A bitemporal database for AI agents and regulated systems. Every write — every tool call, every approval, every policy change — is captured as a signed receipt with full provenance. Replayable exactly as the data was known at the time, not after the policy changed. Build agents from decisions, not documents. Memory without amnesia.
The attack surface is not the new problem. The visibility surface is. Authorized AI agents doing unauthorized things with authorized access — and your governance stack can't tell what they touched.
The SEC now expects a material determination within days. The question is whether you can make that determination in minutes or months. If your only record of what your AI did is a stream of text logs, the answer is months.
Every AI action that touches your data is captured as a receipt:
AgentRun ar-7f3a2c1d ├─ ran_as → jsmith@carrier.local ├─ instance_of → claims_summarizer_v3 (anthropic, claude-sonnet-4-6) ├─ called → fetch_medical_records() │ ├─ touched → DataTouch dt-001 │ │ ├─ of_field → Field "medical_record.notes" [PHI] │ │ └─ of_record → Record CL-2026-0417 (claim) │ └─ evaluated_by → Decision d-001 │ └─ under_policy → Policy HIPAA-PHI v4.3 [active at 14:08:11 EDT] │ result: ALLOW · jurisdiction: in-state · confidence: 0.91 ├─ produced → Output o-9aef12 (summary, 612 tokens) │ └─ derived_from → DataTouch dt-001 └─ sent_to → adjuster_inbox@carrier.local [no external transmission]
Each receipt is signed (SHA-256 audit chain), bitemporally stamped (valid + transaction time), and queryable as graph data. Forward: what did this agent touch? Reverse: who touched this customer's data?
Every existing policy engine — Cedar, OPA, IAM, Immuta, Purview, Splunk — evaluates against current state. InvariantDB evaluates against the policy version in force at the moment of access.
// Every PHI touch this month under a policy version that's since changed.
MATCH (run:AgentRun)-[:CALLED]->(:ToolCall)
-[:TOUCHED]->(dt:DataTouch)-[:OF_FIELD]->(:Field {classification:'PHI'})
MATCH (dec:Decision)-[:EVALUATED]->(dt)-[:UNDER_POLICY]->(p:Policy)
WHERE run.started_at >= '2026-04-01'
AND p.version <> p.current_version
RETURN run.id, p.version AS policy_at_time, p.current_version, dec.allow
| Question | Splunk / Datadog | Immuta · Purview · OPA | InvariantDB |
|---|---|---|---|
| What field did the agent read? | — text log | coarse dataset | field-level |
| Under what policy at the time? | no | no — current only | yes — bitemporal |
| Tamper-evident receipt? | retention | limited | SHA-256 chain |
| Reverse query (DSAR / right-of-access)? | grep | batch | one graph query |
| Did data leave the perimeter? | netflow | no | graph edge per egress |
Plain reading: the substrate is real and demoable today. The wedge product (the MCP recording gateway in front of your agents) and the policy-engine integration are next, not done.
A 1.3-million-operation insurance graph is live on the demo box right now: 536K nodes, 810K edges, 17 edge types, 16 labels. Bitemporal queries, audit chain verification, schema introspection — all running against the same engine.
AI agents are touching enterprise data faster than the regulators can write the rules that govern them — and the rules are coming. The 8-K timeline is days, not quarters. DSAR fulfillment is shrinking. HIPAA's accounting-of-disclosures rule already requires field-level provenance most stacks can't produce.
Splunk can tell you a request happened. Cedar can tell you whether it would be allowed now. Neither can tell you whether it was allowed then, under the policy in force at that exact moment. That's the gap we built for.