ARX — AI Workforce Infrastructure

arxsec-site / OVERVIEW.md

ARX is the operating model for the digital workforce. The same way Workday is the system of record for human employees, ARX is the system of record for AI agents — the platform that gives every agent your enterprise hires the five things every human employee gets on day one.

Take any of those five things away and you don't have an employee. You have a stranger with access. Right now, every AI agent your enterprise has deployed is a stranger with access. ARX fixes that — not by adding more reviews, but by changing the layer of the problem. Workforce infrastructure underneath the agents makes the questions security has to answer answer themselves.

The five pillars

Every digital employee runs through the same five primitives. The CHRO's vocabulary, applied to the digital workforce.

1. Onboarding — the badge. An identity issued at hire, scoped to the role, never embedded in agent code. Short-lived per-call tokens (15-min TTL) minted from a per-agent root credential encrypted with the customer's KMS key. Customer's auditor verifies the credential's scope from the manifest the executive team signed off on — not from a vendor questionnaire.

2. Supervision — the manager. A named human who approves what the agent shouldn't decide alone. Manager queue with SLA-driven auto-escalation (4h default for medium-risk, 1h for high, 15min for critical), bulk-approve UX for low-risk classes, Slack/Teams notifications with deep-links back to the workforce console. The gate lives in the connector, not the agent — there's nothing for the agent to route around.

3. Evaluation — the performance review. Continuous behavioral comparison against the agent's declared role manifest. Drift surfaces as a performance event, not a security alert. Quarterly cohort-level review on the same cadence the CHRO already uses for human employees.

4. Records — the personnel record. A hash-chained, witness-signed history of every action, streamed to the customer's S3 bucket. Each entry's entry_hash = SHA256(prev_hash || canonical_event_json). Witness signed every 5 minutes via the customer's KMS. The customer's auditor verifies integrity locally with arxctl verify-chain from infrastructure they control. Tampering with any past entry breaks every subsequent hash.

5. Termination — the defined exit. One-button revoke across every connector, runtime halted in a single transaction, exit attestation generated automatically. Reversible within 14 days; irreversible thereafter. Cohort-level termination cascades to every member.

The CISO concerns the prior framing called "governance" — policy enforcement, drift detection, audit — are the Supervision and Records pillars. They're real and they ship. They're just not the whole product anymore.

What ARX can create

Up to 252 agent instantiations per customer — 14 functions × 6 levels × 3 universal shapes:

  • Research — pulls, synthesizes, briefs. Read-mostly. Output is a document or structured finding. *Example: account deep-dive researcher pulling from Salesforce + Gong + Snowflake.*
  • Production — makes a thing. Drafts the artifact. Output is the artifact. *Example: PR drafter that reads a Linear ticket + the affected files and opens a draft PR.*
  • Coordination — routes, schedules, hands off, escalates. Multi-system orchestration. Output is a state change. *Example: incident router that pages on-call + opens a war room + reassigns the ticket + schedules a postmortem.*

Plus Atlas in a special non-matrix cell (executive.ceo-aide): the customer-private business analyst the executive team operates from.

Per customer at steady state: typically 10,000–20,000 agents, instantiated wave-by-wave from cohort templates. The 14 functions: Engineering, Product, Design, Sales, Marketing, Customer Success, Customer Support, Finance, Accounting, Legal, HR / People, Operations, IT, Security. The 6 levels: IC, Senior IC, Manager, Senior Manager, Director, VP+.

The Apple ecosystem analog

ARX ships rudimentary stock agents the way Apple ships Calendar, Mail, and Notes — deliberately simple, sufficient for day-1 deployment, explicitly *not* the destination. The framework is the moat; the agents are commodity.

| Source | What it is | Distribution |
|---|---|---|
| arx-reference (stock) | Built by ARX, ships with the platform. 37 framework-conforming today across 8 functions. | Bundled in the engagement |
| partner-built | Built by Sierra, Harvey, Decagon, Hippocratic, Cresta, etc. — same manifest framework, richer LLM + connector implementations. | Sold + supported by partner; ARX collects no margin |
| customer-built | Built by the customer's own engineering team for the long tail (~215 cells we don't ship stock). | Customer-owned |
| community | Open-source community contributions. | No support guarantee |

Every agent — stock, partner, customer-built — runs through the same five pillars and shows up on the same Roster. The customer's CHRO doesn't care who built it.

What's in the box today

37 framework-conforming stock agents + Atlas + ~13 legacy reference agents. Each is a complete, runnable FastAPI service: drop into any environment, pip install -r requirements.txt, uvicorn app.main:app, and it serves POST /act, POST /execute, GET /status. Dockerfile builds. Manifest passes the validator.

| Function | IC × R/P/C | Manager × R/P/C |
|---|---|---|
| Engineering | ✓✓✓ | ✓✓✓ |
| Sales | ✓✓✓ | ✓✓✓ |
| Customer Success | ✓✓✓ | ✓✓✓ |
| Finance | ✓✓✓ | ✓✓✓ |
| Marketing | ✓✓✓ | — |
| Operations | ✓✓✓ | — |
| Customer Support | ✓✓✓ | — |
| Legal | ✓✓✓ | — |

Live coverage map: reference-agents/INDEX.md. Manifest framework: reference-agents/MANIFEST_FRAMEWORK.md.

What's deliberately simple about stock agents

The "rudimentary" qualifier is structural, not aspirational:

| Layer | Stock | What real production needs |
|---|---|---|
| Connector calls | _FIXTURES dict returning canned data | httpx calls to the customer's actual Salesforce / Workday / GitHub / etc. with real per-agent OAuth |
| Synthesis | Hardcoded compose_summary strings | LLM calls against the customer's chosen provider with real prompts, citations, RAG against ingested docs |
| Outputs | Schema-shaped placeholder JSON | The actual artifact (a real PR, a real follow-up email, a real QBR deck) |
| Personalization | None — same response per fixture | Tuned to the specific human attached, the customer's tone, the domain context |

This is by design. ARX's claim is *the operating model* (the five pillars, the manifest, supervision, audit chain, termination posture). Agent intelligence is the customer's choice — partner like Sierra/Harvey, customer's own engineering, or whatever the next 18 months of LLM evolution makes possible. ARX shouldn't be in the business of building the smartest agent for every cell.

What customers actually do at install time

Three paths, all working today:

1. Install stock as-is for low-stakes cells. A Cisco-shape customer installs engineering-ic-research-codebase-explainer for their 800 engineering ICs. The agents work — they explain code from the customer's GitHub Enterprise — but they're noticeably less polished than what Cursor or Cognition could ship. The customer accepts the rudimentary version because it's the day-1 baseline, and they swap in something richer over the next quarter.

2. Install stock + customer-built shells around it. The customer's own engineering team forks sales-ic-production-followup-drafter, swaps the _FIXTURES for real Gong + Salesforce calls, swaps the placeholder synthesis for a real LLM call against their tuned prompt, ships it. The manifest, the FastAPI shell, the audit/credential/termination plumbing — all reused. They write maybe 200 lines of new code. Ten engineers can build out the modal-cell coverage in a sprint.

3. Install partner-built variants from the catalog. Sierra ships a sales-ic-production-followup-drafter-sierra that conforms to the same manifest framework but uses Sierra's tuned model + Sierra's Gong integration. The customer browses /catalog, filters to partner-built, clicks Install, picks the 800 humans to bind, hits go. The partner-built variant runs through the same five pillars + manager queue + audit chain as the stock one.

Typical Cisco-shape mix in production: ~20% stock, ~30% partner-built, ~50% customer-built. Stock is a starting point, not an end state.

Atlas — the customer-private business analyst

Atlas is the first agent ARX deploys in any engagement, and it stays for the life of the relationship. Not just a CEO assistant — the single source of truth across the customer's digital workforce. Five capabilities:

  • Brief. The CEO's morning brief, generated automatically from every system Atlas can read. Top 5 things they need to know, sourced + cited.
  • Decide. Synchronous Q&A with citations. *"What's our deal-cycle time on enterprise deals over $1M in the last two quarters, vs Q4 2025?"* Atlas pulls from Salesforce + Snowflake + Gong, returns a structured answer with line-level citations.
  • Probe. Continuous "what's slipping?" sweeps every 30 minutes — pipeline, OKRs, KPIs, customer health, eng release velocity. Surfaces deltas before the human chain-of-command would notice.
  • Coach. The operational handoff layer between the executive team and the rest of the digital workforce. CEO drafts an instruction; Atlas routes it through the supervision pillar to the right cohort of agents and assembles the output.
  • Audit. Reviews personnel records of the digital workforce on the executive's behalf. Quarterly cadence. Recommends cohort consolidation, agent retirement, manager reorganizations.

Beyond CEO aide, Atlas is the customer's full-time business analyst + workforce architect. It produces the manifest set — the document that defines the customer's digital workforce. Atlas analyzes the customer's environment, the human roster, the operating processes, the consultant interview transcripts, the earnings calls, the board decks, the M&A diligence rooms, the analyst reports, and produces the manifests that say *who should be hired, what shape they should be, what their scope is, who they report to.* Those manifests are the input to the bulk-instantiation pipeline that creates the digital workforce. The CHRO + CFO + CISO sign off on Atlas's manifest set the same way they sign off on a human-headcount plan.

Atlas also serves as the customer's operating cadence: the morning brief is the executive team's start-of-day; the probe is the watch; the audit is the quarterly performance cycle; the coach is how every executive instruction flows into action. Three months in, Atlas is the surface the customer's executives operate from for everything — and the digital workforce flows through it.

Spec: docs/atlas/atlas-spec.md. Auditor-facing NetworkPolicy: docs/atlas/network-policy.yaml.

What Atlas runs on

Atlas is customer-private by construction. It runs entirely inside the customer's environment with three technical guarantees enforced by the deployment artifact, not by contract:

  1. No exfiltration to ARX. A Kubernetes NetworkPolicy default-denies egress; the allow-list contains only customer-declared internal endpoints + the customer's chosen LLM. Zero ARX domains in the allow list, ever. Auditor verifies via kubectl -n arx-atlas get networkpolicy atlas-egress-lock -o yaml.
  2. No data ingress from ARX. Image distribution is pull-from-customer-mirror. ARX publishes signed images to GHCR; customer's CI mirrors before deploy. Customer pins the digest in their Helm values. The chart's atlas.validateImage helper refuses any ARX-controlled registry at install time.
  3. No telemetry. The chart exposes no field that points Atlas at an ARX-controlled observability endpoint. Customer's own SRE stack scrapes Atlas via Prometheus / Datadog / Splunk.
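One way an auditor could check the egress lock from the first guarantee, as an added example that is not taken from ARX's chart or from docs/atlas/network-policy.yaml. It reads the policy object in the shape kubectl returns with -o json; the CIDRs, ports and the audit_egress function are constructed for illustration.

```python
import ipaddress

# Constructed policy in the shape `kubectl get networkpolicy -o json` returns.
# The CIDRs and ports are sample values, not taken from the ARX chart.
POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "atlas-egress-lock", "namespace": "arx-atlas"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"ipBlock": {"cidr": "10.20.0.0/16"}}],
             "ports": [{"protocol": "TCP", "port": 443}]},
            {"to": [{"ipBlock": {"cidr": "10.30.5.8/32"}}],
             "ports": [{"protocol": "TCP", "port": 8443}]},
        ],
    },
}


def audit_egress(policy, declared_cidrs):
    """Return a list of findings; an empty list means the egress lock holds."""
    declared = [ipaddress.ip_network(c) for c in declared_cidrs]
    spec = policy.get("spec", {})
    findings = []
    if "Egress" not in spec.get("policyTypes", []):
        findings.append("policyTypes does not list Egress")
    for n, rule in enumerate(spec.get("egress") or []):
        peers = rule.get("to") or []
        if not peers:
            # A rule without 'to' matches every destination.
            findings.append(f"rule {n}: no 'to' peers, all destinations allowed")
        if not rule.get("ports"):
            # A rule without 'ports' matches every port.
            findings.append(f"rule {n}: no 'ports', all ports allowed")
        for peer in peers:
            block = peer.get("ipBlock")
            if block is None:
                continue  # pod/namespace selector: in-cluster peer, reviewed separately
            net = ipaddress.ip_network(block["cidr"])
            if not any(net.version == d.version and net.subnet_of(d) for d in declared):
                findings.append(f"rule {n}: {net} is outside the declared allow-list")
    return findings


if __name__ == "__main__":
    declared = ["10.20.0.0/16", "10.30.5.8/32"]  # customer-declared (sample)
    print(audit_egress(POLICY, declared))
    weakened = {"spec": {"policyTypes": ["Egress"], "egress": [
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
         "ports": [{"protocol": "TCP", "port": 443}]}]}}
    print(audit_egress(weakened, declared))
```

A standard NetworkPolicy matches IP blocks and selectors, not domain names, so the check compares each ipBlock against the ranges the customer declared rather than looking for hostnames.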

Deployment options:

  • Helm chart on Kubernetes (production, default). Single-replica or HA. Cosign-signed image, customer mirrors via private registry. PersistentVolumeClaim for vector memory + ingested document cache. Pod hardened: non-root user (uid 10001), readOnlyRootFilesystem, dropped ALL Linux capabilities, seccomp RuntimeDefault.
  • Docker Compose (smaller estates, <5,000 employees). Same artifact, same egress posture; the NetworkPolicy is replaced with Docker network rules.

LLM provider: the customer's CIO chooses. Anthropic on the customer's contract, OpenAI on the customer's contract, the customer's own locally-hosted model — Atlas calls whichever endpoint the Helm values point at. ARX never holds the customer's LLM credentials and has no preferred provider.

Audit destination: the customer's own S3 bucket in the customer's region with the customer's KMS key. Atlas's actions are written to a hash-chained log, witness-signed every 5 minutes via the customer's KMS. The customer's auditor verifies integrity locally with arxctl verify-chain from their own laptop. ARX never reads from this bucket.
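The hash-chain rule stated in the Records pillar and in the audit-destination paragraph above, as an added Python example; it is not ARX code and not the arxctl verify-chain implementation. The canonical JSON form, the all-zero genesis value, the event field names and the witnessed head (taken as already signature-checked) are assumptions.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumption: prev_hash of the first entry


def canonical(event):
    # Assumed canonicalization: sorted keys, no whitespace, UTF-8.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash, event):
    # entry_hash = SHA256(prev_hash || canonical_event_json), as stated on the page.
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(event)).hexdigest()


def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"prev_hash": prev, "event": dict(ev), "entry_hash": h})
        prev = h
    return chain


def verify_chain(chain, witnessed_head=None):
    """Return (ok, detail). Hashes are recomputed from the events; stored
    values are never trusted. witnessed_head is the head hash from a witness
    signature that was verified out of band (assumed)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: prev_hash link broken"
        if entry["entry_hash"] != entry_hash(prev, entry["event"]):
            return False, f"entry {i}: event does not match entry_hash"
        prev = entry["entry_hash"]
    if witnessed_head is not None and prev != witnessed_head:
        return False, "head differs from witnessed checkpoint"
    return True, "chain intact"


# Constructed sample events (field names are hypothetical).
EVENTS = [
    {"agent": "agent-001", "action": "crm.read", "seq": 1},
    {"agent": "agent-001", "action": "email.draft", "seq": 2},
    {"agent": "agent-001", "action": "email.send", "seq": 3},
]

if __name__ == "__main__":
    chain = build_chain(EVENTS)
    head = chain[-1]["entry_hash"]
    print(verify_chain(chain, head))
    chain[1]["event"]["action"] = "email.delete"          # edit one past entry
    print(verify_chain(chain, head))
    rewritten = build_chain([e["event"] for e in chain])  # rehash everything
    print(verify_chain(rewritten), verify_chain(rewritten, head))
```

The last line shows why the witness signature matters: a log rehashed from the edited entry onward is internally consistent and is caught only by comparing its head with the witnessed checkpoint.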

Release pipeline: atlas/RELEASING.md. Helm values: atlas/charts/atlas/values.customer.example.yaml.

How Atlas integrates with everything

Atlas reads through the same connector framework every other agent uses, but with a default read-only posture and the broadest possible scope. Three integration surfaces:

1. Internal systems (read-only by default; write scope only on explicit per-operation approval):

| Category | Connectors |
|---|---|
| Documents | SharePoint, Confluence, Notion, Box, Google Drive |
| Issue trackers | Jira, Linear |
| Code | GitHub, GitLab, Bitbucket |
| Communication | Slack, Microsoft Teams, M365 |
| Sales | Salesforce, HubSpot |
| HR | Workday, BambooHR |
| Finance | NetSuite, Sage Intacct, QuickBooks |
| Data warehouse | Snowflake, BigQuery, Databricks |

2. Unstructured corpora (uploaded by the customer's chief of staff or operations team into Atlas's working memory):

  • Consultant interview transcripts (BCG, McKinsey, Bain, in-house)
  • Earnings call transcripts and analyst reports
  • Board decks and committee materials
  • M&A diligence room contents
  • Customer-call recordings (transcribed before ingest by the customer's own tooling)

3. Time-series feeds (push, customer-defined webhooks):

  • KPI streams (revenue, ARR, NPS)
  • Pipeline movement (CRM stage changes)
  • OKR / objective updates
  • Industry / market signals the customer subscribes to

The integration model is uniform. Every read flows through the connector framework's per-agent auth wrapper (Atlas has its own per-agent credential scoped to its declared systems). Every read is recorded in Atlas's personnel record on the same hash-chained audit. Atlas can read across silos that no human in the customer's organization can — but every read is logged, attributed, and bounded by what the manifest declared. Atlas sees what the executive team should see, on infrastructure the executive team controls, with attribution the executive team's auditor can prove independently.

What ARX does NOT do

Three explicit gaps to set expectations:

  • ❌ ARX does not turn "I need an agent that does X" into a working agent today. The framework + scaffolders + Atlas-produced manifests *make this fast for an engineer* (~30 min for a manifest, ~1-3 days for the implementation), but it's not a no-code generator.
  • ❌ ARX does not auto-tune prompts or auto-swap LLMs. That's the customer's choice and the customer's contract.
  • ❌ ARX does not ship UI for end users. The agent's "user" is typically an IC who interacts via Slack/Linear/etc., not via an ARX-branded surface.

What Atlas *can* do today:

  • ✅ Generate the manifest set for a customer based on analysis of their org chart + processes — Atlas's role as business analyst / workforce architect.
  • ✅ Draft the scope + approval rules + reporting chains so a customer engineering team has a one-page spec to build against.
  • ✅ Recommend cohort consolidation when the Audit capability sees overlap.

Bought by

| Role | Decides | Validates |
|---|---|---|
| CEO | Whether the enterprise treats AI as labor or as a security threat. The category-level call. | — |
| CHRO | Workforce composition, hiring cadence, manager structure. | The personnel records, the termination procedure, the manager queue UX. |
| CFO | The engagement fee + retainer. Pay-for-performance true-up. | Cost-to-serve metrics, productivity-gain measurement, FTE-equivalent rollups. |
| CISO | None of the above (with one exception). | The credential model (Onboarding pillar), the audit chain (Records pillar), the supervision posture (Supervision pillar). Same role security plays for human employees. |

CISO is not the buyer; CISO is the validator.

Status

| Component | State |
|---|---|
| 5 workforce pillars | All shipped. INV-004 (compliance inheritance) and INV-005 (per-agent credential scope) cryptographically meaningful end-to-end. |
| Cell × Shape coverage | 37 stock framework-conforming templates across 8 functions. Long tail = ecosystem. |
| Atlas | Helm chart + cosign release pipeline + 5 capability modules + admin UI. Production-real connectors + LLM wiring is the next implementation slice. |
| 72-hour runbook | Operationally executable end-to-end (Window 1 PROVISION + Window 2 VALIDATE + Window 3 GO-LIVE). |
| Catalog + submission pipeline | Browse + install + 4-stage review state machine. |