DOOGG GROUP

PUTTING AN LLM IN CHARGE OF A COMPANY — WITHOUT LETTING IT BREAK IT

An architecture note from doo.gg

For a few years now, the question we get asked is no longer "can a model do this work?" — it can. It is: "how do we let it do real work, on real data, with real consequences, without a hallucination turning into a false accounting entry, an email that has already left, a stock count that is wrong?"

The answer we have built is not a smarter model. It is an architecture. Here are its principles — without the secrets that make them run for our clients.

1. A single point of convergence

A useful LLM is an LLM that can act. The danger is exactly the same: it can act. Our first architectural choice is to route every possible action through a single point — a wasp waist, one permissioned crossing between the intelligence and the world.

Concretely: the model does not have ten accesses (database, bank, mail, ERP). It has one. This single point carries the rights, journals every call, and exposes only named operations. We do not secure ten doors; we keep one, and we keep it well. Everything that follows — verification, audit, coordination — becomes possible because the flow converges.

2. The LLM proposes, a deterministic judge disposes

The heart of the system is not the model: it is a deterministic judge placed behind the point of convergence. The LLM does not "do" anything directly. It proposes a document — an order, an entry, a movement — and a deterministic component, hard-coded and tested, signs it or refuses it.

A few rules we hold to be non-negotiable:

The guardrails are code, not instructions. An instruction in a prompt can be worked around; a law that refuses cannot. Nothing is written unless the judge has said yes.
Fail-closed. When in doubt, refuse. An ambiguous document, a balance that does not land to the cent, a missing supporting document → rejection, not approximation.
A missing control is a failure, not a silence. The day someone wires in a new source of entries without its control, verification breaks — it does not turn green by politely ignoring what it cannot see. A tool that does not know it is blind is more dangerous than a tool that fails.
A process can be no greener than its signatory. The displayed state of a chain is capped by the weakest brick that signs it.

Verification never "believes" the model's narrative. It cross-checks. A reconstructed balance must equal the real balance of the external source, to the cent; a document is re-hashable; raw proof is stored alongside the narrative so the judge can confront the figures with their source, not with what the model said about them.

3. Deterministic agents execute — and the human holds the leash

Once a document is signed, it is not the LLMs that touch the outside world. It is deterministic agents — bots that sleep on a state and wake when it is reached, execute a bounded action, and stop.

And on everything irreversible or outbound — a real send, a payment, a definitive entry — the decision stays human. The model prepares, presents the exact consequence (not a reconstructed summary), and waits for a green light. Friction is placed where it protects, and removed everywhere else.

4. We built the system with agents — while distrusting them

The construction itself is an architecture. We coordinate sessions that launch bots, and agents that orchestrate other agents: one decomposes, others execute in parallel, a last one verifies adversarially before committing.

The rule that makes this safe is counter-intuitive: the session that builds a tool never does the real work with it. The author always knows how to use their own creation — they know the undocumented parameter, guess the format, work around the error message without noticing. If they use it and it works, it proves nothing.

The only proof that counts: does a blank session — an agent that has only the documentation and the tools, like all who will follow — carry the task end to end, without being coached? If it stumbles, it is never the session's fault: it is a defect in the documentation, the tool contract, or the law. Every stumble becomes a test, a guard, a line of doc. Then we loop again. As long as a blank session cannot do it alone, the tool is not in production — it is under construction, whatever its author says.

This is also how we audit legacy: we replay the old system in parallel with the new one during the transition, we reconcile old and new by content and by balance, and we cut the old one off only when the two coincide, line by line.

5. Documentation that could rebuild the system

We do not document alongside the system. The documentation is a projection of the system, and it obeys a strict discipline:

One piece of information, a single canonical place. Zero copies. Duplicated documentation diverges and goes stale — stale doc = bug. We point to the source; we do not recopy it.
The map is confronted with the territory. We list what is real, compare it to the map, and whatever exists but is not mapped automatically becomes a work item. This is what keeps the map from lying.
The registry is a view, not a hand-maintained list. "Open work items", for example, are not a checklist: they are a query on the document itself. One source, zero copies, again.

The culmination: a unified repository that gathers, in one place, the guardrails, the business rules, and the map of every process. Published, it would let the entire system be rebuilt — because it does not describe the system, it contains it.

6. Auditability as the keystone

The last principle is the most important, and the least intuitive:

A book that only checks itself is perfectly consistent with its own errors. It balances, it chains, and it lies.

That is why every control cross-checks a source outside the system: the bank, the warehouse, the payment provider, a legal registry. A self-consistent system proves nothing; a system confronted with the outside, to the cent, proves everything else.

And auditability applies to the LLMs themselves: the transcript of a session is the artifact. Every hesitation, every question, every detour is written there — and becomes the raw material for hardening.

In one sentence

The shift we are making is not "trust the model". It is "verify the activity". We do not make the LLM infallible — we make its errors incapable of getting through. A point of convergence to see everything, a deterministic judge to sign everything, bounded agents to execute everything, and auditable documentation that could rebuild everything.

doo.gg — the trust infrastructure for putting LLMs to work.