Live execution control · <50ms per envelope

Production agents already issue database deletes, payouts, outbound mail · ungated.

Invariant

Every AI action must pass through a decision layer before it becomes reality.

Veto sits between every agent and every action. It intercepts every database query, API call, shell invocation, and outbound message while it is still in flight.

  • SQL / ORM: writes & destructive DDL
  • HTTP / gRPC: payments · IAM · internal APIs
  • Shell / runner: CI agents · remote exec
  • SES / SMTP: customer-wide blast risk

Timing · consequence

Under 50ms, Veto models what would happen if the action became real, then allows, escalates, or hard-stops the commit.

Production posture

Mandatory infrastructure · not optional tooling. If an action never passes the decision layer, it never touches production.

Logs don't rewind deleted rows · guardrails don't undelete Stripe objects · budgets don't resurrect dropped tables.

Early access

Production environments only · manual onboarding once your execution plane wires in.

Veto never resells addresses. One confirmation · then materially important updates only.

Prefer email? founders@veto.ink

Watch SQL halted mid-flight · continuous evaluation · no silent bypass

Every AI action must pass through a decision layer before it becomes reality.

Mental model

Firewalls sit between the open internet and your servers. Veto sits between your agents and reality.

The same way every packet crossed a policy boundary before it hit a NIC, every AI-issued execution must cross a semantic boundary before it mutates data, moves money, or sends mail.

Execution reality

The gap between how agents ship and how infrastructure must behave.

What exists today

  • Agents execute tool calls the instant the model emits them
  • Logs and traces explain the outage after rows are gone
  • Static roles cannot see intent drift inside a ‘safe’ API

What Veto changes

  • Every query, HTTP call, shell line, and outbound message is intercepted first
  • Every envelope is evaluated with live context and simulated consequence
  • Nothing commits without an explicit allow / escalate / block verdict

Even small error rates compound across chained tool calls. Veto prevents the bad envelope from becoming an irreversible diff. It does not file a ticket about the damage afterward.

Live interception

Under 50ms · before Postgres executes

The moment an action either exists ... or never does.

In under 50ms, before the database connection accepts the statement, Veto terminates the envelope, explains what would have happened, and issues a verdict.

Agent (orchestrator) → Veto (semantic) → Postgres (production)

Raw action stream

DELETE FROM users WHERE last_seen_at < NOW() - INTERVAL '400 days';

Budget tools throttle spend · guardrails skim text · logs narrate outages · Veto blocks execution paths before they mutate production

Consequence simulation

Show what would have happened — then stop it.

Every section below names a concrete outcome: rows deleted, mail sent to your entire customer base, API calls that flip billing state. Veto surfaces that copy before the database driver sends the packet. Every AI action must pass through a decision layer before it becomes reality.

Action intelligence

Veto parses every proposed action, models what it does to live systems, and surfaces the exact blast before a byte commits.

Tool output

DELETE FROM users …

Verdict copy

“This would remove 12,481 live accounts with active billing, not dormant users. Halting before Postgres receives the statement.”

System state · pre-commit (simulated)

  • users rows · 892,041
  • active_subscribers · 12,481 would match WHERE
  • billing_customers · CASCADE delete pending
  • audit_log hot partitions · concurrent writers

What would have happened

This query would have deleted 12,481 user rows and cascaded 218,942 dependents across Stripe mirror, email prefs, and IAM sessions.

Billing artifacts for 9,800+ invoices would hit an irreversible state · recovery commonly measured in multi-day outages, not rollback windows.

This envelope matches destructive SQL verdicts already in your org history
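
A minimal sketch of the pre-commit check described above, added here as an illustration; it is not Veto's code. It rewrites a proposed DELETE into read-only COUNT probes and returns an allow / escalate / block verdict without sending the statement. Assumptions: SQLite stands in for Postgres (so a fixed cutoff date replaces `NOW() - INTERVAL`), and the `subscription_active` column, the threshold, and the names `gate` and `demo_db` are hypothetical.

```python
import re
import sqlite3

# Hypothetical policy values for this sketch.
PROTECTED = "subscription_active = 1"   # rows that must never be bulk-deleted
ESCALATE_FRACTION = 0.1                 # human review above this share of the table

DELETE_RE = re.compile(
    r"^\s*DELETE\s+FROM\s+([A-Za-z_]\w*)(?:\s+WHERE\s+(.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)

def gate(conn, sql):
    """Return (verdict, detail) for a proposed statement without executing it."""
    m = DELETE_RE.match(sql)
    if not m or ";" in (m.group(2) or ""):
        # Fail closed: anything this parser does not fully understand goes to a human.
        return "escalate", "unrecognized or multi-statement SQL"
    table, pred = m.group(1), m.group(2)
    if pred is None:
        return "block", f"unbounded DELETE on {table}"
    try:
        # Read-only probes: same predicate, SELECT COUNT(*) instead of DELETE.
        total = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        hit = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {pred}").fetchone()[0]
        live = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE ({pred}) AND {PROTECTED}"
        ).fetchone()[0]
    except sqlite3.Error as exc:
        return "escalate", f"could not simulate: {exc}"
    if live:
        return "block", f"would remove {live} protected rows ({hit} of {total} matched)"
    if total and hit / total > ESCALATE_FRACTION:
        return "escalate", f"would remove {hit} of {total} rows"
    return "allow", f"would remove {hit} of {total} rows"

def demo_db():
    """Constructed sample data: 10 users, 3 dormant, 1 of those still billing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, last_seen_at TEXT,"
                 " subscription_active INTEGER)")
    rows = [(i, "2024-06-01", 1) for i in range(1, 8)]
    rows += [(8, "2020-01-01", 0), (9, "2020-02-01", 0), (10, "2020-03-01", 1)]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(gate(db, "DELETE FROM users WHERE last_seen_at < '2023-01-01';"))
```

The gate only protects anything if the agent's database credentials cannot reach the server by any path that skips it.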

One mistaken email.send would have blasted every customer. One bad payments API call would have reversed settled funds. The graph is how Veto keeps that story visible before the SDK fires.

Risk graph

See where one action would have landed

Orchestrator → verdict ring → Postgres · mail · payments. Every edge is a system that would move if the action became real. Highlights show the blast envelope Veto resolves before wires run hot.

High blast edges · Normal dependencies

If it only watches, it is not Veto.

Budget products answer “how much?” Guardrails answer “what words?” Observability answers “what blew up?” Veto answers whether the wire should have fired. Every AI action must pass through a decision layer before it becomes reality.

Veto does not monitor agents in the passive sense. It controls whether their actions become real.

They sell

Knobs on top of execution

Veto is

The layer that answers one question: should this action exist at all?

  • Budget runners
    They: Cap how often agents run
    Veto: Stops irreversible commits before they touch your stack

  • Guardrails
    They: Filter prompts and completions
    Veto: Intercepts database queries, API calls, outbound mail, shell — at execution boundary

  • Monitoring
    They: Agents run; dashboards explain wreckage afterward
    Veto: Controls execution · nothing proceeds without verdict

Learning layer

Veto retains the institutional memory of what “almost happened”

Every halt, override, and near-miss sharpens the envelope for your stack. Small miss rates compound across multi-step workflows. Veto tracks the patterns that actually touch your production graph.

  • Envelope matches prior blocked destructive SQL
  • Same shape previously approved on human override

Always-on plane

Continuous evaluation · zero silent bypass.

Agent traffic never skirts the layer: every tool invocation is evaluated in real time, in production, with the same rigor you would demand of a kernel syscall gate. When something is blocked, it never reaches your database pool, mail relay, or cloud control plane.

Live · semantic plane

Agents (LangChain, AutoGen, CrewAI) → Veto (<50ms) → Production DB, AWS / IAM, Stripe, File System

Every action flows through Veto · every hop is evaluated · production systems never see what is blocked

Median envelope 38ms

Engines

Verdict is the gate · commit is privileged.

Each engine feeds the same invariant: every AI action must pass through a decision layer before it becomes reality. Tiny miss rates amplify across sequential tool hops. These checks run on every hop, every time.

  • 01
    Concrete blast

    Row counts deleted, dollars moved, inboxes touched, stated as operations people recognize.

  • 02
    Historical twins

    Compares to destructive envelopes this org already blocked or approved under override.

  • 03
    Intent vs execution

    Flags when “clean up users” becomes “delete active billable accounts.”

  • 04
    Irreversibility

    Surfaces whether rollback is a SQL transaction or a multi-day incident program.

  • 05
    Propagation graph

    Traces DB → billing → mail → IAM so one call cannot hide its knock-on effects.

Drops into any orchestration substrate
LangChain · AutoGen · CrewAI · OpenAI Assistants

Wire the execution plane once. Every runtime inherits the same rule: no agent output becomes a production side effect without passing Veto first.

If agents touch production, omitting Veto is negligence.

Shipping autonomous execution without an intercept that understands consequence is consciously accepting undeletable failures. Teams that treat agents like infrastructure demand the same veto path they insist on for human operators.

If you're running agents in production, you should not run them without this layer.

Request early access →

Production slots limited · prioritized response

Reach founders directly: founders@veto.ink