An LLM guesses.
RAG paraphrases.
Ctrl AI cites a signed contract.
Same question. Three architectures. Watch how each builds its answer — and why only one of them cannot make the answer up.
14-day free trial · No credit card required · Cryptographic receipts on every invocation
Stateless AI breaks at three places.
ChatGPT Teams, Copilot, Glean, custom RAG — they all share the same shape: a chat box that takes a prompt, generates a paragraph, forgets when the tab closes. A colleague has memory, commitments, and doesn't make things up. The architecture has to deliver these by construction, not by prompt-engineering.
No memory of company state
Every conversation starts from zero. The agent doesn't know what's currently in flight, who owns what, what was decided last week.
No commitment to outcomes
The agent answers the immediate question. It has no concept of standing objectives. It cannot pursue work between prompts.
No structural prevention of hallucination
Even RAG-with-citations is the LLM reading prose and generating prose — the interpretation step is where freelancing happens.
Ctrl AI's answer: three atoms — Capability, Case, Goal. Skills, memory, direction. Everything an agentic company needs.
The HOW — five ways the agent is allowed to act.
Every Capability is signed, typed, and callable. The implementation is one of five kinds. Click any kind to see a real, working example: same six-part anatomy, different mechanism inside.
- •Pure function · no LLM in the loop
- •Reproducible · same inputs → same outputs
- •Sandboxed Deno runtime
Sarah{ "tripCost": 2500,
"destination": "domestic" }function approver(cost) {
if (cost <= 2000) return "manager";
if (cost <= 5000) return "dept_head";
if (cost <= 25000) return "vp";
return "cfo";
}{ "approver": "dept_head",
"threshold": 2000 }Deterministic. Code in a sandbox. Math, threshold checks, lookups.
The WHAT-IS-HAPPENING — anything in flight, with a typed memory.
A Case is durable per-decision state with an append-only event log. A hire, a deal, an escalation, a loan, a vacation request. Pick any one — the same shape: live state on one side, event log on the other, every event references a signed Capability invocation.
| Name | Sarah Chen |
| Start date | 2026-06-01 |
| Team | Finance |
| schen@acme.com | |
| Laptop | ordered |
| JIRA | created |
| Welcome kit | sent |
- Day 0createdHire(Sarah Chen) · Finance
- Day 0invokedprovision_email · schen@acme.com
- Day 4gateprovision_jira · ⌃ Sarah approved
- Day 7invokedsend_welcome_kit · receipt #6184
Cases come in every shape — same architecture
Whatever your team works on that has structure and a lifecycle — that's a Case. Click any tab above to switch the live example.
The WHY — standing directives the agent pursues, on every horizon.
From a single hire today to a quarterly revenue target to your company's open-ended commitments — every Goal has the same typed shape: title, success criteria, horizon, signed owner. Some criteria carry expressions that auto-evaluate after every relevant Capability invocation. The agent measures progress without you typing.
Goals across every horizon · click to inspect
Selected goal · full anatomy
⌃ Sarah due Sep 30, 2026Hit Q3 revenue target $4.5M ARR
Quarterly revenue commitment. Mix of new logos and expansion.
outputs.forecastArr >= outputs.targetArr * 0.8Whenever a linked Capability is invoked, every auto criterion is evaluated against the typed output. Matches flip the criterion automatically.
The natural hierarchy
Goals surface. Capabilities act. Cases remember.
User opens /ask. The prelude already knows what's in motion.
SarahnotesYour active goals:
- Close Q3 books by April 5 · 3 days · 71% complete · 7 unmatched invoices
- Onboard Mark Liu by April 12 · 8 days · 30% · laptop ordered, JIRA pending
- Hit Q3 revenue target · 64 days · forecast 84% of target · 5 deals in pipeline
Highest-leverage right now: 5 of the 7 unmatched invoices fit our standard reconciliation pattern. I've drafted resolutions, awaiting your sign-off. Approving moves Q3-close from 71% → 90%. Want to walk through the 5 quick approvals first?
"The LLM produces only prose narration. Every factual claim traces back to a typed Capability invocation, cited inline. The synthesis turn is rhetoric, not knowledge."
This is the rule that makes hallucination structurally hard rather than statistically less likely. Every Ctrl AI answer ships with one of five trust levels — click any to see what it actually looks like.
compute-travel-expense-pre-approval · receipt #4912An invocable Capability matched and ran cleanly. Post-conditions passed.
Every Ctrl AI answer ships with one of five trust levels. The agent never silently freelances. The visitor learns to read the gradient at a glance.
Verifiable by anyone. Offline. Forever.
Every successful Capability invocation produces an Ed25519-signed receipt anchored in a tamper-evident transparency log. External auditors verify any answer offline against your published key. The Trust Portal at /portal/<your-org> is a public artifact procurement reviewers walk through with a recipe — no contract, no demo call.
Sarah+
MarkCryptographically binds the Capability slug, inputs, outputs, invocation timestamp, and the signers' keys. Two people stand behind every destructive answer.
# 1. Pin the publisher's key $ curl \ https://ctrlai.com/.well-known/ctrlai/receipt-keys # 2. Fetch the receipt + inclusion proof $ curl \ https://ctrlai.com/api/receipts/01KQ…GAPXC # 3. Verify offline · no network $ ctrlai-verify receipt.json --jwks keys.json ✓ signature valid (ed25519) ✓ inclusion proof verifies ✓ tree-head matches pin (18,342) receipt verified · trust=verified
External auditors verify against your org's published key without contacting your servers. Transparency-log anchoring proves history hasn't been rewritten since their last pin.
No login required. Procurement opens it, sees the transparency-log head, the recent signed receipts feed, and the verify-it-yourself recipe. Compliance evidence stops being a contract artifact and becomes a URL.
/ask is just the simplest mode.
The same three primitives serve every shape of work — proactive agents, multi-step procedures, cross-department reasoning, and your company as a typed API for other AI tools.
Triggers
Long-running cases
- Day 0open caseuserHire(Sarah Chen) · Finance
- Day 0invokedagentprovision_email · provision_laptop
- Day 4resumeuser · new sessionwhat's next on Sarah's onboarding?
- Day 4loaded stateagent8 events · email ✓ · laptop ✓
- Day 7invokedagentsend_welcome_kit · receipt #6184
Cross-system orchestration
Multi-agent
Self-improvement loop
- Coverage gaps observedNeural-trust answers · failing post-conditions
- Daily proposal passAggregator drafts candidate Capability specs
- ⌃ owner reviews + signsSpec → typed schema · post-conditions · runtime
- Catalog densifiesNext gap is rarer · trust gradient shifts toward Verified
Company-as-MCP
{ "mcpServers": { "ctrlai-acme": { "url": "https://ctrlai.com/api/mcp/acme", "headers": { "Authorization": "Bearer ctrlai_pk_…" } } } }
Stateful + directed + verified.
None of the four feature buckets is novel in isolation. The combination is the architecture.
| Concern | ChatGPT Teams / Copilot | RAG / Glean | Custom agent frameworks | Ctrl AI |
|---|---|---|---|---|
| Memory across sessions | ✕ | ✕ | ~ | ✓Cases hold typed state + event log |
| Standing objectives between prompts | ✕ | ✕ | ✕ | ✓Goals drive selection, triggers, prelude |
| Hallucination prevention | ✕ | ~ RAG cites prose | ~ tools but no governance | ✓Capabilities are the only fact source |
| Audit trail | Conversation history, brittle | Citation refs, brittle | Logs | ✓Cryptographic receipts + Case events |
| What the AI is allowed to do | Implicit | Implicit | Tool list, unsigned | ✓Finite catalog of signed Capabilities |
| Action vs answer | Mostly answers | Answers only | Acts, no governance | ✓Acts on triggers · destructive ops gated |
Three primitives. Three plans.
Every plan ships Capabilities, Cases, and Goals. You pick the governance depth.
Starter
Solo founders + small teams getting their first 20 Capabilities signed.
- ✓Up to 50 signed Capabilities
- ✓Cases + Goals, full audit log
- ✓Public Trust Portal
- ✓Standard data connectors
- ✓Inference at pass-through cost (no provider account needed)
Professional
Operating teams: Triggers, MCP server, BYOK, dual-signature.
- ✓Everything in Starter
- ✓Triggers (cron, threshold, webhook, goal-state)
- ✓Public MCP server endpoint
- ✓Dual-signature on destructive Capabilities
- ✓BYOK (Anthropic, OpenAI, Gemini)
- ✓Self-improvement aggregator
Enterprise
Regulatory-grade. VPC, on-prem, sector compliance, dedicated CSM.
- ✓Everything in Professional
- ✓On-prem or VPC deployment
- ✓SOC 2 Type II · Basel III · sector-specific
- ✓Domain-level access control + data residency
- ✓Custom connector development
- ✓SLA + dedicated CSM
All plans include AES-256-GCM encryption at rest, audit logging, and Ed25519-signed receipts anchored to a transparency log.
Frequently asked questions
Skills. Memory. Direction.
Sign your first Capability, open your first Case, commit to your first Goal — in a 30-minute trial.
14-day free trial · No credit card required