Per-client governed boundaries
Each client is its own sealed estate, with its own proof and its own approvers.
The controls that make AI safe to hand out are the same ones that let you say yes on a client's behalf — and keep the line between clients sharp.
Boundaries set per client.
You decide, client by client, which tools Cuttlefish may reach, what it may change, and where its data is allowed to go. A connection scoped to one client's network stays on that network. New permissions start off; you grant exactly what you intend, and you can take any of them back at once — for one client, without touching the rest.
Evidence packs an auditor accepts.
For any meaningful step, Cuttlefish keeps a plain, tamper-proof record of what it used, what it changed, who approved it, and where the result went — scoped to the client it belongs to. Keys, raw addresses, and private details stay hidden, so you can hand a client their evidence pack without exposing anything you shouldn't.
Approval paths that actually move.
When a step changes something real, Cuttlefish pauses and shows a clear card: what it's about to do, what it affects, and whether it can be undone. You allow, deny, adjust, or run it as a test first. For the biggest actions it asks once more — and when you're between client sites, you can approve or deny from your phone with the instruction sealed end to end.