RENEX · Read — Enable — Execute
The Consent Layer
Founding principles for agents that take real, consequential actions, and the layer that has to exist before they can.
The Authority Gap
AI agents are no longer experimental. They are operating inside real systems, against real data, on behalf of real people who have every reason to assume that something consequential will not happen without their knowledge and consent. That assumption is currently unfounded. Access control systems were designed for people and grant authority to sessions, not to the humans behind them. Audit systems record what happened, not who was responsible for allowing it to happen. Neither was designed to answer the question that matters most when an agent acts: was a real, accountable human present at this moment, and are they bound to its outcome? Today the answer is no. The agent acts. The human learns about it afterward, if at all. The gap is not one of visibility. It is one of authority, and it is architectural.
Currently, every layer in the stack records what an agent did after the fact. None interposes itself between the agent and the system and binds a person to the agent's actions.
Served Dark by Default
The tool surface available to an agent must be declared explicitly by the system designer and served dark by default. What has not been declared does not exist for the agent. Absence is not denial. An agent cannot reason about, enumerate, or act against a surface it cannot see. This is not a configuration choice. It is a structural requirement.
The level of exposure of consequential data and internal processes to AI agents working within a system must always belong to the system designer and be tunable to their level of risk tolerance. The default level must always be no exposure unless explicitly allowed. Even when an agent accesses adjacent processes, the system allowing AI access must be granular enough to eliminate exposure at the atomic level.
Granularity at the atomic level is the only defensible default. A system that exposes broad surface and asks the designer to restrict downward places the burden of safety on the designer's knowledge of every possible failure mode before any agent has interacted with the system. A system that exposes nothing and asks the designer to declare upward places the burden on intent. Intent is auditable. Unknown failure modes are not.
Undeclared capability is dark, not denied; nothing to enumerate, probe, or talk the agent into. Limiting scope controls what the agent knows.
Scope Alone Doesn't Prevent Action
The second requirement follows directly from the first. Bounding what an agent can see does not bound what it can do within that surface. An agent operating within a declared surface can still execute consequential actions autonomously, without meaningful human review, at a speed and volume that makes oversight nominal rather than real. The surface may be scoped correctly and the execution still unaccountable. AI agents must never mutate consequential data without accountable and auditable human intercession.
Scope limits what an agent can see. It does nothing about what the agent does inside that surface.
The Consent Chain
The largest risk factor in AI operations interacting with real data is twofold. First, the agent cannot bear legal, financial, or organizational accountability for the consequences of its actions. When something goes wrong, the absence of a responsible party is not a recoverable condition. Second, a sequence of actions can each individually clear authorization and still, in combination, produce an outcome no human approved. The access control system has no way to see the aggregate.
Therefore, before any real action is taken against consequential data, an opportunity for review and veto authority must be engineered in such a way as to make bypassing the checkpoint impossible. The consent chain leading to that review event must be auditable, must include the contents of the review itself, and must be unfalsifiable and unique to the event it governs. An identifier linking the real person granting delegate authority to the agent must be attached to the audit artifact. Accountability requires a named human. Auditability requires proof that the human was real, present, and informed at every intercession point in the chain. A chain with gaps in the record of human intercession is not a consent chain. It is a log.
A named human has to own the outcome. Unforgeable proof they were present and informed has to hold at every checkpoint, not just the first.
Execution Belongs to the System
AI agents must never perform system operations or mutate data themselves directly. That must happen only through system events and data flows authorized by the system designer.
The distinction is not semantic. An agent that acts directly against a system is an unaccountable actor. The accountability gap is not recoverable after the fact. The requirement is architectural: execution must belong to the system, not the agent. The boundary between them must be demonstrably impenetrable, not assumed. What the agent produces is a proposal. What the system executes is an authorized event. Those must never be the same thing.
The agent only ever proposes. Whether anything actually happens is the system's to decide; staged, approved, fired exactly once.
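One way the requirements of "The Consent Chain" and "Execution Belongs to the System" can fit together, as an added example that is not RENEX code: the agent can only stage a proposal, an approval binds a named human to the exact content they reviewed, and the system fires each approved proposal once and records it in a hash-linked chain. The names ConsentGate, propose, approve, execute and chain_intact, the HMAC approval key and the ledger are all hypothetical; the approval step is shown as a method here only to keep the example in one place.

```python
import hashlib, hmac, json

# Assumption: key held by the approval service, never the agent (constructed value).
APPROVAL_KEY = b"constructed-demo-key"

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def tag_for(body):
    return hmac.new(APPROVAL_KEY, digest(body).encode(), hashlib.sha256).hexdigest()

class ConsentGate:
    def __init__(self):
        self.staged, self.fired, self.chain = {}, set(), []   # proposals, fired ids, audit chain
        self.ledger = {"acct-1": 100}   # constructed consequential data

    def propose(self, action):          # agent entry point: stages, mutates nothing
        pid = digest({"action": action, "seq": len(self.staged)})
        self.staged[pid] = action
        return pid

    def approve(self, pid, human_id, reviewed):   # binds a named human to what they saw
        body = {"proposal": pid, "human": human_id, "reviewed": digest(reviewed)}
        return {**body, "tag": tag_for(body)}

    def execute(self, approval):        # system-owned: verify, fire once, extend chain
        body = {k: approval.get(k) for k in ("proposal", "human", "reviewed")}
        action = self.staged.get(body["proposal"])
        if not hmac.compare_digest(tag_for(body), str(approval.get("tag"))):
            return "rejected: approval not authentic"
        if action is None or digest(action) != body["reviewed"]:
            return "rejected: approval does not match staged proposal"
        if body["proposal"] in self.fired:
            return "rejected: already fired"
        self.fired.add(body["proposal"])
        self.ledger[action["account"]] += action["delta"]
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        record = {"prev": prev, "approval": approval, "action": action}
        self.chain.append({**record, "hash": digest(record)})
        return "executed"

def chain_intact(chain):                # any edited or removed record breaks a link
    prev = "0" * 64
    for rec in chain:
        body = {k: rec[k] for k in ("prev", "approval", "action")}
        if rec["prev"] != prev or digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Because the approval covers a digest of what the human was shown, a proposal that differs from the reviewed content is rejected even when the approval tag itself is authentic.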