§ DOCUMENTATION
Agent Governance Suite
Tiered autonomy, real-time cost controls, an agent registry, permission-drift detection, MCP tool-supply-chain governance, eval-to-policy suggestions, and data-access lineage — the controls that make Execlave an AI Agent Management Platform.
Every feature on this page is additive and backwards-compatible. Each is released behind an organization feature flag and rolled out gradually, so enabling one never changes the behaviour of your existing agents, policies, or SDK calls.
Tiered Governance Templates
Declare a single autonomy_level per agent and Execlave applies a curated bundle of controls for that tier. Any policy that does not fit the tier is flagged as a transparent “tier override” with an audit trail — uniform governance is the #1 cause of agent-project failure, so each tier gets the controls it actually needs.
| Level | Intent | Representative controls |
|---|---|---|
observe | Read-only, lightweight | injection scan, PII access (warn) |
advise | Read-only + quality gates | + quality threshold, output classifier |
act_with_approval | Writes, human-gated | + action approval, access control (block) |
autonomous | Writes + guardrails | + cost & budget caps, external-call & record-count limits |
# Pythonexe.register_agent(agent_id="support-bot", autonomy_level="act_with_approval") // TypeScriptexe.registerAgent({ agentId: 'support-bot', autonomyLevel: 'act_with_approval' });Real-Time Cost Circuit Breaker
1m / 1h / 1d / 1mo windows. Burn-rate alerts warn you before a cap is breached. If the cache backing the counters is ever unavailable the breaker fails open, so it never blocks legitimate traffic.POST /api/v1/cost-budget-rules{ "scope": "agent", // org | agent | user | workspace "scopeId": null, // null = applies per-entity (per agent here) "window": "1h", // 1m | 1h | 1d | 1mo "capUsd": 10, // dollars "action": "block", // warn | block | pause_agent "warningThresholdPct": 80, "burnRateAlertEnabled": true}| Action | Behaviour |
|---|---|
warn | Surfaces the rule in warnings; request continues. |
block | Denies the request and audits cost_circuit_breaker.tripped. |
pause_agent | Blocks and flags the agent for pause. |
Agent Registry & Lifecycle
One inventory of every agent with its lifecycle state (draft → testing → production → deprecated → retired), version history with diff and one-click rollback, and automatic detection of shadow agents (calling the API without being registered) and orphaned agents (registered but idle). Versioning is automatic on every create/update — your existing calls are unchanged. Optionally tag deploys from CI:
# Python — optional, additiveexe.report_agent_metadata(agent_id="bot-1", version_label="v2.1.0", git_commit="abc123") // TypeScriptexe.reportAgentMetadata({ agentId: 'bot-1', versionLabel: 'v2.1.0', gitCommit: 'abc123' });Permission Drift Detection
Capture a baseline of each agent’s effective permissions and let Execlave watch for drift continuously — auditor-ready evidence of least-privilege for HIPAA, GDPR, and CCPA.
| Drift type | What it catches |
|---|---|
privilege_added | New tool, data source, or domain since baseline (critical for delete/PII grants). |
privilege_removed | A permission disappeared — usually intentional. |
unused_detected | Granted but never invoked in N days — over-privilege. |
anomalous_access | Agent touched a resource it had never used before. |
Open events appear on the drift dashboard and flow into compliance reports; high and critical events can notify your configured channels.
Eval-to-Policy Suggestions
Observations — cost spikes, repeated PII leaks, novel external domains, eval failures — become suggested policies, scored by confidence. You stay in control: review the rationale and evidence, then accept, modify-and-accept, or reject. Nothing is ever auto-applied, and every decision is audited. Push your own eval failures via POST /api/v1/policy-suggestions/eval-failure.
Data Access Lineage
// TypeScript — annotate what data a run touched (metadata only, never values)trace.dataAccess = [{ source: 'postgres://prod/customers_db', resourcePath: 'users', fields: ['email', 'phone'], classifications: ['pii.email', 'pii.phone'], recordCount: 42, purpose: 'answer support question',}];MCP Tool Integrity
Pin a per-agent baseline of approved (server, tool, descriptor hash) tuples, then diff the live descriptor on every enforce call. A changed hash, an unapproved tool or server, or a poisoned description is blocked (or routed for approval) the instant it happens — the defense built for tool poisoning, the highest-leverage MCP attack of 2026. Enabled with the tool_integrity policy type; gated by the FF_TOOL_INTEGRITY flag and fail-open, so it never blocks legitimate traffic on an internal error.
| Event type | What it catches | Severity |
|---|---|---|
unapproved_tool | A tool or server not in the pinned baseline was presented. | high → critical |
descriptor_drift | A pinned tool’s descriptor hash changed since the baseline. | high → critical |
poisoning_suspected | A description matched injection / exfiltration patterns. | critical |
unused_tool | A baseline tool never seen in a tool call over the lookback window. | low |
# Python — pin the approved MCP tool descriptors for an agentexe.report_tool_baseline(agent_id="ops-agent", descriptors=[ exe.tool_descriptor(server="github", tool="read_file", descriptor=tool_def),]) // TypeScript — enforce diffs the live descriptor against the pinned baselineawait exe.enforcePolicy({ agentId: 'ops-agent', toolDescriptors: [exe.toolDescriptor({ server: 'github', tool: 'read_file', descriptor: liveDef })],}); // throws ToolIntegrityError if the descriptor drifted or the tool is unapprovedDrift events appear on the /dashboard/governance/tool-integrity board with one-click re-pin after a reviewed update, and roll into the OWASP-Agentic tool-misuse posture in compliance reports. See the Tool Integrity overview for the threat model and how it compares to MCP gateways and prompt firewalls.
Incident Response & SIEM
Policy violations are first-class trace statuses that stream into your security stack: Splunk (HEC + SPL saved-search pack), Microsoft Sentinel (Logs Ingestion API + KQL analytics rules), or any OTLP backend. The full detect-triage-contain-evidence runbook is documented in the incident response workflow.
IAM Binding — Workload Identity Federation
Federate agent identity from Microsoft Entra ID: an Azure workload exchanges its Entra-issued token for a short-lived Execlave agent credential, so no long-lived Execlave secret ships with the agent and your IdP lifecycle governs issuance. Setup, the exchange flow, and the security model are documented in IAM Binding.
Rollout & availability
These features are gated per organization and enabled during staged rollout. If a governance dashboard or API returns 404, the feature is not yet enabled for your org — contact support to join the rollout. SDK additions (autonomy_level, report_agent_metadata, dataAccess) are safe to adopt now: older servers simply ignore them.