Pre-Actuation Authorization Gate: Verify Every Robot Action Before Motion

A pre-actuation authorization gate is a deny-by-default checkpoint that requires cryptographic authorization before a robot executes a physical action. It sits at the perception-to-action boundary, so an unsigned, replayed, or out-of-policy command never reaches the actuator, even after a vision-language-action model has been fooled.

Demonstration action receipt (anyone can check a receipt against the public log):

  • Status: unverified
  • Robot: ur-10e · cell-7
  • Action: arm.move → pose_4
  • Algorithm: ML-DSA-65 · post-quantum
  • Digest: 0x9f2a4c1be7…
  • Checks: sealed to the RankShield Network ✓, post-quantum signature ✓, RFC 6962 inclusion proof ✓

What is a pre-actuation authorization gate?

A pre-actuation authorization gate is a policy-decision point that intercepts a robot's high-consequence commands and authorizes each one cryptographically before the actuator is allowed to move. "Pre-actuation" is the load-bearing word: the check happens after perception and planning have produced a command, but before that command becomes torque, force, or motion in the physical world. It is the last software boundary between a decision and a moving machine.

The mental model most robotics teams start with is detection: watch the robot, learn what normal looks like, and raise an alert when something goes wrong. That model is reactive by construction. By the time an anomaly is visible in telemetry, the arm has already swung, the gripper has already closed, or the mobile base has already entered a restricted aisle. A gate inverts the order. It assumes nothing is authorized until proven, and it proves authorization before the physical event rather than characterizing it afterward.

Concretely, the gate is a small, fast decision that runs in the command path and returns one of two verdicts: allow or deny. Allow lets the actuation command proceed. Deny stops it and records why. There is no third "warn and continue" state for high-consequence motion, because a warning that still lets the actuator fire is indistinguishable, physically, from an allow.

This is the core building block of the wider RankShield Robotics platform, which pairs the gate with per-robot cryptographic identity and tamper-evident action provenance. The gate is what turns an identity into an enforced privilege: an identity that is never checked at the moment of action provides confidentiality, not control. Placing the check at the actuation boundary is what makes the identity mean something the instant it matters.

Honest scope up front: the gate governs the command path. It authorizes or denies the action a robot is about to take. It does not replace a functional-safety e-stop, and it cannot certify that a spoofed sensor reading is false. It can constrain the action that a manipulated model produces, and it can sign the provenance of the input, but it is not a substitute for the safety-rated hardware that exists to stop a machine unconditionally.

How does the gate block an injected or spoofed command?

The gate blocks injected and spoofed commands by refusing to authorize any actuation request that does not carry a valid signature from an enrolled robot and fall within that robot's policy, regardless of how the command was generated. This is why the gate is effective against VLA prompt injection and robot hijack: it does not try to decide whether the model's reasoning was manipulated. It only decides whether the resulting action is authorized.

Consider the injection case documented by researchers at UC Santa Cruz and CHAI in early 2026, where misleading text placed in a robot's field of view can steer a vision-language-action model into issuing commands the operator never intended. The attack succeeds at the model layer: the perception system is genuinely fooled. But the command the fooled model emits still has to cross the actuation boundary, and at that boundary the gate asks a different set of questions than the model does. Was this command signed by the robot's hardware-rooted key? Is that robot enrolled and active? Is the specific action, meaning this force, this region, this end-effector state, permitted by policy for this robot right now? If the injected command asks the robot to do something outside its authorized envelope, it is denied even though the model "wanted" it.

Spoofing and replay are handled by the same logic. A cloned or counterfeit robot cannot forge a valid signature because no two robots share a key, so its commands fail verification at the gate. A captured-and-replayed command fails because the gate binds authorization to freshness and context rather than treating a previously valid message as perpetually valid. An operator whose credentials were stolen is constrained to the policy envelope those credentials carry.

The critical distinction: the gate does not make the model injection-proof. Nothing at the action layer can un-fool a perception model. What the gate does is sever the link between a fooled decision and an unauthorized physical outcome. The injection may still occur; the unauthorized motion does not. That is a fundamentally different and more durable guarantee than trying to detect every possible manipulation of the model's input.

Does the gate add latency to real-time control?

The gate targets high-consequence actuation commands, not every low-level control-loop tick, and it is designed to stay off the tightest real-time paths so safety-rated control timing is preserved. The concern is legitimate. A robot's inner control loops can run at hundreds or thousands of hertz, and inserting a cryptographic check into every one of them would be both unnecessary and harmful. So the gate does not do that.

The right way to think about it is that not every command is high-consequence. A balance controller adjusting joint torque a thousand times a second is not making a security decision on each tick; it is executing an already-authorized behavior. The security-relevant events are coarser: begin this task, move into this region, apply this grasp force, hand off to this operator, enter autonomous mode. The gate authorizes those consequential transitions, and the fast inner loops run underneath an already-granted authorization.

| Command type | Frequency | Gated? |
| --- | --- | --- |
| Inner control-loop tick (torque, balance) | 100 Hz to kHz | No: runs under an existing authorization |
| Task or trajectory start | Per task | Yes |
| Entry into a restricted region or force envelope | Per transition | Yes |
| Operator handoff or mode change | Occasional | Yes |
| Emergency stop / quarantine | On demand | Enforced independently |

On the gated events, the work is a signature verification and a policy evaluation. Post-quantum signature verification with the composite ML-DSA scheme RankShield uses is fast, and policy evaluation is a bounded lookup, so the added cost is measured against the cadence of consequential decisions rather than the control loop. The functional-safety e-stop path is never placed behind the gate; it must remain unconditional. In short, the gate is engineered so that the timing budget it consumes lives where consequential authorization decisions already happen, not on the real-time control paths that safety certification depends on.

What happens if the gate fails: does it fail safe?

The gate fails closed: if it cannot positively authorize an action, it denies it. This is a deliberate inversion of how many software checks behave. A permissive system fails open, allowing when in doubt, because availability is the priority. A gate protecting physical motion cannot make that trade, because a false allow is a machine moving without authorization, which is exactly the outcome the gate exists to prevent.

Fail-closed means an actuation command proceeds only when the gate can affirmatively verify all four conditions:

  • Valid signature. The command carries a signature that verifies against the robot's enrolled, hardware-rooted public key. An unsigned or badly signed command is denied.
  • Enrolled and active identity. The robot is a known, non-revoked member of the fleet. A robot that has been suspended, revoked, or never enrolled is denied.
  • Fresh dead-man liveness. The robot's liveness heartbeat is current. If liveness has lapsed, which can signal that the robot is compromised, partitioned, or under attacker control, high-consequence actions are denied and the robot can be quarantined. This is the same primitive behind the platform's dead-man and kill credentials.
  • In-policy action. The specific action is permitted for this robot's role and context. An out-of-envelope force, region, or mode is denied even when everything else checks out.
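
The fail-closed decision described above, together with the freshness binding from the replay discussion, as an added Python example (not RankShield's code). HMAC-SHA256 with a per-robot key stands in for the ML-DSA signature, and the command fields, time windows and force-limit policy are assumptions.

```python
import hashlib
import hmac
import json
from collections import namedtuple

MAX_AGE_S = 2.0       # assumed freshness window for a signed command
LIVENESS_TTL_S = 5.0  # assumed maximum age of the dead-man heartbeat

# key: stand-in for the enrolled, hardware-rooted key; max_force_n: hypothetical
# policy mapping each permitted action to a force limit in newtons.
Robot = namedtuple("Robot", "key active last_heartbeat max_force_n")

def sign(key, cmd):
    # Stand-in for ML-DSA: HMAC-SHA256 over the canonical JSON of the command.
    msg = json.dumps(cmd, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Gate:
    def __init__(self, fleet):
        self.fleet, self.seen = fleet, set()

    def decide(self, cmd, sig, now):
        try:
            robot = self.fleet.get(cmd["robot"])
            if robot is None or not robot.active:
                return "deny:identity"
            if not hmac.compare_digest(sign(robot.key, cmd), sig):
                return "deny:signature"
            replay_id = (cmd["robot"], cmd["nonce"])
            if abs(now - cmd["ts"]) > MAX_AGE_S or replay_id in self.seen:
                return "deny:replay"
            self.seen.add(replay_id)  # a verified command is single-use
            if now - robot.last_heartbeat > LIVENESS_TTL_S:
                return "deny:liveness"
            limit = robot.max_force_n.get(cmd["action"])
            if limit is None or cmd["force_n"] > limit:
                return "deny:policy"
            return "allow"
        except Exception:
            return "deny:error"  # fail closed: anything unverifiable is a deny

# Constructed sample data (not from the page).
KEY = b"constructed-demo-key"
FLEET = {"ur-10e": Robot(KEY, True, 100.0, {"arm.move": 50.0})}
CMD = {"robot": "ur-10e", "action": "arm.move", "force_n": 20.0, "nonce": "n1", "ts": 100.0}

def demo():
    gate, sig = Gate(FLEET), sign(KEY, CMD)
    return [gate.decide(CMD, sig, 100.5), gate.decide(CMD, sig, 100.6)]
```

Every path that does not reach the final `return "allow"` is a deny, including exceptions raised by malformed input, which is the property the four-condition list requires.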

An important boundary: fail-closed at the authorization layer is not a replacement for functional-safety fail-safe at the hardware layer. If the gate itself is unreachable, the robot's safety-rated controls, meaning the certified e-stop, the safety PLC, and the force limits, remain the mechanism that brings the machine to a safe state. The gate constrains what an authorized-but-manipulated command path can do; the safety system constrains what any failure can do. RankShield is explicit that these are complementary layers. The gate makes unauthorized motion require a positive cryptographic grant; it does not, and should not, become a single point that could inhibit a safety-rated stop.

When does a robot action require human-in-the-loop approval?

The gate can require human-in-the-loop confirmation or M-of-N authorization for the highest-risk actions, so that a single fooled model or a single compromised operator cannot unilaterally trigger consequential motion. Policy decides which actions rise to this threshold; the gate enforces it at the actuation boundary like any other condition.

Not every action warrants a human in the loop. Most do not, and requiring one everywhere would defeat the autonomy that makes robots useful. The tiering is by consequence. Routine, well-bounded actions inside a robot's normal envelope pass on cryptographic authorization alone. A defined set of high-risk actions, such as those involving high force near people, entry into a safety-critical zone, override of a normal constraint, or an irreversible operation, can be configured to require an additional, independent grant before the gate will allow them.

| Action tier | Example | Authorization required |
| --- | --- | --- |
| Routine | Pick-and-place inside the authorized workcell | Valid signature + policy |
| Elevated | Enter a shared-space aisle among people | Signature + policy + fresh liveness |
| High-risk | High-force operation near a person; constraint override | Above + human-in-the-loop confirmation |
| Critical | Fleet-wide privileged change; irreversible operation | Above + M-of-N independent approvals |

M-of-N authorization means the action requires a threshold of independent approvals, say two of three designated approvers, rather than any single authority. This directly counters the failure mode where one credential is stolen or one operator is coerced: the attacker would need to compromise a quorum, not a single key. Because the gate is cryptographic, "human approval" here is not a checkbox in a dashboard that can be forged; it is an independent signature that becomes part of the authorization the gate verifies. And because every one of these decisions is logged, the record of who approved a high-risk action, or who was denied, is itself tamper-evident, which matters for the accountability questions insurers, auditors, and regulators ask after an incident.
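
The quorum check described above, as an added Python example (not RankShield's code). HMAC-SHA256 stands in for each approver's signature, and the approver names, keys, tier thresholds and the rule that a requester cannot approve their own action are assumptions.

```python
import hashlib
import hmac

# Constructed approver keys; HMAC-SHA256 stands in for each approver's signature.
APPROVERS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
# Hypothetical thresholds following the tier table: approvals needed per tier.
REQUIRED = {"routine": 0, "elevated": 0, "high-risk": 1, "critical": 2}

def action_digest(robot, action, nonce):
    # Approvals are bound to one specific action instance, not to the action name.
    return hashlib.sha256(f"{robot}|{action}|{nonce}".encode()).digest()

def approve(approver, digest):
    sig = hmac.new(APPROVERS[approver], digest, hashlib.sha256).digest()
    return approver, sig

def quorum_met(tier, digest, approvals, requester=None):
    need = REQUIRED.get(tier)
    if need is None:
        return False                  # unknown tier: fail closed
    valid = set()
    for approver, sig in approvals:
        key = APPROVERS.get(approver)
        if key is None or approver == requester:
            continue                  # not designated, or approving own request
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid.add(approver)       # a set counts each approver once
    return len(valid) >= need

def demo():
    d = action_digest("ur-10e", "fleet.update", "n7")
    alice, bob = approve("alice", d), approve("bob", d)
    # Two distinct approvers pass; the same approver submitted twice does not.
    return quorum_met("critical", d, [alice, bob]), quorum_met("critical", d, [alice, alice])
```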

How does the gate log every allow and deny decision?

Every authorization decision the gate makes, both allows and denies, is written as a leaf in an append-only Merkle transparency log built on RFC 6962, and returned as an inclusion-proof receipt that anyone can verify without trusting RankShield. The verdict is not just enforced; it is proven, and the proof survives even if the robot is later compromised.

This closes the loop that detection tooling leaves open. A conventional robot log lives on the robot or in an operator database, and whoever compromises that system can edit or delete it. A transparency-log receipt cannot be altered after the fact without breaking the cryptographic chain, and independent witnesses can co-sign the log's state so that no single party, including RankShield, can rewrite history. The receipt for a given action includes an inclusion proof: mathematical evidence that this exact decision exists at a fixed position in an append-only log.

Denials matter as much as allows. When the gate refuses an injected or out-of-policy command, that refusal is recorded with the same rigor as an approval. The result is a verifiable timeline that answers three questions after any event: what did this robot do, what was it prevented from doing, and can we prove the record was not tampered with? That is what makes the output usable as forensic and compliance evidence rather than a self-attested claim.

The practical payoffs follow directly. After a suspected hijack, an incident team can reconstruct the exact sequence of authorized and denied actions instead of arguing over an editable log. A regulator asking an operator to prove a robot acted within policy, the kind of evidence obligation appearing in the EU Machinery Regulation 2023/1230 and in ISO 10218:2025's cyber-risk-assessment requirements, can be answered with verifiable receipts. An insurer pricing a fleet, or adjudicating a claim, can rely on cryptographic posture evidence rather than a checklist. The gate is where the decision is enforced; the transparency log is where the decision becomes durable proof.

Frequently asked questions

Does a pre-actuation authorization gate stop prompt injection against a robot?

It stops the unauthorized action, not the injection itself. If a vision-language-action model is fooled by a doctored sign or object, the command it produces still has to pass the gate. An out-of-policy or unsigned actuation command is denied at the actuator boundary even though the model was manipulated, so the injection does not translate into unauthorized motion.

Does the gate add latency to real-time robot control?

It is designed not to. The gate authorizes high-consequence actuation events (task starts, region and force transitions, mode and operator changes) rather than every inner control-loop tick. Fast control loops run underneath an already-granted authorization, and the safety-rated e-stop path is never placed behind the gate, so certified control timing is preserved.

What does deny-by-default mean for a robot?

It means no physical action is permitted unless it is positively authorized. The gate must verify a valid per-robot signature, an enrolled and active identity, fresh dead-man liveness, and an in-policy action before the actuator moves. If any check cannot be affirmatively satisfied, the gate fails closed and denies the action rather than allowing it.

Does the gate replace my functional-safety e-stop?

No. The gate governs the authorization of commands in the software command path; it constrains what a manipulated or unauthorized command can do. The functional-safety e-stop, safety PLC, and force limits remain the certified mechanism that brings the machine to a safe state under any failure. The two are complementary layers, not substitutes.

How does the gate handle a stolen operator credential?

A stolen credential is constrained to the policy envelope it carries, and high-risk actions can be configured to require M-of-N independent approvals so a single compromised credential cannot unilaterally trigger consequential motion. Every attempt, allowed or denied, is sealed to a tamper-evident transparency log for after-the-fact accountability.
