Prevent, don't just record.
Discovery and runtime monitoring tell you what an agent did. Aegis decides — at the gateway, default-deny, with formal Cedar policy — what an agent can do.
Runtime control plane for autonomous AI agents
Aegis sits between your agents and the models and tools they call: identity checks, Cedar policy decisions, human approval on consequential actions, and a tamper-evident record of every decision along the way.
Self-hostable. OpenAI-compatible. Built on Cedar — the same policy language AWS uses for Bedrock AgentCore.
Why Aegis
Most "AI security" tools either watch agents from the side or lock you into a single cloud. Aegis is the in-line control plane: every model and tool call it carries is authorized before it happens, under one consistent policy model across LLMs, MCP servers, and downstream agents.
Discovery and runtime monitoring tell you what an agent did. Aegis decides — at the gateway, default-deny, with formal Cedar policy — what an agent can do.
Issuing an agent a credential doesn't stop the agent from misusing it. Aegis ties workload identity to enforced policy, human approvals, and tamper-evident policy decisions.
Microsoft governs Microsoft agents. AWS governs Bedrock agents. Aegis governs the agents you actually run — route them through it, and one policy model covers OpenAI, Anthropic, your own models, and any MCP tool.
Where Aegis fits
Route your LLM and MCP traffic through Aegis, and every model call and tool invocation gets an identity check, a Cedar policy decision, optional human approval, and a tamper-evident decision record. You register your agents, route traffic, author the policy, and set up reviewers — that's the integration surface.
An actual policy
Aegis policies are written in Cedar — the same formally-verifiable policy language AWS uses inside Bedrock AgentCore. Product, platform, security, and compliance can all read the same rule. The policy analyzer can answer "can agent X take action Y on resource Z?" with a mathematically grounded yes or no.
// Allow the dispute agent to read case data...
permit(
principal == Aegis::Agent::"DisputeBot-v1",
action in [Aegis::Action::"mcp:tools:call"],
resource in Aegis::ToolGroup::"dispute_context"
);
// ...but forbid reads of fraud investigation notes.
forbid(
principal == Aegis::Agent::"DisputeBot-v1",
action == Aegis::Action::"mcp:tools:call",
resource == Aegis::Tool::"get_fraud_notes"
);
Why now
OpenAI, Anthropic, Google, Microsoft, AWS, and Block put agent protocols under neutral governance — MCP in the new Agentic AI Foundation, A2A in the Linux Foundation. Agent traffic is consolidating onto two wire protocols Aegis already enforces.
High-risk AI deployments now need demonstrable runtime control, human oversight, and audit. Release-time review can't answer what an autonomous agent did in production.
Gartner projects 15% of daily business decisions will be made by agentic AI without human intervention. Every one of them needs an identity, a policy, and a record.
Inside the product
Aegis records every policy decision with the agent's identity, the action, the resource, and the policies evaluated — and HMAC-chains each record for tamper evidence. Smart Policy masks flagged sensitive content at source, and the approval and workflow records are preserved alongside each decision for inspection.
Control points in practice
Here is what those control points look like in practice — illustrated with a real dispute-remediation flow run against a live Aegis instance. DisputeBot-v1 starts with a workload identity, gets the context it needs, gets denied access to records it should not see, and pauses on a credit action that needs a human — while Aegis preserves audit evidence of every step, each policy decision in a tamper-evident chain. This is the current Aegis proof flow, not an aspirational diagram.
The same control pattern fits benefits-eligibility decisions in public-sector agencies student-record access in education seller payouts and refunds in marketplaces customer-support credits in regulated enterprises
The Aegis IDP issues a workload JWT for DisputeBot-v1. Owner, scope, and the dispute workflow are bound to the credential before any tool call.
Case lookup, customer history, and transaction details pass the Cedar policy check for this workflow and reach the agent.
The deny policy dispute-forbid-fraud-notes blocks the read. The denied attempt is
captured with full request context.
The proposed $254.97 credit crosses a threshold. Aegis pauses execution and routes the action to a card-ops operator with policy and context attached.
Identity, allowed reads, denied reads, approval decisions, approver roles, and outcomes are captured — every policy decision in a tamper-evident chain.
What teams can evaluate
Aegis sits as a control layer in front of model and tool access. Onboarding a workflow is the same four-step integration surface described above: register the agent, route its traffic, author the Cedar policy, and set up its reviewers. These six control surfaces are what a pilot evaluates.
The control plane runs inside your environment — policies, decision records, and approval data stay inside your boundary.
Place policy in front of model and tool access without rebuilding every application workflow that needs it. On implemented paths, Aegis keeps bounded credentials from reaching the agent — impersonation-capable customer keys stay customer-held.
Use explicit, declarative rules that product, platform, risk, and compliance stakeholders can read together.
Send actions to the right reviewer when policy thresholds, data sensitivity, or business risk require it.
Every Cedar policy decision is HMAC-chained at write time, so any alteration is detectable.
Adopt the controls around one AI agent first. Evaluate the model, then decide where the same pattern should apply next.
Where Aegis is today
The first proof point is governed dispute remediation: a real AI agent, a Cedar deny policy on sensitive context, human approval routing on a credit action, and audit evidence — with tamper-evident policy decisions — across the full sequence. Concrete enough to evaluate against your own workflow controls.
Where it extends
The same primitives — identity, policy, approval, and evidence — carry over to public-sector services, education operations, marketplace workflows, and other regulated operations. Each new workflow gets its own policy and reviewer design, and that design work is exactly what a design-partner engagement covers.
We're in structured pilot conversations with product, platform, and control teams in regulated sectors. Everything on this page describes what ships today.
Design partner fit
The best pilot conversations are with platform, security, operations, or control teams across public sector, education, marketplaces, and regulated enterprises that already know which AI agent they want to deploy, but need a stronger answer for policy enforcement, human review, and audit before it reaches production.
Built by someone who has lived the problem
Founder & CEO, Aegis
Previously at Cisco and JPMorgan Chase, working in software engineering and security controls across large-scale enterprise and regulated banking systems. I have seen how compliance review operates at scale — and exactly how it breaks down when AI agents start crossing data boundaries and triggering operational changes.
Aegis is the platform I would have wanted: runtime identity, policy, and audit that gives product teams a deployment path and gives control functions a defensible answer.
Stay in the loop
Send us a note with what you're trying to govern. We'll reach out when Aegis is relevant to your deployment timeline — no sales sequence, just useful updates.
Pilot conversation
Bring the workflow, the systems it touches, the actions that require approval, and the audit questions your team has to answer. We'll scope the pilot around that concrete operating problem in one focused conversation.