Eight money-out action classes are locked to propose-only in the database schema itself — not a checkbox, not a UI guard. Auditable AI agents whose every action lands on a record you can open, with kill switches, physical tenant isolation, and a human confirming anything that matters.
Anyone can say “human in the loop.” Command welds it into the database: the platform cannot be configuredto move money out on its own — not by us, not by you, not by an agent. Every trust claim on this page names the mechanism that enforces it.
Every AI action in Command is a proposal until a human confirms it — and each proposal declares its undo before you decide. A proposed journal entry carries its reversing entry; a proposed change names what puts it back. Where no clean undo exists, the proposal says so plainly, so confirming is never a leap of faith.
And for the eight money-out classes, confirm is as far as autonomy can ever climb — the database caps them at propose-only no matter how much trust an agent earns elsewhere.
Record bill payment — Hartline Electric · $4,120.00
Most audit logs tell you who-did-what-when and stop there. Command’s audit desk is a first-class, human-viewable surface where every row drills through to the actual artifact— click the event and see the real email that was sent, the real document that was filed, the real journal entry that was posted.
The spine is append-only — touches, agent run steps, and agent definitions can be added to but never rewritten — and failures are first-class red rows, never quietly dropped. That’s what “auditable AI agents” means here: not a report about the record, the record itself.
“Human in the loop” is only as strong as where it’s enforced. Most tools enforce it in the interface — Command enforces it where the data lives.
The money-out lock is the headline; these hold up everything else. Each one is enforced in the runtime and verifiable in a demo.
Kill switches at three scopes, checked when a run is queued and re-checked when the worker claims it. Flip one and agent activity at that scope stops.
Your business lives in its own database schema — the full ontology, not shared tables — and every read runs under row-level security on your identity.
Four tenant roles (owner, admin, analyst, viewer), TOTP two-factor, an optional tenant-wide MFA requirement, and step-up checks on sensitive actions.
A failed read dims its tile and says why — never a fabricated zero. Capped reads are labeled partial. The system tells you what it doesn't know.
How the agents themselves are governed — charters, budgets, run traces, the escalations desk — lives on the AI agents page.
No — structurally, not by policy. Eight money-out action classes (refunds, bill payments, payouts, distributions, retainage releases, tax payments, capital returns, payroll) are platform-locked at the database to maximum autonomy 1: an agent may propose, a human must confirm, forever. It is a database constraint, not a setting — there is no toggle, plan, or configuration that makes the platform auto-pay.
Book a demo and ask the hard questions — watch an agent propose, open the audit trail to the real artifact, and see exactly where the money-out wall holds.