An AI agent does what you ask — and what it's tricked into, and what it hallucinates. Custodian is a kernel that sits outside the agent and enforces what actually happens: every dollar it spends, every credential it uses, every claim it makes, every tool it runs — checked against real limits and real records, at the OS level, not promised in a prompt.
Need the fast version? Start in the console and let the AI walk you through what Custodian is, then hand you into the operator flow when it matters.
Spend caps and approval flows are commodities now. The hard problem isn't limiting a number — it's that the agent can be wrong, or can lie, and that it shouldn't be trusted to route money through an approved path in the first place.
The control lives in their custodial cloud. The agent reaches money by calling their SDK, and safety rests on the assumption it'll use the approved path. They cap the dollar amount — but never check whether what the agent claims is even true.
The control lives in Landlock + kernel egress policy. The agent literally cannot open a socket to a payment endpoint the OS hasn't allowed. A deterministic verifier checks every fact the agent asserts against ground truth, so it can't lie its way to a payout. Non-custodial, rail-agnostic, self-hosted.
Spend is where it started — but the moment an agent has real-world power, it needs a decider that lives outside it. Money, credentials, truth, tools: Custodian governs all four the same way — the model proposes, the kernel decides, the receipt proves.
Authority bands, per-action caps, daily envelopes, no-self-dealing, and human escalation over the line — enforced below the agent, over your own Stripe. Non-custodial; we never hold funds.
band L2 · cap $250 · over ▸ SMS See it spend live →Paladin hands the agent a reference, never the secret. With sandboxed egress the credential never enters the tool process at all — Paladin makes the authenticated call itself.
paladin://stripe_sk → egress-only Explore Paladin →The kernel pulls every factual claim from a request and checks it against the real record. A lie gets ✗ CONTRADICTED — and the AI's verdict is overridden. The fact-check needs no model at all.
claim ✗ CONTRADICTED · override How Lie-Catch works →Pluggable, hash-pinned adapters catch prompt injection, PII, secret leaks, forbidden paths, and out-of-scope tool calls on every action — enforced even when a local model forgets the rule.
11 built-in guards · ship your own All 11 guardrails →An operator-only kill switch denies everything, with no override the agent can reach. Every allow and deny emits a tamper-evident, HMAC-signed receipt and an OCSF audit event any SIEM can read.
kill ▸ ALL DENIED · receipts signed Watch the live audit →Every other agent stack eventually puts the real API key in the process the model is driving. Paladin never does. The agent holds paladin://stripe_sk — safe to log, safe in context — and the secret resolves only at egress, into a sandboxed call the agent can't read.
pip install custodian-kernel[paladin] — works with zero AI framework installedThe agent reads the messy real world and makes a recommendation. Then three deterministic, zero-AI layers get the final say — and any one of them can stop the money.
Nemotron reads messy, unstructured customer messages and extracts structured claims — was it delivered? in the return window? defective? — assigns confidence, and proposes a disposition it has zero power to act on. Everything after that is deterministic code.
can be wrong · can lie · doesn't matterEvery factual claim the agent made is resolved against ground truth. A claim the data refutes is flagged CONTRADICTED before anything downstream trusts it.
deterministic · zero-AIBands and caps decide AUTONOMOUS / ESCALATE / DENY. Over the cap requires a real human signature (Twilio Verify SMS). The agent never holds both keys.
enforced at OS levelThe agent can lie. Money still can't move wrong. When a customer invents a story to get a refund and the AI recommends approve, the verifier catches that the claim is contradicted by the ledger and the kernel overrides the AI. No competitor can demonstrate this because their model is "agent asks, check the limit" not "agent asks, check if the agent is lying."
NemoClaw is NVIDIA's OpenShell kernel sandbox — a Landlock LSM + OPA enforcement layer baked into the container boundary. Custodian's authority engine runs deterministically inside that sandbox. The agent literally cannot open a socket to a payment endpoint the kernel hasn't whitelisted — regardless of what the model decides.
Linux Security Module enforcing least-privilege file and network access at the syscall boundary. Even a compromised model cannot open a socket to an un-whitelisted endpoint. The kernel rejects it before user-space sees it.
Open Policy Agent evaluates every action request against the authority band in real time. Per-action caps ($250), rolling session windows ($1,000/2 hr), and escalation thresholds are enforced as Rego rules, not application code that can be patched around.
Every allow and deny emits an Open Cybersecurity Schema Framework event: tamper-evident, structured, verifiable by any SIEM. The log below is the live feed from the running sandbox right now.
A real Nous Hermes agent, in a real kernel sandbox, paying real Stripe PaymentIntents — protecting ArgoBox, a production AI infrastructure platform. These numbers are pulled live from the running system as you read this.
The AI reads it. The verifier checks every factual claim against the real order record. When the facts don't hold, the kernel overrides the AI — even if the AI said APPROVE.
Think of it like a new employee at a company. They can fill out a purchase order and decide it makes sense — but they can't sign their own check. The signed check is a separate system, run by people with authority the employee doesn't have.
Custodian does the same thing for AI. The agent (Nemotron) can decide a payment makes sense. But the actual move of money goes through a second system — the kernel — that checks the amount, the session budget, and whether the agent has been tricked. The agent never holds both keys at once.
Every tool call — whether it sends an SMS, submits an NVIDIA NIM inference job, reads a GitHub PR, or posts a Slack message — passes through the same Custodian kernel before executing. One governance layer. Every tool.
Payman, Skyfire, Rain, Ramp, Catena — these are real B2B fintech companies, not hackathon projects. They have card issuance, stablecoin rails, and compliance frameworks we don't. What they don't have is the bottom three rows.
| Capability | Payman · Skyfire · Rain · Ramp · Catena | Custodian |
|---|---|---|
| Spend caps · approval · audit trail | ✓ table stakes | ✓ |
| Real card issuance & payment rails | ✓ (Ramp, Rain) | ✕ not our lane |
| Stablecoin / crypto rails | ✓ (Skyfire, Rain) | ✕ not our lane |
| SOC 2 / KYC compliance | ✓ (Payman, Catena) | ✕ early stage |
| Catches the agent lying — facts vs ground truth | ✕ none | ✓ only us |
| Enforcement below the agent — kernel, not API policy | ✕ none | ✓ only us |
| Self-hosted · non-custodial · rail-agnostic | ✕ they hold the funds | ✓ only us |
| Model-agnostic enforcement — swap Gemini, GPT, or a local DGX model; kernel safety properties don't change | ✕ coupled to their stack | ✓ LLMClient Protocol |
Our differentiator isn't payment infrastructure — it's enforcement architecture. The kernel sits underneath whatever rails and whatever model you use. Plug in Stripe, a bank API, or a stablecoin; swap Nemotron for any other model — the enforcement model doesn't change.
Money is just one module. The same kernel governs every consequential thing an agent does — the credentials it uses (Paladin), the claims it makes, the tools it runs, the data it can move, the infrastructure it touches.