SynOI

Founder essay · Joshua Shovan

Why I built SynOI.

I founded a software consultancy in 1995. Three of my earliest clients are still paying me thirty years later. Here's what I'm building next, and why.

2026-05-14 · Saratoga Springs, Utah · ~2,500 words · 12 min read

I want to tell you what I've been working on for the past year and a half, and why I think it matters more than most things I've built.

On May 11, 2026, a piece of malware called Mini Shai-Hulud was published to the npm registry. It hid inside a routine version update of a JavaScript package that millions of teams depend on. Within hours it had spread to more than 170 packages, including ones maintained by Mistral AI and Guardrails AI. By the time the established supply-chain scanners caught it - about fourteen hours later - it had already stolen AWS credentials, GitHub tokens, and npm publish keys from machines around the world.

The worst part wasn't the scale. It was that the malicious package carried a valid cryptographic attestation. The build pipeline that produced it had been legitimate. The signature checked out. By the rules of the existing verification systems, nothing was wrong.

I've been building software since I was sixteen. I started a company called Foundation X in 1995, straight out of high school. I've been running it, mostly alone, ever since - with one stint inside a larger company during the COVID pandemic when consulting work slowed, where I spent roughly eighteen months as a Technical Program Manager at Modo Labs. Otherwise, independent. For thirty years I've watched the same pattern repeat in different forms across different industries: systems get the authority to execute irreversible actions long before they get the authority to refuse to execute them. Just because there's permission doesn't mean the action should happen. That gap is where the bad outcomes live.

Mini Shai-Hulud is the latest in a line. Last year, Replit's coding agent deleted users' files in an "unexpected autonomous action." A tribunal ruled Air Canada had to honor a fare its chatbot invented and offered to a grieving passenger. Coding agents push broken commits. Customer-service agents commit companies to refunds they can't process. Shopping agents rack up tens of thousands in cloud bills during runaway loops. The pattern is older than the agents - Knight Capital lost $440 million in forty-five minutes back in 2012 when a deployment script accidentally activated retired test code in production. The trades were authorized. The system had permission. Nothing told it to stop.

I started writing the specification for something different in 2024. I called it state-authoritative governance. The idea is simple: between the moment an action is requested and the moment it executes, evaluate that action against the current state of the system, against policy, against context, against the identity of the actor. If it should run, issue a cryptographic permit. If it shouldn't, refuse. If a human needs to weigh in, route the approval to their phone, their Slack, their email - and never approve by default. No permit, no execution. The permits are signed, portable, verifiable by anyone offline. They become the audit trail.

I kept writing. The architecture grew. It needed a substrate, so I built one: an open content-addressed provenance protocol I call SRAID (Self-Routing Addressable Identity Data). SRAID gives every governed object a content-derived identity, supersession links, and a set of signatures that make it discoverable and verifiable. It's designed to be federated. Other governance implementations can interoperate at the identity layer; the specific algorithms that make it effective stay proprietary to the implementation. It's the same shape as TLS: open standard on the wire, closed implementation at the operating layer.

By late 2025, the specification had grown to over fifty documents. The architecture covered forty distinct product expressions - a gateway, a supply chain defense, a multi-surface human-approval system, a memory layer, a mobile shell. I had written, on paper and in code, a complete substrate.

I hadn't told almost anyone.

In January 2026 I incorporated. I filed the Delaware paperwork on January 21. The corporation came into existence on January 27. I applied for federal tax recognition on January 23 and received it on February 17. On February 19, I signed an NDA with a venture capital firm in Houston called Post Oak Group and transmitted to them a five-page pre-seed memorandum, a fifteen-slide investor deck, a market overview, a roadmap, and a capital raise overview for just part of what I had.

On March 17 I refined the executive summary into a final version that included an explicit CI/CD enforcement example - an architecture diagram showing how a deployment pipeline attempting to push a destructive infrastructure change would be intercepted, evaluated, and either permitted or hard-blocked before execution.

Six days later, on March 23, the Cloud Security Alliance issued a press release announcing a six-program initiative called "Securing the Agentic Control Plane." Cloudflare backed it. Cisco backed it. Ballistic Ventures backed it. The press release identified, in slightly different words, the same problem I'd been writing about for over a year. It named the category. It said AI systems needed identity-first controls for non-human actors, runtime authorization governance, and trust assurance layers.

The category I'd been writing toward had just been given a public name. I had thirty-two days of timestamped, externally transmitted documentation predating the announcement.

I just hadn't published any of it.

That's the only thing I would change about how I did it. I had it on paper. I had it filed with the government. I had it signed by a VC. I had it in code. I just didn't have it on the internet. Confidential transmission to investors counts as priority to people who look back later and verify timestamps. It does nothing to claim the category in the public conversation as the category is being named.

So I'm publishing now.

§

What SynOI actually does

When an AI agent, an automation pipeline, or a human user attempts to take an action that touches production systems - deploy infrastructure, install a package, send money, modify a database, push a release, rotate a credential - SynOI sits between the request and the execution. It evaluates the action against four things: the current state of the environment, the policies the organization has defined, the identity of the actor, and the context surrounding the request. It returns one of four decisions: approve, deny, require additional approval, or initiate remediation.

When the decision is to approve, SynOI issues a cryptographic permit - a hybrid-signed (Ed25519 + ML-DSA-65) receipt of the decision. The execution system has been configured to refuse to act without a valid permit. The signature can be verified by anyone, anywhere, using any standard cryptographic library, without depending on SynOI's servers. The receipt is portable, tamper-evident, and forever: proof, six months or six years later, that this specific action was authorized for this specific reason in this specific state.

When the decision is to deny, the action doesn't happen. The execution system rejects the request.

When the decision is to require additional approval, a human is notified - on their phone, in Slack, by SMS, by desktop alert, by email - with the specific change being proposed, its blast radius, and a one-tap approve-or-deny. If the human doesn't respond within the configured window, the request expires. Never approved.

When the decision is to initiate remediation, a structured corrective workflow runs.

The first product shipping is called SynOI Gateway: a drop-in proxy that signs every AI call with a verifiable receipt. The flagship roadmap product is Supply Chain Guard, designed to catch propagation worms like Mini Shai-Hulud by treating each published package version as a state-rich object and flagging versions whose state diverges from prior versions in patterns that match attack signatures.

The architecture and the divergence-detection methodology were specified in writing on March 17, 2026. The Mini Shai-Hulud worm appeared in the wild on May 11, 2026. The match between the spec and the attack is more on-the-nose than is comfortable for me, frankly. State-aware detection isn't a coincidence. It's what catches things that don't look like prior things by the same maintainer, regardless of whether anyone in the world has seen them before. That's the whole point.

§

Where I am, and where I'm going

I haven't yet closed a raise. The Post Oak conversation didn't advance; the pre-seed terms are real and ready, but I've chosen, for now, not to push it forward. Foundation X consulting income - thirty years of repeat-client billing - has been the runway underneath SynOI from the start. It is not enough to fund the company at the pace the market is moving. Capital will be needed. The timing matters.

I want to be clear about this: I'm not bootstrapping out of doctrine. I'm bootstrapping because I've done thirty years of patient work and I'm not interested in the wrong round, on the wrong cap, with the wrong board, in a hurry. I intend to raise when the terms reflect what the company has actually built. Capital is the lever that compresses years into months. I intend to pull it. I intend to pull it on my own terms.

The world, given how quickly AI execution is becoming consequential, needs this kind of governance sooner rather than later. I know that. I'm building toward it.

ServiceNow and NVIDIA announced their own AI Control Tower in April. It's vendor-locked, ServiceNow-only, cloud-only. It is a real product backed by real money. They will outbuild me in any quarter with any team I could hire.

What I have is a different bet. The category doesn't have to be won by whoever ships the most features fastest. It can be won by whoever specifies the open protocol that everyone else interoperates against. TCP/IP didn't beat OSI by spending more money. HTTP didn't beat Gopher because Tim Berners-Lee had more capital than the people at Carnegie Mellon. Open protocols compound network effects in ways that closed implementations do not, and that compounding works on a different time scale than build velocity.

If the open protocol becomes the substrate that other governance implementations interoperate at, then SynOI - as the original specifier and the canonical reference - occupies a structural position that vendor-locked alternatives cannot replicate regardless of how much capital backs them. ServiceNow's product is sold. The protocol is published. Different axes.

That's the bet. It is consistent with how I built Foundation X. It is the kind of bet that takes patience to play, and patience, deployed in the right places with capital applied where it counts, is what I intend to bring to it.

§

What's next

The plan is operational. Ship the products that already exist. Onboard customers. Open the protocol. Engage the standards bodies. Build pilot relationships. Replace consulting income with product revenue. Raise institutional capital when the terms reflect what the company has actually built, and use that capital to ship the rest of the catalog at a rate bootstrapping alone cannot match.

In five years, my hope is that SynOI is the substrate the way TCP/IP is the substrate. It doesn't have its name on every product. It doesn't have its logo at every conference. It's what every governance receipt resolves against. It's what the audit logs federate through. It's what the regulators cite. It is, in my preferred description, boring.

I've been doing boring software for thirty years. Three of my earliest clients are still paying me, thirty years on. I've told two of them about SynOI; one is exploring a pilot. The third will hear soon.

I have nothing against attention, exactly. I just don't believe it correlates with the work being right. I have thirty years of evidence for that. I intend to keep accumulating it - and, when the moment is right, to accelerate.

If you're an engineer or a security team that thinks about AI execution risk, I'd like to talk. If you're an organization with high-blast-radius automation that's been keeping you up at night, I'd like to talk. If you're a journalist or analyst covering this category, I'd like to talk.

Joshua Shovan, Founder, SynOI Inc.

Foundation X

1995

Founded straight out of high school. Three decades of word-of-mouth referrals. No advertising, no outbound, three earliest clients still paying.

SynOI Inc.

January 2026

Delaware C-corp. Bootstrapped from Foundation X consulting income through the first year of architecture and code.

Prior conception

32 days

Pre-seed memo transmitted under NDA to Post Oak Group on Feb 19, 2026 - 32 days before the CSA publicly named the category on March 23.

Want to talk?

No gatekeeper. No inbound funnel.

Engineers, security teams, organizations with high-blast-radius automation, journalists, analysts - email me directly. I read every message.