AGP · AGENT GOVERNANCE PLANE
You need control over what your agents do — before they do it, not after.
Meet AGP — the Agent Governance Plane. Your agents keep working at full speed. Nothing dangerous happens without your say-so.
AGP IN ACTION · FROM A REAL SESSION
That held action didn't vanish. It's waiting — for you:
You just did the most important job in agentic AI: you were the human in the loop. And this card is not a mockup — this exact order was held, approved by a human, and filled through AGP. Real broker, real money, real audit trail. The receipts are below.
ALWAYS ON · EVERY AGENT · EVERY CALL
Every line below is one decision: identity checked, envelope checked, policy evaluated, outcome recorded.
Reads flow. Dangerous writes wait for a human. Everything is attributable — which agent, which tool, which human, which decision.
PROOF · RUN AGAINST REAL SYSTEMS
The gate you use every day — and the two emergency controls you hope you never need. All three exercised live, with real error strings to show for it.
POLICY_HOLD · HTTP 423
An agent placed a real brokerage order. AGP froze it twice — at review and at placement — for explicit human approval. Then, and only then, it filled.
BEHAVIOR_PROFILE_DENIED
An agent behaving strangely? Suspend its profile — one action in the console. We did it to a live agent mid-session: its very next call was refused, fail-closed. No restart, no redeploy, no cooperation from the agent. Blast radius capped while you investigate.
MCP -32602: unknown tool
A compromised tool server? Yank it from the registry once, and for every agent and every profile at the same moment its tools simply cease to exist — indistinguishable from tools that never existed at all.
THE MODEL · SIX STAGES, ONE PIPELINE
The same pipeline you watched work above — stage by stage.
A governed registry of every tool your agents can reach — each one deliberately onboarded and classified (read / write / delete). If it isn't in the registry, it doesn't exist. Yank a server and it vanishes for everyone at once.
Every agent identity is bound to an envelope that decides which of those tools exist for it. Fail-closed: a new agent sees nothing until granted. Suspend the profile and its next call dies mid-session.
You decide which actions flow, which are denied outright, and which must wait for a human — by tool, by operation type, by agent. Reads glide; irreversible writes meet judgment.
Dangerous actions pause in-flight — HTTP 423, not a Slack ping after the fact. A human approves or denies from the console; the decision and the decider land in the record.
Agents never hold credentials — not a token, not a key. OAuth MCP servers onboard with one consent; secrets stay sealed in AGP and are injected at call time. Disconnect revokes at the provider itself.
Every allow, deny, and hold — which agent, which tool, which decision, which human. The question incident review always asks, answered from a feed on your own infrastructure.
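As an added illustration (not AGP's own code or API), here is a toy in-memory version of the pipeline above: a registry of classified tools, per-agent envelopes, fail-closed profile suspension, hold-for-human on writes, and one audit record per decision. Tool names, agent ids and the approver name are constructed placeholders; the credential-injection stage is not modelled.

```python
# Hypothetical in-memory model of the gate (constructed for illustration; not AGP's code).
REGISTRY = {"broker.positions.list": "read", "broker.orders.place": "write"}  # stage 1
ENVELOPES = {"trader-7": {"broker.positions.list", "broker.orders.place"}}    # stage 2
SUSPENDED = set()   # agents whose behavior profile a human has suspended
AUDIT = []          # stage 6: one record per decision, appended in order

def decide(agent, tool, approvals=None):
    """Run one tool call through the stages and return the recorded decision."""
    approvals = approvals or {}  # (agent, tool) -> name of the approving human

    def record(outcome, **detail):
        entry = {"agent": agent, "tool": tool, "outcome": outcome, **detail}
        AUDIT.append(entry)
        return entry

    # Profile / envelope check, fail-closed: a suspended agent is refused outright.
    if agent in SUSPENDED:
        return record("deny", code="BEHAVIOR_PROFILE_DENIED")
    envelope = ENVELOPES.get(agent, set())  # unknown agent -> empty envelope
    # Registry check: an unregistered tool, or one outside the envelope, is reported
    # exactly like a tool that never existed (JSON-RPC -32602, as on the page).
    if tool not in REGISTRY or tool not in envelope:
        return record("deny", code=-32602, message="unknown tool")
    # Policy: reads flow; writes and deletes hold until a named human approves.
    if REGISTRY[tool] == "read":
        return record("allow")
    human = approvals.get((agent, tool))
    if human is None:
        return record("hold", http_status=423, code="POLICY_HOLD")
    return record("allow", approved_by=human)

def demo():
    """Replay the page's three scenarios; returns the five outcomes in order."""
    r1 = decide("trader-7", "broker.positions.list")   # read: allowed
    r2 = decide("trader-7", "broker.orders.place")     # write: held, HTTP 423
    r3 = decide("trader-7", "broker.orders.place",
                {("trader-7", "broker.orders.place"): "ops-oncall"})  # approved, fills
    SUSPENDED.add("trader-7")
    r4 = decide("trader-7", "broker.positions.list")   # suspended: even a read is denied
    SUSPENDED.discard("trader-7")
    del REGISTRY["broker.orders.place"]                # server yanked from the registry
    r5 = decide("trader-7", "broker.orders.place")     # now "unknown tool" for everyone
    return [r["outcome"] for r in (r1, r2, r3, r4, r5)]

if __name__ == "__main__":
    print(demo())
```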
THE FOUNDER
25 years of deep technical expertise building platforms that survive production. Named inventor on 14 patents — and two new provisional patent applications filed at Raksha AI.
"I've spent my career building platforms and applications — and studying every way they fail: edge cases, cascading incidents, systems that weren't resilient at the scale reality demanded. The lesson never changed: you don't hope a system behaves. You engineer it to.
AI agents raise the stakes. They act faster than a human can react — and without controls, everyone is just hoping for the best. Raksha is me carrying everything I've learned about building safe, resilient systems into the layer this era needs: governance for agentic AI. It's open and self-hosted — your environment, your data, nothing phones home."
— Naveen Vandanapu
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh