Closed preview  ·  Autonomous System Accountability Platform

AI agent compliance,
governance & control.

AEGIS is the enterprise platform for autonomous AI agents — signed behavioral contracts declared up front, enforced at every action, and proved in a tamper-evident record. Agent drift is blocked, not just logged.

$ pip install aegis-sdk && aegis.protect(openai_client)
Aligned with: EU AI Act · OCC SR 11-7 · NIST AI RMF · SOC 2 · NSA MCP CSI
aegis · zone 1 · enforcement plane · p99 14.2 ms
agent · refund-bot · tier 2 · monitored · aim v3.1 · kid_8e2a

EVALUATING
  • AIM capability check · billing.refund · 0.4 ms
  • Injection classifier (L1–L5) · 3.1 ms
  • Parameter validator · schema OK · 0.6 ms
  • Per-AIM rate limiter · 14 / 120 min · 0.2 ms
  • Behavioral baseline · Δ 0.08 · async
  • Output inspector · PII redacted (2) · 2.4 ms
ALLOW · ccr block 81,446 sealed · rcpt_01HJ4K
01  /  The problem

Autonomous agents are outpacing the controls around them.

Endpoint security tools, network firewalls, and secrets managers were not designed for systems that reason, improvise, and act autonomously. The controls that govern human access don't govern AI agent behavior.
RISK · 01

Agents exceed their authorized capability.

Prompt injection, misconfiguration, or compromised reasoning routes lead an otherwise legitimate agent to take actions it was never meant to take. Existing controls see the connection; they don't see what the agent does with it.

RISK · 02

Audit trails can't be trusted.

Logs written by the application itself can be altered, replayed, or quietly dropped by the same process that produced them. An audit that the actor can rewrite is not an audit.

RISK · 03

Shadow AI apps reach production data.

Applications built outside sanctioned infrastructure connect directly to production databases with no governance layer in path — discovered only after a breach, by detection rather than design.

02  /  What AEGIS does

Three pillars. One platform.

Three capabilities — compliance evidence, behavioral governance, and runtime enforcement — delivered through one platform. The CISO, the CRO, and the compliance officer each have a different question to answer about their AI agents. AEGIS answers all three.
PILLAR 01

Compliance

"Prove your AI agents did exactly what they were authorized to do."

Tamper-evident, cryptographically verifiable audit record of every agent action. Built on the CCR ledger — KMS-signed, SHA-256 hash-chained, INSERT-only. Any deletion or modification cryptographically breaks the chain. Satisfies the tamper-evident record-keeping requirement across SOC 2, NIST AI RMF, EU AI Act, and OCC SR 11-7.

PILLAR 02

Governance

"Did the agent stay inside the contract you signed for it?"

Signed behavioral contracts enforced at runtime. Every agent declares what it will do before deployment — permitted tools, data sources, CLI commands, output classes, rate limits — and every action is checked against that declaration before execution. Purpose drift is blocked, not just logged.

PILLAR 03

Control

"Stop the bad action before it reaches the network."

Real-time enforcement at the boundary between AI agents and the systems they access. Proxy-layer data access, injection detection, rate limiting, CLI interception, MCP security. Actions outside the declared scope do not execute — before they reach the network, not after.

03  /  The category

Layer 4 in the enterprise AI security stack.

Network controls, identity platforms, and PAM operate at provisioning time. AEGIS enforces capability and behavior at runtime — for every action, on every agent, continuously.
L1 · Network control · SASE, firewall, API gateway · who can reach what
L2 · Identity platform · IdP, agent identity, JIT/ZSP · who is acting
L3 · Secrets management · Vault, PAM, KMS · what credentials they hold
L4 · Runtime behavioral governance · AEGIS · what AI agents actually do, witnessed at every action

One platform vs. a three-product stack

Control layer | What it governs | What it cannot govern
Network firewall / SASE | Who can reach the network; outbound LLM API traffic inspection. | What an authorized agent does once inside; whether actions are consistent with the agent's declared purpose.
AI identity platform | Who the agent is; just-in-time privilege grant and automatic revocation (zero standing privileges); non-human identity credential abstraction. | Whether actions match declared purpose; behavioral baseline anomaly detection; query-level content inspection; tamper-evident record. Requires a second platform for runtime enforcement.
SOC correlation | Unified incident view across AI security, network, and endpoint signals, required to correlate AI agent events with broader breach indicators. | Purpose alignment enforcement, behavioral baselines, proxy-layer data access control. A third product and license; without it, the other two produce isolated, uncorrelated signals.
Secrets manager / PAM | Who holds credentials; rotation and expiry. | Whether the agent uses those credentials appropriately for its declared purpose.
Database proxy | Who can connect to the database. | Whether the caller is an AI agent; what its declared purpose is; whether this query fits that purpose.
AEGIS (Layer 4 · runtime governance) | What AI agents are authorized to do, are doing, and have done: verified against a signed purpose declaration, enforced before every action, proved in a tamper-evident record. | (single platform; spans both columns)
The real primary competitor

Doing nothing.

The most common state AEGIS replaces is not a competing product — it is the absence of AI agent governance entirely. Most enterprises deploying AI agents in 2026 have:

  • No signed behavioral contracts per agent
  • No real-time enforcement of declared scope
  • Mutable log stores that an administrator can alter
  • No proxy between AI agents and data sources — credentials live in the AI application
  • No audit record that satisfies "prove your AI agent did exactly this"

If your AI agents are operating today without signed behavioral contracts, enforced scope limits, and a tamper-evident audit record, you already have a gap — one your next examiner, auditor, or incident investigator will find before you do. 'Doing nothing' is not a defensible posture under SR 11-7, SOC 2, or any emerging AI governance framework. The only question is whether you close that gap on your terms or theirs. AEGIS closes it on yours.

04  /  Buyers

Who buys AEGIS — and why now.

AEGIS is purchased and championed by different buyers depending on what drives the mandate. The compliance/governance/control framing reaches all four.
PRIMARY · ALL INDUSTRIES

CISO

Security budget

AI agents are a new attack surface your existing tools weren't built to cover. Credential theft at the AI layer, prompt injection, behavioral drift, and ungoverned MCP server connections are all CISO-owned problems — and none of them appear in your EDR, SIEM, or DLP today.

Prompted by Board AI risk question · AppSec security review finding · competitor incident
PRIMARY · FINANCIAL SERVICES

CRO & MRM

Operational risk budget

Banks under OCC SR 11-7 already govern models — inventory, documentation, monitoring, audit trail. AI agents are being examined under the same framework. AEGIS is SR 11-7 governance extended to the agent runtime layer: the AIM is model documentation, the CCR is the audit trail, the Fusion Engine is ongoing behavioral monitoring.

Prompted by MRM framework extension to AI agents · regulatory examination prep · audit finding
CHAMPION · INTERNAL

AppSec

Coverage gate

AppSec finds the gap in AI application security reviews: no signed behavioral contract, no enforced scope limit, no audit trail that holds up. AEGIS turns that finding into a production gate — enforcement that runs before every agent action, with tamper-evident proof it ran. Security findings become shipped requirements instead of deprioritized backlog items.

Prompted by AI application security review · production-gate policy · developer security mandate
CO-SPONSOR · EU REGULATED

CCO

COMPLIANCE

EU AI Act Article 14 requires human oversight for consequential AI decisions. GDPR Article 22 requires documented safeguards for automated processing. When your regulator asks for evidence that governance ran at the moment the agent acted — not a policy that says it should have — AEGIS is the answer.

Prompted by EU AI Act deadline (August 2026) · regulatory audit · legal counsel inquiry
05  /  Outcomes

Five outcomes. Structural, not policy.

Every guarantee below is enforced by architecture — separated zones, INSERT-only grants, deterministic checks, defined failure behavior. Not promises in a policy document.
01

Capability containment

Every action is checked against a signed behavioral contract before execution. An agent cannot exceed its declared scope — regardless of how its reasoning is manipulated. Blocked before execution, not detected after.

02

Tamper-evident audit

Every action writes to a hash-chained, append-only ledger signed by cryptographic keys outside the application layer. The audit record cannot be altered by the application itself. Structurally immutable, not policy-protected.

03

Credential isolation

AI applications are never issued direct database credentials. AEGIS is the only path to governed data sources. Rogue AI apps cannot obtain working credentials. By design, not by detection.

04

Compliance evidence

Every enforcement decision automatically produces a tamper-evident record that satisfies OCC SR 11-7, GDPR Article 30, SOC 2, NSA MCP security requirements, and EU AI Act Article 14. Proof that governance ran — not a policy that says it should have.

05

Defined failure behavior

Every component has a defined failure mode — no silent fail-opens. Under any failure, AEGIS either enforces from cache or fails closed. Degradation is always observable, always logged. Failure is predictable, never silent.

06  /  How it works

From action to evidence in five hops.

Instrument an agent in under 15 minutes. Every action thereafter passes through the same pipeline.
1

Intercept

The AEGIS SDK lives inside the agent process. It sees full reasoning context, internal session state, and complete tool-call history before any request leaves the process. One import. Unconditional coverage.

SDK · Python primary · TypeScript secondary
2

Authorize against the AIM

The agent's signed AIM declares its tier, permitted tools, data sources, and CLI commands. The capability check runs before execution and is deterministic — no probabilistic logic, no ML, no false negatives.

Zone 1 · AIM capability checker
3

Inspect

Eight enforcement components run in sequence — injection classifier, parameter validator, output inspector, CLI interceptor, MCP gateway, rate limiter, behavioral scorer, data-source proxy. Each can stop the action before the next runs.

p99 < 15 ms · sub-4 ms classifier
4

Seal

Decision and outcome hashed, linked to the prior block, and signed by a KMS-managed key. INSERT-only DB grants make immutability structural — no UPDATE, no DELETE.

Zone 2 · hash-chained CCR
5

Anchor

Daily global anchor hashes published to a customer-controlled external location — WORM store, transparency log, notary. Retroactive tampering becomes detectable even by a fully-compromised AEGIS.

External trust root · enterprise tier
refund_agent.py (the aim.yaml and ccr_record.json tabs are not shown here)

```python
import aegis
import stripe
from openai import OpenAI

# one import, full governance
client = aegis.protect(OpenAI())


def refund(order, actor):
    # declarative witness — actor, intent, payload
    receipt = aegis.witness(
        event="billing.refund",
        actor=actor,
        resource=order.id,
        payload={"amount": order.total},
    )
    if receipt.decision == "allow":
        # issue the refund through Stripe's Refund API
        return stripe.Refund.create(
            charge=order.charge_id,
            amount=order.total,
        )
    # deny / require-review paths handled by the AIM
    raise aegis.DenyError(receipt.rationale)
```
07  /  Agent Identity Manifest

Every agent carries a signed contract.

The AIM is the behavioral contract every agent carries before it can act — declaring exactly what it can do, what data it can access, what tools it can call, and what it can output. Cryptographically signed. If the capability isn't in the contract, the action doesn't happen. No exceptions.

Four-tier trust model

Tier 0 · Blocked · DENY ALL
Agent suspended. No actions execute. Retained for forensic review.

Tier 1 · Restricted · STRICT
New or remediated agents. Strict deny defaults; no fail-open path.

Tier 2 · Monitored · DEFAULT
Standard production tier. Full enforcement. Deterministic deny on any cache miss.

Tier 3 · Trusted · OPT-IN
Established agents with verified behavioral history. Fail-open is available but exceptional: opt-in per agent, requires CRITICAL alert and a signed audit record on every invocation.

Capability scoping

Every capability must be explicitly declared — tool access, data sources, CLI commands, MCP servers, API endpoints, output classes. No wildcard grants. No default-allow. What isn't declared is blocked, not rate-limited.

Schema versioning

When the AIM schema changes, missing or unrecognized fields fail closed — never open. Schema upgrades ship with explicit migrations. The contract never silently degrades.

Bulk-query declaration

High-volume data operations must be explicitly declared in the AIM. Undeclared bulk queries are blocked at the proxy layer, not rate-limited.

Signature integrity

AIM signatures are tied to a specific key ID so keys can rotate without breaking historical records. An AIM that fails signature verification is denied unconditionally — regardless of tier, regardless of the agent's history.
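A deterministic checker in the shape this section describes, added here as an illustration and not AEGIS's own SDK code. It assumes a JSON manifest with the fields named above, a constructed key table standing in for Zone 0 KMS custody, and HMAC-SHA256 in place of RS256 so it runs offline; every rejection path (bad signature, unknown schema field, tier 0, wildcard, undeclared capability, undeclared bulk query) fails closed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Zone 0 key custody (kid -> key). Assumption: production
# signs AIMs with RS256 via a KMS service call; HMAC-SHA256 is used here only so
# the example runs offline with the standard library.
KEY_CUSTODY = {"kid_8e2a": b"constructed-demo-key-8e2a"}

# Fields the current AIM schema recognizes. Anything else fails closed.
KNOWN_FIELDS = {
    "agent_id", "tier", "schema_version", "tools", "data_sources",
    "cli_commands", "mcp_servers", "api_endpoints", "output_classes", "bulk_queries",
}

# Action kind -> AIM field that must declare it. No default-allow for unknown kinds.
SCOPE_FIELD = {
    "tool": "tools", "data_source": "data_sources", "cli": "cli_commands",
    "mcp_server": "mcp_servers", "api": "api_endpoints", "output": "output_classes",
}


def canonical(obj):
    """Stable byte encoding so the signature covers exactly the declared manifest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_aim(manifest, kid):
    """Return a signed envelope {kid, manifest, sig}. Stands in for Zone 0 signing."""
    sig = hmac.new(KEY_CUSTODY[kid], canonical(manifest), hashlib.sha256).hexdigest()
    return {"kid": kid, "manifest": manifest, "sig": sig}


def verify_envelope(envelope):
    """Signature is bound to a key ID so rotated keys do not break older AIMs."""
    key = KEY_CUSTODY.get(envelope.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(envelope["manifest"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("sig", ""))


def authorize(envelope, action):
    """Deterministic capability check run before an action executes.

    action: {"kind": <key of SCOPE_FIELD>, "name": str, "bulk": bool (optional)}
    Returns (decision, rationale); every deny carries a human-legible reason.
    """
    # 1. A manifest that fails signature verification is denied for every tier.
    if not verify_envelope(envelope):
        return "deny", "AIM signature verification failed"
    m = envelope["manifest"]
    # 2. Schema versioning: unrecognized fields mean an unknown contract shape.
    unknown = set(m) - KNOWN_FIELDS
    if unknown:
        return "deny", f"unrecognized AIM fields {sorted(unknown)}; schema mismatch fails closed"
    # 3. Tier 0 is suspended: nothing executes.
    if m.get("tier", 0) == 0:
        return "deny", "tier 0 (blocked): DENY ALL"
    field = SCOPE_FIELD.get(action.get("kind"))
    if field is None:
        return "deny", f"unknown action kind {action.get('kind')!r}"
    declared = m.get(field, [])
    # 4. No wildcard grants: a '*' is not a declaration and must not widen scope.
    if "*" in declared:
        return "deny", f"wildcard in {field} is not a valid declaration"
    # 5. Exact match is the only allow path; what is not declared is blocked.
    if action["name"] not in declared:
        return "deny", f"{action['name']} not declared in {field}"
    # 6. High-volume operations need their own explicit declaration.
    if action.get("bulk") and action["name"] not in m.get("bulk_queries", []):
        return "deny", f"bulk operation on {action['name']} not declared in bulk_queries"
    return "allow", f"{action['name']} declared in {field} for tier {m['tier']}"
```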

08  /  Architecture

Five trust zones. Separated by design.

No single component can simultaneously take an enforcement action, write the audit record, and sign that record. Zone separation is enforced at the database-grant and credential level — not a code convention.
Architecture · 5 trust zones · aegis-core v2.4.1

Zone 0 · Key custody · HSM / KMS & Credential Vault
Signing keys and real data-source credentials. No raw key material leaves this zone. Signing and credential retrieval are mediated service calls, not key handoffs.
HSM · KMS · RS256 · kid rotation

Zone 1 · Enforcement plane · Eight-component enforcement pipeline
Every agent action passes through 8 enforcement components in sequence — AIM capability checker, injection classifier, parameter validator, output inspector, CLI interceptor, MCP gateway, per-AIM rate limiter, behavioral scorer. All stateless. All fail-closed.
p99 < 15 ms · stateless · fail-secure

Zone 2 · Audit & state · Hash-chained CCR ledger & AIM registry
Append-only, hash-linked, signed. Application DB role has INSERT-only grants — no UPDATE or DELETE exists for any application principal. Immutability is structural.
INSERT-only · SHA256 chain · WAL buffer

Zone 3 · Intelligence · Behavioral intelligence & analyst copilot
Session review, policy evolution, threat intel, analyst copilot. Cannot enforce, write audit records, or sign anything. Failure here has zero effect on enforcement.
async · read-only · proposes, never applies

Zone 4 · Control plane · Dashboard, RBAC, admin API
Privileged actions require step-up re-auth and dual-control approval. The control plane can be fully unavailable while Zone 1 continues enforcing from cache.
dual-control · step-up · no hot path
Fusion Engine

Cross-agent kill-chain detection

A stateful service that tracks behavior across agents and sessions — separate from the stateless enforcement plane. Detects coordinated attack patterns and anomalies that only become visible across multiple agents or over time. Horizontally scalable without touching the enforcement plane.

Deployment

Hub-and-spoke + MCP Tunneling

Three deployment modes: single-region SaaS, multi-region with Zone 1 replicas per region, or hub-and-spoke with Zone 1 inside each customer VPC and Zones 0/2/3/4 at a customer-designated hub. MCP Tunneling lets agents reach private-network MCP servers without inbound ports while AEGIS governs every connection.

Self-protection invariant

Three independent compromises

To both act and erase evidence of acting, an attacker must compromise three structurally separated zones simultaneously. Zone 1 cannot write the ledger. Zone 2 cannot sign. Zone 0 keys never leave custody.

Anthropic MCP Tunneling · May 2026

Tunneling solves transport.
AEGIS solves governance.

MCP Tunneling enables Claude agents to reach private-network MCP servers over an outbound-only encrypted connection — no inbound ports, no VPN, no firewall rule changes. AEGIS Zone 1 operates as the enforcement layer for every tunneled connection, identically to on-prem MCP traffic.

  • Outbound-only security. MCP Tunneling eliminates the inbound attack surface. AEGIS governs what agents do once connected — capability enforcement, manifest verification, replay detection, injection scanning.
  • Multi-environment enforcement. Zone 1 replicas sit inside each VPC; Zones 0/2/3/4 at the hub. Agents in any cloud reach private MCP servers at sub-15 ms.
  • Regulated-industry use cases. Patient-data and trading MCP servers stay inside regulated VPCs; AEGIS enforces AIM boundaries, rate limits, manifest integrity, and tamper-evident audit on every connection.
  • Manifest change detection. Hash verification applies unconditionally to tunneled servers. Any manifest change suspends traffic until operator re-approval.
09  /  Enforcement plane

Eight layers in the action path. Independent. Layered.

Each layer is independent — failure of one degrades gracefully while enforcement continues. The most critical components have no probabilistic logic and no ML in the hot path.
L1

AIM capability checker

Deterministic binary authorization against the signed manifest before every action. No probabilistic logic, no ML, no false negatives. The most critical component.

latency · 0.4 ms · always-on
L2

Injection classifier + parameter validator

distilBERT + ONNX on CPU. Five-layer defense: structural delimiters, source tagging, ML classification, behavioral divergence, response analysis. Parameter validator blocks all MCP calls if unavailable.

p99 · 4 ms · CPU only
L3

Output inspector

Three-pass post-action: PII redaction, indirect-injection scan of MCP responses, AIM output-class compliance. Uncertainty resolves to redaction — never disclosure.

latency · 2.4 ms · 3 passes
L4

CLI interceptor (AEGIS Shell)

AST-level command interception for shell access. The only component that never fails open for any tier under any condition. An unparseable command does not run.

never · fails open
L5

MCP security gateway

AIM-gated connections. Manifest hash verification with automatic traffic suspension on any change. Per-replica nonce cache for replay defense. All server responses pass through the output inspector before re-entering the agent context.

4 functions · per-session
L6

Per-AIM rate limiter

Token bucket per (agent_id, tool_name). Default 120 req/min, burst 20. Sustained breach signals the Fusion Engine. Per-replica — no hub coordination in the hot path.

latency · 0.2 ms · per-replica
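An added example of the per-AIM token bucket described above (an illustration, not AEGIS code): one bucket per (agent_id, tool_name) at 120 req/min with a burst of 20, refilled from a caller-supplied clock so behavior is reproducible. The breach_window count and the fusion_signals list are assumptions standing in for the "sustained breach" signal to the Fusion Engine.

```python
class PerAimRateLimiter:
    """Token bucket keyed by (agent_id, tool_name), held per replica with no shared state.

    Assumptions (not from the page): `now` is a caller-supplied monotonic timestamp in
    seconds, and a "sustained breach" means `breach_window` consecutive denials on one key.
    """

    def __init__(self, rate_per_min=120, burst=20, breach_window=30):
        self.refill_per_sec = rate_per_min / 60.0   # 120/min -> 2 tokens per second
        self.burst = float(burst)                   # bucket capacity
        self.breach_window = breach_window
        self._buckets = {}          # key -> {"tokens", "last", "denied"}
        self.fusion_signals = []    # constructed stand-in for the Fusion Engine feed

    def check(self, agent_id, tool_name, now):
        """Return True if the call may proceed, False if rate-limited (never blocks or sleeps)."""
        key = (agent_id, tool_name)
        b = self._buckets.setdefault(key, {"tokens": self.burst, "last": now, "denied": 0})
        # Refill lazily from elapsed time; the bucket never exceeds its burst capacity.
        elapsed = max(0.0, now - b["last"])
        b["tokens"] = min(self.burst, b["tokens"] + elapsed * self.refill_per_sec)
        b["last"] = now
        if b["tokens"] >= 1.0:
            b["tokens"] -= 1.0
            b["denied"] = 0                     # any allowed call ends the breach streak
            return True
        b["denied"] += 1
        if b["denied"] == self.breach_window:   # fire once per sustained streak
            self.fusion_signals.append({"agent_id": agent_id, "tool": tool_name,
                                        "at": now, "kind": "sustained_rate_breach"})
        return False

    def remaining(self, agent_id, tool_name):
        """Whole tokens currently available for a key (full burst for a key never seen)."""
        b = self._buckets.get((agent_id, tool_name))
        return int(self.burst) if b is None else int(b["tokens"])
```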
L7

Behavioral scorer

Continuous scoring against each agent's 14-day baseline. Does not block the hot path — verdict attaches asynchronously. Can suspend or kill a session on sustained anomaly.

async · off hot path
L8

Data source proxy

AI-application-only proxy to databases and APIs. Legacy apps untouched. AI apps receive short-lived proxy tokens — never direct credentials. Three-layer rogue-app defense: no credentials issued to AI apps; stolen tokens rejected on AIM mismatch; network policy restricts DB port to the proxy IP only.

structural · not detection
10  /  Audit ledger

The CCR. Tamper-evident by construction.

Every action writes to a hash-chained, cryptographically signed Contextual Compliance Record. The application has no path to UPDATE or DELETE. Immutability is structural, not policy.
CCR · production chain · VERIFIED · integrity 100%

block 81,442 · 14:21:30 Z · sha256: a3f9ce2c8d4b7e10…1b7c142e0 · vault.read · svc-billing · SEALED
block 81,443 · 14:21:42 Z · sha256: 91d8b0f48c2…e5520af1 · model.invoke · svc-inference · SEALED
block 81,444 · 14:21:58 Z · sha256: 7e1b94c2af3…a09d4ef3 · user.role.update · jordan@ · REVIEW
block 81,445 · 14:22:08 Z · sha256: c4af621003…3b6712d8 · deploy.prod · cd-pipeline · SEALED
block 81,446 (pending) · 14:22:10 Z · prev c4af621003…3b6712d8 → sealing in 0.2 s · billing.refund · alex@ · QUORUM 3/5
last anchor · 14:00 UTC · rcpt_01HJ4K · WORM store
01

Hash-chain integrity

Each record SHA256-linked to its predecessor. Deleting, reordering, or altering any record breaks the chain — detected on the next verification pass.

02

KMS-managed signing

RS256 signatures with keys held in HSM/KMS. Key ID (kid) in every record enables rotation without invalidating historical records.

03

Continuous verification

Background verifier runs continuously in a separate trust context. Any chain break generates a non-suppressible CRITICAL incident.

04

External anchoring

Enterprise tier: daily global anchor hashes published to a customer-controlled WORM store, transparency log, or notary. Retroactive tampering detectable even by a fully-compromised AEGIS.

05

Write-ahead buffer

CCR writes complete before the result returns to the agent. WAL-buffering ensures durability — if the audit store is temporarily unavailable, enforcement continues, a CRITICAL alert fires, and records replay in order on recovery, preserving chain integrity.

06

Decision rationale

Every consequential enforcement decision includes a human-legible rationale: which signals triggered, which policy applied, what threshold was crossed. Suitable for regulator, auditor, and disputed-action review.
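The seal, verify and anchor steps from this section as an added, self-contained example (not AEGIS code). Assumptions: HMAC-SHA256 with a constructed key table stands in for KMS-held RS256 keys, the genesis link is all zeros, and a record body is just height, prev-link, event, actor and decision. It also shows why the external anchor exists: a chain rewritten and re-sealed with a stolen signing key verifies locally but no longer matches the published anchor.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Zone 0 custody (kid -> key). Assumption: production uses
# RS256 through a KMS service call; HMAC-SHA256 is used so this runs offline.
SIGNING_KEYS = {"kid_8e2a": b"constructed-demo-signing-key"}
GENESIS = "0" * 64

# Constructed sample of (event, actor, decision) records, in sealing order.
SAMPLE_EVENTS = [
    ("vault.read", "svc-billing", "allow"),
    ("model.invoke", "svc-inference", "allow"),
    ("user.role.update", "jordan@", "review"),
    ("deploy.prod", "cd-pipeline", "allow"),
]


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def seal_block(prev_hash, height, event, actor, decision, kid="kid_8e2a"):
    """Hash the decision together with its prev-link, then sign the hash under a kid."""
    body = {"height": height, "prev": prev_hash, "event": event,
            "actor": actor, "decision": decision}
    block_hash = sha256_hex(canonical(body))
    sig = hmac.new(SIGNING_KEYS[kid], block_hash.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hash": block_hash, "kid": kid, "sig": sig}


def append(chain, event, actor, decision):
    """INSERT-only: the only write path is adding a block linked to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(seal_block(prev, len(chain), event, actor, decision))
    return chain[-1]


def build_chain(events):
    chain = []
    for event, actor, decision in events:
        append(chain, event, actor, decision)
    return chain


def verify_chain(chain, genesis=GENESIS):
    """One verifier pass. Returns (ok, height, reason) for the first break found."""
    expected_prev = genesis
    for i, block in enumerate(chain):
        body = block["body"]
        if body["height"] != i:
            return False, i, "height gap: record deleted or reordered"
        if body["prev"] != expected_prev:
            return False, i, "prev-link does not match predecessor hash"
        if sha256_hex(canonical(body)) != block["hash"]:
            return False, i, "body no longer hashes to the sealed value (altered)"
        key = SIGNING_KEYS.get(block["kid"])
        if key is None:
            return False, i, f"unknown kid {block['kid']}"
        want = hmac.new(key, block["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, block["sig"]):
            return False, i, "signature does not verify under the recorded kid"
        expected_prev = block["hash"]
    return True, len(chain), "chain intact"


def anchor(chain):
    """Daily anchor: head height and hash, to be published outside AEGIS (WORM store, notary)."""
    head = chain[-1]
    return {"height": head["body"]["height"], "hash": head["hash"]}


def verify_anchor(chain, anchor_record):
    """The chain must still reproduce the externally held hash at the anchored height."""
    h = anchor_record["height"]
    if h >= len(chain) or chain[h]["hash"] != anchor_record["hash"]:
        return False
    return verify_chain(chain[: h + 1])[0]
```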

11  /  Agent Registry

One registry. Three questions, answered.

  • What AI agents are running right now?
  • What is each agent declared to do, and is it behaving within scope?
  • Are there any agents or applications operating outside the registry?
Agent Registry · live inventory
workspace · northwind-prod  /  chain integrity 100% · last anchor 14:00 UTC

Registered AIMs: 142 active
Tier 3 (trusted): 6, opt-in only
Bootstrapping: 11, 14 d window
Shadow agents: 7, under review
24h blocks: 218, all logged

Applications → source
  • orders-svc · node 18 · fp:a3f9 · VERIFIED
  • support-bot · python 3.11 · fp:91d8 · VERIFIED
  • underwriting-agent · k8s · fp:7e1b · VERIFIED
  • unknown · 10.42.0.94 · no AIM presented · SHADOW

Agents → governed flow
  • refund-bot · t2 · 14 / 120 · DRIFT 0.08 · GOVERNED
  • research-agent · t2 · 42 / 120 · DRIFT 0.41 · ANOMALY
  • claims-triage · t3 · 8 / 60 · DRIFT 0.04 · GOVERNED
  • data-export · t1 · bulk undeclared · BLOCKED

Data sources → destination
  • postgres · billing · proxy in path · PROTECTED
  • snowflake · claims · proxy in path · PROTECTED
  • mongo · ops · partial coverage · PARTIAL
  • redis · cache-3 · no proxy · UNPROTECTED

AGENT | AIM | TIER | OWNER | STATUS | RISK | ALERTS | LAST SEEN
refund-bot | aim v3.1 · kid_8e2a | T2 | billing-platform | ACTIVE | 0.08 | 0 | 14:22 Z
claims-triage | aim v2.4 · kid_5d11 | T3 | claims-ops | ACTIVE | 0.04 | 0 | 14:22 Z
research-agent | aim v1.8 · kid_3a76 | T2 | data-science | ACTIVE | 0.41 | 2 | 14:21 Z
underwriting-agent | aim v4.0 · kid_b921 | T2 | risk-analytics | ACTIVE | 0.11 | 0 | 14:22 Z
data-export | aim v0.9 · kid_c1e4 | T1 | analytics | BOOTSTRAPPING | 0.18 | 1 | 14:20 Z
support-bot | aim v3.0 · kid_9f72 | T2 | support-eng | ACTIVE | 0.06 | 0 | 14:22 Z

Per-agent detail · application binding fingerprints · credential lifecycle · shadow detection · incident workflow — all in the control plane

12  /  Trust model

Ten adversaries. Modeled, not assumed.

AEGIS is the highest-value target in any environment it protects. The self-protection architecture assumes AEGIS will be attacked — and is designed so that three independent compromises are required to both act and erase evidence of acting.
Adversary | Primary control | Residual risk
A — Compromised agent | Deterministic AIM check (Zone 1); agent has no path to Zones 0 or 2. | Over-provisioned AIM (customer configuration risk)
B — Prompt injection via logs | CCR content tagged untrusted; analyst copilot cannot take actions; full provenance on every claim. | Misleading advisory text (no action path)
C — Malicious insider | Zone separation; dual-control on destructive actions; all admin actions logged to immutable ledger. | Two-party collusion (forensically evident)
D — Infrastructure / DB attacker | HSM/KMS keys (never on disk); CCR hash-chain detects tampering; INSERT-only DB grants prevent silent rewrite. | Superuser + key compromise simultaneously
E — Model poisoner | Human review gate; label-distribution drift detection; shadow-mode evaluation; signed models; rollback. | Novel slow-poison below drift threshold
F — Availability attacker | Reserved enforcement budget; per-agent fairness load shedding; fail-closed under overload. | Sustained volumetric DDoS (shared with infra)
G — Rogue AI app (data source proxy) | Provisioning-as-gate: no AI app receives direct DB credentials; three-layer defense (no creds / proxy rejects / network policy). | Un-migrated legacy service account credentials
H — Credential thief (data source proxy) | Token scoping; AIM enforcement; behavioral anomaly detection; short TTL. | Theft + use within TTL from consistent IP
I — Lateral movement (data source proxy) | Per-data-source AIM capability check; new-destination behavioral detection. | Over-scoped AIM
J — Query exfiltration (data source proxy) | Volume ceiling; query behavioral scoring; output inspection; bulk-query AIM declaration required. | Bulk-legitimate vs. bulk-malicious ambiguity

Rows G–J are the adversaries specific to the Data Source Proxy Layer.

13  /  Resilience

Every failure mode is defined.

If a behavior is not in the degradation matrix, it is a bug. Tier 3 is the only tier where fail-open is ever permitted — opt-in only, with CRITICAL alert and signed ENFORCEMENT_FAIL_OPEN audit record.
AIM capability checker · CRITICAL
Falls back to cached AIM. T1/T2: deny. T3: allow with CRITICAL alert (opt-in only). Signature invalid: deny unconditionally, all tiers.

CLI interceptor (AEGIS Shell) · NEVER FAILS OPEN
All tiers. Under all conditions. An unparseable command does not run.

Injection classifier · DEGRADE
Falls to the deterministic structural rules (always available). ML classification degrades; injection defense never disables entirely.

Parameter validator · FAIL CLOSED
Unavailable → block all MCP invocations, all tiers, no exception. No fail-open path exists.

Output inspector · DEGRADE
Resolves uncertainty to redaction, never disclosure. Indirect injection scanning remains active under all ML failures.

MCP nonce cache · FAIL CLOSED
Cache unavailable → block all MCP traffic until restored. No cached-allow fallback for replay detection.

CCR ledger · WAL BUFFER
WAL absorbs unavailability. Enforcement does not halt on audit outage. Records replay in order on recovery, preserving chain integrity.

Intelligence plane · ZERO IMPACT
Failure has zero effect on enforcement. Copilot degrades to raw data display; all Zone 1 components continue unaffected.

14-day bootstrap window · per-agent fairness shed · sustained shed fires capacity alert — never silent

14  /  Compliance

Audited. Anchored. Aligned with the frameworks your regulators enforce.

AEGIS governs itself under the same standards it sells. Every consequential decision produces a human-legible rationale suitable for regulator, auditor, and disputed-action review.
REGULATION
EU AI Act
Article 14

Human oversight: AEGIS-powered intelligence proposes; never applies. Model updates require human approval before deployment.

ALIGNED
FINANCIAL SERVICES
OCC SR 11-7
Model risk

AIM = model documentation. Behavioral baselines = ongoing performance monitoring. CCR = tamper-evident model activity log. Agent Registry = model inventory.

ALIGNED
FRAMEWORK
NIST AI RMF

GOVERN: AIM = governance documentation per agent. MEASURE: Fusion Engine behavioral baselines = ongoing risk measurement. MANAGE: Zone 1 enforcement = runtime risk management at the action layer.

ALIGNED
ATTESTATION
SOC 2 Type II

Tamper-evident CCR with hash-chain. Every enforcement decision, admin action, and Copilot session in the immutable record.

IN PROCESS
GUIDANCE
NSA MCP CSI
(May 2026)

All 9 recommendations addressed. 7 built-in from initial design; 6 targeted enhancements added in direct response to the CSI publication.

13 / 14 ADDRESSED

Also aligned · SEC / FINRA AI guidance · multi-tenant isolation with auditable contribution record

SIEM & Syslog

Eight forwarding formats.
One authoritative record.

RFC 5424 · Splunk HEC · Elastic ECS · QRadar LEEF · CEF · Kafka · Webhook · JSON syslog

Every forwarded event carries a ccr_record_id linking back to the authoritative tamper-evident CCR record. PII redaction rules that govern CCR output apply identically to the syslog stream — the forwarder cannot be configured to bypass redaction.

Adjacent · complementary

GRC platforms document. AEGIS enforces.

GRC platforms and model governance tools are complementary, not competitive. They occupy different layers of the stack: GRC platforms document the policy, and AEGIS is the runtime enforcement layer.
Platform | What it governs | Relationship to AEGIS
ServiceNow GRC / IRM | Risk register, control library, audit workflows. AI governance module manages AI use cases as IT assets and tracks model metadata. Documentation and workflow management. | Complementary. ServiceNow is the policy documentation layer; AEGIS is the runtime enforcement and proof layer. CCR events populate ServiceNow audit workflows.
OneTrust | Data privacy, consent, GDPR/CCPA, data inventory, privacy impact assessments. AI governance handles AI use case intake and bias documentation. Policy-centric, assessment-driven. | Adjacent. OneTrust governs the data the AI accesses. AEGIS governs what the AI agent does with that data at runtime. Different regulatory questions.
MetricStream | Enterprise GRC, operational risk, audit management. Strong in financial services. AI governance is assessment and documentation oriented. | Complementary. MetricStream captures the operational risk framework; AEGIS produces the enforcement evidence that makes the framework provably true at the AI agent layer.
Credo AI · Arthur AI | AI model risk — fairness, bias, accuracy, model cards, responsible AI assessments. Purpose-built for model-layer governance. | Different layers. Credo / Arthur evaluate whether your models are fair and safe. AEGIS governs what deployed agents do with those models — whether the agent acts within its declared scope.
AEGIS (runtime enforcement) | AI agent runtime behavior — enforced at execution, recorded in a tamper-evident ledger. | The white space. GRC platforms document what AI agents are governed by. AEGIS enforces it at the moment of execution and produces cryptographic evidence that enforcement happened.
15  /  FAQ

Questions, answered.

The category is new. These are the questions security, risk, and platform teams ask first — and the answers we give in the briefing.

What is runtime behavioral governance for AI agents?

Runtime behavioral governance enforces what an AI agent is authorized to do at the moment it acts — for every action, on every agent — rather than only at provisioning time. AEGIS declares a signed behavioral contract for each agent up front, enforces it before every action executes, and proves the outcome in a tamper-evident record.

Does AEGIS align with NSA security guidelines for AI?

Yes — and most of it was built in before the guidance existed. When the NSA published its Cybersecurity Information Sheet on MCP Security (CSI U/OO/6030316-26, May 2026), AEGIS already addressed 7 of the 13 applicable recommendations by design. Six additional controls were implemented in direct response to the publication: message replay detection, parameter validation against declared tool schemas, indirect prompt injection scanning of MCP responses, MCP server manifest change detection with automatic traffic suspension, per-agent rate limiting, and AIM-as-RBAC as the authoritative access control layer.

How is AEGIS different from network firewalls, identity platforms, and PAM?

Network controls, identity platforms, and PAM operate at provisioning time — they govern who is acting and what credentials they hold. AEGIS sits above those controls — it enforces capability and behavior at runtime, governing what they were never designed to govern. It does not replace those controls; it governs the surface they cannot reach.

Does AEGIS replace my existing security stack?

No. Network controls, identity platforms, and PAM operate at provisioning time — they govern who is acting and what credentials they hold. AEGIS sits above those controls — it enforces capability and behavior at runtime, governing what AI agents actually do once connected. It does not replace those controls; it governs what they were never designed to govern.

How does AEGIS prove what an AI agent did?

Every consequential decision is written to the CCR — a tamper-evident audit ledger with a hash-chain. Enterprise tier can publish daily global anchor hashes to a customer-controlled WORM store, transparency log, or notary, making retroactive tampering detectable even by a fully-compromised system.

How does AEGIS support OCC SR 11-7 and EU AI Act compliance?

AEGIS maps directly to regulatory frameworks: the AIM serves as model documentation, behavioral baselines provide ongoing monitoring, the CCR is a tamper-evident model-activity log, and the Agent Registry is a model inventory — aligning with OCC SR 11-7. For EU AI Act Article 14, AEGIS-powered intelligence proposes but never applies; model updates require human approval before deployment. It is also aligned with NIST AI RMF and SEC/FINRA AI guidance.

How do I instrument an AI agent with AEGIS?

Instrument an agent in under 15 minutes with one import: pip install aegis-sdk, then wrap your client with aegis.protect(). Every action is then governed by the agent's signed behavioral contract and witnessed in the audit record.

What happens if AEGIS fails?

Every component has a defined failure mode — no silent fail-opens. Under any failure, AEGIS either enforces from cache or fails closed. The CLI interceptor (AEGIS Shell) never fails open under any condition: an unparseable command does not run. Degradation is always observable and always logged.

Closed preview · 2026

Make agent governance
a property of your system.

Get a technical briefing with the founding team.

NO PROCUREMENT GAUNTLET · ENGINEER-LED CALLS