Stop Surrendering Your Data.
Start Owning Your Boundaries.
Every action proven. Every delegation auditable. Every boundary enforced.
Gold Certified Governance
Both PAP and Chrysalis passed Gold certification today. We built out the Cassandra adversarial scenario library and ran it against both systems - everything held.
Adversarial Testing Highlights
- ✓ Injected governance overrides in handshake data - PAP treated them as literal strings, never executed
- ✓ Forged mandate signatures and expired TTL replays - all rejected by Scope::permits()
- ✓ Delegation chain injection (scope + TTL escalation) - Mandate::delegate() blocked both
- ✓ CEO verbal override after DENIED action - PAP ignored it completely
- ✓ SSRF attempts against Chrysalis via AWS metadata, GCP metadata, and Docker socket URLs - net_guard blocked all three
- ✓ Audit suppression requests - both systems logged the request and continued recording normally
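The delegation-chain result above (scope and TTL escalation both blocked) rests on an attenuation rule: a delegated mandate may only narrow its parent. The following is an added sketch of that rule, not PAP's code or API; `Grant`, its methods, the action names and the integer clock are hypothetical, and signature verification is left out.

```rust
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq)]
struct Grant {
    scope: BTreeSet<String>, // action names this grant permits
    expires_at: u64,         // absolute expiry, seconds (constructed clock)
}

#[derive(Debug, PartialEq)]
enum DelegationError {
    ParentExpired,
    ScopeEscalation(Vec<String>), // requested actions the parent lacks
    TtlEscalation,
}

impl Grant {
    fn new(scope: &[&str], expires_at: u64) -> Grant {
        Grant { scope: scope.iter().map(|a| a.to_string()).collect(), expires_at }
    }

    // Usable only while unexpired and only for actions in scope.
    fn permits(&self, action: &str, now: u64) -> bool {
        now < self.expires_at && self.scope.contains(action)
    }

    // A child may only narrow: scope must be a subset, expiry no later.
    fn delegate(&self, scope: &[&str], expires_at: u64, now: u64) -> Result<Grant, DelegationError> {
        if now >= self.expires_at {
            return Err(DelegationError::ParentExpired);
        }
        let extra: Vec<String> = scope.iter()
            .filter(|a| !self.scope.contains(**a))
            .map(|a| a.to_string())
            .collect();
        if !extra.is_empty() {
            return Err(DelegationError::ScopeEscalation(extra));
        }
        if expires_at > self.expires_at {
            return Err(DelegationError::TtlEscalation);
        }
        Ok(Grant::new(scope, expires_at))
    }
}

fn main() {
    // Constructed sample data: a root grant and one delegated child.
    let root = Grant::new(&["calendar.read", "calendar.write"], 1000);
    let child = root.delegate(&["calendar.read"], 900, 100).unwrap();
    println!("{:?}", child.delegate(&["calendar.read"], 950, 100)); // Err(TtlEscalation)
    println!("{:?}", root.delegate(&["payments.send"], 900, 100));
}
```

Because each link is checked against its immediate parent, a grandchild cannot outlive the child even when the requested expiry is still inside the root's lifetime.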
Breaches Don't Happen by Accident.
These breaches share a single root cause: services acting with assumed, unverifiable authority. No cryptographic proof of what they were authorized to do. No immutable record of what they accessed. No boundary they could not cross. This is not an exotic attack vector. It is the default operating mode of every organization that has not enforced delegation at the protocol level.
These breaches happened in 2026. Not from zero-day exploits. From centralized data ownership, implicit trust, and the absence of cryptographic identity enforcement at the agent boundary.
The Canvas LMS Catastrophe
In May 2026, the ShinyHunters group breached Instructure's Canvas platform, the LMS used by 41% of all U.S. higher education institutions. They stole over 275 million records including student IDs, private messages, and course data across 9,000 schools. Finals were cancelled. Class-action lawsuits followed immediately.
Source: Wikipedia / Fisher Phillips, May 2026
The GitHub Repository Breach
In May 2026, attackers compromised a widely-used coding tool to infiltrate and steal data from thousands of GitHub's internal repositories. If the world's most prominent code-hosting platform cannot secure its own internal boundaries, proprietary intellectual property is at risk on any centralized platform.
Source: TechCrunch / CyberSecurity Dive, May 2026
Healthcare Hacking Incidents in 2025
As of October 2025, the U.S. Department of Health and Human Services had recorded 364 hacking incidents against healthcare organizations. PHI, patient histories, and billing data - all surrendered to platforms never designed to enforce cryptographic identity at the agent layer.
Source: American Hospital Association, Oct 2025
The "Give Us Your Data" Model Has Run Its Course.
The platform era was built on a single trade: capabilities in exchange for data. Every "free" AI service, every managed cloud tool, every third-party integration extracts behavioral data, business intelligence, and competitive advantage from the source. The moment you push back, you lose access to operations you have built your business around. As AI agents proliferate inside these platforms, the extraction compounds. It is no longer just your data. It is your decisions.
Someone Else's Economics
Your AI stack runs on infrastructure whose incentives are not aligned with yours. When their pricing changes, their terms shift, or their platform is breached, your organization absorbs the consequences. You built on their foundation. You do not own it.
The Extraction You Agreed To
Every capability you adopted came with fine print. The behavioral patterns of your users, the IP embedded in your workflows, the competitive intelligence in your business logic: all of it feeds models and metrics you will never see. You traded sovereignty for convenience.
No Proof of Authority
When something acts inside your systems, who authorized it? What was it permitted to access? What did it actually do? In most organizations today, the honest answer to all three questions is that nobody knows. That vacuum is where breaches live and where liability accumulates silently.
Prove. Don't Disclose.
PAP enforces context minimization at the protocol level. Agents verify what they need to act: that a limit is sufficient, that a credential is in good standing, that an authorization holds. They do not see the underlying values. Receipts record the property type that was checked, never the value. Sessions are ephemeral and cryptographically unlinkable. The data that platforms used to extract was never disclosed in the first place. That is the structural difference.
Prove the Claim, Not the Value
Selective disclosure is enforced cryptographically at the request boundary. The agent sees a verified property reference - sufficient to act, insufficient to profile. Over-disclosure is structurally prevented, not policy-trusted. There is no shadow copy of your data in someone else's training set because there was no disclosure to begin with.
Receipts Without Records
Every transaction produces a co-signed receipt - verifiable by any party, immutable by design. The receipt records the property type that was checked and the enforcement proof. It does not record the value. You can audit what happened without recreating the data exposure traditional logging required.
Federated. No Center to Capture.
Discovery happens through federated marketplaces with no central registry, no operator ranking, no token economy. Mandates carry their own expiry; sessions discard their keys at close. There is no chokepoint to accumulate queries, no platform to capture the network effect. The marketplace attests. It does not extract.
Baur Software Gets Your Organization Ready.
No digital transformation required.
We are not building the registry. We are the advisory firm that gets you positioned for this world. Governance, automation, and technical implementation advance in parallel so your AI initiatives move at the speed your business demands without losing control of them.
Assess
We map your current agent landscape: what is acting, what it is authorized to do, and where implicit trust is creating liability. The pap:// Assessment is where this starts.
Govern
We design a delegation model tailored to your sector's regulatory requirements and threat landscape - not a generic playbook retrofitted to your environment.
Implement
We integrate auditable delegation infrastructure directly into your stack. Governance, automation, and development run in parallel, not in sequence.
Aligned to NIST AI RMF · EU AI Act Article 14 · ISO/IEC 42001 · SOC 2 CC6
Your Auditor Will Ask About Agent Governance in 2027.
Have an Answer Ready.
Mid-market and enterprise security teams are being asked to map agent activity to frameworks that did not exist eighteen months ago. We help you build that map before it is on the audit findings list.
8-Week Agent Governance Readiness Review
A scoped, fixed-duration engagement that produces a documented agent inventory, a delegation-model gap analysis mapped to NIST AI RMF and EU AI Act Article 14, and a prioritized 90-day remediation plan. Delivered by named principals - not a junior bench. Begins with the pap:// Assessment to scope effort and price.
Book a Scoping Call