Skip to content

Introduction

Frank Yglesias Bertheau edited this page Jul 7, 2026 · 3 revisions

ᚾ NornGate — Introduction

Welcome to NornGate — the gated runtime for AI agent fleets. NornGate is a deterministic, fail-closed runtime that verifies every consequential action before any side effect occurs. Each decision is explicit, auditable, and controlled.

NornGate inserts control before execution. It does not inspect side effects after the fact.


ᚦ What NornGate does

Most agent systems let actions happen immediately: a retrieval hits storage, a message reaches an API, a workflow mutates state. When something fails, teams often lack a clear approval path or audit trail.

NornGate inserts a required five-gate pipeline in front of those actions. Every request must clear all five gates — G0 → G4, in order — before any side effect is committed.

flowchart LR
    R(["Agent request"]) --> G0["G0 · Ingress<br/>authN · keys · rate-limit · allowlist"]
    G0 --> G1["G1 · Policy<br/>ABAC / RBAC evaluation"]
    G1 --> G2["G2 · Approval<br/>human / automated consent"]
    G2 --> G3["G3 · Sandbox<br/>isolated dry-run · no side effects"]
    G3 --> G4["G4 · Commit / Arbitration<br/>conflict resolution → commit → ledger"]
    G4 --> C(["Side effect committed<br/>billable outcome recorded"])
    G0 -. deny .-> D["Denied<br/>verdict written to Urd"]
    G1 -. deny .-> D
    G2 -. deny .-> D
    G3 -. deny .-> D
    G4 -. conflict .-> D
Loading
Gate Name What it checks
G0 Ingress Authenticates the caller; validates API keys; enforces rate limits and network allowlists.
G1 Policy Evaluates ABAC/RBAC rules against agent identity, resource type, and request context.
G2 Approval Requires explicit human or automated consent for high-risk actions.
G3 Sandbox Executes the action in a temporary environment with no permanent side effects.
G4 Commit / Arbitration Applies deterministic conflict resolution when agents target the same resource, then commits the verified side effect and records the outcome.

Silence means no. If a gate cannot explicitly approve the action, the action stops. There are no implicit approvals — a timeout or missing decision becomes a denial. See The Five Gates.

Worked scenarios

  • High-risk action with manual approval — a production model update requires a human approval step at G2 before execution continues.
  • Policy evaluation with ABAC input — G1 evaluates request context, agent attributes, and resource attributes together, and passes only on a matched rule.
  • Arbitration conflict — when two agents try to write the same record, G4 applies a deterministic winner; the loser is denied, not queued into a race.

Example — a request is denied. The audit ledger records the exact reason. A policy denial for a role that may not touch model resources:

GET /v1/audit?gate=policy&decision=deny&from=2026-07-05T11:00:00Z
[
  {
    "id": "audit_7f3",
    "gate": "policy",
    "decision": "deny",
    "reason": "agent.role 'user' cannot access resource type 'model'",
    "requestId": "req_abc",
    "timestamp": "2026-07-05T11:32:00Z"
  }
]

End-to-end multi-agent workflow. A three-agent flow that gathers evidence, scores risk, then requests a final action — each stage bound to the realm that matches its trust posture:

  1. Midgard (app.*) handles user-facing intake.
  2. Alfheim (alfheim.*) retrieves required context quickly at the edge.
  3. Jotunheim (jotun.*) runs untrusted scoring inside the sandbox (G3).
  4. Asgard (asgard.*) owns the final protected approval path (G2 → G4).

ᛉ Why the gated model matters

AI agents can read, write, execute, and decide. That power needs boundaries. NornGate gives teams a reliable control point before execution, so it can:

  • enforce policy before side effects
  • capture every decision in an audit trail
  • isolate risky work before it reaches production systems

It also prevents race conditions, reduces accidental data mutation, and supports regulated workflows. The platform is default-deny: if a gate cannot confirm, it denies.


ᛇ Platform design

NornGate uses Norse cosmology as a system model, not just as branding. The names map to concrete controls, trust boundaries, and recovery patterns.

ᛖ Yggdrasil — the control spine

Yggdrasil is the shared control spine. Requests pass through one observable path so traffic can be watched, metered, and refused. In practice:

  • consistent routing between trust zones
  • a single place to enforce runtime controls
  • distributed tracing across the whole request path

ᛟ The Nine Worlds — trust zones

The realms map to trust zones — subdomain = trust zone — so your topology becomes your threat model.

Realm Subdomain Trust posture
Asgard asgard.* Control plane. Highest trust.
Vanaheim vanir.* External integrations. Federated trust.
Alfheim alfheim.* Edge tier. Low latency.
Midgard app.* User-facing services.
Jotunheim jotun.* Untrusted execution. Full sandboxing.
Muspelheim muspel.* GPU-heavy compute.
Niflheim nifl.* Cold storage. High durability.
Svartalfheim forge.* Build and artifact systems.
Hel hel.* Dead-letter and failed work.
Valhalla valhalla.* Completed job archive and baselines.

On the count. This is ten realms: the nine cosmological worlds of the Eddic sources, plus Valhalla — traditionally Óðinn's hall within Asgard rather than a world of its own, promoted here to a tenth operational realm for completed-job archival. Full detail in The Nine Worlds.

flowchart TB
    Y{{"Yggdrasil · control spine<br/>route · meter · refuse · trace"}}
    Y --- ASG["Asgard · asgard.*<br/>control plane · highest trust"]
    Y --- VAN["Vanaheim · vanir.*<br/>external integrations"]
    Y --- ALF["Alfheim · alfheim.*<br/>edge · low latency"]
    Y --- MID["Midgard · app.*<br/>user-facing"]
    Y --- JOT["Jotunheim · jotun.*<br/>untrusted · full sandbox"]
    Y --- MUS["Muspelheim · muspel.*<br/>GPU compute"]
    Y --- NIF["Niflheim · nifl.*<br/>cold storage"]
    Y --- SVA["Svartalfheim · forge.*<br/>build / artifacts"]
    Y --- HEL["Hel · hel.*<br/>dead-letter"]
    Y --- VAL["Valhalla · valhalla.*<br/>completed archive"]
Loading

ᛈ The Norns — the system record

  • Urd — a centralized, append-only, hash-chained audit ledger; every gate decision lands here.
  • Verdandi — live metrics and latency.
  • Skuld — forecasting and anomaly detection.

See Monitoring & Observability.

ᚺ Ragnarök — failure planning

Recovery is tested before it is needed. Typical drill goals: simulate gate failure, storage corruption, and network partition.

$ norngate-cli drill ragnarok --target=prod --duration=15m
[INFO] starting drill target=prod duration=15m
[INFO] injecting policy timeout delay=30s
[INFO] corrupting cold-storage shard=nifl-03 damage=1%
[INFO] isolating midgard -> asgard network path
[INFO] restoring from checkpoint checkpoint_2026-07-05T12:00:00Z
[INFO] verifying hash chain and audit continuity
[INFO] drill complete recovery_time=12m34s data_loss=0

A DR path that has never been exercised is a hypothesis, not a control. See Disaster Recovery (Ragnarök Drill).


ᛜ Key properties

Property Technical meaning
Deterministic The same input and state produce the same outcome.
Fail-closed Missing approval means denial, not bypass.
Auditable Every gate decision is written to Urd, a centralized append-only ledger secured by a signed hash chain.
Framework-agnostic Agents can run in any language or stack.

These properties are enforced by the runtime, not left to application code alone.


ᚹ Who it is for

  • AI engineers building multi-agent systems with strict control requirements.
  • Platform and security teams operating LLM services at scale.
  • Regulated or high-risk environments that need traceable enforcement.
  • Teams that need clear answers to what an agent did and who approved it.

ᚱ Next steps


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — not emoji. The full set is on Home; the runes used here:

Rune Name Gloss Marks
Nauðiz need, necessity, constraint the platform mark
Thurisaz thorn, gateway, warding force what NornGate does / the gates
Algiz protection, defense why the gated model matters
Eihwaz the yew, the world-tree axis platform design
Ehwaz horse, conveyance, movement between Yggdrasil — the spine
Othala enclosed estate, boundary trust zones
Perthro the lot-cup, fate, the well of Urd the Norns
Hagalaz hail, disruption, the necessary crisis Ragnarök
Ingwaz enclosure, completion key properties
Wunjo kinship, fellowship who it is for
Raidō the ride, the road next steps

Sources. Snorri Sturluson, Prose Edda (Gylfaginning — the Norns, Yggdrasil, Valhalla, Ragnarök) and the Poetic Edda (Völuspá — the Nine Worlds). Rune meanings follow the Elder Futhark tradition.

Clone this wiki locally