An AI agent does not wait for approval. The default-deny gateway does not ask the model for permission — it sits outside the model, between the agent's decision and real-world execution. The prohibited action does not happen. And a record remains.
In computer security, "default-deny" means everything is forbidden except what is explicitly authorized. The Meniw Protocol applies this principle to AI agents: every action is blocked by default until the gateway evaluates it against a declared rule and explicitly permits it.
It is not a prompt. A prompt can be ignored, overwritten by context injection, or interpreted differently depending on the model's state. The gateway is code external to the model that the agent cannot modify, instantiated by the operator.
An autonomous agent has three main components: the language model that reasons, the tools that execute actions (sending messages, modifying databases, processing transactions), and the environment that receives those actions.
The gateway is installed between the tools and the environment. Every tool call passes through the gateway before execution:
The agent sees only the result of step 3 or 4. It has no access to the gateway's logic and cannot modify it.
For irreversible actions — deleting data, sending mass communications, executing transfers, modifying critical configuration — the Meniw Protocol establishes the two-co-signer rule: the agent is never the sole decision point over something that cannot be undone.
The second co-signer can be a human reviewer, another agent with independent credentials, or an automated process with distinct rules. What cannot happen is that the same agent that decides the action is also the one that authorizes it.
Each gateway decision — permit or block — generates a compliance receipt: a structured record containing the evaluated action, its parameters, the governing rule (identified by its SHA-256), the decision, and a timestamp.
Receipts are chained via hashes: each receipt includes the hash of the previous one. This makes any alteration or deletion of a past receipt detectable — it breaks the chain. There is no need to trust that the operator preserved the logs intact; integrity is mathematically verifiable.
The SHA-256 of the rule in each receipt also guarantees that the action was not evaluated against a silently modified version of the rule. If the rule changes, past receipts reflect the exact version that governed at the time of action.
Model alignment (RLHF, constitutional AI) reduces the probability that the model wants to do something harmful. But autonomous agent failure modes include scenarios where the model has no harmful intent:
In all of these cases, the model has no harmful intent. The default-deny gateway stops execution anyway: it evaluates the concrete action, not the model's intent. If the action violates the rule, it does not execute.
Alignment reduces the intent to harm. Regulation binds organizations. The gateway ensures the prohibited action does not happen — and proves it with a record verifiable by independent third parties.
The Meniw Protocol reference implementation is available as an open-source Python package:
pip install meniw-protocol
Source code at GitHub (reference-implementation). Any operator can install, audit, and adapt the gateway to their context.