AetherGuard, Inc.
Zero-trust runtime security for autonomous AI agents β no SDK required.
AetherGuard secures AI agents through eight integrated security controls that automatically evaluate every agent action before execution. Together, these controls provide policy enforcement, identity verification, execution governance, and cryptographic assurance for autonomous AI systems.
| Control | Business Description | Primary OWASP Agentic AI Alignment |
|---|---|---|
| π₯ C1. Tool Invocation Firewall | Ensures AI agents can only access approved tools, prevents unauthorized external connections, enforces data classification policies, and blocks sensitive information from being sent to untrusted destinations. | Agent Authorization, Tool Security, Data Protection |
| π C2. Policy Enforcement Engine | Evaluates every agent action against organizational security and compliance policies. If policies cannot be verified, execution is automatically denied (fail-closed). | Policy Enforcement, Governance, Secure Defaults |
| π¦ C3. Secure Execution Controls | Prevents runaway agents through execution limits, session timeouts, resource quotas, recursion detection, and abuse prevention mechanisms. | Resource Management, Agent Containment, Availability |
| π C4. Immutable Provenance | Creates tamper-evident audit records for every AI decision and action, enabling complete traceability for compliance, forensics, and governance. | Audit Logging, Accountability, Non-Repudiation |
| π― C5. Intent-to-Action Validation | Verifies that an agent's requested action matches the user's original intent, helping prevent prompt injection, unintended actions, and malicious task manipulation. | Prompt Injection Defense, Agent Integrity, Intent Validation |
| π C6. Capability Verification | Confirms that each AI agent possesses only approved capabilities using cryptographic verification, preventing unauthorized tools or modified agent profiles from executing. | Identity & Trust Management, Supply Chain Security |
| π€ C7. Human Approval Workflow | Automatically requires human authorization for high-risk or sensitive operations, with configurable approval routing and automatic denial when approvals expire. | Human Oversight, High-Risk Operations, Governance |
| βοΈ C8. AetherSign Cryptographic Assurance | Digitally signs every AI action using enterprise-grade cryptography, providing verifiable integrity and preventing tampering throughout the execution lifecycle. | Integrity Protection, Non-Repudiation, Trust Verification |
- β Prevents unauthorized AI agent actions before execution
- β Enforces enterprise security and governance policies automatically
- β Protects sensitive data from unintended disclosure
- β Ensures every AI decision is fully auditable and cryptographically verifiable
- β Supports human oversight for high-risk business operations
- β Helps organizations implement secure, trustworthy, and compliant AI agents
AetherGuard's security architecture aligns with the key principles of the OWASP Agentic AI framework by providing:
| # | Principle | Controls |
|---|---|---|
| 1 | Agent Authorization & Identity Verification | C1, C6 |
| 2 | Secure Tool Invocation | C1, C3 |
| 3 | Policy-as-Code Enforcement | C2 |
| 4 | Prompt Injection & Intent Validation | C5 |
| 5 | Execution Sandboxing & Resource Controls | C3 |
| 6 | Human-in-the-Loop Governance | C7 |
| 7 | Tamper-Evident Audit Trails | C4 |
| 8 | Cryptographic Integrity & Provenance | C4, C8 |
Together, these controls enable organizations to deploy autonomous AI agents with enterprise-grade security, governance, and operational trust.
π Get started: Sign up at genesis.aetherguard.ai, create a tenant, and grab your API key.
π¦ Prefer Python? Contact AetherGuard AI for SDK
agent-runtime-operating-environment-sdkfor caching, batching, and the full federation layer.
βββββββββββββββββββ HTTPS / JSON ββββββββββββββββββββββββββββββββββββ
β Your Agent β ββββββββββββββββββββββββββΆ β AetherGuard Backend β
β (any language) β Authorization: Bearer ... β β
βββββββββββββββββββ β ββββββββββββββββββββββββββββββ β
β β π₯ C1 Tool Firewall β β
β β π C2 OPA Policy Engine β β
β β π¦ C3 Execution Sandbox β β
β β π C4 Hash-Chain Audit β β
β β π― C5 Intent Validator β β
β β π C6 Capability Verify β β
β β π€ C7 Human-in-the-Loop β β
β β βοΈ C8 AetherSign (ECDSA) β β
β ββββββββββββββββββββββββββββββ β
β + FR-1βFR-11 Advanced Suite β
ββββββββββββββββββββββββββββββββββββ
All 8 security controls + the full advanced suite fire automatically on every tool evaluation.
| Capability | Status | Notes |
|---|---|---|
| π Register agent + publish capabilities | β | Full profile |
| π Update capabilities | β | Auto-increments version, re-signs |
| β | Returns session_id |
|
| π‘οΈ Evaluate tool calls (enforcement + telemetry) | β | All 8 controls + advanced suite |
| π Scan tool output | β | Injection, PII, secrets |
| π€ Human-in-the-loop (HITL) | β | Full approval routing |
| π Session trace + provenance | β | Hash-chain audit |
| π€ Multi-agent delegation (sub-agents) | β | Via parent_session_id |
| π¨ Quarantine / incidents | β | Operational controls |
| π Agent SBOM | β | CycloneDX 1.6, KMS-signed (web portal only) |
| π Federation (SPIFFE + JIT tokens) | β | SDK only |
π‘ Federation (SPIFFE/SVID + ephemeral JIT tokens) is an additional identity layer provided by the SDK. Without it, all security controls (C1βC8) still apply in full β federation is not a prerequisite.
Base URL:
https://agentexample.aetherguard.ai/api/v1/agents
Header:
Authorization: Bearer ag_live_xxxxxxxxxxxx
HTTP 200for all verdict outcomes (ALLOW / BLOCK / PENDING / TIMEOUT)HTTP 4xxfor validation errors, auth failures, and not-found
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β β POST /register Register agent + capabilities β
β β β
β βΌ β
β β‘ POST /session/start Start bounded session β
β β β
β βΌ β
β β’ POST /session/{id}/tool ββββ loop for each tool call β
β β β
β βββ β
ALLOW β execute tool β scan output β
β βββ π« BLOCK β handle violations β
β βββ β³ PENDING β await HITL decision β
β βββ β° TIMEOUT β session expired β
β β β
β βΌ β
β β£ POST /session/{id}/end Close session β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Validates tool names (no wildcards), computes SHA-256 capability hash, signs with KMS ECDSA-P256, persists the profile, and generates the signed SBOM.
POST /register{
"agent_id": "payment-processor-v1",
"agent_name": "Payment Processor",
"version": "1.0.0",
"capability": {
"permitted_tools": ["get_invoice", "process_refund", "send_receipt"],
"data_classifications": ["financial", "pii"],
"permitted_destinations": ["payments.internal", "@company.com"],
"max_tool_calls": 10,
"max_session_secs": 600,
"requires_human_approval": false,
"hitl_timeout_secs": 900,
"hitl_approval_group": null,
"hitl_approval_user": null,
"intent_threshold": 0.72,
"allow_external_network": false,
"output_scanning_enabled": true,
"loop_detection_enabled": true,
"token_budget": {
"max_total_tokens": 50000,
"max_tokens_per_step": 5000,
"max_reasoning_tokens": 25000
},
"owner": "platform-ai-team",
"department": "Engineering",
"framework": "langchain"
}
}π Field reference
| Field | Required | Description |
|---|---|---|
agent_id |
β | Unique identifier within the tenant |
agent_name |
β | Human-readable display name |
permitted_tools |
β | Exact tool names β no wildcards, no regex |
data_classifications |
Permitted PII/PHI categories (pii, phi, financial, confidential, internal) |
|
permitted_destinations |
Allowed domain suffixes (e.g. @company.com) |
|
max_tool_calls |
Hard cap per session (default: 20) | |
max_session_secs |
Session timeout in seconds (default: 300) | |
requires_human_approval |
Gate every tool call through C7 HITL | |
hitl_approval_group |
Only group members can approve | |
hitl_approval_user |
Only this user can approve | |
intent_threshold |
C5 cosine similarity minimum (default: 0.72, set 0 to disable) | |
allow_external_network |
Allow external HTTP destinations (default: false) | |
token_budget |
Optional per-session token budget | |
owner |
Inventory metadata β owning person/team | |
department |
Inventory metadata β business unit | |
framework |
Agent framework (langchain, crewai, autogen, mcp, etc.) |
{
"agent_id": "payment-processor-v1",
"status": "ACTIVE",
"capability_hash": "sha256:a3f5c7d2e9b1084f63cc452bd8e71a90...",
"capability_sig": "base64:MEUCIQD...",
"registration_id": "payment-processor-v1"
}π
capability_hash= SHA-256 of canonical profile JSON
βοΈcapability_sig= KMS ECDSA-P256 signature over that hash
Both verified before every session start (C6)
Rejects if agent has active sessions. Auto-increments version, recomputes hash, re-signs.
PUT /profileSame request shape as register. Response includes new version number.
POST /deregister β { "agent_id": "..." }
POST /reactivate β { "agent_id": "..." }Soft-deregister preserves the profile for audit; blocks new sessions.
Verifies capability integrity (C6), blocks quarantined/deregistered agents.
POST /session/start{
"agent_id": "payment-processor-v1",
"declared_intent": "Process refund for order ORD-123",
"workflow_id": "550e8400-...",
"parent_session_id": null,
"parent_step": null
}| Field | Required | Description |
|---|---|---|
agent_id |
β | Registered, active agent |
declared_intent |
β | Locked at creation; C5 validates every tool call against this |
workflow_id |
UUID to group multi-agent sessions | |
parent_session_id |
Orchestrator's session β triggers FR-11 containment | |
parent_step |
Which step in parent spawned this sub-agent |
{
"session_id": "7f3a9c12-4b8e-4d21-bc7f-1a2b3c4d5e6f",
"tenant_id": "your-tenant-uuid",
"status": "ACTIVE",
"started_at": 1751000400,
"user_intent": "Process refund for order ORD-123"
}πΎ Store
session_idβ every subsequent call requires it.
The core enforcement endpoint. All 8 controls + FR-1βFR-11 advanced suite fire automatically.
POST /session/{session_id}/tool{
"tool": "process_refund",
"params": { "order_id": "ORD-123", "amount": 49.99 },
"reasoning": "Customer requested refund for damaged item",
"tokens_input": 1240,
"tokens_output": 380,
"model": "claude-sonnet-4-6",
"transport_type": "REST"
}π Full field reference
| Field | Required | Description |
|---|---|---|
tool |
β | Tool name to evaluate |
params |
β | Tool parameters (C1 checks for PII) |
reasoning |
Agent reasoning (C5 intent validation) | |
tokens_input |
Input tokens for C3 budget tracking | |
tokens_output |
Output tokens for C3 budget tracking | |
model |
LLM model name (provenance + inventory) | |
transport_type |
REST (default) or MCP |
|
user_id |
Who initiated the request | |
model_version_hash |
SHA-256 of model artifact | |
region |
AWS region of inference | |
input_fingerprint |
SHA-256 of prompt | |
output_fingerprint |
SHA-256 of response | |
policy_check_detail |
{"pii_detected": false, "injection_score": 0.04, "secrets_detected": false} |
{
"allowed": true,
"verdict": "ALLOW",
"violations": [],
"session_id": "7f3a9c12-...",
"step_id": "step-uuid",
"intent_score": 0.87,
"sanitized_params": null,
"hitl_request_id": null,
"evaluated_at": 1751000450
}| Verdict | allowed |
Action |
|---|---|---|
β
ALLOW |
true |
Execute the tool (use sanitized_params if present) |
π« BLOCK |
false |
Do not execute. Inspect violations. |
β³ PENDING |
false |
Awaiting human approval. Poll HITL status. |
β° TIMEOUT |
false |
Session expired. Start a new one. |
When AGENT_PARAM_EGRESS_REDACTION=true (server-side), the engine scrubs secrets/PII from params:
outbound = result["sanitized_params"] or original_params
execute_tool("process_refund", outbound) # use scrubbed versionπ All violation codes
| Code | Control | Trigger |
|---|---|---|
C1_PERMISSION_DENIED |
π₯ Firewall | Tool not in permitted_tools |
C1_DATA_SENSITIVITY_VIOLATION |
π₯ Firewall | PII detected, classification not permitted |
C1_DESTINATION_UNTRUSTED |
π₯ Firewall | Destination not in permitted list |
C1_EXTERNAL_NETWORK_DENIED |
π₯ Firewall | External URL blocked |
C2_POLICY_DENIED |
π Policy | OPA policy denied |
C3_TOOL_CALL_LIMIT_EXCEEDED |
π¦ Sandbox | Tool call cap hit |
C3_TOKEN_BUDGET_EXCEEDED |
π¦ Sandbox | Token limit hit |
C3_LOOP_DETECTED |
π¦ Sandbox | Same tool+params 3+ times |
C3_STUCK_AGENT_DETECTED |
π¦ Sandbox | Repeated BLOCKs on same tool |
C3_CALL_DEPTH_EXCEEDED |
π¦ Sandbox | Nested sub-invocation depth exceeded |
C3_CYCLIC_CONTEXT |
π¦ Sandbox | Repeated context hash or verdict cycle |
C3_MEMORY_POISONING |
π¦ Sandbox | Context replay / unauthorized state mutation |
C3_EXFILTRATION_ATTEMPT |
π¦ Sandbox | Exfil tool, external URL, smuggled payload |
C3_PRIVILEGE_ESCALATION |
π¦ Sandbox | Sub-agent exceeds parent capability |
C3_KILL_CHAIN_DETECTED |
π¦ Sandbox | β₯3 kill-chain stages correlated |
C3_QUARANTINED |
π¦ Sandbox | Agent or parent quarantined |
C5_INTENT_MISMATCH |
π― Intent | Cosine similarity below threshold |
C5_ACTION_CATEGORY_VIOLATION |
π― Intent | Tool category inconsistent with intent |
C7_HUMAN_DENIED |
π€ HITL | Approver denied |
C7_APPROVAL_TIMEOUT |
π€ HITL | No decision within timeout |
C8_SIGNING_FAILURE |
βοΈ AetherSign | KMS signing failed (fail-closed) |
After executing a tool, scan output for injection/PII/secrets before passing to LLM context.
POST /session/{session_id}/scan-output{ "tool": "process_refund", "output": "Refund of $49.99 for john.doe@example.com" }{
"status": "SUSPICIOUS",
"sanitised_output": "Refund of $49.99 for [PII_REDACTED]",
"findings": [],
"pii_findings": [{ "category": "email", "severity": "MEDIUM", "position": 38 }]
}| Status | Meaning |
|---|---|
CLEAN |
β No issues |
SUSPICIOUS |
|
MALICIOUS |
π¨ High-confidence injection, output sanitized |
DISABLED |
βοΈ Scanning disabled in profile |
Always use
sanitised_output, not raw output.
When verdict == "PENDING":
GET /approvals/{hitl_request_id}/status β check decision status
POST /approvals/{hitl_request_id}/decide β submit approval/denial{ "approver_id": "alice@company.com", "approved": true, "notes": "Verified" }Only authorized approvers can decide (HTTP 403 otherwise).
POST /session/{session_id}/endMarks session COMPLETED, flushes provenance chain to immudb.
Pass parent_session_id at session start. FR-11 enforces: child β parent capability.
{
"agent_id": "data-export-agent",
"declared_intent": "Export Q3 data",
"workflow_id": "same-uuid-as-parent",
"parent_session_id": "orchestrator-session-id",
"parent_step": 3
}HTTP 403 PRIVILEGE_ESCALATION_DENIED if child exceeds parent's remaining budget/tools.
GET /workflow/{workflow_id}/trace β full parentβchild graph + chain integrityπ Token exchange (RFC 8693
actchains) and SPIFFE delegation require the Python SDK. REST delegation enforces all privilege containment without federated identity.
GET /session/{session_id}/traceReturns: all steps, verdicts, intent scores, violations, AetherSign signatures,
hash-chain links, risk_score (0β100), risk_level, risk_factors, chain_valid.
GET /session/{session_id}/provenance β immudb-verified recordGET /inventory β full agent grid (all registered agents)
GET /inventory/{agent_id} β complete profile + last session + riskPOST /{agent_id}/quarantine β { "mode": "SOFT|HARD|FULL_LOCKDOWN" }
POST /{agent_id}/release β lift quarantine
GET /quarantined β list quarantined agents
GET /incidents β kill-chain incidents
GET /public-key β KMS ECDSA-P256 public key (no auth)API_KEY="ag_live_xxxxxxxxxxxx"
BASE="https://agent-gateway.aetherguard.ai/api/v1/agents"
AUTH="Authorization: Bearer $API_KEY"
# β Register
curl -s -X POST "$BASE/register" -H "$AUTH" -H "Content-Type: application/json" -d '{
"agent_id": "support-agent-v1",
"agent_name": "Customer Support Agent",
"capability": {
"permitted_tools": ["create_ticket", "lookup_faq", "send_email"],
"data_classifications": ["pii"],
"max_tool_calls": 15,
"max_session_secs": 300,
"intent_threshold": 0.72,
"framework": "langchain"
}
}'
# β‘ Start session
SESSION=$(curl -s -X POST "$BASE/session/start" -H "$AUTH" \
-H "Content-Type: application/json" -d '{
"agent_id": "support-agent-v1",
"declared_intent": "Help customer with billing query for ACC-456"
}' | jq -r '.session_id')
# β’ Evaluate tool call
RESULT=$(curl -s -X POST "$BASE/session/$SESSION/tool" -H "$AUTH" \
-H "Content-Type: application/json" -d '{
"tool": "lookup_faq",
"params": { "query": "how to cancel subscription" },
"reasoning": "Customer asked about cancellation",
"tokens_input": 420,
"tokens_output": 180,
"model": "gpt-4o"
}')
VERDICT=$(echo $RESULT | jq -r '.verdict')
if [ "$VERDICT" = "ALLOW" ]; then
# Execute tool β scan output
curl -s -X POST "$BASE/session/$SESSION/scan-output" -H "$AUTH" \
-H "Content-Type: application/json" \
-d '{"tool":"lookup_faq","output":"Cancel at Settings > Subscription."}'
fi
# β£ End session
curl -s -X POST "$BASE/session/$SESSION/end" -H "$AUTH"| Feature | SDK | REST API |
|---|---|---|
| All 8 security controls (C1βC8) | β | β |
| Advanced controls (FR-1βFR-11) | β | β |
| π€ Multi-agent delegation | β | β |
| π€ HITL approval routing | β | β |
| Local caching (reduced latency) | β | β |
| Request batching | β | β |
| Automatic retry + backoff | β | β |
| SPIFFE/SVID identity | β | β |
| JIT token lifecycle | β | β |
RFC 8693 token exchange (act chains) |
β | β |
Β© 2026 AetherGuard, Inc.
