Preview — the identity step runs live VAC biometric verification; the matter administration that follows is an illustrative walkthrough.
VAC Protocol
VERIFIABLE AUTHORITY CHAIN
TRUST & TRIBUNAL · PREVIEW
A briefing for legal practitioners

Who exercised authority — and a sealed receipt that proves it, long after the moment has passed.

Two competent people, verified live — at the moment of the decision.

VAC proves each is competent (authority), genuinely present (live biometric), and that both were there (an immutable audit) — a two-person control built on logins can prove none of that.

The core value for a firm: narrow, bounded delegation of authority to an AI agent, and a tamper-evident audit of exactly what it did within that scope — professional accountability and an evidentiary trail. The live biometric is the high-assurance step-up at the moment that matters most: the high-stakes seal. Every matter on this page turns on a question a court or a tribunal may have to answer years later: did the right person authorise this — or validly delegate it — and can anyone check, independently, that the record has not been altered since?

Why this is breaking now

AI agents made the gap impossible to ignore. In a March 2026 preliminary injunction — Amazon v. Perplexity — a US federal court found Amazon likely to succeed on the claim that an AI shopping agent's access was "unauthorised" as a matter of law even though the user had expressly authorised it: the user's permission did not settle the question. That injunction is now stayed pending a Ninth Circuit appeal, argued June 2026 — the law is unsettled in both directions, which sharpens the point rather than softening it. A principle the market is converging on — liability follows authorisation — holds whichever way the appeal lands: the party that cannot produce the authority trail is the one left exposed.

Australian law reached the same point first, from the other direction. In Pintarich v Deputy Commissioner of Taxation [2018] FCAFC 79, the Full Federal Court held that a computer-generated output was not a valid decision at all: a decision in law requires a human's actual mental process of reaching a conclusion, bound to an objective manifestation of it — the failure Robodebt later made infamous. Every seal on this page is that binding made provable: a verified person, a deliberate act, a signed record that can answer for itself years later.

But the same gap has sat quietly in legal practice for years. A will, a power of attorney, a rental bond — each rests on paper and a witness, relied on long after the signer can confirm anything. The agent cases did not create the problem; they put a clock on it.

The six matters below are the legal vertical: ordinary NSW trust & tribunal work, walked through on VAC rails. The same two primitives reach well past law — that is where this page ends. Pick a matter to walk through it.

Step one · the live part of this build

Verified Human Root — prove a real, present human, live.

Verified Human Root ties every agent action to an accountable human. Being advanced toward IETF standardisation.

In a live deployment the baseline human presence can ride on the firm's existing sign-on (Okta, Entra, FaceID) — VAC integrates rather than replaces it. This bespoke biometric is the high-assurance step-up reserved for the high-stakes seal: face liveness, deepfake scan, and a cross-modal gesture and spoken-number challenge, run live against the VAC production backend. The cross-modal binding is being hardened, so it is shown here as a live capability rather than the gate that mints the credential — either try it, or continue straight to the matters.

Your camera and microphone are used only for this verification step. The recording is sent to VAC's backend to run the liveness and deepfake checks.
For Caroline · read, then react on our call
Standards & IP — a separate note for your judgment

A short, plain-language brief on the standards and intellectual-property decision behind VAC — non-technical, four specific questions I'd value your read on. Separate from the matters above; no need to act on our call, just a read beforehand.

Open the Standards & IP note →

The identity step you just saw is one link in a chain. In a live deployment a firm sets up its organisation and connects its existing sign-on, delegates bounded authority to its people and agents, and every authority decision lands in a single accountability record it can audit.

Set up · your existing sign-on
How a firm onboards

Create the organisation and connect your existing single sign-on (Okta, Microsoft Entra, or similar) — VAC rides on the identity you already run, it doesn't replace it. Then invite your people.

Open the onboarding →
Audit · every decision, provable
The Accountability Console

Where every authority decision lands: the signed record of who authorised what, under which rules, and when — plus every refusal. A live, tamper-evident audit trail an auditor or a tribunal can read. Shows real records from the backend.

Open the console →
Build · for developers & technical teams
The API & developer SDK

The same primitives as a developer API — issue scoped authority tokens, authenticate via API key, your SSO, or biometric, delegate human-to-agent, and pull the signed audit record. Ed25519-signed tokens anyone can verify.

Open the developer docs →

Verified human authority, policy that travels with the work, and a sealed, auditable decision trail are not specific to legal trusts. The same primitives apply wherever who authorised what, under which rules has to be provable after the fact.

Defence & sovereign systems
Chain-of-command authority for autonomous and AI-assisted systems — a verifiable record that a cleared human authorised an action, under encoded rules of engagement, that an oversight body can audit. Sovereignty-sensitive by design: policy stays with the operator, not on a vendor's servers.
Regulated finance & custody
Authorisation trails for high-value transactions where an auditor must later prove a verified human signed off under specific conditions — without exposing the underlying confidential rules.
Critical infrastructure & energy
Verifiable authority for actions on physical systems — who is permitted to act, under what conditions, with a tamper-evident record for the regulator.
Water network AI & operations
An AI recommends a pressure reduction or leak-response dispatch on a district metered area. VAC seals the approving engineer's authority, the action conditions, and the outcome — giving the regulator a cryptographically verified trail of who authorised what, under which operational rules, and when. Walk through the scenario →
See a fit — or know someone who should see this?
If a domain you work in needs verifiable human authority with an auditable trail, or you can introduce us to someone who does, we'd value the conversation.
Start a conversation
What this preview shows: the shape of the flow, built on VAC primitives that already exist — verified identity, a policy-carrying packet that holds the trust's rules, automatic condition-checking, a human authorisation step, and a sealed, lodged decision with an audit trail.
Honest scope · A person authorises every outcome — the protocol speeds the administration, it does not adjudicate. VAC provides the verification and the sealed audit rails; it does not hold or move funds. Cryptographic seal = tamper-evident provenance + audit (zero-knowledge custody is on the roadmap, not in this build).