
Seven layers between an AI and your ad budget.

An autonomous PPC bidder without circuit breakers is a runaway training set with a Stripe key. Here is the safety architecture we built before we let Mirox bid live, and the eighth gate we added when sellers started losing inventory.

The Mirox team · 10 min read

The dirty secret of autonomous PPC software is that most of the engineering is not the bidding. The bidding is the interesting part — the Bayesian estimates, the agent coordination, the semantic similarity. But the interesting part is also the small part. The rest of the codebase is what stands between the interesting part and the seller's credit card statement.

We call that part Shield. It is the second of Mirox's four pillars and the one no marketing site can do justice to. The work is in the gates that never fire, not the ones that do.

This post is the seven gates that ship today, plus Sentinel — the inventory-aware throttle that became the eighth gate after the third week of internal testing on real accounts.

What "safety" means in PPC software

The category uses the word loosely. "Safe bidding" usually means a checkbox in the campaign settings labeled do not exceed daily budget and a tooltip claiming the algorithm is conservative. That is not safety in any sense that survives contact with a real account.

Safety in autonomous PPC means three concrete things:

  1. Bounded blast radius. Any single decision, no matter how badly the model is misbehaving, cannot move more than a bounded amount of spend before the system catches itself.
  2. Detectable misbehaviour. The system can tell, in near-real time, that something is wrong — before the seller sees it in next month's invoice.
  3. Recoverable state. When something does go wrong, the system can pause, the seller can revert, and the original configuration is restored without a support ticket.

Each of the seven layers below answers one of those three.

The seven layers, as they exist today

Layer 1 — Kill switch

A single button in the dashboard. Pressed, it suspends every autonomous bid Mirox is making across every account / marketplace / campaign that belongs to the tenant. The action takes effect in under sixty seconds. There is no confirmation modal, no two-factor pause, no acknowledgement screen. The kill switch is fail-safe by intent — false positives are cheap, false negatives are not.

It also exists at finer granularity. Per marketplace. Per campaign. Per ASIN. The seller chooses the scope. We have watched cohort sellers use the per-campaign toggle as a routine permission tool, not an emergency tool — which is exactly what we hoped.

Layer 2 — ROAS circuit breaker

A rolling ROAS observation. If the trailing window ROAS drops below 0.50 on any campaign Mirox is bidding on, the agents stop proposing bids on that campaign and the kill switch lights up in the dashboard. The trip threshold is configurable per seller; 0.50 is the default and is set deliberately low so the breaker is a last-resort gate, not a hair-trigger.

The window length and the threshold are both surfaced in the decision trace on every bid. Sellers can see the breaker's state and know whether the next bid would clear it.

Layer 3 — Daily spend anomaly gate

A per-account spend baseline computed over the trailing thirty days. If today's spend trajectory projects to more than four times the baseline (six times in Japan, three times in Brazil and Turkey, reflecting the different volatility profiles those marketplaces actually exhibit), the system auto-pauses for five minutes and emits an incident notification.

Five minutes is the right length to interrupt a runaway loop without disrupting a normal high-velocity campaign launch. After five minutes, the system re-evaluates. If the trajectory has normalised, it resumes; if not, the kill switch lights up.
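The pause-and-re-evaluate cycle above, as an added example that is not Mirox's own code. It projects today's spend linearly to end of day, compares the projection with a per-marketplace multiple of the thirty-day baseline, pauses for five minutes on a trip, and on the first evaluation after the pause either resumes or lights the kill switch. The constant names, the marketplace codes, the ten-minute projection guard and the shape of the trace entry are assumptions; the multipliers (4x, 6x JP, 3x BR and TR) and the five-minute pause are the post's numbers. Time is passed in explicitly so the gate can be driven deterministically.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional

# Trip multipliers stated in the post: 4x the baseline projection by default,
# 6x in Japan, 3x in Brazil and Turkey. The constant name and the two-letter
# marketplace codes are assumptions for this example.
ANOMALY_MULTIPLIER = {"default": 4.0, "JP": 6.0, "BR": 3.0, "TR": 3.0}
PAUSE_SECONDS = 300.0              # five-minute auto-pause, per the post
MIN_FRACTION_OF_DAY = 600 / 86400  # assumption: never project from the first ten minutes


@dataclass
class SpendAnomalyGate:
    marketplace: str
    daily_history: list                  # trailing daily spend totals; the post uses 30 days
    paused_until: Optional[float] = None
    kill_switch_lit: bool = False
    notifications: list = field(default_factory=list)

    def baseline(self) -> float:
        return mean(self.daily_history[-30:])

    def threshold(self) -> float:
        mult = ANOMALY_MULTIPLIER.get(self.marketplace, ANOMALY_MULTIPLIER["default"])
        return mult * self.baseline()

    @staticmethod
    def projected(spend_so_far: float, seconds_into_day: float) -> float:
        # Linear projection of today's spend trajectory to end of day.
        fraction = max(seconds_into_day / 86400.0, MIN_FRACTION_OF_DAY)
        return spend_so_far / fraction

    def evaluate(self, spend_so_far: float, seconds_into_day: float, now: float) -> dict:
        """One evaluation cycle. Returns the decision-trace entry for this gate."""
        projection = self.projected(spend_so_far, seconds_into_day)
        threshold = self.threshold()
        trace = {"gate": "spend_anomaly", "marketplace": self.marketplace,
                 "threshold": round(threshold, 2), "projection": round(projection, 2)}
        if self.kill_switch_lit:
            state = "kill_switch"                      # latched until the seller acts
        elif self.paused_until is not None and now < self.paused_until:
            state = "paused"
        elif self.paused_until is not None:
            # The five-minute pause has elapsed: re-evaluate once.
            self.paused_until = None
            if projection > threshold:
                self.kill_switch_lit = True
                self.notifications.append(("kill_switch", now))
                state = "kill_switch"
            else:
                state = "resumed"
        elif projection > threshold:
            self.paused_until = now + PAUSE_SECONDS
            self.notifications.append(("incident", now))
            state = "paused"
        else:
            state = "ok"
        trace["state"] = state
        trace["allow_bid"] = state in ("ok", "resumed")
        return trace


if __name__ == "__main__":
    # Constructed history: a flat 100/day account, so the DE threshold is 400/day.
    gate = SpendAnomalyGate("DE", [100.0] * 30)
    print(gate.evaluate(spend_so_far=250.0, seconds_into_day=43200, now=1000.0))
    print(gate.evaluate(spend_so_far=280.0, seconds_into_day=43700, now=1301.0))
```

The same 250 spent by noon that trips a DE account (projection 500 against a 400 threshold) clears a JP account, whose threshold is 600; that is the whole point of keeping the multiplier per marketplace rather than global.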

Layer 4 — SP-API fault gate

The Amazon Selling Partner API is not always healthy. Outages are common; partial degradation is more common. The gate watches the error rate on outbound calls. If the rolling error rate climbs above ten percent over five minutes, the system pauses bidding for five minutes and switches to read-only telemetry.
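Both the ROAS circuit breaker (Layer 2) and this fault gate are a ratio over a sliding time window compared with a threshold, so one helper serves both. The following is an added example, not Mirox's code: a `RollingRatio` that keeps two running sums and evicts events older than the window, a ROAS breaker that recomputes every cycle (so a trip clears on its own when the window recovers, as the post says most trips do), and an SP-API gate that latches into read-only mode for five minutes once the error rate passes ten percent. The six-hour ROAS window, the minimum-spend and minimum-sample guards, and the trace layout are assumptions; the 0.50 ROAS default, the ten percent error rate, the five-minute window and the five-minute pause are the post's numbers.

```python
from collections import deque
from typing import Optional


class RollingRatio:
    """Ratio of two running sums over a sliding time window (seconds)."""

    def __init__(self, window_seconds: float):
        self.window_seconds = window_seconds
        self._events = deque()   # (timestamp, numerator, denominator)
        self._num = 0.0
        self._den = 0.0

    def add(self, ts: float, numerator: float, denominator: float) -> None:
        self._events.append((ts, numerator, denominator))
        self._num += numerator
        self._den += denominator
        self._evict(ts)

    def _evict(self, now: float) -> None:
        cutoff = now - self.window_seconds
        while self._events and self._events[0][0] < cutoff:
            _, n, d = self._events.popleft()
            self._num -= n
            self._den -= d

    def ratio(self, now: float) -> Optional[float]:
        self._evict(now)
        return self._num / self._den if self._den > 0 else None

    def denominator(self, now: float) -> float:
        self._evict(now)
        return self._den

    def samples(self) -> int:
        return len(self._events)


class RoasCircuitBreaker:
    """Trips when trailing-window ROAS falls below the threshold (post default 0.50)."""

    def __init__(self, window_seconds: float = 6 * 3600, trip_threshold: float = 0.50,
                 min_spend: float = 20.0):
        # Window length and min_spend are assumptions; the post makes both configurable.
        self.roas = RollingRatio(window_seconds)
        self.trip_threshold = trip_threshold
        self.min_spend = min_spend   # don't trip on a window with almost no spend

    def observe(self, ts: float, revenue: float, spend: float) -> None:
        self.roas.add(ts, revenue, spend)

    def evaluate(self, now: float) -> dict:
        """Recomputed every cycle, so a trip clears once the window recovers."""
        r = self.roas.ratio(now)
        spend = self.roas.denominator(now)
        tripped = r is not None and spend >= self.min_spend and r < self.trip_threshold
        return {"gate": "roas_breaker", "threshold": self.trip_threshold,
                "window_seconds": self.roas.window_seconds,
                "roas": None if r is None else round(r, 3),
                "tripped": tripped, "allow_bid": not tripped}


class SpApiFaultGate:
    """Above 10% errors over five minutes: pause bidding five minutes, read-only telemetry."""

    def __init__(self, window_seconds: float = 300, trip_error_rate: float = 0.10,
                 pause_seconds: float = 300, min_samples: int = 20):
        self.errors = RollingRatio(window_seconds)
        self.trip_error_rate = trip_error_rate
        self.pause_seconds = pause_seconds
        self.min_samples = min_samples   # assumption: a couple of early failures don't trip
        self.paused_until: Optional[float] = None

    def record_call(self, ts: float, ok: bool) -> None:
        self.errors.add(ts, 0.0 if ok else 1.0, 1.0)

    def evaluate(self, now: float) -> dict:
        rate = self.errors.ratio(now)
        trace = {"gate": "sp_api_fault", "threshold": self.trip_error_rate,
                 "error_rate": None if rate is None else round(rate, 3),
                 "samples": self.errors.samples()}
        if self.paused_until is not None and now < self.paused_until:
            trace["mode"] = "read_only"          # pause still running
            return trace
        self.paused_until = None
        if (rate is not None and self.errors.samples() >= self.min_samples
                and rate > self.trip_error_rate):
            self.paused_until = now + self.pause_seconds
            trace["mode"] = "read_only"
        else:
            trace["mode"] = "bidding"
        return trace
```

Every trace entry carries the threshold and window in force, which is what lets a seller read the breaker's state off the bid trace rather than guess at it. The minimum-sample guard matters in practice: without it, the first failed call after a quiet period reads as a 100 percent error rate and would pause a healthy account.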

The reason this matters: bidding into a partially-degraded API is the single most common path to a stale-data decision. The system protects against the stale-data condition explicitly, in the next layer — but pausing first is cheaper than the recovery.

Layer 5 — Optimistic locking + stale-feed cap

Every campaign's state is versioned. Every bid carries a version assertion. If the version asserted at decision time does not match the current state, the bid is rejected by the system before the API call goes out. This is the gate that prevents the "two parallel proposers acting on the same campaign" race condition.

The same versioning gives us the stale-feed cap: if the SP-API feed for inventory or for ASIN performance is older than one hour, the supply multiplier (see Sentinel below) is capped at 0.5 instead of bidding on stale assumptions. We would rather under-bid by half than over-bid into yesterday's reality.
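The version assertion in Layer 5 is a compare-and-swap. The following is an added example, not Mirox's code, of the race it prevents: two proposers read the same campaign snapshot, both build a bid asserting that version, and only the first commit can win; the second is rejected before anything would go out to the API. The class and field names and the in-process lock are assumptions; in a real store the lock is the database's own atomic `UPDATE ... WHERE version = :asserted` with a check on the affected row count. The stale-feed cap mentioned here is shown with the Sentinel example further down.

```python
import threading
from dataclasses import dataclass


@dataclass
class CampaignState:
    campaign_id: str
    bid: float
    version: int = 0


@dataclass(frozen=True)
class BidProposal:
    campaign_id: str
    new_bid: float
    asserted_version: int   # the version the proposer observed at decision time
    proposer: str


class CampaignStore:
    """In-memory stand-in for the campaign state table with compare-and-swap commits."""

    def __init__(self):
        self._rows = {}
        self._lock = threading.Lock()   # stands in for the DB's atomic conditional UPDATE
        self.audit = []

    def put(self, state: CampaignState) -> None:
        self._rows[state.campaign_id] = state

    def snapshot(self, campaign_id: str) -> CampaignState:
        # What a proposer reads before deciding: a copy, so it can go stale.
        row = self._rows[campaign_id]
        return CampaignState(row.campaign_id, row.bid, row.version)

    def commit(self, proposal: BidProposal) -> dict:
        """Reject unless the asserted version is still current; bump the version on success.

        Only a "committed" trace should be followed by the outbound SP-API call.
        """
        with self._lock:
            row = self._rows[proposal.campaign_id]
            trace = {"gate": "optimistic_lock", "campaign": proposal.campaign_id,
                     "proposer": proposal.proposer, "asserted": proposal.asserted_version,
                     "current": row.version}
            if proposal.asserted_version != row.version:
                trace["result"] = "rejected_stale_version"
            else:
                row.bid = proposal.new_bid
                row.version += 1
                trace["result"] = "committed"
                trace["new_version"] = row.version
            self.audit.append(trace)
            return trace


def race_two_proposers(store: CampaignStore, campaign_id: str) -> tuple:
    """Two proposers read the same snapshot; exactly one commit can win."""
    a = store.snapshot(campaign_id)
    b = store.snapshot(campaign_id)
    first = store.commit(BidProposal(campaign_id, round(a.bid * 1.10, 2), a.version, "proposer-A"))
    second = store.commit(BidProposal(campaign_id, round(b.bid * 0.80, 2), b.version, "proposer-B"))
    return first, second


if __name__ == "__main__":
    store = CampaignStore()
    store.put(CampaignState("C1", bid=1.20))   # constructed campaign
    for entry in race_two_proposers(store, "C1"):
        print(entry)
```

The rejected proposer's correct move is to re-read the campaign and decide again against the new version, not to retry the same bid; a retry loop that re-asserts the old version can never succeed.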

Layer 6 — Recovery floor

If a campaign that Mirox manages goes into a measurable regression — ROAS, conversion rate, impression share — the system enters a recovery state. In recovery, bids are floored at the campaign's historical fifteenth-percentile bid. The floor is held until the regression clears for two consecutive cycles.

The recovery floor is what stops the system from compounding a bad day. It is the opposite of the standard panic mode, which slashes bids and locks the campaign out of the auction entirely: the floor keeps the campaign in the auction at a price the seller has historically been comfortable paying.
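The floor-and-hysteresis rule in Layer 6, as an added example that is not Mirox's code. The floor is the nearest-rank fifteenth percentile of the campaign's historical bids; recovery state is entered on any regression and only left after the regression has been clear for two consecutive cycles, with any intervening regression restarting the count. The regression detector (any tracked metric more than twenty percent below its baseline) and all names are assumptions; the post names the metrics and the percentile but not the detection rule.

```python
import math

# Metrics the post lists as regression signals; the 20% tolerance is an assumption.
REGRESSION_METRICS = ("roas", "conversion_rate", "impression_share")


def is_regressing(current: dict, baseline: dict, tolerance: float = 0.20) -> bool:
    """Assumed detector: any tracked metric more than `tolerance` below its baseline."""
    return any(current[m] < baseline[m] * (1.0 - tolerance) for m in REGRESSION_METRICS)


def nearest_rank_percentile(values: list, pct: float) -> float:
    """Nearest-rank percentile: deterministic, no interpolation between bids."""
    if not values:
        raise ValueError("no bid history")
    ranked = sorted(values)
    k = max(0, math.ceil(pct / 100.0 * len(ranked)) - 1)
    return ranked[k]


class RecoveryFloor:
    """Floors bids at the campaign's historical 15th-percentile bid while in recovery."""

    def __init__(self, historical_bids: list, pct: float = 15.0, clear_cycles: int = 2):
        self.floor = nearest_rank_percentile(historical_bids, pct)
        self.clear_cycles = clear_cycles
        self.in_recovery = False
        self.clear_streak = 0

    def apply(self, proposed_bid: float, regressing: bool) -> dict:
        """One cycle: update recovery state from the regression signal, then floor the bid."""
        if regressing:
            self.in_recovery = True
            self.clear_streak = 0          # any regression restarts the count
        elif self.in_recovery:
            self.clear_streak += 1
            if self.clear_streak >= self.clear_cycles:
                self.in_recovery = False   # clear for N consecutive cycles: lift the floor
                self.clear_streak = 0
        bid = max(proposed_bid, self.floor) if self.in_recovery else proposed_bid
        return {"gate": "recovery_floor", "floor": self.floor, "in_recovery": self.in_recovery,
                "clear_streak": self.clear_streak, "proposed": proposed_bid, "bid": bid}


if __name__ == "__main__":
    # Constructed history of twenty bids from 0.50 to 1.45; the 15th percentile is 0.60.
    history = [0.50 + 0.05 * i for i in range(20)]
    rf = RecoveryFloor(history)
    baseline = {"roas": 3.0, "conversion_rate": 0.10, "impression_share": 0.40}
    bad_day = {"roas": 2.0, "conversion_rate": 0.10, "impression_share": 0.40}
    print(rf.apply(0.30, is_regressing(bad_day, baseline)))   # floored to 0.60
```

The floor applies to the model's proposal, so a proposer that wants to slash to 0.30 on a bad day is held at 0.60, the price the seller has actually paid at the low end of the campaign's history. Note the floor is computed from history once; recomputing it from a window that includes the regression itself would let the floor drift downward during the very period it is meant to hold.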

Layer 7 — Marketplace gate

Every marketplace has its own thresholds. Japan's spend-anomaly threshold is wider because Japanese seasonality is more volatile; Brazil's is tighter because the conversion variance is lower. Currency conversion gates apply on every cross-marketplace decision. Rate limits are tracked per marketplace, not globally.

The marketplace gate is the one that makes "EU-native" a real claim: the system has different defaults for DE, FR, IT, ES, UK, US, and JP, not the same defaults with a language pack. The full per-marketplace configuration is in the EU-native pillar post.

Sentinel — the eighth gate

Sentinel was not in the original seven. It was added as a supporting pillar under Safety in 2026 Q1 after the third week of internal testing on a real account revealed something the seven layers above did not catch.

The seller had four ASINs running. One went into a low-stock state during a marketing-driven traffic spike. Bidding stayed strong — the ROAS was healthy, the spend was below the anomaly threshold, no gate tripped — and the campaign exhausted the remaining stock in eleven hours. The seller paid for the clicks; the product had nothing to ship.

Trellis surveyed 240 sellers on this. The average cost of an avoidable stockout is €18,000 in lost revenue, PPC recovery, and ranking damage. The seven gates above do not see that cost, because none of it crosses an advertising threshold.

Sentinel watches days-of-cover from the SP-API inventory feed. On every bid, Tactician applies a supply multiplier — a sigmoid function of days-of-cover — between 0 and 1. The multiplier rides the bid down as cover thins and restores as inbound shipments land. Below a configurable rationing threshold, the bid floors at a fraction of the unconstrained value rather than going to zero (so the campaign retains ranking) and the system emits a rationing notification. If the SP-API feed goes stale, the multiplier caps at 0.5 by default.
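The supply multiplier described above, together with the stale-feed cap from Layer 5, as an added example that is not Mirox's code. Days-of-cover is on-hand units over recent daily sell-through; the multiplier is a logistic curve of days-of-cover; a feed older than one hour caps the multiplier at 0.5; below the rationing threshold the multiplier is floored at a fraction of the unconstrained bid and a rationing notification is recorded on the trace. The curve's midpoint and steepness, the seven-day rationing threshold, the 0.25 floor and every name here are assumptions; the sigmoid shape, the one-hour staleness limit and the 0.5 cap are the post's.

```python
import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SentinelConfig:
    # The post fixes only the shape (sigmoid of days-of-cover, a rationing floor,
    # a 0.5 cap on feeds older than one hour); the numbers below are assumptions.
    midpoint_days: float = 14.0           # cover at which the multiplier is exactly 0.5
    steepness: float = 0.35               # sigmoid slope per day of cover
    rationing_threshold_days: float = 7.0
    rationing_floor: float = 0.25         # fraction of the unconstrained bid kept for ranking
    stale_after_seconds: float = 3600.0   # one hour, per the post
    stale_cap: float = 0.5                # per the post


def days_of_cover(on_hand_units: int, daily_units_sold: list) -> float:
    """Inventory on hand divided by recent average daily sell-through."""
    velocity = mean(daily_units_sold)
    return float("inf") if velocity <= 0 else on_hand_units / velocity


def supply_multiplier(cover_days: float, cfg: SentinelConfig) -> float:
    """Logistic curve in (0, 1): thin cover pulls the bid down, deep cover restores it."""
    if math.isinf(cover_days):
        return 1.0
    return 1.0 / (1.0 + math.exp(-cfg.steepness * (cover_days - cfg.midpoint_days)))


def sentinel_bid(unconstrained_bid: float, cover_days: float, feed_age_seconds: float,
                 cfg: SentinelConfig = SentinelConfig()) -> dict:
    """Apply the supply multiplier and return this gate's decision-trace entry."""
    raw = supply_multiplier(cover_days, cfg)
    applied = raw
    trace = {"gate": "sentinel", "days_of_cover": round(cover_days, 2),
             "raw_multiplier": round(raw, 4), "stale_feed": False, "notifications": []}
    if feed_age_seconds > cfg.stale_after_seconds:
        # Stale inventory feed: never bid above half the unconstrained value.
        applied = min(applied, cfg.stale_cap)
        trace["stale_feed"] = True
    if cover_days < cfg.rationing_threshold_days:
        # Rationing: hold a floor so the campaign keeps its ranking, and notify.
        applied = max(applied, cfg.rationing_floor)
        trace["notifications"].append("rationing")
    trace["applied_multiplier"] = round(applied, 4)
    trace["bid"] = round(unconstrained_bid * applied, 2)
    return trace


if __name__ == "__main__":
    # Constructed feed: 140 units on hand, 10 a day for the last week, fresh feed.
    cover = days_of_cover(140, [10] * 7)
    print(sentinel_bid(1.00, cover, feed_age_seconds=60))      # multiplier 0.5 at the midpoint
    print(sentinel_bid(1.00, 2.0, feed_age_seconds=60))        # rationing floor, notification
    print(sentinel_bid(1.00, 40.0, feed_age_seconds=7200))     # deep cover but stale: capped at 0.5
```

The order of the two clamps matters: the stale cap is applied first and the rationing floor second, so a stale feed on a low-cover ASIN still bids at the floor rather than at half of an already tiny multiplier. The eleven-hour stockout in the story above is the case a fresh feed with thin cover catches: the raw sigmoid is already far below 0.25 at two days of cover, so the bid is rationed well before the last unit ships.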

Sentinel is the only layer in the architecture that is not adversarial. The other seven gates exist to protect against the AI's own potential misbehaviour. Sentinel exists to protect against a physical constraint the AI cannot see directly. It is the layer that turned safety from "the AI does not lose your money" into "the AI does not lose your money or your inventory."

What happens when a gate does trip

A trip is not a silent event. The trace for every bid attempted while a gate is in the tripped state carries the gate identifier and the threshold that was in force. The seller receives an incident notification, a dashboard light, and an email summarising the trip.

The recovery from a trip is documented and small. Most trips clear themselves on the next evaluation cycle. The minority that do not clear get a written incident protocol — drafted by the founder, reviewed by the seller, and resolved before the campaign is unpaused. During the founding cohort program, the response-time commitment on a trip is two hours during business hours and twelve hours outside.

The reason for the long-form treatment of every trip: a tripped gate is a piece of operational data, not a customer-support ticket. We document it the same way an aircraft maintenance log documents an avionics fault. Sellers who have lived inside Pacvue or Perpetua for a year often comment that the incident protocol is the first time they have seen a vendor talk about its own failure modes in writing.

What "seven layers" does not mean

It does not mean Mirox cannot lose your money. No autonomous bidder can promise that; the ones that try are lying. The seven layers mean that unbounded loss is structurally prevented, and that bounded loss is detectable, recoverable, and documented.

It also does not mean the system is more conservative than the alternatives. The gates are calibrated to stay out of the way during normal operation. The trip rate on a healthy account averages well under one trip per week. The instinct that more safety means a less aggressive bidder is wrong here — the gates are silent when nothing is wrong.

Where this pillar leads

Safety is the pillar that buyers ask about second. They ask about transparency first ("how do I know what the AI is doing") and safety second ("what happens when it gets it wrong"). The answers are paired by design — the trace tells you what happened, the gates bound what can happen.

The next two pillars — intelligence and aligned pricing — are about the part of the system that does work when the gates are not firing. Read the intelligence post next, or read about why we will never charge a percentage of your ad spend.

What this looks like on your account

Watch the AI before a cent moves.

Public Shadow Mode opens after the founding cohort wraps in Q3 2026 — free, no card, on your real account, read-only, for as long as you like. Until then, sellers spending €5K+/month can apply for a founding seat and skip the queue.

Free forever in Shadow Mode · paid tiers from €149/mo