Skip to content

The two-stage brain

Kaizen decides in two stages. Most checks never need a model; the few that do get one, in your boundary, with your key.

How the two stages flow

Stage 1: the deterministic floor

Runs on every action. It compares the action to the agent's learned baseline and its declaration: a tool it never used, a destination it never connected to, something it never declared. This is cheap, instant, and does not false-positive, so it is always on and it scales.

Stage 2: the reasoning judge

Runs selectively, when Stage 1 flags something, or as a session-end review. It takes the whole sequence of recent actions, the declaration, and the learned baseline, and asks the question rules cannot: does this behavior match what the agent is for? A single action is easy to rule-check; a sequence against a stated purpose needs reasoning.

The judge returns a verdict with its reasoning and a confidence, never a bare flag. Confidence is feed-aware: high when the action came from ground truth (the egress proxy or a sandbox), advisory when it came from a cooperative SDK hook that an agent could in principle route around.

Bring your own model

The judge calls your model with your key. Configure it in the console under Settings → Reasoning model (provider, model, base URL, key). The key is encrypted at rest and never returned, and the judge runs in your boundary, only the verdict leaves. Without a key configured, Kaizen runs the deterministic floor alone; you opt into the judge.

Why two stages

We learned this the hard way: an always-on LLM judge false-positives (it flagged "a new database" as malicious). So the deterministic floor is the gate that never sleeps, and the model is reserved for the contextual, sequence-level questions where it is actually better than a rule. It is asynchronous and fail-open, if the model is slow or down, the floor still protects you.