PRIVATE BETA · COHORT 02 / FOR AI LABS & TIER-1 INSTITUTIONS

Your agents stop one step short of execution.
We're the layer after that.

Frontier-lab agents draft, escalate, flag, and screen — awaiting human approval before anything moves money. That posture is tenable for the launch. It will not survive the 2027 RFP cycle.

Blockdaemon is the policy and signing primitive that lets agentic systems act inside regulated institutions. On-premise. MPC-secured. Regulator-verifiable. Six years operating this layer at institutional scale.

bd-execution-layer · session.0x7af2 v0.7.1
Operating the execution layer for
BNY JPMorgan Goldman Sachs Citi Visa Fidelity DTCC
[ 01 ] By the numbers // production scale, six years
AUM secured
$110B+
Across regulated institutions
Institutions served
400+
Banks · custodians · asset mgrs
MPC in production
6yrs
Zero key compromise events
Platform uptime
99.9%
ISO 27001 certified
[ 02 ] The problem the existing stack cannot solve // the initiator is no longer trusted

HSMs and policy engines were built for a world where the application calling the signing operation is trusted. The trust boundary is "did this call come from our authorized application server."

That assumption collapses the moment an LLM is in the loop. The application server is now hosting an agent that can be prompt-injected, hallucinate counterparties, and compose technically valid but semantically catastrophic transactions.

The HSM happily signs — as far as it knows, the right service made the right call. Bolted-on prompt filters are not effective challenge in the SR 11-7 sense. They are product hygiene. What passes a Big Four audit is categorically different.

International Monetary Fund · April 2026
"Financial institutions must invest in technical architectures that separate agentic reasoning from payment execution."
— IMF Fintech Note 2026/003
The PRA, BoE, and FCA have named agentic AI in payments and markets as 2026 supervisory priorities. The window for "we'll figure it out later" has closed.
[ 03 ] The primitive // four properties, on-premise
01 / SIGNING
MPC threshold signing — initiator untrusted by design
The key never exists in one place. Signing requires a coordinated protocol across independent parties — different machines, operators, jurisdictions, clouds. No single party can unilaterally cause a signing to occur. A sentence the CRO can say to a regulator.
FROST GG20 N-of-M quorum
02 / POLICY
Agent-aware policy — natively, not bolted on
Policy is a function of agent identity, model version, prompt-chain attestation, intent provenance, and approval flow. Each MPC participant evaluates independently before contributing its share. Bypassing policy means compromising multiple independent parties simultaneously.
Know-Your-Agent Model attestation Intent provenance
03 / DEPLOYMENT
On-premise, customer-controlled keys
The signing infrastructure runs inside the institution's perimeter. The bank attests to the controls — not the AI vendor. Satisfies OCC third-party risk, DORA ICT obligations, and the SR 11-7 effective-challenge requirement that the control function be separable from the model.
On-prem VPC-isolated Air-gap optional
04 / ATTESTATION
Cryptographic attestation — Big Four auditable
For every agent-initiated action: a verifiable record of which policy was in force, what the agent's intent was, who attested, and which control gate fired. The artifact a Big Four auditor and a Basel examiner both accept. Not "we logged it" — provably enforced at the moment of signing.
Merkle-attested SOC 2 Type II Basel-ready
[ 04 ] Architecture // separating reasoning from execution
AGENT LAYER · INITIATOR UNTRUSTED Claude · GPT · in-house agents · third-party agents prompt-injection surface · hallucination surface · non-deterministic outputs CLD GPT IH policy-bound intent BLOCKDAEMON EXECUTION LAYER · ON-PREMISE 01 · IDENTITY Know-Your-Agent ▸ agent ID ▸ model version ▸ prompt chain ▸ intent hash 02 · POLICY Distributed eval ▸ counterparty ▸ velocity limits ▸ quorum rules ▸ jurisdiction 03 · MPC SIGNING Threshold quorum ▸ no key in one place ▸ N-of-M parties ▸ jurisdictional split ▸ FROST / GG20 04 · ATTESTATION Audit artifact ▸ merkle proof ▸ policy snapshot ▸ regulator export ▸ Big-4 ready CUSTOMER-CONTROLLED KEYS · VPC-ISOLATED · AIR-GAP OPTIONAL attested action PAYMENTS & SETTLEMENT Wires · FX · DvP SWIFT · CHIPS · Fedwire · on-chain CUSTODY & STAKING Vaults · 50+ chains Institutional · self-custody · RWA ISSUANCE & OPS Mint · Burn · Reserves Stablecoins · tokenized funds · MiCA

The AI vendor is not in the signing path. The bank attests to the controls. We provide the primitive that makes the attestation possible.

[ 05 ] What the existing stack does not catch // concrete agent failure modes

General agent guardrails stop a hallucinated email. They do not stop a $40M wire. Threat model, verifiability requirements, audit posture, and regulatory exposure are categorically different.

Agent
Attack vector
What we catch at the signing boundary
Treasury rebalancing
Prompt-injected via attacker-controlled invoice PDF or vendor email; steered into draining reserves to an attacker address.
Counterparty allowlists, velocity limits, intent-provenance verified independently by each MPC party before any share is contributed.
SOX 404 · OCC TPRM
FX / securities settlement
Misrouted instruction without upstream trade attestation — single point of failure for entire post-trade chain.
Settlement instructions cryptographically bound to attested upstream trade lineage. No lineage, no signing.
DORA · SR 11-7 · Basel III
Portfolio rebalancing
One prompt-injection or model regression produces fiduciary breach applied across every account simultaneously.
Position limits, concentration rules, and best-execution constraints enforced at the signing boundary — not in the prompt.
Inv. Advisers Act · MiFID II
Stablecoin mint / burn
Compromised data feed or prompt triggers unauthorized mint — one injection away from a depeg event.
Mint operations bound to attested reserve proofs. Distributed signing across compliance, ops, and treasury.
MiCA Title III/IV · GENIUS Act
[ 06 ] The compliance surface // what we satisfy out of the box
SR 11-7
Effective challenge
Separable, independent control function able to stop the model. Bolted-on prompt filters do not qualify. Our policy layer does.
DORA
ICT third-party resilience
Testable control surface for every agent-initiated action. Auditor can demonstrate what the control did during an incident — not just what the model output was.
OCC TPRM
Third-party risk
Bank attests to controls itself, not the AI vendor. On-premise deployment satisfies the third-party risk obligation directly.
MiCA
Stablecoin governance
Article 34 and 36 obligations on mint/burn governance, demonstrably enforced at the cryptographic signing layer.
GENIUS Act
Reserve attestation
Monthly reserve reports cryptographically tied to signing events. CFO can certify without an "and we let the LLM mint" footnote.
SEC / IAA
Fiduciary duty
Policy enforced at execution, not just prompted. CCO has a verifiable record per trade — what passes a Big Four audit.
// ACCESS REQUEST · COHORT 02

Engage early.

Private beta cohort for AI labs, Tier-1 banks, and asset managers planning agent-initiated execution. Architecture conversations with our platform engineering team — not sales decks.

5-day reply SLA NDA available No marketing list
A human replies within 5 business days. No newsletter, no list.

Request received.
Expect a reply from platform engineering within 5 business days.

HSMs were built for a world where the initiator is trusted. MPC is the only architecture where the initiator can be untrusted by design — which is the world we're in the moment an LLM is in the loop.