Thesis
The stack that gets you approved.
Agents in regulated industries fail security review, not benchmarks. Visca is the whole stack — identity, credentials, runtime, audit — run inside your customer's walls, with its own operators keeping it alive.
Visca · v0.2
visca.ai
Published 2026
Table of Contents
Contents
- 01The approval problemp. 2
- 02One stack, inside the wallsp. 2
- 03Operators in the boxp. 3
- 04Nothing off the recordp. 3
- 05The human rolep. 4
- 06Proven on ourselves firstp. 4
- 07What we sellp. 5
01 · The approval problem
Security review is the bottleneck.
A bank, a hospital, or a government agency cannot approve an agent product stitched together from a dozen SaaS vendors. Each vendor is a data egress path, another contract to negotiate, another breach surface to underwrite.
The model is not the blocker. Agent pilots clear the demo and stall at the review, because the review asks questions the stitched stack cannot answer: who is this agent, what can it touch, where is the record. When the answer spans a dozen vendors, the answer is no.
This paper is for teams building agents for regulated customers — and for teams building them inside.
02 · The stack answer
One stack, inside the walls.
Visca is the whole stack — identity, credentials, runtime, and audit — shipped as part of the builder's product and run inside the customer's perimeter. The agent arrives with the answers security teams demand.
Identity
Every agent is a first-class principal with a recorded human sponsor. Who is this agent has one answer, and a person stands behind it.
Credentials
Scoped, short-lived credentials in place of standing keys. Authority is granted, reviewed, and revoked — what can it touch has one answer, and it expires.
Runtime
Agents execute inside the perimeter, on infrastructure the customer controls. No model call, tool call, or byte of data crosses the wall to make the product work.
Audit
One tamper-evident ledger of every action, every grant, every approval. Where is the record has one answer, and the security team can read it.
One stack means one contract, one deployment, one review. Nothing leaves the perimeter.
03 · The ops answer
Operators in the box.
Self-hosted has always failed on the ops burden. That burden — not architecture — is the reason SaaS won everywhere it was allowed to win: the vendor's ops team kept the system alive so the customer never had to.
Visca ships with its own operators: agents that deploy, upgrade, patch, rotate credentials, and answer incidents — inside the perimeter, under the same identity, credentials, and audit as everything else they share the stack with. Self-hosted, without inheriting an ops team's job.
04 · Total record
Nothing off the record.
Hand-run systems leak history. SSH sessions, console clicks, tribal knowledge — the operations that keep a system alive are exactly the ones that never make the audit log.
A stack operated only by principals acting within scopes, through one governed gateway, closes that gap by construction. Every patch, every credential rotation, every incident recovery lands on the same tamper-evident ledger as the agents' own work — signed, attributable, queryable.
Maintenance itself becomes evidence. The audit trail is not a feature bolted onto the stack; it is how the stack works. There is no off-the-record path, because there is no hand on the box.
05 · The human role
Humans keep three jobs.
Autonomy does not mean absence. It means the human role is narrowed to the decisions that must stay human — and every one of them is recorded.
Declare intent
Humans state what the system is for and what it may pursue. Agents act within that declaration, never beyond it.
Sign approvals
Consequential actions stop at a human gate. The signature, the signer, and the scope go on the ledger.
Hold the kill-switch
Any human with the authority can halt an agent, a workload, or the stack. The halt is itself a recorded act.
Around those three jobs sit deterministic guardrails — policy walls, budgets, circuit breakers — enforced outside the models, where no amount of reasoning can argue past them. In regulated contexts, human approval gates are permanent by design, not a transitional stage to be automated away.
06 · Proven on ourselves first
We ran the gauntlet before asking you to.
A clinical AI product built on this stack is approved and in pilot at Stanford — it passed the security review this paper describes. And the stack runs its own production.
Compliance certifications are targeted, not claimed. The architecture is built so the evidence exists before the auditor asks for it.
07 · What we sell
What we sell.
We don't sell compliance, and we don't sell software that becomes your ops problem.
We sell the stack that gets you approved — and then maintains itself.
visca.ai
About Visca
About Visca.
Visca is the Autonomy Stack for regulated industries — identity, credentials, runtime, and audit for software agents, shipped inside the customer's perimeter and maintained by its own operators. For more information, visit visca.ai.