Aigentical — Govern every AI agent. Anywhere it runs.

The agentic turn

AI security was built for a chat interface. Agents take actions.

Agents now delete data, issue refunds, and modify production. Actions happen outside the model’s context — tool calls, MCP, A2A delegation — where content classifiers can’t reach.

Chat-era AI security

Designed for prompts & responses

Built for text in, text out
GenAI gateways + in-context content classifiers
Stops jailbreaks, PII leaks, toxic output
Doesn’t reach tool calls, deletes, refunds, A2A

Agentic-era governance

Designed for the actions the agent takes

Tool calls, MCP, A2A delegation, blast radius
Cryptographic primitives — HITL, HMAC audit, claim-pinned identity
Stops delete-prod, refund-fraud, RAG-poisoning, mosaic exfil
A new layer — complementary to your existing guardrails

Aigentical in one frame

The agent flows through the proxy. The rules live out of band.

Every LLM, MCP, vector-DB, and A2A call routes through one governance pipeline. The agent can’t disable what it can’t reach.

Agent

LangChain · CrewAI · MCP · Cursor

›

Aigentical Proxy

Policy Enforcement Point · 10 layers · 4 tiers, in-path

›

Providers

LLMs · vector DBs · MCP tools · A2A peers

The proxy is the Policy Enforcement Point (PEP); the out-of-band control plane — blast radius, cryptographic approvals, reputation, immutable audit — is the Policy Decision Point (PDP). A Zero Trust split the agent can’t reach or collapse.

IP Shield

Intellectual-property leak detection

RAG Firewall

Vector-DB filter · mosaic exfil

Input Shield

Jailbreak + injection scanner

Policy Engine

CEL · ALLOW / DENY / APPROVE

MCP Intercept

Per-tool-call pipeline

Cryptographic HITL

Approval the agent can’t forge

Output Shield

PII + credential rule packs

Reputation

Per-agent behavioral trust

Audit Chain

HMAC-keyed · SIEM forward

L10

A2A Trust

min(chain) · max depth

Deploy anywhere

One pipeline. Every surface an agent touches.

Zero-to-low-friction deployment — point a base_url, drop in a sidecar, or gate at admission. The same layers run on every tier: cloud, on-prem, or air-gapped, with no agent rewrite.

T1 · network

Proxy

Point a base_url. Every LLM + MCP call routes through it.

T2 · library

SDK

@govern gates functions in-process. Python + TypeScript.

T3 · protocol

MCP Intercept

Tool calls governed inside the protocol, with the nonce gate.

T4 · runtime

Wasm Sandbox ROADMAP

Capability-scoped runtime — denies any ungranted call.

Six insertion surfaces, one stateful pipeline: SDK · decorator · proxy · MCP · K8s admission webhook · sidecar. Add a surface, not a rewrite.

Hero capability

Cryptographic human-in-the-loop. Bypass is a math problem.

Most HITL is a workflow checkbox an agent can talk its way around. Ours is a cryptographic primitive: a high-risk action freezes until a person approves, and the agent has no material to forge the result.

Can’t forge — the execution token is an HMAC of a server-side nonce the agent never sees.
Can’t reuse — single-use, 60-second TTL, consumed on first verify.
Can’t wait it out — the approval window and the execution window are independent.
Attributable — every approval is recorded in a tamper-evident audit chain.

# agent requests a sensitive action

wire_payment(amount=50000)

# policy → require approval

decision: REQUIRE_APPROVAL

nonce: <256-bit, server-side only>

# payment frozen — waiting on a human

status: PENDING_APPROVAL

→ human clicks Approve

execution_token = HMAC(server_key, nonce)

ttl: 60s · single-use

# the agent never held the key.

Non-human identity

Your IAM authenticates the agent at the door. We govern every action it takes after.

Authentication is the front door. The risk is the action. Aigentical consumes your identity signal and makes the agent’s identity enforceable at every call.

We consume

Your identity stack, unchanged

No rip-and-replace — we sit on top of the IAM you already run and make it enforceable at every agent action.

SPIFFE / SPIRE · mTLS · OIDC & SAML SSO (Okta, Entra, Keycloak)
SCIM provisioning · bring-your-own key custody (your KEK or HashiCorp Vault)
Additive to Okta / CyberArk / SailPoint — not a replacement

We add

Runtime authorization

Per-action verdict + reason, every call
Least agency: blast-radius ∩ allowlist ∩ reputation
Delegation trust = min(chain) — privilege can’t launder

We pin

Claim-pinned identity

Strongest-signal-wins resolver chain
Env-pinned tokens — a dev token can’t act in prod
A spoofable header can’t impersonate a cert

Procurement becomes “Aigentical and your identity stack,” never “or.” Zero migration — you keep what you have.

Competitive stance

Bring your own guardrails. We’re the brain.

We don’t replace your detectors — we consume their verdicts. Every catch, ours or theirs, runs one closed loop: audit, reputation penalty, pattern capture, alert. Defense-in-depth that compounds.

Detectors feed in

NeMo, Lakera, provider refusals, your classifiers
One endpoint — trust-weighted ingestion
Their detection compounds inside one brain

We catch directly

Tool calls, MCP, A2A, blast radius
Cryptographic HITL on high-risk actions
What guardrails were never built for

The closed loop

Tamper-evident audit + reputation drop
Mosaic session risk + pattern capture
Real-time SOC alert across all detectors

Audit-ready

Evidence your auditors and your board can read

Every decision pins its policy version into a tamper-evident chain, forwarded to your SIEM. Mapped to the frameworks your program already runs on.

SOC 2 CC6/CC7 EU AI Act Art. 12 & 14 NIST AI RMF ISO 42001 HIPAA §164.312 PCI-DSS 10 GDPR Art. 30/32 Forrester AEGIS MITRE ATLAS

Get started

Deploy governance in hours, not quarters.

Map your agent inventory, deploy the proxy in staging with zero code changes, and watch governance run on your own agent traffic.

Book a technical deep dive sangeet@aigentical.ai →