Watch the structural difference

An LLM guesses.
RAG paraphrases.
Ctrl AI cites a signed contract.

Same question. Three architectures. Watch how each builds its answer — and why only one of them cannot make the answer up.

See it live (90s tour)Start free trial
Same question·What's our travel approval threshold for trips over $2,000?
Generated answer
Awaiting prompt…

14-day free trial · No credit card required · Cryptographic receipts on every invocation

The problem

Stateless AI breaks at three places.

ChatGPT Teams, Copilot, Glean, custom RAG — they all share the same shape: a chat box that takes a prompt, generates a paragraph, forgets when the tab closes. A colleague has memory, commitments, and doesn't make things up. The architecture has to deliver these by construction, not by prompt-engineering.

No memory of company state

Every conversation starts from zero. The agent doesn't know what's currently in flight, who owns what, what was decided last week.

No commitment to outcomes

The agent answers the immediate question. It has no concept of standing objectives. It cannot pursue work between prompts.

No structural prevention of hallucination

Even RAG-with-citations is the LLM reading prose and generating prose — the interpretation step is where freelancing happens.

Ctrl AI's answer: three atoms — Capability, Case, Goal. Skills, memory, direction. Everything an agentic company needs.

01 — Capability

The HOW — five ways the agent is allowed to act.

Every Capability is signed, typed, and callable. The implementation is one of five kinds. Click any kind to see a real, working example: same typed anatomy, different mechanism inside.

The five implementation kinds · click to inspect

Selected capability · typed contract

Deterministic

v1
compute-travel-expense-pre-approval
verified

Decides which approver a trip needs based on a typed cost ladder. Same inputs always produce the same outputs.

312 invocations· last invoked May 6
When to use
  • Pure function · no LLM in the loop
  • Reproducible · same inputs → same outputs
  • Sandboxed Deno runtime
Input · 2 fields
  • Trip Coststringrequired

    currency

  • Destinationstringrequired

    domestic | international

Output · 2 fields
  • Approverstringrequired

    manager | dept_head | vp | cfo

  • Thresholdstringrequired

    currency

Post-conditions · 2
  • errorapprover in {manager, dept_head, vp, cfo}
  • errorthreshold > 0

How it runs

/api/capabilities/compute-travel-expense-pre-approval
invoke "compute-travel-expense-pre-approval"
{ "tripCost": 2500,
  "destination": "domestic" }
sandbox · Deno
function approver(cost) {
  if (cost <= 2000) return "manager";
  if (cost <= 5000) return "dept_head";
  if (cost <= 25000) return "vp";
  return "cfo";
}
typed output (8 ms)
{ "approver": "dept_head",
  "threshold": 2000 }
post-conditions 2 of 2 · receipt signed
trust verified
Every successful invocation is signed and anchored to a tamper-evident transparency log.

Deterministic. Code in a sandbox. Math, threshold checks, lookups.

Browse the live Capability Library
02 — Case

The WHAT-IS-HAPPENING — anything in flight, with a typed memory.

A Case is durable per-decision state with an append-only event log. A hire, a deal, an escalation, a loan, a vacation request. Pick any one — the same shape: live state, event log, every event references a signed Capability invocation.

Cases come in every shape · click to inspect

Selected case · live state + event log

Hire(Sarah Chen)

in progressHirelifecycle: in progress
Current statelive
NameSarah Chen
Start DateJun 1, 2026, 12:00 AM
TeamFinance
Emailschen@acme.com
Laptopordered
JIRAcreated
Welcome Kitsent
updated May 6, 8:49 AM
Events· 4
  1. createdagent
    TextHire(Sarah Chen) · Finance
  2. invokedagent
    invocation inv_case_xy7_1
    Textprovision_email · schen@acme.com
  3. gateagent
    Textprovision_jira · ⌃ Sarah approved
  4. invokedagent
    invocation inv_case_xy7_3
    Textsend_welcome_kit · receipt #6184
Open a real Case in the demo
03 — Goal

The WHY — standing directives the agent pursues, on every horizon.

From a single hire today to a quarterly revenue target to your company's open-ended commitments — every Goal has the same typed shape: title, success criteria, horizon, signed owner. Some criteria carry expressions that auto-evaluate after every relevant Capability invocation. The agent measures progress without you typing.

Goals across every horizon · click to inspect

Selected goal · full anatomy

Hit Q3 revenue target $4.5M ARR

activequartercriticalsigned

Quarterly revenue commitment. Mix of new logos and expansion.

Due Sep 30, 20262/3 criteria · 67%
Success criteria · 2/3
Related Capabilities · 2
lookup-crm-pipeline-summarysummarize-renewal-risk
Events
No events yet.

The natural hierarchy

Company DNA
open · always-on
Quarter goal
3 months
Sprint / week
1–4 weeks
Today
hours · days
Now / asap
this turn · ephemeral
Every Goal nests under another. Quarter goals decompose into sprint goals decompose into today goals — the agent surfaces the highest-leverage rung on every /ask.
Inspect a real Goal's criteria
Composition in /ask

Goals surface. Capabilities act. Cases remember.

User opens /ask. The prelude already knows what's in motion.

Sarahnotes

Your active goals:

  • Close Q3 books by April 5 · 3 days · 71% complete · 7 unmatched invoices
  • Onboard Mark Liu by April 12 · 8 days · 30% · laptop ordered, JIRA pending
  • Hit Q3 revenue target · 64 days · forecast 84% of target · 5 deals in pipeline

Highest-leverage right now: 5 of the 7 unmatched invoices fit our standard reconciliation pattern. I've drafted resolutions, awaiting your sign-off. Approving moves Q3-close from 71% → 90%. Want to walk through the 5 quick approvals first?

Under the hood (one /ask turn)
prelude active goals, in-flight cases, related capability slugs ranked
tool invoke_capability("reconcile-invoice", inputs, case_id)
· post-conditions checked · receipt signed · CaseEvent appended
auto-eval Goal criteria expressions evaluated; matched ones flip met
synthesis prose with [cap:reconcile-invoice#inv_84] citations · trust: verified
One minute later: a quarter-horizon Goal moved 19 percentage points without a single typed question.
04 — The architectural commitment
"The LLM produces only prose narration. Every factual claim traces back to a typed Capability invocation, cited inline. The synthesis turn is rhetoric, not knowledge."

This is the rule that makes hallucination structurally hard rather than statistically less likely. Every Ctrl AI answer ships with one of five trust levels — click any to see what it actually looks like.

Verifiedtrust level
For a $2,500 domestic trip, the approver is your department head. The next tier kicks in at $5,000 (VP-level).
Source: compute-travel-expense-pre-approval · receipt #4912
When this trust level fires

An invocable Capability matched and ran cleanly. Post-conditions passed.

Five honest answer modes

Every Ctrl AI answer ships with one of five trust levels. The agent never silently freelances. The visitor learns to read the gradient at a glance.

05 — Verifiable receipts

Verifiable by anyone. Offline. Forever.

Every successful Capability invocation produces an Ed25519-signed receipt anchored in a tamper-evident transparency log. External auditors verify any answer offline against your published key. The Trust Portal at /portal/<your-org> is a public artifact procurement reviewers walk through with a recipe — no contract, no demo call.

1The receipt
Capability receipt signed
Capability
send-customer-renewal-email
Invoked
2026-05-12T09:00:01Z · 720ms
Signers
Sarah+Mark
Trust
verified · post-conditions 2/2
Signature
ed25519:7d3f…8b91
Log entry
tree-size 18,342 · index #4912
Root hash
8a4d…f102 (chained)

Cryptographically binds the Capability slug, inputs, outputs, invocation timestamp, and the signers' keys. Two people stand behind every destructive answer.

2Verify it yourself · 3 lines
~/audit
# 1. Pin the publisher's key
$ curl \
  https://ctrlai.com/.well-known/ctrlai/receipt-keys

# 2. Fetch the receipt + inclusion proof
$ curl \
  https://ctrlai.com/api/receipts/01KQ…GAPXC

# 3. Verify offline · no network
$ ctrlai-verify receipt.json --jwks keys.json
  ✓ signature valid (ed25519)
  ✓ inclusion proof verifies
  ✓ tree-head matches pin (18,342)
  receipt verified · trust=verified

External auditors verify against your org's published key without contacting your servers. Transparency-log anchoring proves history hasn't been rewritten since their last pin.

3Trust Portal · public
ctrlai.com/portal/acme public

Transparency log status

Total signed actions
18,342
Log size
18,342
all anchored
Latest entry
30s ago
Current root hash
8a4d3f7c91b8e0f24a9c5d1e6f3b7a8c2d1e0f9a4b3c2d1e6f8a4d3f7c91f1024c

Pin this hash. If it changes for any historical entry, the log was rewritten — and our published Ed25519 key chain will tell you exactly where. Live JSON.

Recent verified actions

showing 5 of 18,342
Send customer renewal emailsend-customer-renewal-email@v3
S.K. (author)M.C. (auditor)·30s ago·log #4912
Verified
Lookup CRM pipeline summarylookup-crm-pipeline-summary@v2
J.M. (author)·2m ago·log #4911
Verified
Compute customer healthcompute-customer-health@v1
J.M. (author)·12m ago·log #4910
Verified
Validate business reasonvalidate-business-reason@v4
S.K. (author)·31m ago·log #4909
Verified
Evaluate business expenseevaluate-business-expense@v2
S.K. (author)M.C. (auditor)·1h ago·log #4908
Verified
3-step verify recipectrlai.com/portal/acme#verify

No login required. Procurement opens it, sees the transparency-log head, the recent signed receipts feed, and the verify-it-yourself recipe. Compliance evidence stops being a contract artifact and becomes a URL.

Compliance evidence on demand
Auditor asks for proof. You hand them a URL. They verify offline.
Cannot be rewritten
Append-only chained-hash log. Any tampering breaks the chain anyone has pinned.
Portable across vendors
Receipts and the published key outlive Ctrl AI. Your audit trail is yours.
Open the live Trust Portal
06 — The agentic operating layer

/ask is just the simplest mode.

The same three primitives serve every shape of work — proactive agents, multi-step procedures, cross-department reasoning, and your company as a typed API for other AI tools.

Mode B

Triggers

Signals
Capability invoked
cron · daily 0900
recompute-pipeline-summary
webhook · stripe.refund > $1k
evaluate-refund-request
threshold · health-score < 50
summarize-renewal-risk
goal-state · 3d to deadline
assess-blockers
Capabilities fire on signals from the world — not user prompts.
Mode C

Long-running cases

  1. Day 0open caseuser
    Hire(Sarah Chen) · Finance
  2. Day 0invokedagent
    provision_email · provision_laptop
  3. Day 4resumeuser · new session
    what's next on Sarah's onboarding?
  4. Day 4loaded stateagent
    8 events · email ✓ · laptop ✓
  5. Day 7invokedagent
    send_welcome_kit · receipt #6184
Multi-session decisions accumulating in a Case. Resume in any session.
Mode D

Cross-system orchestration

1
validate-business-reason
✓ reasonable
2
compute-pre-approval
✓ approver = dept-head
3
⏸ gate · ⌃ Sarah
approved via Slack magic-link
4
update-crm-record
✓ side effect confirmed
destructive
5
send-customer-email
✓ Resend providerId msg_4912
destructive
all 5 receipts chained · root receipt covers the whole procedure
Composed procedures with gates and external writes. Every destructive step pauses for a human.
Mode E

Multi-agent

⌃ Sales · asking agent
invoke consult_agent("legal", "review-clause")
⌃ Legal · called agentdepth 1
invoke review-vendor-contract
{ verdict: "clean", risks: [] }
⌃ Sales · resumes
"Legal cleared the contract. Ready to send."
trust = min(Sales · Legal) · both signers on the receipt
Department agents call each other through consult_agent. Trust = worst-case across signers.
Mode F

Self-improvement loop

  1. Coverage gaps observed
    Neural-trust answers · failing post-conditions
  2. Daily proposal pass
    Aggregator drafts candidate Capability specs
  3. ⌃ owner reviews + signs
    Spec → typed schema · post-conditions · runtime
  4. Catalog densifies
    Next gap is rarer · trust gradient shifts toward Verified
Coverage-gap rate 18% Y14% Y3 · the moat compounds
Coverage gaps propose new Capabilities. The catalog sharpens itself — daily.
Mode G

Company-as-MCP

~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "ctrlai-acme": {
      "url": "https://ctrlai.com/api/mcp/acme",
      "headers": {
        "Authorization": "Bearer ctrlai_pk_…"
      }
    }
  }
}
Reachable from
Claude Desktop
Same dispatcher
Same audit
Destructive
blocked
Your verified Capabilities become MCP tools. Claude Desktop, Cursor, Code call your governed contracts.
Watch the agent run on a real question
Versus everything else

Stateful + directed + verified.

None of the four feature buckets is novel in isolation. The combination is the architecture.

ConcernChatGPT Teams / CopilotRAG / GleanCustom agent frameworksCtrl AI
Memory across sessions~Cases hold typed state + event log
Standing objectives between promptsGoals drive selection, triggers, prelude
Hallucination prevention~ RAG cites prose~ tools but no governanceCapabilities are the only fact source
Audit trailConversation history, brittleCitation refs, brittleLogsCryptographic receipts + Case events
What the AI is allowed to doImplicitImplicitTool list, unsignedFinite catalog of signed Capabilities
Action vs answerMostly answersAnswers onlyActs, no governanceActs on triggers · destructive ops gated
Pricing

Three primitives. Three plans.

Every plan ships Capabilities, Cases, and Goals. You pick the governance depth.

Starter

$12/ user / month

Solo founders + small teams getting their first 20 Capabilities signed.

  • Up to 50 signed Capabilities
  • Cases + Goals, full audit log
  • Public Trust Portal
  • Standard data connectors
  • Inference at pass-through cost (no provider account needed)
Start free trial
Most popular

Professional

$25/ user / month

Operating teams: Triggers, MCP server, BYOK, dual-signature.

  • Everything in Starter
  • Triggers (cron, threshold, webhook, goal-state)
  • Public MCP server endpoint
  • Dual-signature on destructive Capabilities
  • BYOK (Anthropic, OpenAI, Gemini)
  • Self-improvement aggregator
Start free trial

Enterprise

Customfrom $40 / user / month

Regulatory-grade. VPC, on-prem, sector compliance, dedicated CSM.

  • Everything in Professional
  • On-prem or VPC deployment
  • SOC 2 Type II · Basel III · sector-specific
  • Domain-level access control + data residency
  • Custom connector development
  • SLA + dedicated CSM
Contact sales
14-day free trial
No credit card required on any plan.
Annual plans save 20%
Commit to a year, pay 10 months.
Inactive seats billed at 20%
Members idle 90+ days drop automatically. Reactivate any time.
BYOK on Pro & Enterprise
Your Anthropic/OpenAI/Gemini key. Pay the provider directly.

All plans include AES-256-GCM encryption at rest, audit logging, and Ed25519-signed receipts anchored to a transparency log.

Frequently asked questions

Skills. Memory. Direction.

Sign your first Capability, open your first Case, commit to your first Goal — in a 30-minute trial.

Start free trial Take the live tour

14-day free trial · No credit card required