Runtime governance for AI agents, enforced in your own infrastructure. Altrace is the control layer beneath every agent, enforcing on both the request and the response, across the model providers you call and the proprietary models you run. Stop any agent before it acts, cap what it can spend and reach, and keep a tamper-evident record of everything it did.
“An emergency brake and a flight recorder for every AI agent you run.”
Works with every model you call or host. Enforces on every request and response.
Anthropic · OpenAI · Azure OpenAI · Google Gemini · AWS Bedrock · Self-hosted models · MCP · LangGraph · CrewAI
The governance gap
AI agents can. Most organizations cannot.
88% of organizations with AI agents have experienced a security incident (Gravitee 2026)
14% have full security governance over their AI agents (Gravitee 2026)
73% of CISOs cite AI agent risk as a critical concern (CSA 2026)
One control layer, four jobs
01. See every agent, including the ones you never authorized. Shadow-agent detection the moment an unregistered agent sends its first request.
02. Declare what each agent is allowed to do: tools, models, destinations, actions, evidence prerequisites. Move beyond prompt-based controls.
03. Stop, limit, and govern every request below the application, where agents can’t bypass it. Kill switches, hard budgets, content governance.
04. Watch every decision, with a tamper-evident record of exactly what happened (cost, content, and action), attributable per agent.
Platform overview →
The difference
On Kubernetes, kernel-level network rules make the proxy unbypassable. Your data never leaves your infrastructure, and every decision is written to a tamper-evident audit trail.
Proof, not promises
Real 2026 agent failures, and the Altrace control that would have stopped each one.
The Kiro incident
In December 2025, Amazon’s Kiro agent autonomously deleted and recreated a production AWS environment without approval, causing a 13-hour outage.
Stopped by: evidence grounding + approval gates
The $82,000 API key
In February 2026, a stolen API key ran up $82,314 in Gemini charges in 48 hours, part of an estimated $400M in unbudgeted agent spend that quarter.
Stopped by: hard budget limits + kill switch
The OpenClaw incident
In 2026, an agent deleted 200+ emails from a researcher’s inbox. She typed “STOP” repeatedly. It kept going. There was no kill switch.
Stopped by: instant global / team / agent kill switch
Credential indirection
Altrace issues each agent a scoped, revocable key of its own. The real provider key stays encrypted inside Altrace and is injected at the network boundary, so a compromised agent can never leak a key it never had.
Each agent gets a proxy-issued token, not your Anthropic, OpenAI, or Bedrock key. The real key is encrypted at rest and never reaches the agent process.
Lock a key to specific models, tools, endpoints, and a spending cap. A contractor’s agent cannot upgrade itself to a frontier model or call a tool it was never granted.
Revoke a key and the next request is refused, while the agent’s kill switch fires in the same action. Two independent stops, no grace period.
Rotate the underlying provider key in HashiCorp Vault or a Kubernetes secret and Altrace picks it up automatically, with no agent restarts.
Issue a key that expires in an hour for a one-off task. Expiry is enforced at the proxy, not on the honor system.
Lock the deployment so only Altrace-issued keys are accepted. Any request carrying a real provider key is rejected at the proxy.
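The checks above, as an added illustration rather than Altrace’s own code: a proxy that issues scoped, expiring, revocable tokens, refuses raw provider keys, enforces a hard budget, and attaches the real key only on the hop to the provider. The token format, placeholder provider key, and model and tool names are constructed for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed placeholder; a deployment would read this from Vault or a Kubernetes secret.
REAL_PROVIDER_KEY = "sk-PLACEHOLDER-provider-key"

@dataclass
class AgentToken:
    agent: str
    models: frozenset      # models this token may call
    tools: frozenset       # tools this token may invoke
    budget_usd: float      # hard spending cap, enforced before forwarding
    expires_at: float      # unix time; expiry is checked at the proxy
    spent_usd: float = 0.0
    revoked: bool = False

class Proxy:
    def __init__(self):
        self.tokens = {}     # proxy-issued token -> AgentToken
        self.killed = set()  # agents whose kill switch has fired

    def issue(self, agent, models, tools, budget_usd, ttl_s, now):
        tok = "alt_" + secrets.token_hex(8)  # constructed token format
        self.tokens[tok] = AgentToken(agent, frozenset(models), frozenset(tools),
                                      budget_usd, now + ttl_s)
        return tok

    def revoke(self, tok):
        self.tokens[tok].revoked = True          # next request with this key is refused...
        self.killed.add(self.tokens[tok].agent)  # ...and the agent's kill switch fires too

    def authorize(self, tok, model, tool, cost_usd, now):
        # Decide one request at the network boundary; returns (allowed, reason).
        if tok.startswith("sk-"):  # an agent presenting a raw provider key is refused
            return False, "real provider keys are not accepted"
        t = self.tokens.get(tok)
        if t is None or t.revoked or t.agent in self.killed:
            return False, "unknown, revoked, or killed"
        if now >= t.expires_at:
            return False, "token expired"
        if model not in t.models or (tool is not None and tool not in t.tools):
            return False, "model or tool outside token scope"
        if t.spent_usd + cost_usd > t.budget_usd:
            return False, "hard budget exceeded"
        t.spent_usd += cost_usd
        return True, "ok"

    def upstream_headers(self):
        # The real key is attached only on the proxy-to-provider hop.
        return {"Authorization": "Bearer " + REAL_PROVIDER_KEY}
```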
How credential indirection works →
The controls your security questionnaire asks about (mutual TLS, team-scoped RBAC, token revocation, IP allowlisting, and durable SIEM delivery) live on the platform page.
Data-flow governance
Altrace governs where data is allowed to go, so regulated or proprietary content never reaches a provider or endpoint you did not approve.
Allowlist the providers, endpoints, and tools each agent may reach. A prompt carrying regulated or proprietary data is blocked from any destination you did not approve.
Per-session data-flow labels keep data that one provider processed from crossing into another vendor inside the same session.
Classification returns yes or no labels, never extracted or stored text. Your data stays in transit between your agents and the model.
Compliance evidence, not checkbox claims
EU AI Act (Aug 2, 2026) · SOC 2 (Evidence-Ready) · NIST AI RMF · ISO 42001 · HIPAA · OWASP LLM & MCP
View all frameworks →