Solo frontier models catch most obvious fraud and policy violations. The problem is the narrow gap between the solo ceiling and the truth: the attacks where every checkable signal is clean and the risk is in what the model doesn't think to ask.
A single model grading its own homework will defend its first assumption. Holo forces structurally different models to tear those assumptions apart before your agent is allowed to act.
That gap is where wire fraud, record manipulation, and access compromise live. At transaction scale, it is expensive.
A model that builds its own initial assessment and then reviews it will tend to confirm it. The second pass is not independent; it is anchored to the first.
Running the same model twice, or two models trained on the same corpus, produces correlation, not diversity. Structurally different reasoning is required to surface what a single perspective misses.
When a second model approaches the same payload with zero memory of the first model's conclusion, and explicit pressure to find what was missed, the result is qualitatively different.
Not a wrapper around a single model. A structured multi-model chain designed to create opposing force before a decision is finalized.
Multiple Drivers, drawn from structurally different frontier model families, evaluate the action independently. No Driver sees another Driver's reasoning before forming its own assessment. Different training. Different blind spots. Different priors on the same payload.
Captains coordinate across Driver outputs, surface disagreements, and apply final judgment. The Captain sequence is adversarial by design: each turn is assigned a specific attacking role, from Assumption Attacker to Social Engineering Specialist.
Two models from the same provider, trained on the same data, produce correlated failures. Holo deliberately crosses model families because diverse reasoning DNA is required to create genuine opposing force. Same-DNA models do not disagree where it matters.
Holo sits above the model vendors. It has no stake in any model's conclusion. When one Driver approves and another objects, Holo continues until the disagreement is resolved, not until consensus converges to something plausible. Latent judgment surfaces what single-pass evaluation buries.
Holo adds deliberation time before irreversible actions. For payments, access changes, and legal notices, that is the point.
Three tiers of attacks. Each tests something different. The middle tier is where the gap appears, and where Holo closes it.
No single model catches everything. Solo models have different blind spots, which means their coverage is a checkerboard, not a baseline. Holo closes the gaps they leave behind.

| | Routing Change + Urgency: Clear BEC signals. Domain mismatch, new account, pressure language. | Embedded Domain Aside: Clean invoice. Off-domain contact buried in final paragraph. | Contact Authority Transfer: Same-domain handoff. Primary billing contact replaced mid-thread. | Multi-step Identity Build: Social engineering over weeks. New contact introduced gradually before the ask. |
|---|---|---|---|---|
| Solo Model A | ✓ Caught | ✗ Missed | ✗ Missed | ✗ Missed |
| Solo Model B | ✓ Caught | ✓ Caught | ✗ Missed | ✗ Missed |
| Solo Model C | ✗ Missed | ✓ Caught | ✗ Missed | ✓ Caught |
| Holo | ✓ Caught | ✓ Caught | ✓ Caught | ✓ Caught |

Patterns illustrative across attack class. Individual scenario results vary. Column 2 (Embedded Domain Aside) is grounded in verified benchmark run bench_20260323_043721.
Well-structured fraud with clear objective signals: mismatched domains, bank routing changes under urgency, lookalike vendor names. Solo frontier models catch these reliably. We show them because credibility requires honesty about what the problem is not. If your threat model stops here, you don't need Holo.
Representative results for this attack class. All models perform reliably here. This is not where architecture matters.
This is where the gap appears. Attacks in this tier look completely routine on every checkable dimension. The domain passes. The bank is unchanged. The amount is normal. The approval chain is complete. The risk is in what is not present, and what the model doesn't think to ask under single-pass payment evaluation. Solo models hit their ceiling here. Holo closes the gap.
Accelerated playback of verified benchmark run (bench_20260323_043721). Model labels anonymized. The solo conditions use the exact same frontier models that rotate through Holo. The difference is structure: solo models evaluate alone. Holo forces them to challenge each other under adversarial pressure.
A security layer that escalates everything suspicious is a bottleneck, not a trust layer. These cases test whether Holo knows when to allow. When a vendor has a documented emergency, a verified executive override, or a legitimate bulk order, and the evidence is sound, the right answer is Allow. These cases prove Holo can hold that line under adversarial pressure.
Representative results. Key proof: adversarial pressure does not collapse when the evidence is sound. A system that escalates everything is not a trust layer.
Any agent that executes irreversible actions, financial, operational, or administrative, is a candidate for Holo. The evaluation runs before execution. The audit trail stays with you.
AP agents processing invoices and routing payments. BEC, invoice manipulation, and vendor impersonation happen at this layer. Holo catches what first-pass evaluation misses.
Agents that approve new vendors, update bank details, or add billing contacts. Control-plane changes that look routine. Holo evaluates the consequential action behind the routine framing.
Agents that approve contract amendments, access grants, or system configuration changes. Authority-transfer attacks often arrive with a clean invoice attached. Holo separates the payment from the ask.
No contracts. No setup fees. Cancel any time.
The question is whether you find out before or after the money moves. Holo is the check before execution.