "authority": "Proactive",
      "risk_profile": "Low - Reversible/Internal",
      "safety_protocol": "Autonomous Execution (Undo Logs Enabled)",
      "enforcement": {
        "active_layers": ["soul", "preflight"],
        "layer_1_soul": "Rule Zero constitutional check classifies action before execution",
        "layer_2_preflight": "Programmatic validation confirms tier classification"
      },
      "action_categories": {
        "information_management": ["web_research", "summarization", "draft_emails", "file_organization"],
        "logistics": ["reminders", "calendar_sync", "price_tracking", "system_health_monitoring"],
        "creative": ["brainstorming", "code_drafting", "image_generation", "translation"]
      }
    },
    "tier_4": {
      "authority": "Escalate",
      "risk_profile": "High - External/Financial Impact",
      "safety_protocol": "Human-in-the-Loop (HITL) Confirmation Required",
      "enforcement": {
        "active_layers": ["soul", "preflight"],
        "optional_layers": ["guardian"],
        "layer_1_soul": "Agent performs Rule Zero constitutional check before action",
        "layer_2_preflight": "Programmatic validation script gates execution",
        "layer_3_guardian": "(Optional) Independent compliance agent audits high-stakes Tier 4 actions"
      },
      "action_categories": {
        "communications": ["send_messages", "social_media_posting", "share_contact_info"],
        "financial": ["one_time_payments", "subscription_management", "confirm_bookings_reservations"],
        "access_control": ["guest_device_access", "shared_folder_provisioning"]
      }
    },
    "tier_5": {
      "authority": "Restricted",
      "risk_profile": "Critical - Systemic/Legal/Privacy Risk",
      "safety_protocol": "Principal Verification (MFA/Biometric) Required",
      "enforcement": {
        "active_layers": ["soul", "preflight", "guardian", "physical"],
        "layer_1_soul": "Rule Zero constitutional prohibition",
        "layer_2_preflight": "Automated halt on protected resource match",
        "layer_3_guardian": "Independent compliance agent with veto authority",
        "layer_4_physical": "OS-level permissions, MFA gates, branch protection"
      },
      "action_categories": {
        "systemic": ["core_json_edits", "firmware_updates", "os_restarts", "security_api_rotation"],
        "privacy": ["pii_decryption", "id_access", "health_record_access", "contract_management"],
        "authority": ["legal_signatures", "permanent_data_deletion", "modify_safety_constraints"]
      }
    }
  }
}
```
```python
# MaatSpec Action Validator with Enforcement Layer Resolution

safety_config = {
    # (Insert the Expanded Hierarchy JSON above)
}


def validate_action(proposed_task, category):
    """
    Checks the proposed task against the safety system and
    returns the required protocol + enforcement layers.

    `category` is the caller's label for the task; the lookup searches
    every category, so the label does not influence the result.
    """
    tiers = safety_config.get("harness_tiered_safety_system", {})
    for tier_id, details in tiers.items():
        for cat_name, actions in details["action_categories"].items():
            if proposed_task in actions:
                enforcement = details.get("enforcement", {})
                return {
                    "tier": tier_id,
                    "authority": details["authority"],
                    "protocol": details["safety_protocol"],
                    "enforcement_layers": enforcement.get("active_layers", []),
                    "optional_layers": enforcement.get("optional_layers", []),
                    # Only Tier 1-3 runs autonomously; Tier 4 and Tier 5 need authorization.
                    "authorized": tier_id == "tier_1_3",
                }
    # Unknown actions are denied; "authorized" is set so callers can always read it.
    return {
        "error": "Action not found in safety registry. Denying by default.",
        "authorized": False,
    }


# Example Usage:
# result = validate_action("one_time_payments", "financial")
# print(f"Protocol: {result['protocol']}")
# print(f"Layers: {result['enforcement_layers']}")
# print(f"Optional: {result['optional_layers']}")
```
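The validator returns the first tier that lists an action, so a registry that names the same action under two tiers classifies it by whichever comes first. The check below is an added example, not part of MaatSpec: it lints a config in the expanded format for that case and for tiers missing the layers the mapping table requires. `lint_registry`, `REQUIRED_LAYERS` and the sample config are assumptions constructed for illustration.

```python
# Layers each tier must activate, per the page's tier-to-layer mapping table.
REQUIRED_LAYERS = {
    "tier_1_3": {"soul", "preflight"},
    "tier_4": {"soul", "preflight"},
    "tier_5": {"soul", "preflight", "guardian", "physical"},
}

def lint_registry(config):
    """Return a sorted list of problems found in a harness config dict."""
    problems = []
    first_seen = {}  # action name -> tier that lists it first
    tiers = config.get("harness_tiered_safety_system", {})
    for tier_id, details in tiers.items():
        required = REQUIRED_LAYERS.get(tier_id)
        if required is None:
            problems.append(f"{tier_id}: unknown tier")
            continue
        active = set(details.get("enforcement", {}).get("active_layers", []))
        if required - active:
            problems.append(f"{tier_id}: missing layers {sorted(required - active)}")
        for actions in details.get("action_categories", {}).values():
            for action in actions:
                earlier = first_seen.setdefault(action, tier_id)
                if earlier != tier_id:
                    # A first-match lookup would classify by the earlier tier.
                    problems.append(f"{action}: listed in {earlier} and {tier_id}")
    for tier_id in REQUIRED_LAYERS.keys() - tiers.keys():
        problems.append(f"{tier_id}: tier not defined")
    return sorted(problems)

# Constructed sample: send_messages is listed twice and tier_5 lacks "physical".
SAMPLE = {"harness_tiered_safety_system": {
    "tier_1_3": {
        "enforcement": {"active_layers": ["soul", "preflight"]},
        "action_categories": {"information_management": ["web_research", "send_messages"]}},
    "tier_4": {
        "enforcement": {"active_layers": ["soul", "preflight"]},
        "action_categories": {"communications": ["send_messages"]}},
    "tier_5": {
        "enforcement": {"active_layers": ["soul", "preflight", "guardian"]},
        "action_categories": {"authority": ["permanent_data_deletion"]}},
}}

if __name__ == "__main__":
    for problem in lint_registry(SAMPLE):
        print(problem)
```

Running the lint when the registry is loaded, and refusing to start on any finding, keeps a misfiled action from being treated as Tier 1–3.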