For CISOs & Security Teams
AI agents are a new execution surface. Agent OS is the zero-trust control plane for that surface.
Every action passes through a deterministic policy engine — not a second LLM. Schema validation, identity resolution, risk classification, and rule evaluation in under 50ms. The executor trusts the signed artifact. Not the agent.
Security architecture
Zero trust, applied to AI execution.
No implicit agent trust
Agents hold zero direct execution rights. Every action requires a declared intent artifact that passes schema validation and policy evaluation before any executor receives a command.
Deterministic — not probabilistic
The policy engine is rule-based YAML, not a second LLM. No false negatives from model drift. No probabilistic safety scoring. Every evaluation is reproducible and auditable.
Cryptographic assurance
Approvals produce SHA-256 signed receipts bound to commit SHA. Records are tamper-evident. W3C PROV-JSON export for chain-of-custody. Optional C2PA manifest.
Blast radius containment
Executor scope is bounded at declaration. A compromised agent cannot exceed its stated intent. Blocked actions are terminal — no retry, no escalation path through the agent.
SIEM integration
Structured JSON logs compatible with Splunk, Elastic, and Microsoft Sentinel. Every provenance record includes actor identity, scope, risk classification, approval chain, and hash.
Framework compliance mapping
ISO 42001, SOC 2 CC6.1, ISO 27001 A.9.4, NIST AI RMF GOVERN function, EU AI Act Art. 9 & 12. Mapped controls available on request.
Security questions
What CISOs ask us.
01
"If the agent is compromised, what is the blast radius?" — Contained at the policy layer. The executor trusts the signed artifact, not the agent. A compromised agent can only act within its declared intent, which has already been evaluated against your policy rules.
02
"Is the policy engine deterministic or probabilistic?" — Fully deterministic. YAML rule evaluation. No LLM involvement in the policy decision. Every evaluation is reproducible, auditable, and sub-50ms.
03
"How does the identity model work?" — Every action carries an actor identity chain: user initiator, agent ID, organisation scope, and role permissions. The identity is validated at the gateway before any policy evaluation proceeds.
04
"Can the audit trail be tampered with?" — No. Records are SHA-256 signed at the moment of decision, bound to a commit SHA. Any post-hoc modification is cryptographically detectable. W3C PROV export for chain-of-custody verification.
05
"How does this integrate with our SIEM?" — Structured JSON output compatible with standard SIEM ingestion. Field mapping documentation is available, and tested integrations exist for Splunk, Elastic, and Sentinel.
06
"Is the standard open or proprietary?" — Open standard, Apache 2.0. The DEO schema, enforcement model, and provenance chain specification are all published. No vendor lock-in on the record format.
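The flow described in the architecture section and the questions above (intent artifact, schema check, deterministic rule evaluation, receipt bound to a commit SHA, executor trusting only the receipt) as an added example; this is not Agent OS or Policy Gateway code. The rule set, field names and default-deny are constructed, and because the page does not say how receipts are signed, HMAC-SHA256 with a gateway-held key stands in for the signing step.

```python
import hashlib
import hmac
import json

# Constructed rule set, written as the structure the page's YAML rule file would load
# to. Rules are checked first-match in file order: same artifact, same decision.
POLICY_RULES = [
    {"id": "deny-prod-deploy", "match": {"action": "deploy", "environment": "production"}, "effect": "block"},
    {"id": "review-high-risk", "match": {"risk": "high"}, "effect": "require_approval"},
    {"id": "allow-read", "match": {"action": "read"}, "effect": "allow"},
]
DEFAULT_EFFECT = "block"  # assumed: an artifact no rule matches is blocked

# Assumed intent-artifact schema: the identity chain plus the scoped action.
REQUIRED_FIELDS = {"actor", "agent_id", "org", "action", "resource", "environment", "risk"}

def validate_schema(intent):
    """Reject an artifact missing any declared field before any rule runs."""
    missing = REQUIRED_FIELDS - set(intent)
    if missing:
        raise ValueError(f"intent artifact missing fields: {sorted(missing)}")

def evaluate(intent, rules=POLICY_RULES):
    """Return (effect, rule_id) for the first matching rule, else the default."""
    validate_schema(intent)
    for rule in rules:
        if all(intent.get(k) == v for k, v in rule["match"].items()):
            return rule["effect"], rule["id"]
    return DEFAULT_EFFECT, "default"

def canonical(body):
    """Stable serialisation so an identical decision always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_receipt(intent, commit_sha, key):
    """Evaluate, then bind intent, decision and commit SHA under an HMAC-SHA256 tag."""
    effect, rule_id = evaluate(intent)
    body = {"intent": intent, "decision": effect, "rule": rule_id, "commit_sha": commit_sha}
    body["hmac_sha256"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

def verify_receipt(receipt, key):
    """Executor-side check: trust the receipt only if its tag still matches the body."""
    body = {k: v for k, v in receipt.items() if k != "hmac_sha256"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("hmac_sha256", ""))

def executor_may_run(receipt, key):
    """The executor acts on a verified 'allow' receipt, never on the agent's own claim."""
    return verify_receipt(receipt, key) and receipt["decision"] == "allow"
```

A plain SHA-256 over the receipt would only catch accidental corruption; detecting a writer who can recompute hashes needs a key the agent does not hold (or an append-only store), which is why the tag here is keyed.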
Architecture review
A technical conversation, not a sales call.
We'll walk through your agent deployment architecture, your existing security controls, and how Policy Gateway integrates. Direct answers to hard questions.
We'll also send you the full compliance framework mapping document.