Kernel-enforced authority for AI agents

The first AI agent you can hand a real wallet to.

Custodian is the trust layer underneath. The agent can only request — a deterministic kernel decides. It cannot exceed its limit, approve its own escalation, or lie its way past the rules, because the boundary is enforced below the agent at the OS kernel — not promised in a prompt.

Decision modules: 3
Boundary: ENFORCED AT KERNEL

Why Custodian is different

Everyone gives the agent a wallet.
We give it a kernel.

Spend caps and approval flows are commodities now. The hard problem isn't limiting a number — it's that the agent can be wrong, or can lie, and that it shouldn't be trusted to route money through an approved path in the first place.

Everyone else

A constrained wallet

The control lives in their custodial cloud. The agent reaches money by calling their SDK, and safety rests on the assumption it'll use the approved path. They cap the dollar amount — but never check whether what the agent claims is even true.

Custodian

A constrained kernel

The control lives in Landlock + kernel egress policy. The agent literally cannot open a socket to a payment endpoint the OS hasn't allowed. And a deterministic verifier checks every fact the agent asserts against ground truth — so it can't lie its way to a payout. Non-custodial, rail-agnostic, self-hosted.

How it works

One decision, four independent layers

The agent reads the messy real world and makes a recommendation. Then three deterministic, zero-AI layers get the final say — and any one of them can stop the money.

01 · AI JUDGMENT

The agent requests

Nemotron reads the email, invoice, or task and proposes an action — refund, payment, provision a GPU. It recommends. It never decides money.

can be wrong · can lie

02 · VERIFIER

Facts get checked

Every factual claim the agent made is resolved against ground truth. A claim the data refutes is flagged CONTRADICTED before anything downstream trusts it.

deterministic · zero-AI

03 · KERNEL

The kernel decides

Bands and caps decide AUTONOMOUS / ESCALATE / DENY. Over the cap requires a real human signature (Twilio Verify SMS). The agent never holds both keys.

enforced at OS level

THE MOAT

The agent can lie — and money still can't move wrong. When a customer invents a story to get a refund and the AI recommends approve, the verifier catches that the claim is contradicted by the ledger and the kernel overrides the AI. No competitor can demonstrate this, because their model is "agent asks → check the limit," not "agent asks → check if the agent is lying."
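
The verify-then-decide flow described above, as an added sketch that is not Custodian's own code. The ledger fields, the names Claim, Request, verify and decide, and the rule that a CONTRADICTED claim maps to DENY are assumptions made for illustration; the Landlock and egress enforcement is not modeled here.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    AUTONOMOUS = "AUTONOMOUS"
    ESCALATE = "ESCALATE"
    DENY = "DENY"

@dataclass(frozen=True)
class Claim:
    order_id: str
    field: str        # ledger field the agent asserts something about
    asserted: object  # value the agent says that field has

@dataclass(frozen=True)
class Request:
    amount_cents: int
    ai_recommendation: str  # advisory only; decide() never reads it
    claims: tuple

# Constructed ground-truth ledger (sample data, hypothetical schema).
LEDGER = {"ord_1001": {"delivered": True, "paid_cents": 4200}}

def verify(claim, ledger):
    """Resolve one claim against ground truth; no model in the loop."""
    record = ledger.get(claim.order_id)
    if record is None or claim.field not in record:
        return "UNVERIFIABLE"
    return "VERIFIED" if record[claim.field] == claim.asserted else "CONTRADICTED"

def decide(req, ledger, cap_cents, budget_left_cents):
    """Deterministic policy: refuted facts deny, anything over the band escalates."""
    verdicts = [verify(c, ledger) for c in req.claims]
    if "CONTRADICTED" in verdicts:
        return Decision.DENY, verdicts      # overrides an AI "approve"
    if "UNVERIFIABLE" in verdicts:
        return Decision.ESCALATE, verdicts  # a human has to look
    if req.amount_cents > min(cap_cents, budget_left_cents):
        return Decision.ESCALATE, verdicts  # needs a human signature
    return Decision.AUTONOMOUS, verdicts

# Constructed scenario: the customer says the order never arrived; the ledger says it did.
FRAUD = Request(4200, "approve", (Claim("ord_1001", "delivered", False),))
HONEST = Request(4200, "approve", (Claim("ord_1001", "paid_cents", 4200),))

if __name__ == "__main__":
    for name, req in (("fraud", FRAUD), ("honest", HONEST)):
        print(name, decide(req, LEDGER, cap_cents=5000, budget_left_cents=10000))
```

The model's recommendation travels with the request only for the audit record; the outcome is a function of the ledger, the cap and the remaining budget.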

Not a mockup

Everything here is real, and live right now

A real Nous Hermes agent, in a real kernel sandbox, paying real Stripe PaymentIntents — protecting ArgoBox, a production homelab. These numbers are pulled live from the running system as you read this.

Autonomous budget remaining
LIVE
Real Stripe volume processed
LIVE
Real PaymentIntents created
3
Decision modules on one kernel
  • Real kernel sandbox — least-privilege egress enforced via Landlock, verified in raw OCSF allow/deny logs.
  • Real money rail — Stripe test-mode PaymentIntents you can open on Stripe's own dashboard.
  • Real human approval — escalations send a genuine Twilio Verify SMS code.
  • Rail-agnostic — the same kernel governs refunds, payables, and cloud provisioning (Modal + Azure).

Competitive landscape

Why this isn't another spend-limit tool

The whole category ships caps, approval, and audit. Only one row below is shared — the bottom four, together, are Custodian's alone.

| Capability | Payman · Skyfire · Catena · Rain · Ramp | Custodian |
| Spend caps · approval · audit | ✓ table stakes | |
| Catches the agent lying (facts vs ground truth) | | |
| Enforcement below the agent (kernel, not API) | | |
| Non-custodial · rail-agnostic · self-hosted | ✕ they hold funds | |
| Domain-general — one kernel, many modules | ✕ money only | |

See it run

90 seconds: the agent gets lied to, and the kernel wins

Watch a real agent recommend approving a fraudulent refund — and watch the deterministic kernel override it, with real Stripe IDs and an append-only audit trail.

Demo video drops before submission
In the meantime, the live console is the real thing — every number on this page is pulled from it right now.

Hand your agent a wallet. Keep the keys.

Money is just the first module. The same kernel governs any consequential action an AI agent can take — provisioning, payroll, data egress, infrastructure.