Aegis

Runtime control plane for autonomous AI agents

Govern every action your AI agents take.

Aegis sits between your agents and the LLMs and tools they call. Workload identity, Cedar policy decisions, human approvals, and a tamper-evident audit chain — enforced at the protocol layer, not bolted on after the fact.

Self-hostable. OpenAI-compatible. Built on Cedar — the same policy language AWS uses for Bedrock AgentCore.

For platform, security, and compliance teams putting AI agents into regulated production

Live dispute-remediation reference flow runs end-to-end on this build

Live policy decision: Dispute remediation
Approval pending
AI agent: DisputeBot-v1
Workload: wl_disputebot · card-ops automation
Action: Issue $254.97 customer credit
Review trigger: Credit threshold reached
01 Workload identity verified: JWT credential issued by Aegis IDP, scope matches the dispute workflow.
02 Customer and transaction context allowed: Cedar policy permits case data for this remediation task.
03 Fraud investigation notes denied: demo-dispute-forbid-fraud-notes blocks the read; denial recorded.
04 Credit action paused for human approval: Threshold crossed. Operator receives policy, context, and proposed action.
Audit record hash: 87b1…f42c
Chain: HMAC-linked
Approver role: Card ops operator

Built on standards
  • Cedar: AWS-validated policy engine
  • OAuth 2.1 + JWT: Workload identity, default-deny
  • OpenAI-compatible: Drop-in for existing apps
  • MCP & A2A: Protocol-native enforcement
  • HMAC audit chain: Tamper-evident by design
  • Self-hostable: Runs in your VPC

Why Aegis

Identity, policy, and audit — built for the way agents actually run.

Most "AI security" tools either watch agents from the side or lock you into a single cloud. Aegis is the in-line control plane that authorizes every model and tool call before it happens, with one consistent policy model across LLMs, MCP servers, and downstream agents.

vs. observability platforms

Prevent, don't just record.

Discovery and runtime monitoring tell you what an agent did. Aegis decides — at the gateway, default-deny, with formal Cedar policy — what an agent can do.

vs. identity-only NHI tools

Identity is layer one, not the product.

Issuing an agent a credential doesn't stop it from misusing one. Aegis ties workload identity to enforced policy, human approvals, and a replayable audit chain.

vs. cloud-native governance

Govern every cloud, every agent.

Microsoft governs Microsoft agents. AWS governs Bedrock agents. Aegis governs the agents you actually run — across OpenAI, Anthropic, your own models, and any MCP tool.

Where Aegis fits

One control plane between your agents and everything they touch.

Drop Aegis in front of your LLM and tool traffic. Every model call and MCP tool invocation passes the workload identity check, the Cedar policy decision, and optional human approval — and lands in the same audit chain. No SDK rewrites, no per-agent instrumentation.

An actual policy

The rules are inspectable, not a black box.

Aegis policies are written in Cedar — the same formally-verifiable policy language AWS uses inside Bedrock AgentCore. Product, platform, security, and compliance can all read the same rule. The policy analyzer can answer "can agent X take action Y on resource Z?" with a mathematically grounded yes or no.

  • Default-deny. Every model and tool call is checked.
  • Versioned, reviewable, diff-friendly — like code, because it is.
  • One language across LLM traffic, MCP tools, and A2A calls.

dispute_remediation.cedar (Cedar)

// Allow the dispute agent to read case data...
permit(
  principal == Aegis::Agent::"DisputeBot-v1",
  action in [Aegis::Action::"mcp:tools:call"],
  resource in Aegis::ToolGroup::"dispute_context"
);

// ...but forbid reads of fraud investigation notes.
forbid(
  principal == Aegis::Agent::"DisputeBot-v1",
  action == Aegis::Action::"mcp:tools:call",
  resource == Aegis::Tool::"get_fraud_notes"
);
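
How Cedar combines the two rules above, as an added example that is not Aegis or Cedar engine code: a simplified Python model of Cedar's decision rule, in which any matching forbid overrides every permit and a request matching no permit is denied. The tool names other than get_fraud_notes, the group membership, and the permit's policy id are assumptions; demo-dispute-forbid-fraud-notes is assumed to be the id of the forbid shown.

```python
# Simplified model of Cedar's decision rule (not the Cedar engine):
# any matching forbid => Deny; else any matching permit => Allow; else Deny.
AGENT = 'Aegis::Agent::"DisputeBot-v1"'
CALL = 'Aegis::Action::"mcp:tools:call"'
GROUP = 'Aegis::ToolGroup::"dispute_context"'
FRAUD_NOTES = 'Aegis::Tool::"get_fraud_notes"'

# Constructed entity hierarchy: tool -> parent groups. Tool names other than
# get_fraud_notes are hypothetical, as is placing get_fraud_notes in the group.
PARENTS = {
    'Aegis::Tool::"get_case"': {GROUP},
    'Aegis::Tool::"get_transaction"': {GROUP},
    FRAUD_NOTES: {GROUP},
    'Aegis::Tool::"issue_credit"': set(),
}

def is_in(entity, ancestor):
    """Cedar `in`: the entity itself or any transitive ancestor."""
    if entity == ancestor:
        return True
    return any(is_in(parent, ancestor) for parent in PARENTS.get(entity, ()))

# (effect, policy id, scope condition) for the two policies on the page.
POLICIES = [
    ("permit", "permit-dispute-context",  # hypothetical policy id
     lambda p, a, r: p == AGENT and a == CALL and is_in(r, GROUP)),
    ("forbid", "demo-dispute-forbid-fraud-notes",
     lambda p, a, r: p == AGENT and a == CALL and r == FRAUD_NOTES),
]

def authorize(principal, action, resource):
    """Return (decision, ids of the policies that determined it)."""
    hits = [(effect, pid) for effect, pid, cond in POLICIES
            if cond(principal, action, resource)]
    forbids = [pid for effect, pid in hits if effect == "forbid"]
    if forbids:
        return "Deny", forbids          # forbid always wins over permit
    permits = [pid for effect, pid in hits if effect == "permit"]
    return ("Allow", permits) if permits else ("Deny", [])  # default-deny
```

A deny with an empty policy list is the default-deny case: nothing forbade the call, but nothing permitted it either, which is the outcome for any tool or agent the policy set never mentions.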

Why now

The control gap is widening — and getting regulated.

Dec 2025 — AAIF formed

OpenAI, Anthropic, Google, Microsoft, AWS, and Block formalized MCP and A2A as the agent protocol standard. Agent traffic is consolidating onto two wire protocols Aegis already enforces.

2026 — EU AI Act enforcement

High-risk AI deployments now need demonstrable runtime control, human oversight, and audit. Release-time review can't answer what an autonomous agent did in production.

By 2028 — 15% of decisions agentic

Gartner projects 15% of daily business decisions will be made by agentic AI without human intervention. Every one of them needs an identity, a policy, and a record.

Inside the product

What enforcement looks like at runtime.

The audit log captures every policy decision — allow, deny, approval — with workload identity and full request context attached. Every record is HMAC-chained for tamper-evidence.

[Screenshot: Aegis governance UI audit log showing a deny event]
Audit log: deny event captured with workload identity, policy name, and request context — recorded inline, not reconstructed after the fact.

Every AI workflow has control points

A governed workflow, end to end.

Here is what those control points look like in practice — illustrated with a real dispute-remediation flow run against a live Aegis instance. DisputeBot-v1 starts with a workload identity, gets the context it needs, gets denied access to records it should not see, pauses on a credit action that needs a human, and lands every step in a tamper-evident audit chain. This is the current Aegis proof flow, not an aspirational diagram.

The same control pattern fits:

  • customer-support refunds
  • healthcare prior authorisation
  • insurance claim adjudication
  • internal access & copilot tooling
  • any agent that touches sensitive data or triggers operational change

01

Worker starts with a scoped workload identity

The Aegis IDP issues a workload JWT for DisputeBot-v1. Owner, scope, and the dispute workflow are bound to the credential before any tool call.

02

Customer and transaction context are allowed

Case lookup, customer history, and transaction details pass the Cedar policy check for this workflow and reach the worker.

03

Fraud investigation notes are denied at the gateway

The deny policy demo-dispute-forbid-fraud-notes blocks the read. The denied attempt is captured with full request context.

04

Credit action pauses for human approval

The proposed $254.97 credit crosses a threshold. Aegis pauses execution and routes the action to a card-ops operator with policy and context attached.

05

The decision trail is replayable

Identity, allowed reads, denied reads, approval decision, approver role, and final outcome are preserved in the HMAC-chained audit log for later inspection.
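
What an HMAC-chained record of steps 01 to 04 can look like, as an added example that is not Aegis code: each entry's tag is an HMAC over the previous tag plus the entry's canonical JSON, so editing or removing an earlier entry breaks verification from that point on. The record fields, the all-zero genesis value, and the chaining construction are assumptions; the page does not describe Aegis's actual record format.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed starting link for the first record

def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()

def append(chain, key, record):
    """Append a record whose tag covers the previous tag and its own body."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(key, prev, record)})

def first_bad_index(chain, key):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    return None

def demo_chain(key):
    """Constructed records mirroring steps 01-04 of the flow above."""
    wl = "wl_disputebot"
    records = [
        {"seq": 1, "workload": wl, "event": "identity_verified", "decision": "allow"},
        {"seq": 2, "workload": wl, "event": "read_case_context", "decision": "allow"},
        {"seq": 3, "workload": wl, "event": "get_fraud_notes", "decision": "deny",
         "policy": "demo-dispute-forbid-fraud-notes"},
        {"seq": 4, "workload": wl, "event": "issue_credit", "amount": "254.97",
         "decision": "approval_pending"},
    ]
    chain = []
    for rec in records:
        append(chain, key, rec)
    return chain
```

Dropping entries from the end leaves a shorter chain that still verifies, so the latest tag or the record count has to be anchored somewhere the log writer cannot change.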

What teams can evaluate

Concrete control surfaces for a pilot conversation.

Aegis sits as a control layer in front of model and tool access. Adopting it for a workflow involves workload registration, gateway routing, Cedar policy authoring, and reviewer setup for that workflow — not a drop-in install. The surfaces below are what a pilot evaluates around.

01

Self-hostable control plane

The control surface is designed to run inside the customer environment so sensitive workflow data stays in boundary.

02

Gateway enforcement

Place policy in front of model and tool access without rebuilding every application workflow that needs it.

03

Inspectable Cedar policies

Use explicit, declarative rules that product, platform, risk, and compliance stakeholders can read together.

04

Human-in-the-loop routing

Send actions to the right reviewer when policy thresholds, data sensitivity, or business risk require it.

05

Tamper-evident audit log

Keep an HMAC-chained record of identity, access, policy decisions, approvals, denials, and outcomes.

06

Workflow-first adoption

Adopt the controls around one AI agent first. Evaluate the model, then decide where the same pattern should apply next.

Where Aegis is today

Start with one governed workflow.

The first proof point is governed dispute remediation: a real AI agent, a real Cedar deny policy on sensitive context, real human approval routing on a credit action, and a real HMAC-chained audit log across the full sequence. Concrete enough to evaluate against your own workflow controls.

  • Workload identity issued by the Aegis IDP
  • Default-deny Cedar policy on sensitive records, exercised end to end
  • Operator approval routing for credit and other write actions
  • Replayable audit trail across allowed, denied, approved, and completed steps

Where it extends

Same control pattern, more regulated workflows.

The same primitives — identity, policy, approval, audit — are designed to apply across additional regulated agent workflows. Pilot one, and the same controls become reusable for the next, instead of a new bespoke review process each time.

Aegis is being evaluated through structured pilot conversations with regulated product, platform, and control teams. Treat the public site as an honest read of what is shipped today, not a claim of current customer deployments.

Design partner fit

For teams with a real AI workflow and a real approval problem.

The best pilot conversations are with regulated product, platform, operations, or control teams that already know which AI agent they want to deploy, but need a stronger answer for policy enforcement, human review, and audit before it reaches production.

  • You have a sensitive workflow where AI can assist but should not act unchecked.
  • You need runtime proof of what the worker accessed, attempted, and completed.
  • You want to evaluate controls around a concrete pilot, not a generic AI policy deck.

Built by someone who has lived the problem

Dorin Ciobanu

Founder & CEO, Aegis

Previously at JPMorgan Chase, working in software engineering and security controls inside regulated banking systems. I have seen how compliance review operates at scale — and exactly how it breaks down when AI agents start crossing data boundaries and triggering operational changes.

Aegis is the platform I would have wanted: runtime identity, policy, and audit that gives product teams a deployment path and gives control functions a defensible answer.

Stay in the loop

Not ready for a pilot conversation?

Send us a note with what you're trying to govern. We'll reach out when Aegis is relevant to your deployment timeline — no sales sequence, just useful updates.

Email us at [email protected]

No newsletter, no drip campaign. A real reply from the founder.

Pilot conversation

Scope the workflow you want to control.

Bring the workflow, the systems it touches, the actions that require approval, and the audit questions your team has to answer. Aegis can be evaluated around that concrete operating problem in a focused pilot conversation.