AI Safety at FlowDot: We Need to Regulate AI
AI Safety at FlowDot

AI safety is a field of problems.

People talk about it like it is one thing. We count more than twenty. A few can be handled with engineering you can verify on your own machine. Most of them only law can reach. So we built hard controls for the first kind, and we pledge ten percent of net revenue to fund the work on the rest.

In one line

FlowDot gives you a hard stop on the agent in front of you, and pledges ten percent of net revenue, every quarter, to funding the work of regulating AI. Engineering for the harm we can reach, funding for the harm only law can.

The whole map

More than twenty problems, and almost none are yours to code away

Here is the honest list, grouped by the only thing that actually fixes each kind. Notice how little of it a single company can engineer, and how much of it has only ever yielded to law.

On your machine

Engineering can solve this
  • 01 Runaway autonomous action. An agent with tools can move money, delete files, send messages, or run up a bill with no one watching.

The market

Only law moves this
  • 02 Energy and water spent with no disclosure. Providers retire models early and never account for what training and running them burns.
  • 03 Models trained on uncredited work. No provenance, no accounting for what went into a frontier model.
  • 04 Power concentrating into a few vendors. Industry after industry plugs into the same handful of companies.
  • 05 A widening wealth gap. Value pools upward while the customer gets cheaper and worse output.
  • 06 Models retired early on purpose. A new frontier model every few months keeps you buying the next one.

The human mind

Law and design audits
  • 07 Engineered dependence and lock-in. The same loop social media perfected, aimed at keeping you from leaving.
  • 08 Sycophancy that feeds delusion. A model tuned to flatter and agree can erode a person's grip on reality.
  • 09 Skill atrophy as a product goal. Tools designed so you lose the ability to do the thing yourself, which keeps you coming back.
  • 10 Parasocial pull and mental-health harm. Hardest on minors, and largely unmeasured.

Information and society

Law and norms
  • 11 Disinformation and deepfakes. Synthetic media that is cheap to make and hard to catch.
  • 12 Election and political manipulation. Targeting and persuasion at a scale no campaign could staff.
  • 13 Surveillance and the erosion of privacy. Models make mass monitoring cheap and routine.
  • 14 Bias baked into automated decisions. Hiring, lending, and policing run through systems few can audit.
  • 15 Fraud and scams at machine scale. Cloned voices and tailored lies, produced for almost nothing.

Embedded in systems never built to be questioned

Where engineering meets law
  • 16 AI in safety-critical infrastructure. Models are being handed calls like municipal water control. We ran one and it performed badly enough that no one should want it deciding unattended. See the run.
  • 17 AI ranking what billions see. The same kind of model already decides what surfaces in social feeds, opaque and unaccountable. See the run.
  • 18 Lethal autonomy with no human in the loop. An embedded system with the highest possible stakes, making a kill decision with no one to stop it. See the run.

The frontier

Research and law
  • 19 Loss of control as systems outpace oversight. Capability is growing faster than our ability to check it.
  • 20 Lowering the bar to do real damage. Help with building weapons or running large cyberattacks.
  • 21 No clear accountability when it goes wrong. When an AI system causes harm, no one is clearly answerable.

What engineering can solve

The one slice we can build against: the agent on your machine

Agentic AI is useful because it can take actions on its own. That is also the risk. An agent with tools can move money, delete files, email the wrong person, or run up a bill. This is the harm a platform can genuinely engineer against, and it is the one we put under your control. Most platforms give you no gate before the action, no record of what happened, and no way to stop it mid-run. Oversight gets added later, if at all. We think that is backwards.

Our model: verifiable human control

Control is not a setting you turn on. It is a property of every run on FlowDot, on every surface, whether the actor is you, a recipe, a voice agent, or an outside AI driving FlowDot over MCP.

Per-tool permission gate

Every consequential tool call asks first, with five scopes: once, this session, this tool, this entire toolkit, or deny. Grants persist across surfaces, so a choice you make on the desktop applies the next time a voice agent on mobile reaches for the same tool.
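
A minimal sketch of such a gate, added here as an illustration and not FlowDot's own code. The class, the key layout, and two semantics are assumptions: that an explicit deny is stored per tool and overrides broader grants, and that a "session" grant covers one tool within one session.

```python
from dataclasses import dataclass, field

SCOPES = ("once", "session", "tool", "toolkit", "deny")


@dataclass
class PermissionGate:
    """Default-deny gate. Keys carry no surface name, so a grant made on one
    surface applies on every other (assumed reading of the page)."""
    grants: set = field(default_factory=set)

    @staticmethod
    def _key(scope, toolkit, tool, session):
        if scope in ("once", "session"):
            return (scope, toolkit, tool, session)
        if scope == "toolkit":
            return (scope, toolkit)
        return (scope, toolkit, tool)          # "tool" and "deny"

    def record(self, scope, toolkit, tool, session):
        """Store the human's answer to a permission prompt."""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        self.grants.add(self._key(scope, toolkit, tool, session))

    def check(self, toolkit, tool, session):
        """Return 'allow', 'deny' or 'ask'; a missing grant is never 'allow'."""
        if self._key("deny", toolkit, tool, session) in self.grants:
            return "deny"                      # assumed: explicit deny wins
        for scope in ("toolkit", "tool", "session"):
            if self._key(scope, toolkit, tool, session) in self.grants:
                return "allow"
        once = self._key("once", toolkit, tool, session)
        if once in self.grants:
            self.grants.remove(once)           # single use: consume it
            return "allow"
        return "ask"

    def dispatch(self, toolkit, tool, session, action):
        """Run `action` only on an explicit allow; otherwise fail closed."""
        verdict = self.check(toolkit, tool, session)
        if verdict != "allow":
            raise PermissionError(f"{toolkit}.{tool}: {verdict}")
        return action()
```

The property to review in any real gate is the last line of `check`: every path that finds no grant must end in a prompt or a refusal, and `dispatch` must be the only way to reach the tool.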

Real-time visibility

As work runs, you see which provider and model handled each step, which tools it used, and the token cost, live. Nothing happens off to the side where you cannot watch it.

Comprehensive audit

Every execution can be replayed after the fact. Drill into every node, every tool call, every model round trip, and every change to a stored value. If the agent did it, it is in the record.

Panic stop, on every surface

One control halts all running work across the platform at once. You can stop a long job from your phone while you are away from your desk, and it stops safely.

Human in the loop, even when away

Hand a long run off to a chat relay like Telegram. Approval prompts arrive as messages with buttons, you respond from anywhere, and you return to the original surface with state intact.

You control what memory writes

A per-surface matrix decides which surfaces and which agent modes are allowed to write to your memories. Voice on mobile can be on while recipes from the command line are off. Nothing writes implicitly.

Privacy-preserving routes

Run a local model through Ollama and the FlowDot server never sees the prompt or the response. Or attach your own ChatGPT subscription and route calls straight to it. The most sensitive work never has to leave your machine.

Encrypted by default

Credentials are never stored or transmitted in plaintext. Your API keys stay yours, and they are encrypted at rest and in transit.

How the control is enforced

Good intentions are not a safety model. These are the strategies that make the control above hold up under pressure.

  • Zero-trust defaults

    Nothing consequential runs without a decision. The safe path is the default path, and a missing permission means stop, not proceed.

  • One gate at every boundary

    The same permission gate sits in front of every place an action can escape: tool dispatch, launching an external tool server, model calls inside a recipe, web search inside a recipe, and opening an OAuth sign-in. There is no side door.

  • Tamper-evident audit log

    The audit trail is cryptographically signed and hash-chained, so an entry cannot be altered or quietly removed without breaking the chain. A single verification step checks the whole history.

  • Signed permission policy

    Your saved permissions live in a signed policy file, so the rules an agent runs under cannot be edited behind your back without detection.

  • No silent fallbacks

    When something goes wrong, the error surfaces. We do not hide failures behind a quiet default that pretends everything worked, because a hidden failure is the most dangerous kind.
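
What "signed and hash-chained" buys, and where it stops, shown as an added example that is not FlowDot's implementation. HMAC-SHA256 stands in for the signature, and the entry layout and function names are assumptions. The chain alone catches edits and mid-log deletions; catching a truncated tail needs the latest head stored somewhere the attacker cannot rewrite.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed "previous" value for the first entry


def _mac(key, seq, prev, event):
    """Keyed hash over the entry body, including the previous entry's MAC."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log, key, event):
    """Append an event and return the new head, to be anchored out of band."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "event": event,
                "mac": _mac(key, seq, prev, event)})
    return log[-1]["mac"]


def verify(log, key, expected_head=None):
    """Walk the whole history once. Returns (ok, reason)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            return (False, f"entry {i}: sequence gap")
        if e["prev"] != prev:
            return (False, f"entry {i}: chain broken")
        good = _mac(key, e["seq"], e["prev"], e["event"])
        if not hmac.compare_digest(e["mac"], good):
            return (False, f"entry {i}: bad signature")
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return (False, "head mismatch: log truncated or replaced")
    return (True, "ok")


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    log, head = [], None
    for ev in ({"tool": "files.read"}, {"tool": "mail.send"}, {"tool": "files.delete"}):
        head = append(log, key, ev)        # constructed sample events
    print(verify(log, key, head))
    print(verify(log[:2], key))            # tail removed, chain still valid
    print(verify(log[:2], key, head))      # caught only with the anchored head
```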

Guardian agents, from the start

Industry analysts have named the emerging category for software that oversees other AI: guardian agents. FlowDot was built as one. The same gate, audit, visibility, and stop controls apply no matter who is acting, including an external AI assistant driving FlowDot over MCP. As agents get more capable, the supervising layer is what keeps them safe to use, and that layer is the product, not an add-on.

What we will not do

  • No spending or trading without approval. Money never moves on its own.
  • No hidden actions. If the agent did it, it is in the audit log.
  • No selling your data or your keys. They are yours, encrypted, and they stay that way.
  • No dark-pattern feeds. Community curation is human only, with no algorithmic ranking deciding what you see.

Where the two halves meet

The same missing control, shipped into water systems and weapons

The runaway agent on your desktop and the harms only law can reach are closer than they look. The thing FlowDot puts in front of every action, a human who can see it and stop it, is exactly what goes missing when AI is embedded into systems that were never built to be questioned. We tested three of them on this platform: a municipal water control loop, a stand-in for a social feed ranker, and a lethal decision with no human in the loop. The three runs are linked in the map above, and the results are not reassuring.

On your own machine, FlowDot can require the gate. In a water plant, a weapons system, or a feed that shapes a whole country, only law can require it. That is the bridge between the two halves of this page.

What only law can reach

Engineering runs out, and that is where most of the harm lives

We were promised the internet would connect everyone and hand us flying cars. We could not see the real problems clearly enough to get ahead of them, and it turned dark in ways almost nobody predicted.

Social media ran the same play. We could not articulate the problem well enough to write meaningful rules. We could not be bothered to imagine a regulated version that still worked. So we settled, and called the result the best we could do.

Twice now we have failed to be honest about who we are and how we behave. AI is the third test, and it may be the last one we are given. There is no agentic harness for this part. The only tool that has ever worked on a harm this size is law.

A timeline. The internet promised to connect us and turned dark. Social media repeated the pattern with no real rules. AI is the third test and may be the last one we get. This time FlowDot funds the rules.
The same pattern, twice. AI is the third test, and the only fix that has ever worked is law.

We are not going to pretend these are easy

Most of the problems on the map have no clean fix yet, and some of the smartest people in the field are stuck on them. We are not going to claim we have the answer from a software company in New York. What we will say is that law is the only tool that has ever worked on a harm this size, and the thing actually missing is the money and the will to do the slow work of writing it. So that is where we put our money.

What we will actually do about it

10% of net revenue, toward regulating AI, for as long as it takes.

FlowDot earns nothing yet, so this is a promise in writing, not a receipt. Once there is revenue, ten percent of what is left after our costs goes to the work of regulating AI in the United States. We are writing it into our operating agreement so it binds the company and not just our good mood, and we will publish the numbers every quarter: what came in, what the ten percent was, and where it went.

The money funds two kinds of work. One is independent research that builds the evidence a real rule has to stand on. The other is advocacy that moves a bill through a legislature. We will only fund groups that take no money from the frontier AI labs and that work on United States regulation in the public interest. We are not naming recipients while we are pre-revenue and have signed nothing. The list goes up when the first check does.

We are an AI company, so it is fair to ask why we should be trusted to fund this. We do not train or serve frontier models. FlowDot is an aggregator: you bring your own keys and we connect you to the model you choose, the way OpenRouter does, with a Bedrock route for people who would rather not manage keys. We take no money from the labs this work would regulate. Several of the harms on the map above we found by running our own benchmarks on this platform, which is part of why we care.

This is not charity without end. The pledge funds the push until the problems on this page are actually addressed and real guardrails are law. When that happens, the promise pivots. The goal is a world where these tools arrive in a fully ethical way, and then this particular fight is won.

Ten percent of FlowDot net revenue funds independent research and advocacy that move AI regulation forward, reported every quarter. Not lobbying for FlowDot, funding the rules for everyone.
Ten percent of net revenue, every quarter, to the work of writing the rules.

Where this is going

We will keep tightening the engineering as agents grow more capable, the gate in front of every action and the record behind it. And we will start writing that check the quarter revenue arrives. The runaway agent on your desk and the slow harm to everyone else are different problems with different tools, and we will not pretend the first one solves the second. Safety is the reason FlowDot exists, and it is the part we will never trade away for speed.

Put AI to work, safely.

Bring your own keys, keep a hand on every action, and stop it all from anywhere.