AGP · AGENT GOVERNANCE PLANE

Your AI agents are acting in production. Right now.

An unsafe action fires. Nothing steps in.

Production data — gone. No approval. No undo. No "why."

Customer data walks out. The headlines tell you first.

One wrong message, a thousand customers. Seconds.

What stands between your agents and your systems?

You need control over what your agents do — before they do it, not after.

Meet AGP — the Agent Governance Plane. Your agents keep working at full speed. Nothing dangerous happens without your say-so.

your agents → AGP → your systems

AGP IN ACTION · FROM A REAL SESSION

That held action didn't vanish. It's waiting — for you:

⏸ HELD FOR APPROVAL · apr_9c608df94b86
agent: claude-desktop-agent
action: robinhood__place_equity_order
order: BUY 5 × MRVL · limit $246.07 · $1,230.35
policy: trades require human approval

You just did the most important job in agentic AI: you were the human in the loop. And this card is not a mockup — this exact order was held, approved by a human, and filled through AGP. Real broker, real money, real audit trail. The receipts are below.

ALWAYS ON · EVERY AGENT · EVERY CALL

Governance is a runtime, not a policy doc.

Every line below is one decision: identity checked, envelope checked, policy evaluated, outcome recorded.

Reads flow. Dangerous writes wait for a human. Everything is attributable — which agent, which tool, which human, which decision.

PROOF · RUN AGAINST REAL SYSTEMS

Three controls. Three receipts.

The gate you use every day — and the two emergency controls you hope you never need. All three exercised live, with real error strings to show for it.

THE GATE — every day
POLICY_HOLD · HTTP 423

An agent placed a real brokerage order. AGP froze it twice — at review and at placement — for explicit human approval. Then, and only then, it filled.

THE EMERGENCY BRAKE — one action
BEHAVIOR_PROFILE_DENIED

An agent behaving strangely? Suspend its profile — one action in the console. We did it to a live agent mid-session: its very next call was refused, fail-closed. No restart, no redeploy, no cooperation from the agent. Blast radius capped while you investigate.

THE KILL SWITCH — org-wide
MCP -32602: unknown tool

A compromised tool server? Yank it from the registry once, and for every agent and every profile at the same moment its tools simply cease to exist — indistinguishable from tools that never existed at all.

Read the walkthroughs in the docs →

THE MODEL · SIX STAGES, ONE PIPELINE

Everything an action passes through.

The same pipeline you watched work above — stage by stage.

01 — Tool governance

A governed registry of every tool your agents can reach — each one deliberately onboarded and classified (read / write / delete). If it isn't in the registry, it doesn't exist. Yank a server and it vanishes for everyone at once.

02 — Behavior profiles

Every agent identity is bound to an envelope that decides which of those tools exist for it. Fail-closed: a new agent sees nothing until granted. Suspend the profile and its next call dies mid-session.

03 — Policies you define

You decide which actions flow, which are denied outright, and which must wait for a human — by tool, by operation type, by agent. Reads glide; irreversible writes meet judgment.

04 — Human approvals

Dangerous actions pause in-flight — HTTP 423, not a Slack ping after the fact. A human approves or denies from the console; the decision and the decider land in the record.

05 — Credential custody

Agents never hold credentials — not a token, not a key. OAuth MCP servers onboard with one consent; secrets stay sealed in AGP and are injected at call time. Disconnect revokes at the provider itself.

06 — Audit with attribution

Every allow, deny, and hold — which agent, which tool, which decision, which human. The question incident review always asks, answered from a feed on your own infrastructure.
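
The decision order described in the six stages, sketched as an added example; this is not AGP's own code. The class names, data shapes, the approved_by parameter and the default-deny for unlisted operation classes are assumptions; only the three outcome strings come from this page.

```python
# Toy model of the pipeline above: identity/profile -> registry/envelope -> policy -> audit.
# Illustration only, not AGP's implementation; names and shapes are assumptions.
from dataclasses import dataclass, field

# Outcome strings quoted from the page's receipts.
UNKNOWN_TOOL = "MCP -32602: unknown tool"
PROFILE_DENIED = "BEHAVIOR_PROFILE_DENIED"
POLICY_HOLD = "POLICY_HOLD"  # the page surfaces this as HTTP 423

@dataclass
class Profile:
    tools: set                # the envelope: tools that exist for this agent
    suspended: bool = False   # the "emergency brake"

@dataclass
class Plane:
    registry: dict            # tool name -> "read" | "write" | "delete"
    profiles: dict            # agent id -> Profile
    policy: dict              # operation class -> "allow" | "deny" | "hold"
    audit: list = field(default_factory=list)

    def decide(self, agent, tool, approved_by=None):
        outcome = self._evaluate(agent, tool, approved_by)
        # Every allow, deny and hold is recorded with attribution.
        self.audit.append({"agent": agent, "tool": tool,
                           "decision": outcome, "human": approved_by})
        return outcome

    def _evaluate(self, agent, tool, approved_by):
        profile = self.profiles.get(agent)
        # Fail closed: an unknown or suspended identity is refused outright.
        if profile is None or profile.suspended:
            return PROFILE_DENIED
        # Outside the registry or the envelope, the tool does not exist
        # (assumption: both cases return the same error).
        if tool not in self.registry or tool not in profile.tools:
            return UNKNOWN_TOOL
        verdict = self.policy.get(self.registry[tool], "deny")  # unlisted class: deny
        if verdict == "hold":
            return "ALLOW" if approved_by else POLICY_HOLD
        return "ALLOW" if verdict == "allow" else "DENY"

if __name__ == "__main__":
    # Constructed sample data: one agent, one read tool, one write tool.
    plane = Plane(registry={"get_quote": "read", "place_order": "write"},
                  profiles={"agent-a": Profile({"get_quote", "place_order"})},
                  policy={"read": "allow", "write": "hold"})
    print(plane.decide("agent-a", "get_quote"))
    print(plane.decide("agent-a", "place_order"))
    print(plane.decide("agent-a", "place_order", approved_by="alice"))
    del plane.registry["place_order"]  # the "kill switch"
    print(plane.decide("agent-a", "place_order"))
```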

THE FOUNDER

Naveen, founder of Raksha AI

Built by Naveen Vandanapu.

25 years of deep technical expertise building platforms that survive production. Named inventor on 14 patents — and two new provisional patent applications filed at Raksha AI.

"I've spent my career building platforms and applications — and studying every way they fail: edge cases, cascading incidents, systems that weren't resilient at the scale reality demanded. The lesson never changed: you don't hope a system behaves. You engineer it to.

AI agents raise the stakes. They act faster than a human can react — and without controls, everyone is just hoping for the best. Raksha is me carrying everything I've learned about building safe, resilient systems into the layer this era needs: governance for agentic AI. It's open and self-hosted — your environment, your data, nothing phones home."

— Naveen Vandanapu

Stand between your agents and your systems.

from zero to governed · minutes
$ curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh