Before you let kids onto a playground, you build the walls so they can't wander into traffic, you put down soft flooring so a fall is recoverable, you post a supervisor, and you keep a record of who came in. The Foundation is the AWS equivalent of all that. Every AI cartridge inherits it for free.
Six safety features make up the Foundation. None of them are negotiable, and none of them are configured per cartridge. They run for the whole playground.
Decide what traffic can leave the playground and what cannot. Only four outside systems are allowed: Salesforce, Monday, GitHub, GitBook. Anything else hits the wall and stops.
AWS: Network Firewall + DNS Firewall + VPC private subnetsEvery piece of data the playground stores is encrypted. Customer tokens, API credentials, audit logs. If something fell off a ride, it bounces; it doesn't shatter. The keys are managed by AWS and we control who can use them. We use three separate keys (one per trust zone) so a compromise of one role does not leak the others. Deeper dive on the three safes →
AWS: KMS Customer Managed Keys (one per trust zone) + Secrets Manager + S3 + DynamoDB encryptionNobody enters without checking in at the gate. Each user signs in and gets a wristband that says what they can do. Operators can see everyone, executives can see a summary, regular users see just their tools.
AWS: Cognito + Cognito groups + per-cartridge JWT verificationEvery action on the playground is recorded. Who accessed which data, which AI model answered which question, how much each ride cost, how long every action took. Tamper-resistant, retained for years.
AWS: CloudTrail (data + management events) + CloudWatch Logs + GuardDutyAn automated supervisor checks every scheduled job every 30 minutes. If a job that should have run didn't run, the supervisor emails the operator. The supervisor itself is supervised by AWS service health checks. Things don't quietly stop working.
AWS: EventBridge Scheduler + watchdog Lambda + SES alertsA hard rule that says "no ride is allowed to do these things, ever, no matter what." For example, no cartridge can publish a public Lambda URL. No role can grant itself more permissions. The boundary applies before any cartridge-specific permission is even considered.
AWS: IAM Permission Boundary on every role + SCPs at the org level| Layer | State today |
|---|---|
| Encryption | Enforced. Every data store uses our keys. |
| Identity | Enforced. Every request is JWT-verified, every admin endpoint group-checked. |
| Permission boundary | Enforced. New roles inherit it automatically. |
| Audit cameras | Enforced. Always on, always recording. |
| Supervisor | Enforced. Watchdog runs every 30 minutes against scheduled jobs. |
| Network walls | Warning-only today. The walls notice when something tries to leave but don't yet block it. The flip to enforcement (Step 5) is the next major substrate milestone, deliberately sequenced after we observe what real traffic looks like. |
The order matters. Ship cartridges, observe for N days what they actually call, confirm only expected traffic shows up in the alert logs, then flip to enforcement. This is the same pattern airline crash investigators use: prove what's normal before declaring what's an anomaly. Doing it backwards causes false positives and operator distrust of the system.
A cartridge author writes their app. The Foundation hands them:
This is what "compounds" means. Every cartridge benefits from every Foundation improvement automatically.
The Foundation is built but not finished. Next iterations:
Foundation engineering depth lives in Step 2 (identity), Step 3 (network), Step 4 (substrate complete), Step 4.5.a (data governance CMKs), Step 4.5.b (3-layer browser-to-Lambda defense), and Step 6.k (scheduled jobs and watchdog).