Part of my Upper Bound 2026 series — write-ups of the talks I caught at Amii's AI conference in Edmonton worth carrying home. A few sessions back I wrote about IT/OT security and the Purdue model, and the punchline of that one was: stop asking "Does the AI understand?" — start asking "Who's accountable when it's wrong?" Jason Sun's session is the direct answer to that question. It's an architecture, not a slogan.
The Talk: "The Accountability Envelope"
Jason Sun presented on what he calls the Accountability Envelope — a governance layer designed for autonomous AI agents that actually do things in the world: book travel, write and deploy code, query databases, make decisions on your behalf. The core problem he opened with is one I've been sitting with for months: as agents gain real capability, the traditional audit trail breaks down. A model might call five sub-agents, each of which calls three more, spending money and touching data and making choices the whole way down. By the time you look at what happened, good luck reconstructing why.
The Accountability Envelope is his answer to that. It's a structured protocol layer that wraps every agent execution with traceability — not as a logging afterthought, but as a first-class part of how the system runs.
Who He Is
Jason Sun is the founder of AceTeam.ai, which he started in January 2024. He studied Computer Science at the University of Waterloo and has engineering experience at Apple and Amazon. Per his talk, AceTeam has a research partnership with Waterloo — he pointed to Prof. Pascal Poupart's group at the Vector Institute — on confidence-calibrated AI extraction, which is essentially: systems that can say what they know, and more importantly, what they don't.
AceTeam's product is a platform for building agentic workflows: a visual drag-and-drop builder that runs across OpenAI, Anthropic, Gemini, Deepseek, and local models via Ollama. The tagline I wrote down at the session: "Build AI agents with receipts, footnotes, and audit trails." Every workflow run produces an ExecutionEnvelope — a structured record with a cost tree, a citation chain, and a full audit trail. The accountability isn't bolted on after the fact; it's built into the execution protocol itself.
I ran into Jason briefly after his session. Genuinely friendly — the kind of founder who seems actually interested in what other people are building, not just in being interesting. Worth mentioning because it matched the talk: practical, grounded, no hype.
The Framework: Two Flows and a Gate
The Envelope has a clear structure. Once he named the three pieces, the whole thing snapped into place.
Flow 1: Context Goes Down
When an orchestrator spins up agents, it doesn't just hand them a task and walk away. The Envelope feeds each agent a structured package of context on the way down:
- Budget limits — how much compute and spend is this agent authorized to use?
- Governance rules — what is it allowed to do? What's off-limits?
- Data-consent policies — what data can it read, write, or pass downstream?
- Identity chains — who authorized this task, and through what chain of delegation?
Jason's framing that stuck with me: think of this as operating-system permissions for each layer of agents. When you spin up a Unix process, it inherits a UID, file permission masks, resource limits. The Envelope does the same thing, but for autonomous agents operating across models, APIs, and organizations. The context is explicit and structured, not implied by who called what.
Flow 2: Results Go Up
On the way back up, each agent hands back more than just an answer. It returns:
- A cost tree — what it spent: tokens, API calls, compute time, wall-clock time, broken out by sub-agent
- Citation chains — what data it read or used to reach its conclusions
- Confidence scores — how certain is it about what it's returning? (The Waterloo research partnership is directly aimed at making these meaningful, not just cosplay-calibration.)
- Compliance records — did it operate within the governance rules it was handed?
The upward flow is what makes after-the-fact audit actually possible. You're not reconstructing what happened from logs — you're reading a structured record that was generated as the work happened. Traceability all the way up to the orchestrator, and through it to the human who kicked things off.
The Gate: Humans Before Irreversible Actions
The third piece is the one I think is most important, and the one most teams skip. Before anything irreversible happens — a purchase goes through, a deploy is pushed, a message is sent — there's a human-in-the-loop checkpoint.
The principle, as I noted it: "Agents yield to humans when uncertain."
This isn't a UX nicety. It's the load-bearing piece of the governance model. The context-down and results-up flows give you visibility; the gate gives you control. You can see everything that happened after the fact, but the gate is the only thing that stops the mistake from happening in the first place. The Envelope is designed so the gate fires before the point of no return, not after.
The Open Protocols
AceTeam has released two open protocols (Apache 2.0) that formalize the Envelope pattern at the wire level:
- Agentic Execution Protocol (AEP) — a vendor-neutral wire protocol covering cost accountability, provenance, and data governance across sub-agents and organizations. If you're running agents across multiple vendors or teams, AEP is the standard handshake that lets the Envelope work across those boundaries.
- Agent Compute Protocol (ACP) — handles dynamic compute allocation. An agent can say: "I need 5 CPU workers for 10 minutes, budget $15." ACP allocates that atomically and bills per worker-minute. Both run on what they call a Sovereign Compute Fabric — your data stays on hardware you control.
The specs and whitepaper are on aceteam.ai if you want to go deeper. The open-protocol move matters: the Envelope only works as infrastructure if it can span organizations and vendor stacks. AEP is what makes that composable.
The Research Base
Jason didn't frame this as original theory — he framed it as applying existing governance thinking to a new execution model. Two anchors worth knowing:
- NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1, January 2023) — nist.gov/itl/ai-risk-management-framework. The four-function backbone: Govern, Map, Measure, Manage. Accountability and traceability are explicit core functions, not suggestions. The Envelope is an implementation of GOVERN in a multi-agent execution environment.
- EU AI Act, Article 14 — Human Oversight (Regulation (EU) 2024/1689) — artificialintelligenceact.eu/article/14/. In force since August 2024; most high-risk obligations apply from August 2026. Article 14 mandates that high-risk AI systems be designed so human overseers can understand, monitor, and intervene. That's the regulatory teeth behind "a human gate before anything irreversible." If your agents are booking travel, writing code, or making financial decisions, August 2026 is not far away.
The NIST framework is the structural vocabulary; the EU AI Act is the compliance driver. The Envelope is a concrete execution-layer answer to both.
Why It Stuck With Me
The question I kept hearing at this conference — across the IT/OT session, across the safety panels, across the governance track — was some version of: when agents do real work, who's responsible for what they do? Not philosophically. Operationally. Right now.
Jason's answer is specific and buildable: make accountability a property of the execution protocol, not a property of the logs you go digging through afterward. The Envelope doesn't change what agents can do — it changes whether you can explain it, audit it, and stop it at the right moment.
Three things I'm keeping:
- Context-down is permissions, not instructions. If you're not explicitly passing budget limits, governance rules, and data-consent policies into each agent layer, you're running on implicit permissions — which means you don't actually have a governance model, you just have hope.
- Results-up has to be structured at generation time. You cannot reconstruct a meaningful cost tree or citation chain after the fact from raw logs. The Envelope has to be part of the execution contract, not a post-hoc analysis job.
- The gate is the whole thing. Visibility without control is just surveillance. The human checkpoint before irreversible actions is where the governance model earns its name.
If you're building agents that touch real systems — or evaluating whether to — the Accountability Envelope is the clearest framework I've encountered for what "responsible agent deployment" actually means in practice. Not as a checklist, but as a running protocol.
More in the Upper Bound 2026 series: memory and learning, Bayesian optimization, IT/OT security, and more.
Header photo by Bradyn Trollip on Unsplash.
Content on this blog was created using human and AI-assisted workflows described here. Original ideas and editorial decisions by Justin Quaintance.