Enterprise

The control plane for agent risk.

Govern every agent across LangChain, LangGraph, CrewAI, MCP, and custom runtimes — with dashboards, Cedar enforcement, signed evidence, and regulator-ready exports for MAS, APRA, RBI, the EU AI Act, and ISO 42001.

Runtime PDP
p99 ≤ 10ms

Cedar 4.5 policy decisions enforced inline at the AgentCore Gateway, SLO-bound, default-deny.

Audit retention
7 years

S3 Object Lock Compliance mode. ECDSA-P384, SHA-384, RFC 3161 dual TSA, Merkle-anchored.

Regulator coverage
8 frameworks

MAS · APRA · RBI · OJK · BNM · BSP · EU AI Act Title III · NIST AI RMF + ISO 42001.

CI integrations
SARIF 2.1.0

GitHub Actions, GitLab CI, CircleCI, Jenkins — PR comments with AIVSS deltas against the prior run.

Enterprise internals

From StackSet install to a regulator-ready posture.

AgentGuardian is the control plane for AI agent risk. The four blocks below describe what the platform does once the data plane is live in your AWS account: how operators see posture, author and enforce policy, and how the platform connects to the agent frameworks and CI systems already in your estate.

Control Plane

Dashboards, RBAC, and tenancy.

  • Cognito + SAML SSO with External-ID hardened IAM and per-tenant CMKs
  • Role model: Org Admin, Security Engineer, GRC Reviewer, Auditor Read-Only, with per-role probe and report scopes
  • Multi-tenant SaaS, single primary region per geography, customer-resident data plane installed via CloudFormation StackSet with PrivateLink
Posture Dashboards

AIVSS, drift, and tier coverage.

  • Time-series AIVSS posture across every registered agent, with severity-weight breakdown and tier-weight overlay
  • Drift detector: surfaces a posture-score delta against the prior scan with the specific specialists that caused the delta
  • Coverage panel: probe-by-probe heatmap across ASI01-ASI10, OWASP-LLM specialists, and the mutator matrix
Policy

The Cedar 4.5 policy editor and runtime PDP.

  • In-platform Cedar policy editor with linting, simulation, and AIVSS-aware test fixtures
  • Policy decision point at the AgentCore Gateway with p99 latency under 10ms enforced by SLO
  • Versioned policy bundles with two-person review, KMS-signed deploy, and rollback by hash
Integrations

Agent frameworks, MCP, and CI.

  • First-class adapters: LangChain, LangGraph, CrewAI, OpenAI Agents SDK, AutoGen, Google ADK, AWS Strands, MCP servers, custom HTTP
  • CI integrations: GitHub Actions, GitLab CI, CircleCI, Jenkins, with SARIF 2.1.0 upload and PR comment AIVSS deltas
  • Source integrations: AgentCore Gateway, AWS Bedrock, CloudTrail Lake sweep for agent-call evidence
Inside the console

The executive AIVSS rollup, agent breakdown, and posture trend.

Operators land on a posture summary scoped to their RBAC tier. Org Admins and Security Engineers see the full estate; GRC Reviewers see the regulator-pack drafts; Auditor Read-Only sees the immutable evidence and audit-log view with no write paths.

Posture · last 30 days · orders-estate · tenant_prod
AIVSS 67 · down 4.1
Agents: 247
T1 critical: 2 (↓ 1)
T2 high: 11 (↑ 2)
Drift alerts: 1 (support-rag)
AIVSS posture trend: 30d ago · 15d · today (trend chart)
Top agents by AIVSS:
  • payments-orchestrator · T1 · 8.9
  • shadow-extract-svc · T1 · 8.4
  • kyc-router · T2 · 6.7
  • support-rag · T2 · 5.6
  • claims-bot · T3 · 3.1
.agentguardian.yaml

Declarative scope, budget, and rules of engagement.

Every agent registered with the platform is pinned to a contract file under version control. The control plane reads it to decide which probes run, against which targets, with which budget — and what is in scope for the regulator pack.

agent: payments-orchestrator
tier: T1
scope:
  framework: langgraph
  endpoint: bedrock://agentcore/payments-v3
  tools: [stripe, postgres, internal-fraud]
roe:
  banned_targets: [prod-customer-pii]
  redact: [card_number, cvv]
budget:
  max_calls: 4000
  max_usd: 18.50
probes:
  - asi01_prompt_injection
  - asi04_tool_invocation_abuse
  - asi09_memory_poisoning
  - mutators: [bon, flipattack, manyshot, h_cot]
report:
  frameworks: [mas_airg, apra_cps_230]
  sarif: true
Lints in the editor. Diffs visible in the audit log. Versioned alongside the Cedar policy bundle.
Cedar 4.5 · Policy Decision Point

Author, simulate, and ship policy.

The Cedar editor is in the console. Policies are linted in-line, simulated against AIVSS-aware test fixtures generated from the latest scan, reviewed by two humans, signed by KMS, and shipped as a versioned bundle. The runtime PDP at the AgentCore Gateway enforces the active bundle with a p99 latency under 10ms.

Cedar 4.5 source · payments-orchestrator
// rule: gate any tool call that touches PII on a T1 agent
// (AIVSS scores are Cedar decimals, so the threshold compare uses the decimal extension)
forbid (
  principal in Agent::"payments-orchestrator",
  action == Action::"InvokeTool",
  resource in ToolGroup::"data-egress"
)
when {
  principal.tier == "T1" &&
  context.aivss.greaterThanOrEqual(decimal("7.0")) &&
  context.probe_evidence.contains("asi01_prompt_injection")
};

// rule: hard cap denial-of-wallet budgets per agent / 24h
// ("principal is Agent" matches every Agent entity; Cedar has no "*" wildcard id)
forbid (
  principal is Agent,
  action == Action::"ModelInvoke",
  resource in Model::"bedrock"
)
when { context.usd_24h.greaterThanOrEqual(principal.budget.max_usd) };
LINT · ok · SIM · 12 / 12 fixtures pass · BUNDLE v4.1.3 · sha256 4a7c…b819
Promotion lifecycle

Shadow → canary → enforce.

  • Shadow: the PDP evaluates every request; nothing is blocked. Decisions are logged for review against historical traffic.
  • Canary: block for a configurable percentage of principals. The drift detector watches false-positive rates against the previous bundle.
  • Enforce: default-deny, fail-closed, SLO-bound p99 ≤ 10ms. Rollback by hash with two-person review.
Every transition is a hash-chained audit-log entry. Rollback restores the previous bundle in one click.
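The three modes above differ only in what the gateway does with a verdict, which is easiest to see as code. The following is an added illustration, not AgentGuardian's implementation: the Cedar evaluator at the AgentCore Gateway is replaced by a plain Python callable (`example_pdp`, a constructed stand-in for the first Cedar rule on this page), the bundle hash is a placeholder, and `failing_pdp` exists only to show the fail-closed path.

```python
import hashlib
import logging
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

# Added illustration of the shadow -> canary -> enforce lifecycle. Not
# AgentGuardian code: the PDP is a callable, the bundle hash a placeholder.


class Mode(Enum):
    SHADOW = "shadow"    # evaluate and log; never block
    CANARY = "canary"    # apply verdicts to a fixed bucket of principals
    ENFORCE = "enforce"  # apply every verdict; fail closed on evaluator error


@dataclass
class Request:
    principal: str
    action: str
    resource: str
    context: Dict


@dataclass
class Decision:
    allowed: bool
    verdict: str    # "permit", "forbid" or "error"
    mode: str
    enforced: bool  # whether the verdict actually gated the request


@dataclass
class PolicyGateway:
    pdp: Callable[[Request], bool]  # True = permit; raises on evaluator failure
    mode: Mode = Mode.SHADOW
    canary_percent: int = 0
    bundle_hash: str = "BUNDLE-HASH-PLACEHOLDER"  # assumed; the page pins bundles by hash
    transitions: List[Dict] = field(default_factory=list)

    def in_canary(self, principal: str) -> bool:
        # Deterministic bucketing: a principal's canary membership is stable
        # across requests, so a false positive can be reproduced in review.
        bucket = int(hashlib.sha384(principal.encode()).hexdigest(), 16) % 100
        return bucket < self.canary_percent

    def decide(self, req: Request) -> Decision:
        try:
            permitted = self.pdp(req)
            verdict = "permit" if permitted else "forbid"
        except Exception:
            # Evaluator failure is a deny in canary and enforce (fail closed);
            # shadow still passes the request but records the error.
            permitted, verdict = False, "error"
        if self.mode is Mode.SHADOW:
            logging.info("shadow verdict=%s principal=%s action=%s",
                         verdict, req.principal, req.action)
            return Decision(True, verdict, self.mode.value, False)
        if self.mode is Mode.CANARY and not self.in_canary(req.principal):
            return Decision(True, verdict, self.mode.value, False)
        return Decision(permitted, verdict, self.mode.value, True)

    def promote(self, new_mode: Mode, canary_percent: int = 0,
                approvers: tuple = ()) -> Dict:
        # Two distinct approvers per transition; the record names the bundle.
        if len(set(approvers)) < 2:
            raise PermissionError("promotion requires two distinct approvers")
        entry = {"from": self.mode.value, "to": new_mode.value,
                 "canary_percent": canary_percent, "bundle": self.bundle_hash,
                 "approvers": sorted(set(approvers))}
        self.transitions.append(entry)
        self.mode, self.canary_percent = new_mode, canary_percent
        return entry


def example_pdp(req: Request) -> bool:
    # Constructed stand-in for the page's first Cedar rule: forbid tool
    # calls from a T1 agent once its AIVSS reaches 7.0.
    return not (req.action == "InvokeTool"
                and req.context.get("tier") == "T1"
                and req.context.get("aivss", 0.0) >= 7.0)


def failing_pdp(req: Request) -> bool:
    # Simulates an evaluator outage to exercise the fail-closed path.
    raise RuntimeError("evaluator unavailable")


if __name__ == "__main__":
    gw = PolicyGateway(pdp=example_pdp)
    hot = Request("payments-orchestrator", "InvokeTool", "data-egress",
                  {"tier": "T1", "aivss": 8.9})
    print(gw.decide(hot))                                   # shadow: allowed, verdict forbid
    gw.promote(Mode.CANARY, 100, approvers=("alice", "bob"))
    print(gw.decide(hot))                                   # canary: blocked
    gw.promote(Mode.ENFORCE, approvers=("alice", "bob"))
    print(gw.decide(hot))                                   # enforce: blocked
    print(PolicyGateway(pdp=failing_pdp, mode=Mode.ENFORCE).decide(hot))  # error -> denied
```

The point to check in any real rollout is the `except` branch: shadow must never block (or it is not shadow), while canary and enforce must deny on evaluator error, otherwise an outage of the PDP silently becomes an allow-all.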
Integrations

Frameworks, MCP, CI, and the AgentCore Gateway.

AgentGuardian ships first-class adapters for the agent frameworks teams already run, with a thin custom-HTTP shim for everything else. CI integrations stream SARIF 2.1.0 into the platform and post AIVSS-delta comments back on the pull request.
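The drift detector on the posture dashboard and the PR-comment delta are the same computation: score each run, diff per agent, and name the probes that moved. As an added example (not AgentGuardian code, and not its SARIF emitter), the block below does that over two constructed runs and writes a minimal SARIF 2.1.0 log; the finding layout, the max-score rollup in `posture`, the AIVSS-to-level mapping and the comment wording are all assumptions.

```python
import json
from typing import Dict, List

# Added illustration of the CI flow: AIVSS delta vs prior run, probe
# attribution, SARIF 2.1.0 output. Not AgentGuardian code; the run data
# below is constructed.

Finding = Dict  # keys: agent, probe, aivss, title


def posture(findings: List[Finding]) -> Dict[str, float]:
    # Assumed rollup: an agent's posture is the highest AIVSS among its findings.
    out: Dict[str, float] = {}
    for f in findings:
        out[f["agent"]] = max(out.get(f["agent"], 0.0), f["aivss"])
    return out


def probe_scores(findings: List[Finding], agent: str) -> Dict[str, float]:
    return {f["probe"]: f["aivss"] for f in findings if f["agent"] == agent}


def drift(prior: List[Finding], current: List[Finding]) -> Dict[str, Dict]:
    """Per-agent delta plus the probes whose score changed, appeared or cleared."""
    before, after = posture(prior), posture(current)
    report: Dict[str, Dict] = {}
    for agent in sorted(set(before) | set(after)):
        delta = round(after.get(agent, 0.0) - before.get(agent, 0.0), 2)
        old, new = probe_scores(prior, agent), probe_scores(current, agent)
        changed = {p: (old.get(p), new.get(p))
                   for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)}
        if delta or changed:
            report[agent] = {"delta": delta, "changed_probes": changed}
    return report


def sarif_level(aivss: float) -> str:
    # Assumed mapping from AIVSS to SARIF result levels.
    return "error" if aivss >= 7.0 else "warning" if aivss >= 4.0 else "note"


def to_sarif(findings: List[Finding], tool_version: str = "0.0.0-example") -> Dict:
    # One SARIF rule per probe, one result per finding; the agent's contract
    # file is used as the artifact location so the PR annotation has a file.
    rules: Dict[str, Dict] = {}
    for f in findings:
        rules.setdefault(f["probe"], {"id": f["probe"],
                                      "shortDescription": {"text": f["title"]}})
    results = [{
        "ruleId": f["probe"],
        "level": sarif_level(f["aivss"]),
        "message": {"text": f"{f['agent']}: {f['title']} (AIVSS {f['aivss']})"},
        "properties": {"aivss": f["aivss"], "agent": f["agent"]},
        "locations": [{
            "physicalLocation": {"artifactLocation": {"uri": ".agentguardian.yaml"}},
            "logicalLocations": [{"name": f["agent"],
                                  "fullyQualifiedName": f"agent/{f['agent']}"}]}],
    } for f in findings]
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "example-agent-scanner",
                                          "version": tool_version,
                                          "rules": list(rules.values())}},
                      "results": results}]}


def pr_comment(report: Dict[str, Dict]) -> str:
    lines = ["### AIVSS delta vs prior run"]
    for agent, r in report.items():
        sign = "+" if r["delta"] > 0 else ""
        lines.append(f"- `{agent}`: {sign}{r['delta']}")
        for probe, (old, new) in r["changed_probes"].items():
            was = "none" if old is None else old
            now = "cleared" if new is None else new
            lines.append(f"  - {probe}: {was} -> {now}")
    return "\n".join(lines)


# Constructed runs; probe ids are the ones named on this page.
PRIOR_RUN = [
    {"agent": "payments-orchestrator", "probe": "asi01_prompt_injection",
     "aivss": 8.9, "title": "Prompt injection via tool result"},
    {"agent": "support-rag", "probe": "asi09_memory_poisoning",
     "aivss": 5.6, "title": "Persisted instruction in vector memory"},
]
CURRENT_RUN = [
    {"agent": "payments-orchestrator", "probe": "asi01_prompt_injection",
     "aivss": 6.1, "title": "Prompt injection via tool result"},
    {"agent": "support-rag", "probe": "asi09_memory_poisoning",
     "aivss": 5.6, "title": "Persisted instruction in vector memory"},
    {"agent": "support-rag", "probe": "asi04_tool_invocation_abuse",
     "aivss": 7.2, "title": "Tool called outside declared scope"},
]

if __name__ == "__main__":
    print(pr_comment(drift(PRIOR_RUN, CURRENT_RUN)))
    print(json.dumps(to_sarif(CURRENT_RUN), indent=2))
```

Gating a merge on `delta > 0` for any T1 agent, rather than on the absolute score, is what makes the comment actionable: the reviewer sees which probe regressed, not just that the estate is "at 67".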

Agent frameworks

Adapters

  • LangChain
  • LangGraph
  • CrewAI
  • OpenAI Agents SDK
  • AutoGen
  • Google ADK
  • AWS Strands
  • MCP servers
  • Custom HTTP
CI / VCS

Pipelines

  • GitHub Actions
  • GitLab CI
  • CircleCI
  • Jenkins
  • SARIF 2.1.0 upload
  • PR comment · AIVSS delta vs prior run
  • Signed-bundle export · cosign / KMS
  • Webhooks · Slack channel digest
Source telemetry

AWS

  • AgentCore Gateway (PDP host)
  • AWS Bedrock model invocations
  • CloudTrail Lake sweep · agent-call evidence
  • KMS · CMK signing + verify
  • S3 Object Lock evidence archive
  • PrivateLink for tenant access
  • Splunk · Sentinel · Chronicle · Elastic SIEM out
Evidence + Audit

Signed evidence and a tamper-evident audit chain.

Every finding produced by a probe is sealed into an evidence record carrying the probe ID, the OWASP / MITRE ATLAS / CSA category, the AIVSS vector, and the deterministic reproduction trace. Every operator action against the control plane lands in an append-only hash-chained log signed by a KMS-backed Merkle root.

Evidence Packs

KMS-signed, dual-TSA, S3 Object Lock.

  • Per-finding evidence: probe ID, ATLAS technique ID, CSA category, AIVSS vector, reproduction trace
  • Cryptographic posture: ECDSA-P384, SHA-384, RFC 3161 dual TSA, PAdES-LTA, FIPS 140-3, per-tenant CMK plus ECDSA-P384 signing key
  • Retention: S3 Object Lock Compliance mode, seven-year default, regulator-pack export structured per framework
Audit Log

Append-only with a tamper-evident chain.

  • Append-only audit log of every scan, policy change, evidence-pack export, and RBAC mutation
  • Hash-chained entries with periodic Merkle root signing and dual-TSA timestamps
  • External auditor read-only role with CSV and JSONL export, no platform write access
Cryptographic posture: ECDSA-P384 signing · SHA-384 hashing · RFC 3161 dual TSA (DigiCert primary, GlobalSign secondary) · PAdES-LTA Level on PDF/A-3 · S3 Object Lock Compliance 7-year retention · FIPS 140-3 KMS endpoints in regulated regions · per-tenant CMK plus per-tenant ECDSA-P384 signing key.
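What "hash-chained with periodic Merkle root signing" buys an auditor is that no single entry can be edited, and no entry removed, without the recomputation failing. The block below is an added illustration of that structure, not AgentGuardian's audit log: it uses SHA-384 as the page states, but the ECDSA-P384/KMS signature over the root and the RFC 3161 timestamps are not reproduced; `seal()` returns the root that would be handed to the signer, and the entries in `demo_log` are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration of a hash-chained, Merkle-rooted audit log. Not
# AgentGuardian code: SHA-384 as on the page; signing/timestamping omitted.

GENESIS = "0" * 96  # length of a SHA-384 hex digest


def canonical(obj) -> bytes:
    # Fixed key order and separators so the same record always hashes alike.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha384_hex(data: bytes) -> str:
    return hashlib.sha384(data).hexdigest()


@dataclass
class Entry:
    seq: int
    actor: str
    action: str
    payload: Dict
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # The hash covers the link to the predecessor, so editing an earlier
        # entry invalidates every hash after it.
        body = {"seq": self.seq, "actor": self.actor, "action": self.action,
                "payload": self.payload, "prev_hash": self.prev_hash}
        return sha384_hex(canonical(body))


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, actor: str, action: str, payload: Dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = Entry(len(self.entries), actor, action, payload, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and link; return (ok, seq of first bad entry)."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False, e.seq
            prev = e.entry_hash
        return True, None

    def merkle_root(self) -> str:
        # Leaves are the entry hashes. Leaf and inner nodes get distinct
        # prefixes so an inner node can never be presented as a leaf.
        level = [hashlib.sha384(b"\x00" + bytes.fromhex(e.entry_hash)).digest()
                 for e in self.entries]
        if not level:
            return sha384_hex(b"")
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])  # duplicate the odd node out
            level = [hashlib.sha384(b"\x01" + level[i] + level[i + 1]).digest()
                     for i in range(0, len(level), 2)]
        return level[0].hex()

    def seal(self) -> Dict:
        # Periodic checkpoint: the value a KMS signature and TSA would cover.
        ok, bad = self.verify()
        if not ok:
            raise ValueError(f"chain broken at seq {bad}")
        return {"count": len(self.entries), "root": self.merkle_root()}


def demo_log() -> AuditLog:
    # Constructed entries mirroring the operator actions the page lists.
    log = AuditLog()
    log.append("alice", "scan.run", {"agent": "payments-orchestrator"})
    log.append("bob", "policy.promote", {"bundle": "v4.1.3", "to": "canary"})
    log.append("carol", "rbac.grant", {"role": "Auditor Read-Only", "user": "ext-auditor"})
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.verify(), log.seal())
    log.entries[1].payload["to"] = "enforce"   # silent edit of an old entry
    print(log.verify())                        # (False, 1)
```

An external auditor holding only the signed roots and the exported JSONL can rerun `verify()` and `merkle_root()` offline; if an operator re-hashes an edited entry to hide the change, the successor's `prev_hash` no longer matches and the break simply moves one entry later.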
Regulator-pack export

Seven templates, eight frameworks, deterministic rebuilds.

Each pack rebuilds deterministically from raw findings plus the active policy bundle, with the framework version pinned by hash. Auditors can verify the signature offline with the AgentGuardian Verifier CLI. A sample pack ships for each regulator as a signed PDF with the underlying JSONL evidence trail.

MAS AIRG
Singapore — AI Risk Governance
Monetary Authority of Singapore
APRA CPS 230 + 234
Australia — Operational risk + info security
incl. 30-Apr-2026 AI letter
RBI FREE-AI
India — Responsible AI framework
Reserve Bank of India
OJK Tata Kelola
Indonesia — FS AI governance
Otoritas Jasa Keuangan
BNM RMiT
Malaysia — Risk Mgmt in Tech
Bank Negara Malaysia
BSP Project Sapiens
Philippines — Central bank AI
Bangko Sentral ng Pilipinas
EU AI Act
Title III — High-risk obligations
European Union
NIST AI RMF · ISO 42001
Global — Risk framework + AIMS
NIST · ISO/IEC
Per-finding evidence: probe ID · ATLAS technique ID · CSA category · AIVSS vector · reproduction trace · KMS signature · dual-TSA timestamp · pack hash · framework version hash.
Tiers · AWS Marketplace SaaS contract

Three tiers. Annual upfront. Pay through AWS.

Standard, Professional, and Enterprise — sized by agents under management, regulator packs included, and support window. Billed via AWS Marketplace, drawing down committed spend. The OSS core remains free and Apache-2.0 under every tier.

Standard · AWS Marketplace

Standard

Up to 200 agents under management
  • Up to 200 agents
  • Discovery + AIVSS scoring
  • Two regulator packs
  • Cedar policy editor in shadow + canary mode
  • Annual upfront via AWS Marketplace
  • Email support
Professional · Featured

Professional

Up to 2,500 agents under management
  • Up to 2,500 agents
  • Full runtime enforcement at the AgentCore Gateway
  • Five regulator packs
  • Continuous scheduled evaluations
  • SARIF 2.1.0 upload + PR comment deltas
  • 24×5 support
Enterprise · Customer-resident

Enterprise

Unlimited agents under management
  • Unlimited agents
  • All 8 regulator-pack templates
  • Custom Cedar policy authoring + review
  • Dedicated solution architect
  • 24×7 support with custom SLA and incident-response window
  • Customer-resident data plane

All tiers include the AgentGuardian OSS core (PyPI: agent-guardian) for local red-teaming and CI/CD. Move up as agent count and regulator scope grow.

Trust posture

A compliance roadmap, and a clear list of what this is not.

Compliance roadmap
  • SOC 2 Type I: Q4 2026 · auditor engaged
  • SOC 2 Type II: Q2 2027
  • ISO/IEC 27001:2022: Q3 2027
  • ISO/IEC 42001 AIMS: self-attest 2026 · third-party Q1 2028
  • HIPAA BAA: Q3 2028 · on request
  • FedRAMP Moderate: path identified · gov-customer triggered
  • Pen testing: quarterly stage 1 · semi-annual thereafter
Open differentiation
  • AIVSS formula: published with severity and AARS weights
  • Deterministic stub mode: reproduce every finding offline, no model calls
  • Zero telemetry: OSS core ships no phone-home
  • Apache-2.0 OSS core: PyPI: agent-guardian (rc2 live)
  • Customer-owned keys: per-tenant KMS CMK; Glacien is Sign/Verify only
  • Reproducible packs: hash-pinned framework version + raw findings
What AgentGuardian is not
  • Not a runtime guardrail: we do not classify or block model output as a content filter
  • Not a chatbot moderation tool: we do not score support conversations for tone or PII redaction
  • Not a model-evaluation harness: we do not benchmark base-model quality; the OSS harness is adversarial-swarm red-teaming for agents
  • Not an MLOps platform: we do not train, fine-tune, host, or version base models

Bring AgentGuardian into the control plane.
Walk a regulator through it.

We will run a posture sweep against a sample of your agents, ship a signed evidence pack for the framework you care about, and hand you the Cedar policy bundle that would have caught the finding at runtime.