Newsletter

GAB-OI: The Missing Boundary Between AI Agents and the Real World

Ande Turner

4 min read

Ande here.

I got to my 26th iteration, about 20 hours of compute, and I decided it was time to publish what I have rather than keep polishing in private. Not because it is perfect, but because I think a lot of people are quietly rebuilding the same missing layer in their own heads, their own codebases, and their own incident reviews.

The short version is this: we keep giving “agents” the ability to touch the world, and then we act surprised when the world gets messy.

So I wrote GAB-OI.

GAB-OI is a Governed Agent Boundary. It is a closed-world gateway spec that sits between an OI-style agent and anything the agent can affect, like tools, files, networks, money, and people. The boundary’s job is not to be clever. Its job is to be strict, legible, and verifiable.

Below is the W5H1 for two things:

  1. the process of creating the spec, and
  2. what the spec is actually trying to do.

The process of creating GAB-OI (W5H1)

What did I do?

I wrote a governance and conformance spec for an agent gateway, then red-teamed it, then rewrote it, then red-teamed it again. Over and over. The “iteration count” is not a flex, it is evidence that every time you think you have a clean model of agent safety, a new edge case appears. If you do not hunt them, they will find you later.

Why did I do it?

Because the failure mode I kept seeing is not “the model is evil.” It is that the system has no clean boundary between words and actions. People talk about safety, policy, alignment, guardrails. Then a tool call fires. Then something goes wrong. Then nobody can answer the basic questions: what was requested, what was allowed, why was it allowed, and what exactly happened.

I wanted a design where accountability is not a moral stance. It is an artifact.

Who was it for?

First, for me, because I am building systems where governance cannot be hand-waved. But also for anyone building agents who will eventually need to justify their decisions to someone outside the engineering team: users, auditors, partners, regulators, customers, and sometimes their own future selves.

When did it become “real”?

When the spec stopped being a manifesto and started being a test suite in spirit, even if not in code. The moment you can say “this must deny” and write a conformance vector for it, you are no longer debating vibes. You are defining behaviour.

A lot of my iterations came from forcing myself to treat ugly realities as first-class:

  • network partitions mid-action
  • retries that duplicate tool invocations
  • partial completion with unclear state
  • delegated permissions that look harmless in isolation
  • slow drift where a system becomes permissive because it is “annoying” to deny

The spec is where those realities are forced to face rules.

Where did the work live, conceptually?

At the boundary between an agent substrate and execution. Not inside the model. Not in a prompt. Not in an operator’s good intentions. At the choke point where requests become actions.

How did I build it, practically?

By committing to a few discipline rules and then letting them shape everything:

  • Closed-world assumption: if it is not explicitly allowed, it is denied.
  • Deterministic evaluation: same inputs should produce the same decision.
  • Fail-stop semantics: uncertainty should halt, not improvise.
  • Receipts: every meaningful decision produces a record that can be audited later.
  • Conformance mindset: if you cannot test it, you cannot claim it.

Iteration happened because each new rule creates its own attack surface. You patch the hole, then you patch the patch.

What GAB-OI is (W5H1)

What is it?

GAB-OI is a specification for a gateway that mediates all agent actions. It defines:

  • how an agent requests an action
  • how policy is evaluated
  • how authority is represented (capabilities, scopes, constraints)
  • how delegation works without becoming an escalation ladder
  • how failures, partitions, and resumption are handled
  • what gets logged, what gets receipted, and what must be verifiable

It is intentionally not “a model behaviour guide.” It is system governance.

Why does it exist?

Because agents are not just chat. The second an agent has tools, it becomes a process that can cause real changes. Once real change is possible, you need three things:

  1. Permission that is explicit Not “it seems okay,” not “the user probably wanted it,” not “the model sounded confident.” Explicit, scoped authority.
  2. Decisions that are reproducible If the gateway behaves differently today than it does tomorrow for the same request, you cannot audit it. You cannot improve it. You cannot defend it.
  3. Proof that survives the argument A receipt is not a marketing claim. It is a record that can be checked.

Who is it for?

Builders, primarily. People shipping agentic systems. People integrating tools. People who have already had the sinking moment where a system did something “reasonable” and yet everyone still lost trust because there was no clear accountability trail.

Secondarily, it is for anyone who has to evaluate agent systems from the outside. If you are not technical, your instinct is still correct: “show me what stops it.” GAB is an answer that can be shown.

When should you care?

When your system can do any of the following:

  • send messages or emails
  • write to files or databases
  • browse, scrape, or exfiltrate data
  • execute commands
  • move money or trigger purchases
  • act on behalf of a person in a way that creates consequences

If it can touch anything that matters, the boundary matters.

Where does it sit?

Between the agent and the world. It is the mediator. The agent can propose. The gateway disposes. Tools do not run because the model said so. Tools run because the boundary allowed it under a capability that can be inspected.

How does it work, at a high level?

The core mechanics are boring on purpose:

  • The agent submits a structured request.
  • The gateway checks the request against policy and capability scope.
  • The gateway either allows with constraints, denies, or degrades to a safer mode.
  • The gateway emits a receipt: what was requested, what decision was made, why, and under what authority.
  • If the network breaks mid-flight, that break becomes a governance event with defined resumption semantics, not a silent gap.

The idea is to remove the grey zone where an agent can “kind of” do something because nobody wrote down what “kind of” means.

The subtle claim I am making

GAB-OI is not an ethics essay. It is a bet that the next phase of AI is not won by sounding safe, but by being structurally governable.

If you want agents in real environments, you need something like this. Not necessarily my version, but a version that can survive contact with real failure modes and real incentives.

A capable agent without a governed boundary is a promise with legs. A governed agent boundary is a system you can actually point to when someone asks, “what stopped it?”

Read more

Sacred Geometry: From Token to Metaverse within the Universally United Unionisation that is Totality

Definition Sacred Geometry (in our arc): the disciplined progression of universally invariant form… beginning at the smallest unit of symbolic distinction (the token) and unfolding through symmetry, reflection, discretisation, and recomposition… until it becomes metaverse-class structure inside a single coherent union (Totality). Explanation A token is not a number… it’

By Ande