Secure, monitor, and govern agent behavior on both the request and the response, across every model you call or host, from the major providers to your own proprietary and self-hosted models. Enforced below the application, where agents can't bypass it.
01 · Discover
Altrace surfaces an agent the moment it sends its first request, registered or not, with per-agent model and host visibility, plus an MCP scanner that audits the tools your agents connect to. Passive detection; nothing to instrument.
Unregistered agents are flagged the moment they appear on your network, not days later.
Which model, which host, which tools, attributable to a team and an agent, on every request.
Audit the MCP tool servers your agents connect to before you trust them, for hardcoded credentials, command injection, unsafe permissions, and supply-chain risk. What the scanner finds becomes what the proxy enforces.
Passive detection and per-agent visibility, not a full CMDB. Altrace is content-blind: it classifies, it does not store your data.
02 · Define
Behavioral contracts move governance beyond prompt-based controls. Specify what each agent may touch, and what it must prove before it acts.
An allowlist per agent: which tools it can call, which models it can reach, which destinations it can talk to. Regulated or proprietary data is blocked from leaving for a destination you did not approve, and anything not on the allowlist is denied.
Govern read / write / delete / execute separately. A team can be allowed to read but never delete.
Require an agent to gather evidence before a destructive action: no refund without an order lookup first.
Hold a request pending an operator's approve / deny for the actions that warrant a human in the loop.
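The four contract elements above (per-agent allowlist, separate operation classes, evidence before a destructive action, and a hold for operator approval) reduce to one small evaluation routine. The block below is an added example written for this page, not Altrace's code or its contract format; `Contract`, `Request`, `evaluate` and the sample `SUPPORT_CONTRACT` are constructed names, and the default is deny for anything the contract does not mention.

```python
# Added illustration for this page (not Altrace's own code): a minimal
# behavioral-contract evaluator. Contract, Request, evaluate and the sample
# SUPPORT_CONTRACT are constructed names.
from dataclasses import dataclass, field


@dataclass
class Contract:
    agent: str
    tools: set                 # tools the agent may call
    models: set                # models it may reach
    destinations: set          # hosts it may send data to
    operations: set            # allowed subset of {"read", "write", "delete", "execute"}
    prerequisites: dict = field(default_factory=dict)  # tool -> tools that must have run first
    needs_approval: set = field(default_factory=set)   # tools held for an operator's approve/deny


@dataclass
class Request:
    tool: str
    model: str
    destination: str
    operation: str
    evidence: tuple = ()       # tools the agent has already run in this session
    approved: bool = False     # set once an operator approves the held request


def evaluate(contract: Contract, req: Request):
    """Return (decision, reason); decision is 'allow', 'deny' or 'hold'.
    Anything not on the allowlist is denied, so the default is deny."""
    if req.tool not in contract.tools:
        return "deny", f"tool {req.tool!r} not in allowlist"
    if req.model not in contract.models:
        return "deny", f"model {req.model!r} not in allowlist"
    if req.destination not in contract.destinations:
        return "deny", f"destination {req.destination!r} not approved"
    if req.operation not in contract.operations:
        return "deny", f"operation {req.operation!r} not permitted"
    missing = [t for t in contract.prerequisites.get(req.tool, ()) if t not in req.evidence]
    if missing:
        # Evidence requirement: the destructive action is refused until the
        # prerequisite lookups have been performed in this session.
        return "deny", f"missing evidence: {missing}"
    if req.tool in contract.needs_approval and not req.approved:
        return "hold", "awaiting operator approval"
    return "allow", "contract satisfied"


# Constructed sample: a support agent that may look up orders and issue
# refunds, may never delete, and must look an order up before refunding.
SUPPORT_CONTRACT = Contract(
    agent="support-agent",
    tools={"order_lookup", "issue_refund"},
    models={"small-model"},
    destinations={"orders.internal.example"},
    operations={"read", "execute"},
    prerequisites={"issue_refund": ["order_lookup"]},
    needs_approval={"issue_refund"},
)

if __name__ == "__main__":
    refund = Request("issue_refund", "small-model", "orders.internal.example", "execute")
    print(evaluate(SUPPORT_CONTRACT, refund))   # deny: no order lookup yet
    refund.evidence = ("order_lookup",)
    print(evaluate(SUPPORT_CONTRACT, refund))   # hold: needs operator approval
    refund.approved = True
    print(evaluate(SUPPORT_CONTRACT, refund))   # allow
```

The ordering of checks matters: allowlist checks come first so an agent never learns which evidence a tool it may not call would require, and the approval hold is evaluated last so an operator is only asked about requests that already satisfy every other rule.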
03 · Enforce: the centerpiece
Every request passes through an ordered, deterministic decision chain before it reaches a model. Each decision is a declared, reproducible rule, not an opaque model you have to trust.
The chain has 38 stages, presented on this page only as category bands; the individual stages and their ordering are proprietary.
Stop any agent instantly, by agent, by team, or globally. New requests blocked synchronously; active streams cancelled. Persists across restarts.
Every request is cost-checked before it reaches the model. Over budget? It's blocked, the model is never called, and nothing is spent.
Inbound requests and outbound responses are both governed, including response-side detection of injection that actually succeeded.
Each streaming fragment is evaluated as it arrives. Sensitive data midstream cancels the stream at the point of violation.
Destructive actions are blocked unless the agent has completed the prerequisite lookups the contract requires. When blocked, the agent receives a machine-readable hint in its provider’s own error format and can self-correct without a human.
Every MCP tool call passes layered enforcement: an authorization registry, a behavioral reputation check, a schema-integrity fingerprint, a supply-chain attestation, and a description-injection scan. Each is a declared rule, and each fails closed.
Session data-flow labels keep data that one provider processed from crossing into another vendor, and block regulated data from leaving to a destination you did not approve.
Agents that repeat the same request pattern within a run are warned, then blocked, then the run is terminated, automatically.
Every block is a declared rule you can read and reproduce, a deterministic enforcement core, with optional ML augmentation for detection signal.
Unbypassable enforcement requires Kubernetes with the init container (kernel-level network rules). Docker is advisory; Fargate uses the gateway model. Response and streaming governance are policy-configurable; request-side classification is on by default.
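To make the "ordered, deterministic, fail-closed" property concrete, here is an added example of a three-stage chain covering the kill switch, the pre-call budget check and the repeat-pattern escalation (warn, then block, then terminate the run) described above. It is written for this page and is not Altrace's decision chain or its error format; `GovernorState`, `govern`, the stage functions, the thresholds and the `governance_error` shape are all constructed.

```python
# Added illustration for this page (not Altrace's own code): a short,
# ordered, fail-closed decision chain with three of the stage types the
# page names: kill switch, budget pre-check and repeat-pattern escalation.
# GovernorState, govern, the stage functions and the error format are
# constructed assumptions.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Request:
    agent: str
    team: str
    run_id: str
    estimated_cost: float   # pre-call cost estimate in dollars
    pattern: str            # fingerprint of the request pattern (e.g. hash of tool + arguments)


@dataclass
class GovernorState:
    killed: set = field(default_factory=set)            # "global", "team:<t>" or "agent:<a>"
    budgets: dict = field(default_factory=dict)         # agent -> remaining dollars
    repeats: Counter = field(default_factory=Counter)   # (run_id, pattern) -> count
    terminated_runs: set = field(default_factory=set)


REPEAT_WARN, REPEAT_BLOCK, REPEAT_TERMINATE = 2, 3, 4   # constructed thresholds


def kill_switch(state, req):
    for scope in ("global", f"team:{req.team}", f"agent:{req.agent}"):
        if scope in state.killed:
            return "block", {"code": "kill_switch", "scope": scope}
    return None


def budget_check(state, req):
    remaining = state.budgets.get(req.agent, 0.0)
    if req.estimated_cost > remaining:
        return "block", {"code": "budget_exceeded", "remaining": remaining}
    return None


def repeat_check(state, req):
    if req.run_id in state.terminated_runs:
        return "block", {"code": "run_terminated"}
    key = (req.run_id, req.pattern)
    state.repeats[key] += 1
    n = state.repeats[key]
    if n >= REPEAT_TERMINATE:
        state.terminated_runs.add(req.run_id)
        return "block", {"code": "loop_terminated", "repeats": n}
    if n >= REPEAT_BLOCK:
        return "block", {"code": "loop_blocked", "repeats": n}
    if n >= REPEAT_WARN:
        return "warn", {"code": "loop_warning", "repeats": n}
    return None


CHAIN = (kill_switch, budget_check, repeat_check)   # the order is part of the policy


def govern(state, req, chain=CHAIN):
    """Run the chain in order. The first block wins; a stage that raises is
    treated as a block (fail closed). Budget is debited only on allow, so a
    blocked request spends nothing and the model is never called."""
    warnings = []
    for stage in chain:
        try:
            verdict = stage(state, req)
        except Exception as exc:   # any stage failure must fail closed
            return {"allowed": False, "error": {"type": "governance_error", "code": "stage_failure",
                                                "stage": getattr(stage, "__name__", "?"), "detail": str(exc)}}
        if verdict is None:
            continue
        kind, detail = verdict
        if kind == "block":
            # Machine-readable hint the agent can act on without a human.
            return {"allowed": False, "error": {"type": "governance_error",
                                                "stage": stage.__name__, **detail}}
        warnings.append({"stage": stage.__name__, **detail})
    state.budgets[req.agent] = state.budgets.get(req.agent, 0.0) - req.estimated_cost
    return {"allowed": True, "warnings": warnings}


if __name__ == "__main__":
    state = GovernorState(budgets={"bot": 10.0})
    req = Request("bot", "ops", "run-1", 0.5, "search:same-query")
    for _ in range(5):
        print(govern(state, req))   # allow, warn, loop_blocked, loop_terminated, run_terminated
```

Two design points carry over regardless of stage count: every verdict is a plain data structure a reviewer can reproduce by re-running the same inputs, and the kill switch sits first so a stopped agent is refused before any budget is consulted or any counter is touched.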
04 · Credential indirection
Agents authenticate to Altrace with a scoped virtual key. Altrace holds the real provider credential and injects it only at the moment a governed request leaves for the model, so the agent never holds a key it could leak, reuse, or overspend.
Each agent presents a proxy-issued token, never your real provider key. The real key is encrypted at rest and injected at the network boundary.
Restrict a key to specific models, tools, and endpoints. An agent issued a small-model key cannot upgrade itself to a frontier model or call a tool it was not granted.
Give each key its own daily, weekly, or monthly spending cap, enforced before the request reaches the model and independent of team budgets.
Revoke a key and the next request is refused while the agent kill switch fires in the same call. Issue short-lived keys that expire on their own.
Rotate the underlying provider key in HashiCorp Vault or a Kubernetes secret and Altrace swaps it in automatically, with no agent restarts.
Lock a deployment so only Altrace-issued keys are accepted. Any request carrying a real provider key is rejected at the proxy.
Credential indirection runs in your infrastructure. The real key is never sent to any third party.
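As an added example of the credential-indirection pattern this section describes, the block below implements a small key broker: agents present a proxy-issued virtual key, the broker checks scope, spending cap, expiry and revocation, rejects any request that carries a real provider key, and injects the real key only into the outbound headers. It is written for this page and is not Altrace's code; `KeyBroker`, `VirtualKey`, the `vk_` prefix and the placeholder provider keys are constructed, and the real keys are held in memory here where a deployment would read them from Vault or a Kubernetes secret.

```python
# Added illustration for this page (not Altrace's own code): a credential
# broker that maps proxy-issued virtual keys to scoped, capped, expiring
# grants and injects the real provider key only into the outbound request.
# KeyBroker, VirtualKey, the key prefix and the sample keys are constructed.
import hmac
import secrets
import time
from dataclasses import dataclass

VIRTUAL_PREFIX = "vk_"   # constructed prefix for proxy-issued keys


@dataclass
class VirtualKey:
    agent: str
    provider: str
    models: frozenset
    tools: frozenset
    daily_cap: float
    spent_today: float = 0.0
    expires_at: float = float("inf")
    revoked: bool = False


class KeyBroker:
    def __init__(self, provider_keys: dict, lock_to_virtual: bool = True):
        # A deployment would read these from a secret store (Vault, a Kubernetes
        # secret) and keep them encrypted at rest; kept in memory for illustration.
        self._provider_keys = dict(provider_keys)
        self._grants = {}                     # virtual key -> VirtualKey
        self.lock_to_virtual = lock_to_virtual

    def issue(self, agent, provider, models, tools, daily_cap, ttl_seconds=None, now=None):
        now = time.time() if now is None else now
        key = VIRTUAL_PREFIX + secrets.token_urlsafe(24)
        self._grants[key] = VirtualKey(agent, provider, frozenset(models), frozenset(tools), daily_cap,
                                       expires_at=now + ttl_seconds if ttl_seconds else float("inf"))
        return key

    def revoke(self, key):
        self._grants[key].revoked = True

    def rotate(self, provider, new_real_key):
        # Virtual keys are untouched, so agents keep working without a restart.
        self._provider_keys[provider] = new_real_key

    def _is_real_key(self, presented):
        return any(hmac.compare_digest(presented.encode(), real.encode())
                   for real in self._provider_keys.values())

    def authorize(self, presented, model, tool, estimated_cost, now=None):
        """Return outbound headers carrying the real key, or raise PermissionError."""
        now = time.time() if now is None else now
        if self.lock_to_virtual and self._is_real_key(presented):
            raise PermissionError("real provider keys are rejected at the proxy")
        grant = self._grants.get(presented)
        if grant is None or grant.revoked:
            raise PermissionError("unknown or revoked key")
        if now >= grant.expires_at:
            raise PermissionError("key expired")
        if model not in grant.models:
            raise PermissionError(f"model {model!r} outside key scope")
        if tool is not None and tool not in grant.tools:
            raise PermissionError(f"tool {tool!r} outside key scope")
        if grant.spent_today + estimated_cost > grant.daily_cap:
            raise PermissionError("per-key spending cap exceeded")
        grant.spent_today += estimated_cost
        # The real key appears only here, on the way out to the provider.
        return {"Authorization": f"Bearer {self._provider_keys[grant.provider]}",
                "X-Agent-Id": grant.agent}


def denial_reason(broker, *args, **kwargs):
    """Helper: the PermissionError message for a request, or None if it was allowed."""
    try:
        broker.authorize(*args, **kwargs)
        return None
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    broker = KeyBroker({"provider-a": "REAL_KEY_PLACEHOLDER_1"})
    vk = broker.issue("bot", "provider-a", ["small-model"], ["search"], daily_cap=1.0, ttl_seconds=3600)
    print(broker.authorize(vk, "small-model", "search", 0.25))
    print(denial_reason(broker, vk, "frontier-model", "search", 0.25))
```

The `lock_to_virtual` flag is the "lock a deployment" control from the text: with it on, a request that presents one of the broker's own real keys is refused even though that key would work against the provider directly, which is exactly the path kernel-level redirection is there to close.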
05 · Monitor
A real console, not a log file. See spend, content labels, and actions per agent, and prove exactly what happened to any auditor.
Spend, traffic, and enforcement actions across every team and agent, in real time.
Every decision cryptographically linked to the last. Insertion, deletion, and reordering are all detectable. Proof, not logging.
Every dollar attributed to a team, an agent, and a cost center: no more mystery AI bills.
Every agent on one screen, with risk level and recent enforcement at a glance.
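The "every decision cryptographically linked to the last" claim above is a hash chain. The added example below, written for this page rather than taken from Altrace, shows the construction and a verifier that reports the first position at which a modified, inserted, deleted or reordered entry breaks the chain. `AuditChain`, `verify`, `build_chain` and the `SAMPLE_DECISIONS` records are constructed; the one caveat worth knowing is also shown: removing entries from the end leaves a shorter chain that still verifies, so the latest head hash has to be anchored outside the log writer's reach (the SIEM forwarding mentioned later on this page is one place for it).

```python
# Added illustration for this page (not Altrace's own code): a hash-chained
# decision log where every entry commits to the previous one, plus a verifier
# that reports the first entry at which the chain breaks. AuditChain, verify,
# build_chain and SAMPLE_DECISIONS are constructed names.
import hashlib
import json

GENESIS = "0" * 64   # predecessor of the first entry


def entry_hash(prev_hash, index, record):
    """Canonical JSON keeps the digest independent of dict ordering."""
    payload = json.dumps({"prev": prev_hash, "index": index, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        index = len(self.entries)
        self.entries.append({"index": index, "prev": prev, "record": record,
                             "hash": entry_hash(prev, index, record)})
        return self.entries[-1]["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Return (ok, first_bad_index). A modified, inserted, deleted or reordered
    entry breaks a link at or before its position. Dropping entries from the
    end leaves a valid shorter chain, so anchor the latest head hash somewhere
    the log writer cannot reach and pass it as expected_head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["index"] != i or e["prev"] != prev or entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample decisions, shaped like what an enforcement proxy might record.
SAMPLE_DECISIONS = [
    {"agent": "support-agent", "tool": "order_lookup", "decision": "allow"},
    {"agent": "support-agent", "tool": "issue_refund", "decision": "deny", "reason": "missing evidence"},
    {"agent": "support-agent", "tool": "issue_refund", "decision": "hold"},
    {"agent": "support-agent", "tool": "issue_refund", "decision": "allow", "approved_by": "operator-1"},
]


def build_chain(records):
    chain = AuditChain()
    for r in records:
        chain.append(r)
    return chain.entries, chain.head()


if __name__ == "__main__":
    entries, head = build_chain(SAMPLE_DECISIONS)
    print(verify(entries, head))            # (True, None)
    tampered = list(entries)
    tampered[1] = dict(tampered[1], record=dict(tampered[1]["record"], decision="allow"))
    print(verify(tampered, head))           # (False, 1)
    print(verify(entries[:-1]))             # (True, None): truncation passes without an anchor
    print(verify(entries[:-1], head))       # (False, 3): caught once the head is anchored
```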
06 · Detect drift
Altrace builds a behavioral baseline across multiple signals for each agent, and statistical detectors watch the whole fleet for coordinated attacks, synthetic-agent farms, and drift no single request reveals. When behavior deviates, enforcement escalates, and every escalation is a declared rule, not an opaque model.
Escalation is fast; de-escalation is deliberately slower. Behavioral baselines are statistical deviation signals, not semantic understanding.
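An added example of a per-agent baseline with the asymmetric escalation described above: several per-request signals are tracked with a running mean and variance, a deviation in any one of them steps the enforcement level up immediately, and the level steps back down only after a run of in-bounds observations. This is written for this page and is not Altrace's detector; the signal names, thresholds, level names and `normal_sample` generator are constructed, and the statistic is a plain z-score, which is a deviation signal and not an understanding of what the agent is doing.

```python
# Added illustration for this page (not Altrace's own code): a per-agent
# statistical baseline (Welford running mean/variance per signal) with fast
# escalation and deliberately slow de-escalation. SIGNALS, the thresholds,
# LEVELS, AgentMonitor and normal_sample are constructed.
import math
from dataclasses import dataclass, field

SIGNALS = ("tokens", "tool_calls", "destinations")   # per-request signals (constructed)
Z_THRESHOLD = 3.0     # deviation in any signal beyond this counts as drift
WARMUP = 20           # observations to learn from before deviations are judged
COOLDOWN = 10         # consecutive in-bounds observations needed to step down one level
LEVELS = ("normal", "warn", "restrict", "block")


@dataclass
class Baseline:
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0   # sum of squared deviations (Welford)

    def update(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def z(self, x):
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        return 0.0 if sd == 0 else abs(x - self.mean) / sd


@dataclass
class AgentMonitor:
    baselines: dict = field(default_factory=lambda: {s: Baseline() for s in SIGNALS})
    level: int = 0
    calm_streak: int = 0
    observed: int = 0

    def observe(self, sample):
        """Feed one request's signals; return (enforcement level, max z-score)."""
        self.observed += 1
        zmax = max(self.baselines[s].z(sample[s]) for s in SIGNALS)
        deviant = self.observed > WARMUP and zmax > Z_THRESHOLD
        if deviant:
            # Escalate at once; one deviant request is enough to move a level.
            self.level = min(self.level + 1, len(LEVELS) - 1)
            self.calm_streak = 0
        else:
            # Learn only from in-bounds behaviour so outliers cannot drag the
            # baseline toward themselves, then de-escalate slowly.
            for s in SIGNALS:
                self.baselines[s].update(sample[s])
            self.calm_streak += 1
            if self.level > 0 and self.calm_streak >= COOLDOWN:
                self.level -= 1
                self.calm_streak = 0
        return LEVELS[self.level], zmax


def normal_sample(i):
    """Constructed in-bounds traffic: small, regular variation in each signal."""
    return {"tokens": 90 + 10 * (i % 3), "tool_calls": 1 + i % 3, "destinations": 1}


if __name__ == "__main__":
    m = AgentMonitor()
    for i in range(21):
        m.observe(normal_sample(i))
    spike = {"tokens": 10000, "tool_calls": 2, "destinations": 1}
    print([m.observe(spike)[0] for _ in range(3)])                  # warn, restrict, block
    print([m.observe(normal_sample(i))[0] for i in range(30)][9::10])  # restrict, warn, normal
```

With these constructed thresholds three deviant requests take an agent from normal to block, while thirty in-bounds requests are needed to return it to normal; the ratio is the policy knob, and both directions are reproducible from the same observation sequence.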
07 · Built for security teams
The section your security questionnaire is really about, enforced on the control plane.
Client certs verified against your CA; cert identity captured in the audit trail. Fail-closed in production.
A team-scoped token can't reach another team's kill switches, budgets, or credentials.
Revoke a compromised operator token instantly, with a tamper-evident record. Per-IP / per-token lockout.
Restrict the control API to known networks, with explicit forwarded-header trust control.
Every state-mutating control action is fsync-persisted before acknowledgment, then reliably forwarded to your SIEM.
A typed, scriptable control API your security team can audit and integrate against. Kill switches, budgets, credentials, approvals, and audit, every action authenticated and recorded.
08 · Architecture
Altrace sits between your agents and the providers they call. Traffic flows through an enforcement lane; credentials flow through a separate credential indirection lane, so agents never hold real keys.
[Architecture diagram: agents (no code changes) → Altrace (Infrastructure Enforcement · Behavioral Contracts · Credential Indirection · Streaming Scanning) → providers or self-hosted models]
Kernel-level network rules, via iptables, nftables, or Cilium, force all AI traffic through Altrace. Agents cannot bypass the proxy. This is the only mode with unbypassable enforcement.
Application-level budget and kill-switch enforcement for development, testing, and visibility. Bypassable if the proxy is ignored.
AWS Network Firewall routes egress to an Altrace gateway. Governance for workloads where kernel enforcement isn't available.
Label a namespace and Altrace injects enforcement automatically, through a CNI plugin or an admission webhook. No per-app config.
Works with
As a transparent proxy, Altrace governs traffic on both the request and the response without changing your agent code, so it works with every model you call or host: Anthropic · OpenAI · Azure OpenAI · Google Gemini · AWS Bedrock · self-hosted models (vLLM, Ollama, TGI) · MCP · LangGraph · LangChain · CrewAI · AutoGen · Kubernetes · Docker · any cloud. Your self-hosted endpoints and your own fine-tuned Bedrock models run through the same decision chain as the major providers.
Build with Altrace
Altrace governs your agents as a transparent proxy, with no code changes. When you want richer control, the Python and TypeScript SDKs add the evidence and attribution the proxy can act on.
Mark a tool with @altrace.tool in Python, or wrap it with withEvidence() in TypeScript, and the proxy can require proof of what an agent did before allowing a destructive action.
Attach team, agent, and per-function attribution to every call, so budgets, kill switches, and the audit trail line up with the code that made the request.
Drop-in adapters for LangChain, AutoGen, and CrewAI record tool calls as evidence automatically, with no wrapper classes to write.
The Python SDK is on PyPI. Install it with pip install altrace-ai. The proxy still does the enforcing; the SDK just lets it see more.