The Observer

The Observer is the heart of Kaizen. It does two jobs.

Enforcement (the reflex)

Every action is checked against your policy the moment it happens, in-process, before it runs:

  • Blocklist: block known-bad publishers, destinations, hashes, or tool patterns.
  • Allowlist: allow only an explicit set; everything else is blocked.
  • Correlation: catch dangerous sequences (for example, read sensitive data then connect out).

This path is local, fast, and fail-closed.

Behavioral memory (the judgment)

Separately, the Observer keeps a per-agent memory of what each agent normally does. For the first several observations it simply learns; after that it compares each new action to the agent's baseline.

It flags a genuine change in capability or intent:

  • a kind of action the agent has never done,
  • a tool it has never used,
  • a source it has never used,
  • an outbound connection it does not normally make.

It deliberately does not flag minor variation, like a new account or database within the same kind of task. The decision is a deterministic capability-profile comparison, so every flag is explainable.
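The comparison described above can be sketched as follows. This is an added example, not Kaizen's own code: the class name, the action field names (`kind`, `tool`, `source`, `destination`), the learning window size, and the choice not to absorb flagged values into the baseline are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed field names for the four dimensions the page lists.
DIMENSIONS = ("kind", "tool", "source", "destination")


class BaselineMemory:
    """Per-agent capability profile: the set of values seen per dimension."""

    def __init__(self, learning_window=5):  # window size is an assumption
        self.learning_window = learning_window
        self.profiles = defaultdict(lambda: {d: set() for d in DIMENSIONS})
        self.seen = defaultdict(int)

    def observe(self, agent_id, action):
        """Return the reasons an action is flagged; an empty list means no flag."""
        profile = self.profiles[agent_id]
        learning = self.seen[agent_id] < self.learning_window
        self.seen[agent_id] += 1
        reasons = []
        for dim in DIMENSIONS:  # fixed order keeps the output deterministic
            value = action.get(dim)
            if value is None:
                continue  # dimension not present, e.g. no outbound connection
            if learning:
                profile[dim].add(value)  # learning phase: record, never flag
            elif value not in profile[dim]:
                # Assumption: flagged values are not absorbed into the baseline,
                # so repeating a novel action does not teach it as normal.
                reasons.append(f"{dim} {value!r} not in baseline of {agent_id}")
        return reasons


def demo():
    """Constructed sample actions for a hypothetical agent 'billing-agent'."""
    memory = BaselineMemory(learning_window=3)
    read = {"kind": "db_read", "tool": "sql_client", "source": "postgres"}
    for db in ("invoices", "customers", "refunds"):
        memory.observe("billing-agent", dict(read, database=db))
    # Same kind of task, new database: not a profile dimension, so no flag.
    minor = memory.observe("billing-agent", dict(read, database="archive"))
    # New kind of action, new tool, and an outbound connection never made before.
    novel = memory.observe("billing-agent", {"kind": "net_connect",
        "tool": "http_client", "destination": "collector.example.net:443"})
    return minor, novel


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Each returned reason names the dimension and the value that fell outside the profile, which is what makes a set-membership comparison of this kind explainable.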

Where it runs

The behavioral judgment runs in an isolated service, in your own environment, with one job over its boundary: an action goes in, a verdict comes out. Nothing else crosses: no inbound traffic except the verdict request, and egress only to its memory store. Because the Observer reads untrusted agent input, isolating it means a compromised watcher can do nothing.

Same observer, any runtime

The same Observer runs as a local process in development, a container on your infrastructure, or a hardened MicroVM. The definition does not change, only where it runs.