IDv4: Aegis

Runtime control plane for autonomous AI agents

Agents act; Aegis governs the irreversible.

Aegis sits between your agents and the models and tools they call: identity checks, Cedar policy decisions, human approval on consequential actions, and a tamper-evident record of every decision along the way.

Self-hostable. OpenAI-compatible. Built on Cedar — the same policy language AWS uses for Bedrock AgentCore.

For platform, security, and operations teams deploying AI agents into regulated workflows A live dispute-remediation reference flow runs end-to-end today
Live policy decision Dispute remediation
Approval pending
AI agent DisputeBot-v1
Workload wl_disputebot · card-ops automation Action Issue $254.97 customer credit Review trigger Credit threshold reached
01 Workload identity verified JWT credential issued by Aegis IDP, scope matches the dispute workflow.
02 Customer and transaction context allowed Cedar policy permits case data for this remediation task.
03 Fraud investigation notes denied dispute-forbid-fraud-notes blocks the read; denial recorded.
04 Credit action paused for human approval Threshold crossed. Operator receives policy, context, and proposed action.
Cedar policy decision hash 87b1…f42c
Chain HMAC-chained
Approver role Card-ops operator
What it's built on
  • Cedar AWS-validated policy engine
  • OAuth 2.1 + JWT Workload identity, default-deny
  • OpenAI-compatible Point your base URL at Aegis
  • MCP & A2A Protocol-native enforcement
  • Tamper-evident decisions HMAC-chained Cedar records
  • Self-hostable Runs in your VPC

Why Aegis

Identity, policy, and audit — built for the way agents actually run.

Most "AI security" tools either watch agents from the side or lock you into a single cloud. Aegis is the in-line control plane: every model and tool call it carries is authorized before it happens, under one consistent policy model across LLMs, MCP servers, and downstream agents.

vs. observability platforms

Prevent, don't just record.

Discovery and runtime monitoring tell you what an agent did. Aegis decides — at the gateway, default-deny, with formal Cedar policy — what an agent can do.

vs. identity-only NHI tools

Identity is layer one, not the product.

Issuing an agent a credential doesn't stop the agent from misusing it. Aegis ties workload identity to enforced policy, human approvals, and tamper-evident policy decisions.

vs. cloud-native governance

Govern the agents you run, whatever cloud they run on.

Microsoft governs Microsoft agents. AWS governs Bedrock agents. Aegis governs the agents you actually run — route them through it, and one policy model covers OpenAI, Anthropic, your own models, and any MCP tool.

Where Aegis fits

One control plane between your agents and everything they touch.

Route your LLM and MCP traffic through Aegis, and every model call and tool invocation gets an identity check, a Cedar policy decision, optional human approval, and a tamper-evident decision record. You register your agents, route traffic, author the policy, and set up reviewers — that's the integration surface.

An actual policy

The rules are inspectable, not a black box.

Aegis policies are written in Cedar — the same formally-verifiable policy language AWS uses inside Bedrock AgentCore. Product, platform, security, and compliance can all read the same rule. The policy analyzer can answer "can agent X take action Y on resource Z?" with a mathematically grounded yes or no.

  • Default-deny. Every model and tool call routed through Aegis is checked.
  • Versioned, reviewable, diff-friendly — like code, because it is.
  • One language across LLM traffic, MCP tools, and A2A calls.
cedar dispute_remediation.cedar
// Allow the dispute agent to read case data...
permit(
  principal == Aegis::Agent::"DisputeBot-v1",
  action in [Aegis::Action::"mcp:tools:call"],
  resource in Aegis::ToolGroup::"dispute_context"
);

// ...but forbid reads of fraud investigation notes.
forbid(
  principal == Aegis::Agent::"DisputeBot-v1",
  action == Aegis::Action::"mcp:tools:call",
  resource == Aegis::Tool::"get_fraud_notes"
);

Why now

The control gap is widening — and getting regulated.

Dec 2025 — AAIF formed

OpenAI, Anthropic, Google, Microsoft, AWS, and Block put agent protocols under neutral governance — MCP in the new Agentic AI Foundation, A2A in the Linux Foundation. Agent traffic is consolidating onto two wire protocols Aegis already enforces.

2026 — EU AI Act enforcement

High-risk AI deployments now need demonstrable runtime control, human oversight, and audit. Release-time review can't answer what an autonomous agent did in production.

By 2028 — 15% of decisions agentic

Gartner projects 15% of daily business decisions will be made by agentic AI without human intervention. Every one of them needs an identity, a policy, and a record.

Inside the product

What enforcement looks like at runtime.

Aegis records every policy decision with the agent's identity, the action, the resource, and the policies evaluated — and HMAC-chains each record for tamper evidence. Smart Policy masks flagged sensitive content at source, and the approval and workflow records are preserved alongside each decision for inspection.

Aegis Policy Decisions view showing a denied agent action — the workload identity, action, resource, and every policy evaluated are recorded, with Smart Policy masking sensitive content at source
Policy Decisions: a denied agent action captured with workload identity, the policies evaluated, and a link to the originating task — a tamper-evident decision record, not reconstructed after the fact.

Control points in practice

A governed workflow, end to end.

Here is what those control points look like in practice — illustrated with a real dispute-remediation flow run against a live Aegis instance. DisputeBot-v1 starts with a workload identity, gets the context it needs, gets denied access to records it should not see, and pauses on a credit action that needs a human — while Aegis preserves audit evidence of every step, each policy decision in a tamper-evident chain. This is the current Aegis proof flow, not an aspirational diagram.

The same control pattern fits benefits-eligibility decisions in public-sector agencies student-record access in education seller payouts and refunds in marketplaces customer-support credits in regulated enterprises

01

The agent starts with a scoped workload identity

The Aegis IDP issues a workload JWT for DisputeBot-v1. Owner, scope, and the dispute workflow are bound to the credential before any tool call.

02

Customer and transaction context are allowed

Case lookup, customer history, and transaction details pass the Cedar policy check for this workflow and reach the agent.

03

Fraud investigation notes are denied at the gateway

The deny policy dispute-forbid-fraud-notes blocks the read. The denied attempt is captured with full request context.

04

Credit action pauses for human approval

The proposed $254.97 credit crosses a threshold. Aegis pauses execution and routes the action to a card-ops operator with policy and context attached.

05

Every step is preserved as audit evidence

Identity, allowed reads, denied reads, approval decisions, approver roles, and outcomes are captured — every policy decision in a tamper-evident chain.

What teams can evaluate

Concrete control surfaces for a pilot conversation.

Aegis sits as a control layer in front of model and tool access. Onboarding a workflow is the same four-step integration surface described above: register the agent, route its traffic, author the Cedar policy, and set up its reviewers. These six control surfaces are what a pilot evaluates.

01

Self-hostable control plane

The control plane runs inside your environment — policies, decision records, and approval data stay inside your boundary.

02

Gateway enforcement

Place policy in front of model and tool access without rebuilding every application workflow that needs it. On implemented paths, Aegis keeps bounded credentials from reaching the agent — impersonation-capable customer keys stay customer-held.

03

Inspectable Cedar policies

Use explicit, declarative rules that product, platform, risk, and compliance stakeholders can read together.

04

Human-in-the-loop routing

Send actions to the right reviewer when policy thresholds, data sensitivity, or business risk require it.

05

Tamper-evident policy decisions

Every Cedar policy decision is HMAC-chained at write time, so any alteration is detectable.

06

Workflow-first adoption

Adopt the controls around one AI agent first. Evaluate the model, then decide where the same pattern should apply next.

Where Aegis is today

Start with one governed workflow.

The first proof point is governed dispute remediation: a real AI agent, a Cedar deny policy on sensitive context, human approval routing on a credit action, and audit evidence — with tamper-evident policy decisions — across the full sequence. Concrete enough to evaluate against your own workflow controls.

  • Agent identity issued by the Aegis IDP
  • Default-deny Cedar policy on sensitive records, exercised end to end
  • Operator approval routing for credit and other write actions
  • Audit evidence across allowed, denied, approved, and completed steps

Where it extends

Governed workflows across regulated sectors.

The same primitives — identity, policy, approval, and evidence — carry over to public-sector services, education operations, marketplace workflows, and other regulated operations. Each new workflow gets its own policy and reviewer design, and that design work is exactly what a design-partner engagement covers.

We're in structured pilot conversations with product, platform, and control teams in regulated sectors. Everything on this page describes what ships today.

Design partner fit

For teams with a real AI workflow and a real approval problem.

The best pilot conversations are with platform, security, operations, or control teams across public sector, education, marketplaces, and regulated enterprises that already know which AI agent they want to deploy, but need a stronger answer for policy enforcement, human review, and audit before it reaches production.

  • You have a sensitive workflow where AI can assist but should not act unchecked.
  • You need runtime proof of what the agent accessed, attempted, and completed.
  • You want to evaluate controls around a concrete pilot, not a generic AI policy deck.
DC

Built by someone who has lived the problem

Dorin Ciobanu

Founder & CEO, Aegis

Previously at Cisco and JPMorgan Chase, working in software engineering and security controls across large-scale enterprise and regulated banking systems. I have seen how compliance review operates at scale — and exactly how it breaks down when AI agents start crossing data boundaries and triggering operational changes.

Aegis is the platform I would have wanted: runtime identity, policy, and audit that gives product teams a deployment path and gives control functions a defensible answer.

Stay in the loop

Not ready for a pilot conversation?

Send us a note with what you're trying to govern. We'll reach out when Aegis is relevant to your deployment timeline — no sales sequence, just useful updates.

Email us at [email protected] No newsletter, no drip campaign. A real reply from the founder.

Pilot conversation

Scope the workflow you want to control.

Bring the workflow, the systems it touches, the actions that require approval, and the audit questions your team has to answer. We'll scope the pilot around that concrete operating problem in one focused conversation.