The decision database

InvariantDB is the database that records what was true, when, and what the system knew when it acted.

A bitemporal database for AI agents and regulated systems. Every write — every tool call, every approval, every policy change — is captured as a signed receipt with full provenance. Replayable exactly as the data was known at the time, not after the policy changed. Build agents from decisions, not documents. Memory without amnesia.

01The visibility surface

The attack surface is not the new problem. The visibility surface is. Authorized AI agents doing unauthorized things with authorized access — and your governance stack can't tell what they touched.

"An employee pointed an AI tool at customer non-public information. Names. Social Security numbers. Dates of birth. The bank deemed it material. Filed the 8-K voluntarily. This was not an external breach." — SEC 8-K filing, Pennsylvania bank, Q1 2026

The SEC now expects a material determination within days. The question is whether you can make that determination in minutes or months. If your only record of what your AI did is a stream of text logs, the answer is months.

02What we do

Every AI action that touches your data is captured as a receipt:

AgentRun ar-7f3a2c1d
  ├─ ran_as     →  jsmith@carrier.local
  ├─ instance_of →  claims_summarizer_v3 (anthropic, claude-sonnet-4-6)
  ├─ called →   fetch_medical_records()
  │   ├─ touched → DataTouch dt-001
  │   │   ├─ of_field   → Field "medical_record.notes" [PHI]
  │   │   └─ of_record  → Record CL-2026-0417 (claim)
  │   └─ evaluated_by  → Decision d-001
  │       └─ under_policy → Policy HIPAA-PHI v4.3 [active at 14:08:11 EDT]
  │           result: ALLOW · jurisdiction: in-state · confidence: 0.91
  ├─ produced → Output o-9aef12 (summary, 612 tokens)
  │   └─ derived_from → DataTouch dt-001
  └─ sent_to → adjuster_inbox@carrier.local  [no external transmission]

Each receipt is signed (SHA-256 audit chain), bitemporally stamped (valid + transaction time), and queryable as graph data. Forward: what did this agent touch? Reverse: who touched this customer's data?

03The moat: temporal authorization

Every existing policy engine — Cedar, OPA, IAM, Immuta, Purview, Splunk — evaluates against current state. InvariantDB evaluates against the policy version in force at the moment of access.

cypher · the question Splunk can't answer
// Every PHI touch this month under a policy version that's since changed.
MATCH (run:AgentRun)-[:CALLED]->(:ToolCall)
      -[:TOUCHED]->(dt:DataTouch)-[:OF_FIELD]->(:Field {classification:'PHI'})
MATCH (dec:Decision)-[:EVALUATED]->(dt)-[:UNDER_POLICY]->(p:Policy)
WHERE run.started_at >= '2026-04-01'
  AND p.version <> p.current_version
RETURN run.id, p.version AS policy_at_time, p.current_version, dec.allow
Question Splunk / Datadog Immuta · Purview · OPA InvariantDB
What field did the agent read? — text log coarse dataset field-level
Under what policy at the time? no no — current only yes — bitemporal
Tamper-evident receipt? retention limited SHA-256 chain
Reverse query (DSAR / right-of-access)? grep batch one graph query
Did data leave the perimeter? netflow no graph edge per egress

04What's shipped vs. what's roadmap

Plain reading: the substrate is real and demoable today. The wedge product (the MCP recording gateway in front of your agents) and the policy-engine integration are next, not done.

✓ Shipped

  • Bitemporal graph engine — Rust, single-node + Raft cluster
  • Tamper-evident audit chain — SHA-256, 25+ proptest properties + Kani proofs
  • Provenance log — actor, source, reason, request_id per write
  • Agent execution harness — Anthropic + OpenAI, caps, recorder
  • 14-tool MCP server — read-only first pass
  • SDKs — Python (PyO3), Node (napi-rs)
  • Cypher + bitemporal queries — AT VALID, AT RECORDED, OVER VALID BETWEEN
  • Replication + consensus — C2.1 primary-replica, C2.2 Raft (3-node verified)

05Try it

A 1.3-million-operation insurance graph is live on the demo box right now: 536K nodes, 810K edges, 17 edge types, 16 labels. Bitemporal queries, audit chain verification, schema introspection — all running against the same engine.

06Why now

AI agents are touching enterprise data faster than the regulators can write the rules that govern them — and the rules are coming. The 8-K timeline is days, not quarters. DSAR fulfillment is shrinking. HIPAA's accounting-of-disclosures rule already requires field-level provenance most stacks can't produce.

Splunk can tell you a request happened. Cedar can tell you whether it would be allowed now. Neither can tell you whether it was allowed then, under the policy in force at that exact moment. That's the gap we built for.