If there's one architectural decision behind everything else in Steelmoth, it's this: the part of the system that's clever is never the part that grants permission.

The model proposes. A separate component — small, dumb, auditable — decides whether the proposal is allowed. The clever part can be tricked, mistaken, or prompted in some novel way into doing things it shouldn't. The deciding part can't, because it isn't reasoning. It's just checking the proposal against the rules.

The model proposes. The system decides.

This sounds like a small thing. In practice it's the whole product. Every promise we make — about injection resistance, about scoped memory, about the audit log meaning what it says — rests on that one separation.

What that buys you.

A clever prompt can't talk Steelmoth into acting outside your rules. A poisoned email can't either, because the part that reads the email isn't the part that has authority. And if Steelmoth ever claims it did something, the claim is checked against what actually happened — because the claim and the doing are also separate.
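The proposer/decider split described above, written out as an added example (this is not Steelmoth's code; the policy table, the JSON proposal format and the helper names are assumptions). The model's text is parsed as data, a rule check with no model in it decides, every decision is logged, and a later claim by the model is only believed if the log shows that exact proposal was allowed.

```python
import json
from dataclasses import dataclass, field

# Constructed policy (assumption): the complete set of actions the gate may allow,
# with the argument constraints each one must satisfy.
POLICY = {
    "read_calendar": {},
    "send_email": {"to_domain": "example.com"},
}

@dataclass
class Gate:
    """The deciding part: no model, no reasoning, only proposal vs. POLICY."""
    audit_log: list = field(default_factory=list)

    def _record(self, proposal, allowed, reason):
        self.audit_log.append({"proposal": proposal, "allowed": allowed, "reason": reason})
        return allowed

    def decide(self, proposal: dict) -> bool:
        action, args = proposal.get("action"), proposal.get("args", {})
        rule = POLICY.get(action)
        if rule is None:
            return self._record(proposal, False, "action not in policy")
        if "to_domain" in rule and not str(args.get("to", "")).endswith("@" + rule["to_domain"]):
            return self._record(proposal, False, "recipient outside allowed domain")
        return self._record(proposal, True, "matches policy")

def parse_proposal(model_output: str) -> dict:
    """Model text is data: parsed, never executed. Malformed output becomes a no-op proposal."""
    try:
        raw = json.loads(model_output)
    except json.JSONDecodeError:
        raw = None
    if not isinstance(raw, dict):
        return {"action": None, "args": {}}
    args = raw.get("args")
    return {"action": raw.get("action"), "args": args if isinstance(args, dict) else {}}

def verify_claim(gate: Gate, claim: dict) -> bool:
    """A claim is true only if the log shows that exact proposal was allowed."""
    return any(e["allowed"] and e["proposal"] == claim for e in gate.audit_log)

if __name__ == "__main__":
    gate = Gate()
    # Constructed: what the model proposed after reading an email that told it to forward data outside.
    bad = parse_proposal('{"action": "send_email", "args": {"to": "someone@external.test"}}')
    good = parse_proposal('{"action": "read_calendar", "args": {}}')
    print(gate.decide(bad), gate.decide(good))  # False True
    # Constructed: the model later claims it sent that email; the log says otherwise.
    print(verify_claim(gate, bad))  # False
```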