AI Agent Governance · Adversarial Truth · Signed Evidence

Govern every AI agent your enterprise depends on.

The AI agent governance platform built on adversarial truth.

Discover every agent. Classify risk with AIVSS. Red-team continuously with an eleven-agent adversarial swarm. Enforce policy at runtime. Generate signed evidence your auditor can verify.

Built by Glacien · APAC-built · AWS-native · Apache 2.0 swarm available

Trusted by enterprise security and AI platform teams

Currently in design-partner phase with banking, healthcare, and public-sector teams across APAC.

Audiences

Who's this for?

AgentGuardian is built around the three roles accountable for AI agents in regulated enterprises — each gets the artefacts and controls their function actually needs.

For CISOs

See your real AI attack surface.

Find every AI agent in your environment. Test continuously against agentic threats — goal hijack, tool misuse, memory poisoning, supply chain — the full OWASP ASI01–10.

See CISO use case

For Chief Risk Officers

Prove your AI governance is real.

Generate signed evidence packs mapped to your governance framework. Hand them to your auditor, your board, your regulator — cross-mapped to EU AI Act, NIST AI RMF, ISO 42001, MAS, APRA.

See Risk use case

For Chief AI Officers

Ship agents without security becoming the blocker.

Inventory agents across every platform. Run AIVSS in CI/CD. Enforce policy before agents act. Move from pilot to production without an audit standoff.

See Platform use case

Platform

One platform. Full agent lifecycle. Six capabilities.

A single control plane covering the full lifecycle — from discovery and AIVSS classification to continuous red-teaming, runtime enforcement, monitoring, and signed evidence.

Discover

Find every AI agent — sanctioned and shadow — across SaaS, cloud, homegrown frameworks, MCP servers, and endpoints. AI Bill of Materials included.

Classify

Score every agent with AIVSS — the OWASP-aligned scoring system that combines CVSS with ten agentic risk amplification factors. One number, comparable across releases and frameworks.

Red-team

Test continuously with an eleven-agent adversarial swarm. Goal hijack, tool misuse, memory poisoning, supply chain, code execution, A2A, drift — full OWASP ASI01–10 mapped to MITRE ATLAS.

Enforce

Apply runtime policy before agents act — tool calls, data access, model egress, agent-to-agent messages, human approval gates. Cedar-based policy engine.

Monitor

Track behavioural drift, tool anomalies, memory poisoning indicators, identity risk, cost spikes. SOC- and SIEM-ready event streams.

Evidence

Generate signed PDF/A-3 evidence packs with hash-chain anchoring. Cross-mapped to EU AI Act, NIST AI RMF, ISO 42001.

Adversarial Truth

Most platforms infer risk from configuration.
We derive it from adversarial truth.

Other platforms look at how your agents are configured — permissions, tool inventory, identity scope, posture. They produce risk scores from posture signals.

AgentGuardian does something different. Every classification, every AIVSS score, every finding in every evidence pack starts from an actual adversarial attack run against the actual deployed agent — its actual goal, its actual tools, its actual memory, its actual framework.

The eleven specialist red-team agents that run those attacks are open source. Apache 2.0. Inspectable on GitHub. Reproducible from pip install agent-guardian. The same swarm that powers AgentGuardian's classifications also runs on a developer's laptop in CI/CD.

That's adversarial truth — risk derived from what an attacker can actually do, not from what the configuration suggests they might do. And it's governance an auditor can verify, because the methodology isn't a black box.

How It Works

Three layers. One signed result.

AgentGuardian runs as a control plane in the cloud and a data plane inside your environment. Your regulated telemetry, prompts, tool calls, and evidence stay on your side. The eleven-agent swarm runs scans on demand or on a schedule, produces an AIVSS score, and writes a signed evidence pack to your customer-resident storage.

Glacien-hosted

Control Plane

Sees signed manifests only — metadata, never payloads.

  • Console
  • Tenant management
  • Policy authoring
  • Dashboards
  • Billing
manifests · signatures

Customer-resident

Data Plane

Inside your VPC. Regulated telemetry never leaves.

  • Agent discovery
  • 11-agent swarm
  • Runtime enforcement
  • KMS signing
  • Audit ledger
  • Evidence storage
scans · enforcement

Customer estate

Target Agents

LangChain, LangGraph, AutoGen, CrewAI, Bedrock, Vertex AI, custom.

  • Tool-calling agents
  • Memory-bound agents
  • A2A flows
  • MCP servers
  • Custom REST endpoints
inference endpoints

What happens during a scan.

Four phases. The swarm discovers your agent, attacks it, scores the result, and emits a signed evidence pack.

Phase 01 · Inventory
Map the attack surface.

Discovery agent traces every tool, memory binding, identity boundary, and framework hook of the target.

customer-support-agent · LangGraph
tools: 4
memory: conversation
A2A: 1 binding
Phase 02 · Swarm
Eleven specialists fire in parallel.

Recon, goal-hijack, tool-abuse, privilege, supply-chain, code-exec, memory-poison, A2A, cascade, trust-exploit, drift.

ASI01 goal-hijack: 2 / 47
ASI02 tool-abuse: 3 / 38
ASI04 memory-poison: 1 / 22
ASI07 cascade: 0 / 31
Phase 03 · AIVSS
Score on 0–100.

OWASP-aligned scoring. CVSS base metrics combined with ten agentic risk amplification factors.

67 / 100
findings: 9
critical: 2
high: 3
Phase 04 · Evidence
Sign and emit.

PDF/A-3 + PAdES-LTA, hash-chain anchored, machine-readable JSON sidecar, framework mapping.

EP-2026-Q1-0007
EU AI Act · NIST · ISO 42001
✓ Signed · sha256:4f8a…

From discovery to signed evidence — in one scan.

Evidence Pack

The artefact your CRO actually wants.

Every AgentGuardian scan produces a signed evidence pack: PDF/A-3 + PAdES-LTA signature, RFC 3161 timestamp, hash-chain anchored, machine-readable JSON sidecar, cross-framework mapping. Hand it to your Internal Audit team. Hand it to your regulator. Hand it to your Board Risk Committee.

  • Executive summary
  • Agent inventory in scope
  • AIVSS risk classification
  • OWASP ASI01–10 evaluation results
  • Runtime policy decisions
  • Approval and exception history
  • Cross-framework mapping appendix
  • Signature manifest + verification instructions
AgentGuardian · Evidence Pack · ✓ Signed
EP-2026-Q1-0007
Issued: 2026-05-12 · Issuer: AgentGuardian · Customer-resident KMS
Agents in scope: 147 · 9 high-risk
Framework mapping: EU AI Act · NIST AI RMF · ISO 42001
OWASP scorecard: 92 / 100
Approvals logged: 412
sha256: 4f8a92e1c0b3d7a9e2f4c1b8d6a0e3f7c9b2a1e8d4c7f0b3a6e9d2c5f8b1a4e7

Download a real sample pack · See the JSON schema

Integrations

Works with the agent frameworks your team already uses.

AgentGuardian connects to any agent that exposes an inference endpoint — first-class support across the frameworks your platform team is already shipping with.

Framework / Platform          Status
LangChain                     Supported
LangGraph                     Supported
OpenAI Agents SDK             Supported
AutoGen                       Supported
CrewAI                        Supported
Anthropic Claude API          Supported
AWS Bedrock + AgentCore       Supported
Google Vertex AI + ADK        Supported
Azure OpenAI + Foundry        Supported
Strands                       Supported
MCP servers                   Supported
Custom REST endpoints         Supported

Open Source

Test your AI agents while you build them.

Glacien releases the eleven-agent adversarial swarm as an open-source Apache 2.0 Python package, free for any developer. Use it locally during build. Run it in CI/CD as a security gate. The same engine powers AgentGuardian Enterprise — so what developers see locally is what the security team sees in the platform.

AgentGuardian Open · Apache-2.0

What developers get.

Free for developers, researchers, and security engineers.

The eleven specialist red-team agents (recon, goal hijack, tool abuse, privilege, supply chain, code execution, memory poisoning, A2A, cascade, trust exploit, drift), the AIVSS engine, probes mapped to OWASP ASI01–10 + MITRE ATLAS + CSA Agentic RT, a local UI, and a CI/CD gate.

  • Eleven specialist red-team agents
  • AIVSS v0.5 scoring engine
  • OWASP ASI01–10 + ATLAS probes
  • Local single-page UI
  • PDF + HTML + JSON + SARIF reports
  • CI/CD gate (--fail-under)
$ pip install agent-guardian
$ agent-guardian scan ./my_agent.py
$ agent-guardian serve

AgentGuardian Enterprise · SaaS

What the platform adds.

Same attack engine. Centralised, governed, evidenced.

The platform doesn't add a different swarm. It adds discovery across your estate, scheduling, runtime enforcement, signed evidence packs, audit log, SSO, and customer-resident deployment around the same eleven-agent core.

  • Centralised inventory + discovery
  • Scheduled + continuous scans
  • Runtime policy enforcement
  • SAML SSO · SCIM · MFA · RBAC
  • Signed PDF/A-3 evidence packs
  • Audit log · exceptions · approvals
  • Customer-resident data plane
  • AWS Marketplace procurement

Why we open-sourced it: adversarial methodology shouldn't be a black box. Apache 2.0 means anyone can read the code, reproduce a scan, and verify the methodology.

Compliance & Framework Coverage

Maps to the frameworks your governance team already uses.

Every Evidence Pack carries a cross-mapping appendix tailored to whatever framework set you operate under — plus your internal audit standard, your board risk policy, and your own AI governance framework if you have one.

AI Frameworks

  • EU AI Act
  • NIST AI RMF
  • ISO/IEC 42001
  • ISO/IEC 23894
  • CVSS v4.0 + AIVSS v0.5

Security Frameworks

  • MITRE ATLAS
  • OWASP Agentic Top 10
  • OWASP LLM Top 10
  • CSA Agentic RT

Regional Regulators

  • MAS Singapore
  • APRA Australia
  • RBI India
  • OJK Indonesia
  • BNM Malaysia · BSP Philippines
See the full compliance mapping

Pricing

Pick the plan that fits your environment.

All plans include the open-source red-teaming swarm. Move up as agent count and governance scope grow.

Starter
For a single team

Running AgentGuardian against pre-production agents.

Includes
  • Up to 5 agents
  • 11-agent adversarial swarm
  • AIVSS scoring
  • OWASP ASI01–10 + ATLAS tags
  • PDF + JSON + SARIF reports
  • Slack / email support
Request pricing

Enterprise
For enterprise-wide governance

Customer-resident deployment, full audit, multi-team rollout.

Everything in Professional, plus
  • Unlimited agents
  • Customer-resident data plane
  • SOC 2 Type II
  • 7-year immutable audit log
  • Dedicated customer-success manager
  • AWS Marketplace procurement
Talk to Sales

All plans include the open-source red-teaming swarm. See full pricing comparison →

FAQ

Frequently asked questions.

How is AgentGuardian different from a runtime guardrail like Lakera or Prompt Security?
Runtime guardrails sit in front of a model and block harmful prompts at inference time. AgentGuardian governs the full agent lifecycle — discovery, classification, continuous red-teaming, runtime enforcement, monitoring, and signed evidence. Runtime enforcement is one of six capabilities; the differentiation is that every score and every evidence pack is derived from an actual adversarial attack against the live agent, not from posture inference.

Does AgentGuardian access our prompts, tool calls, or production data?
No. AgentGuardian deploys as a control plane in Glacien-hosted infrastructure and a data plane inside your environment. Regulated telemetry — prompts, tool calls, evidence packs, logs, KMS keys — stays in your VPC. The control plane only sees signed manifests, metadata, and the artefacts you choose to share.

Which agent frameworks do you support?
LangChain, LangGraph, OpenAI Agents SDK, AutoGen, CrewAI, Anthropic Claude API, AWS Bedrock and AgentCore, Google Vertex AI and ADK, Azure OpenAI and Foundry, Strands, MCP servers, and any custom REST endpoint that exposes an inference API. See the integrations grid above or the docs for the current list.

How do you produce an AIVSS score?
AgentGuardian runs an eleven-agent adversarial swarm against the target. Each specialist agent attacks one OWASP ASI01–10 category. Probes that fire are evaluated for severity using OWASP AIVSS v0.5 (which combines CVSS base metrics with ten agentic risk amplification factors). The final score is a weighted aggregate, 0–100, and is reproducible from the same target plus the same probe versions.

Can we run AgentGuardian air-gapped or on-premise?
The standard deployment is customer-resident data plane plus Glacien-hosted control plane. Fully air-gapped on-premise is on the roadmap. Contact sales for current status.

What evidence does the Evidence Pack actually contain?
Executive summary, agent inventory in scope, AIVSS risk classification, OWASP ASI01–10 evaluation results, runtime policy decisions, approval and exception history, cross-framework mapping (EU AI Act, NIST AI RMF, ISO 42001, MAS, APRA, etc.), signature manifest with PAdES-LTA signature and RFC 3161 timestamp, and step-by-step verification instructions.

How does AgentGuardian integrate with our SIEM, SOC, and ticketing tools?
Runtime decisions, policy violations, and drift alerts emit as SIEM-ready events (CEF, ECS, or native connectors for Splunk, Sentinel, Chronicle, Elastic). Finding tickets can post to Jira, ServiceNow, or any webhook target. Evidence packs export to S3-compatible storage or your existing GRC system.

Is the open-source red-teaming swarm the same as the platform's swarm?
Yes. Same agents, same probe library, same AIVSS scoring formula. The platform adds discovery, scheduling, runtime enforcement, evidence packs, audit log, SSO, and customer-resident deployment — not a different attack engine. That's intentional: the methodology shouldn't be a black box.

Govern the agents your enterprise is about to depend on.

AI agents are becoming part of business operations, security workflows, customer experience, and regulated decision-making. AgentGuardian helps you discover them, test them, control them, monitor them, and prove they are governed — with adversarial truth, not posture inference.