Aegis — AI Agent Governance Platform
A firewall and observability layer for autonomous AI agents.
Aegis intercepts every tool call an AI agent makes, validates it against a developer-defined policy, and logs the decision — before the action ever executes. If the action is unauthorized, it's blocked. If it's unknown, it's held for human review. If the agent goes rogue, a kill-switch shuts it down instantly.
Think of it as Cloudflare for AI Agents — outbound policy enforcement, governance, and real-time audit for any autonomous system.
The Problem
AI agents (LangChain, LangGraph, CrewAI, AutoGen) are increasingly autonomous. They call APIs, access databases, read files, and make decisions on their own. But there's no standardized way to:
- See what an agent is doing in real time
- Control what actions an agent is allowed to take
- Stop an agent when it deviates from expected behavior
- Audit every decision an agent made after the fact
LLMs are unpredictable. An agent given access to 17 banking tools will try to use whichever ones it thinks are helpful — including accessing SSNs, deleting records, or connecting to external servers — if nothing stops it. Prompt injection attacks can trick agents into calling tools they shouldn't. Autonomous reasoning can lead agents to escalate their own privileges ("I should verify the SSN to be thorough").
Companies deploying agents today are essentially flying blind. Aegis fixes that.
How Aegis Works
The Three-Tier Security Model
Every agent action is evaluated against a policy with three possible outcomes:
| Tier | Who decides? | Can it execute? | Use case |
|---|---|---|---|
| ALLOW | Pre-approved by developer | Always | Vetted, safe actions |
| REVIEW | Human reviewer (dashboard) | Only if approved | Unknown/undeclared actions |
| BLOCK | Pre-denied by developer | Never | Known-dangerous actions |
The developer defines a whitelist of allowed actions. Everything not on the list goes to REVIEW (human approval on the dashboard). Known-dangerous actions like delete_records are hard-BLOCKED — no human can accidentally approve them.
Agent tries to call a tool
            │
In allowed_actions? ──── YES ──→ ALLOWED (execute + log)
            │ NO
In blocked_actions? ──── YES ──→ BLOCKED (hard deny, logged, alert)
            │ NO
Unknown action ─────────────────→ REVIEW (held for human approval on dashboard)
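The decision flow above can be sketched as a small pure function (names and shapes here are illustrative, not the actual Aegis SDK internals):

```python
# Minimal sketch of the three-tier decision: ALLOW beats BLOCK beats REVIEW,
# checked in that order against a developer-defined policy dict.
def evaluate_action(action: str, policy: dict) -> str:
    """Return ALLOW, BLOCK, or REVIEW for a proposed tool call."""
    if action in policy.get("allowed_actions", []):
        return "ALLOW"      # pre-approved: execute and log
    if action in policy.get("blocked_actions", []):
        return "BLOCK"      # hard deny: log and alert, never executes
    return "REVIEW"         # unknown: held for human approval

policy = {
    "allowed_actions": ["lookup_balance"],
    "blocked_actions": ["delete_records"],
}
evaluate_action("lookup_balance", policy)   # → "ALLOW"
evaluate_action("delete_records", policy)   # → "BLOCK"
evaluate_action("access_ssn", policy)       # → "REVIEW"
```

Because REVIEW is the default for anything not explicitly listed, a newly invented or prompt-injected tool call can never slip through silently.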
Key Design: All Tools, Policy as Gatekeeper
Every agent receives access to all tools in the platform. The LLM knows they exist and can attempt to call any of them. Aegis policy is the only enforcement layer — not tool availability.
This mirrors real-world security: an employee can see all the doors in the building, but company policy controls which rooms they can enter. The tool registry and the security policy are separate concerns managed by different teams.
# Customer Support agent — knows about all 17 tools, allowed to use 3
DECORATOR = {
    "allowed_actions": ["lookup_balance", "get_transaction_history", "send_notification"],
    "blocked_actions": ["delete_records", "connect_external"],
}
# access_ssn, access_credit_card, export_customer_list, etc. → REVIEW
Context-Based Policy Enforcement
The same tool behaves differently depending on which agent calls it:
# Same tool, different agents, different outcomes
access_ssn(customer_id=3)
# Under Customer Support → REVIEW (not in allowed list)
# Under Fraud Detection → ALLOWED (SSN access is in its allowed list)
This is powered by Python's contextvars — shared tools resolve the correct agent's policy at call time.
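A minimal sketch of that pattern with the standard library's contextvars (agent names and the policy table are illustrative, not the SDK's internals):

```python
# A shared tool looks up the *current* agent's policy at call time,
# so the same function yields different outcomes under different agents.
from contextvars import ContextVar

current_agent: ContextVar[str] = ContextVar("current_agent", default="unknown")

POLICIES = {
    "CustomerSupport": {"allowed_actions": ["lookup_balance"]},
    "FraudDetection": {"allowed_actions": ["lookup_balance", "access_ssn"]},
}

def decide(action: str) -> str:
    policy = POLICIES.get(current_agent.get(), {})
    return "ALLOW" if action in policy.get("allowed_actions", []) else "REVIEW"

token = current_agent.set("CustomerSupport")
decide("access_ssn")   # "REVIEW" — not in Customer Support's allow list
current_agent.reset(token)

token = current_agent.set("FraudDetection")
decide("access_ssn")   # "ALLOW" — SSN access is in Fraud Detection's list
current_agent.reset(token)
```

contextvars (unlike a module-level global) is safe under async and threaded agent frameworks, since each execution context carries its own agent identity.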
Approach: SDK-First Integration
Aegis is designed as a Python SDK (sentinel-guardrails) that integrates into existing agent code with two decorators and a context manager. No infrastructure changes, no proxy servers, no config files — just pip install and annotate.
from sentinel import agent, monitor, agent_context
# 1. Register agent with policy (persisted to MongoDB)
@agent("SupportBot", owner="alice", allows=["lookup_balance"], blocks=["delete_records"])
class SupportBot: pass
# 2. Wrap any tool with firewall enforcement
@monitor
def lookup_balance(customer_id: int) -> str:
    # Parameterized query: never interpolate tool arguments into SQL
    return db.query("SELECT balance FROM accounts WHERE customer_id = %s", (customer_id,))

# 3. Use tools under an agent's identity
with agent_context("SupportBot"):
    lookup_balance(42)      # ALLOWED — logged
    delete_records("tmp")   # BLOCKED — logged, alert fired, function never executes
The SDK reads policy from MongoDB on every call (no caching), so policy changes, including the kill-switch, take effect immediately. Every decision is logged to an audit trail.
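A hedged sketch of what a per-call enforcement decorator can look like. Here fetch_policy() stands in for the real MongoDB read, and the names (BlockedActionError, the "killed" flag) are illustrative, not the published SDK API:

```python
# Because policy is fetched fresh on every call, a kill-switch or
# policy edit applies to the very next tool invocation.
import functools

class BlockedActionError(Exception):
    pass

def fetch_policy(agent_name: str) -> dict:
    # Stand-in for a MongoDB read; the real SDK would query the shared
    # policy collection here on EVERY call (no caching).
    return {"killed": False,
            "allowed_actions": ["lookup_balance"],
            "blocked_actions": ["delete_records"]}

def monitor(func):
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        policy = fetch_policy("SupportBot")
        if policy["killed"]:
            raise BlockedActionError("kill-switch engaged")
        if func.__name__ in policy["blocked_actions"]:
            raise BlockedActionError(f"{func.__name__} is BLOCKED")
        if func.__name__ not in policy["allowed_actions"]:
            raise BlockedActionError(f"{func.__name__} held for REVIEW")
        return func(*args, **kwargs)   # ALLOW: execute (and log)
    return wrapper

@monitor
def lookup_balance(customer_id: int) -> str:
    return f"balance for {customer_id}"
```

The trade-off is one database round-trip per tool call; the document's roadmap (WebSocket push) is one way to reduce that latency without reintroducing a stale cache.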
Tech Stack
| Layer | Technology | Purpose |
|---|---|---|
| SDK | Python 3.10+, pymongo, contextvars | @agent and @monitor decorators, policy enforcement, audit logging |
| Backend | FastAPI, pymongo | REST API for dashboard (8 endpoints), reads from shared MongoDB |
| Frontend | React 19, Vite, Tailwind CSS v4, Lucide icons, Motion | Real-time governance dashboard with 5 pages |
| Database | MongoDB Atlas | Agents, policies, audit log, pending approvals, demo bank data |
| Demo Agents | LangChain, LangGraph, Google Gemini | 4 banking agents demonstrating firewall governance |
| Infra | Docker, Docker Compose | Containerized deployment of backend + frontend |
Future Improvements
Agent Manifest Generation (AgentBOM)
Auto-generate an agent_manifest.json from decorator data across the codebase — an Agent Bill of Materials. Documents every agent's identity, capabilities, tools, data access, permissions, and dependencies. Serves as audit-ready documentation and a single source of truth.
Governance Rule Engine
YAML-configurable rules scanned against agent manifests (e.g., "any agent accessing PII must have human approval"). Violations surface on the dashboard with severity levels. An LLM layer enriches each flag with contextual risk explanations.
Policy Learning from REVIEW Events
"Promote to BLOCK" / "Promote to ALLOW" buttons on the approval queue. Over time, the REVIEW tier shrinks as the security team confirms which actions are safe and which are dangerous. The policy evolves from incident data, not guesswork.
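The promotion step itself is simple; a hypothetical helper (the real dashboard would persist this change to MongoDB) might look like:

```python
# Move a REVIEW-tier action into the explicit allow or block list,
# shrinking the REVIEW tier as incidents are triaged.
def promote(policy: dict, action: str, tier: str) -> dict:
    key = "allowed_actions" if tier == "ALLOW" else "blocked_actions"
    if action not in policy[key]:
        policy[key].append(action)
    return policy

policy = {"allowed_actions": ["lookup_balance"], "blocked_actions": []}
promote(policy, "send_notification", "ALLOW")
# "send_notification" now executes without review on future calls
```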
Multi-Agent Dependency Graph
Interactive visualization mapping agent-to-agent dependencies, shared tools, and data flows. Click any agent to trace what it calls, what calls it, and what data flows through it.
Analytics Timeline & Violation Breakdown
Time-series charts showing agent behavior trends, violation breakdowns, and anomaly detection. Enables compliance reporting and historical analysis.
Content Inspection (DLP Layer)
Current enforcement is at the tool level — which function is called. A future DLP layer would inspect arguments and return values for sensitive data patterns (SSN, credit card numbers) even through allowed tools. This catches data exfiltration through legitimate channels.
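A minimal sketch of what such an inspection pass could look like (the patterns and function name are illustrative; this is a proposed feature, not shipped code):

```python
# Scan a tool's arguments or return value for sensitive-data patterns,
# catching exfiltration through an otherwise ALLOWED channel.
import re

SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}

def scan_for_sensitive(payload: str) -> list[str]:
    """Return the names of sensitive patterns found in a payload."""
    return [name for name, pattern in SENSITIVE_PATTERNS.items()
            if pattern.search(payload)]

scan_for_sensitive("Customer SSN: 123-45-6789")   # → ["ssn"]
scan_for_sensitive("balance: $42.00")             # → []
```

In practice, regexes alone miss reformatted or encoded data, so a production DLP layer would likely combine patterns with checksum validation (e.g. Luhn for card numbers) and field-level tagging.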
WebSocket Real-Time Events
Replace 2-second polling with persistent WebSocket connections for instant push updates on activity, alerts, and governance violations.
Export & Compliance Reports
One-click export of audit trails, agent manifests, and fact sheets as YAML/Markdown/PDF for SOC2, GDPR, and HIPAA compliance.
Multi-Language SDK Support
Current SDK is Python-only. Future versions would add TypeScript/JavaScript, Go, and Java SDKs, plus a language-agnostic HTTP proxy mode for any runtime.