Skip to content
Back to home

§ DOCUMENTATION

Agent Governance Suite

Tiered autonomy, real-time cost controls, an agent registry, permission-drift detection, MCP tool-supply-chain governance, eval-to-policy suggestions, and data-access lineage — the controls that make Execlave an AI Agent Management Platform.

Every feature on this page is additive and backwards-compatible. Each is released behind an organization feature flag and rolled out gradually, so enabling one never changes the behaviour of your existing agents, policies, or SDK calls.

§ 01

Tiered Governance Templates

Declare a single autonomy_level per agent and Execlave applies a curated bundle of controls for that tier. Any policy that does not fit the tier is flagged as a transparent “tier override” with an audit trail — uniform governance is the #1 cause of agent-project failure, so each tier gets the controls it actually needs.

LevelIntentRepresentative controls
observeRead-only, lightweightinjection scan, PII access (warn)
adviseRead-only + quality gates+ quality threshold, output classifier
act_with_approvalWrites, human-gated+ action approval, access control (block)
autonomousWrites + guardrails+ cost & budget caps, external-call & record-count limits
# Pythonexe.register_agent(agent_id="support-bot", autonomy_level="act_with_approval") // TypeScriptexe.registerAgent({ agentId: 'support-bot', autonomyLevel: 'act_with_approval' });
§ 02

Real-Time Cost Circuit Breaker

Synchronous, multi-window spend caps enforced before the model call — a runaway agent is stopped mid-burst, not after the next billing cycle. Set caps per organization, agent, user, or workspace over 1m / 1h / 1d / 1mo windows. Burn-rate alerts warn you before a cap is breached. If the cache backing the counters is ever unavailable the breaker fails open, so it never blocks legitimate traffic.
POST /api/v1/cost-budget-rules{  "scope": "agent",      // org | agent | user | workspace  "scopeId": null,        // null = applies per-entity (per agent here)  "window": "1h",        // 1m | 1h | 1d | 1mo  "capUsd": 10,           // dollars  "action": "block",     // warn | block | pause_agent  "warningThresholdPct": 80,  "burnRateAlertEnabled": true}
ActionBehaviour
warnSurfaces the rule in warnings; request continues.
blockDenies the request and audits cost_circuit_breaker.tripped.
pause_agentBlocks and flags the agent for pause.
§ 03

Agent Registry & Lifecycle

One inventory of every agent with its lifecycle state (draft → testing → production → deprecated → retired), version history with diff and one-click rollback, and automatic detection of shadow agents (calling the API without being registered) and orphaned agents (registered but idle). Versioning is automatic on every create/update — your existing calls are unchanged. Optionally tag deploys from CI:

# Python — optional, additiveexe.report_agent_metadata(agent_id="bot-1", version_label="v2.1.0",                          git_commit="abc123") // TypeScriptexe.reportAgentMetadata({ agentId: 'bot-1', versionLabel: 'v2.1.0',                          gitCommit: 'abc123' });
§ 04

Permission Drift Detection

Capture a baseline of each agent’s effective permissions and let Execlave watch for drift continuously — auditor-ready evidence of least-privilege for HIPAA, GDPR, and CCPA.

Drift typeWhat it catches
privilege_addedNew tool, data source, or domain since baseline (critical for delete/PII grants).
privilege_removedA permission disappeared — usually intentional.
unused_detectedGranted but never invoked in N days — over-privilege.
anomalous_accessAgent touched a resource it had never used before.

Open events appear on the drift dashboard and flow into compliance reports; high and critical events can notify your configured channels.

§ 05

Eval-to-Policy Suggestions

Observations — cost spikes, repeated PII leaks, novel external domains, eval failures — become suggested policies, scored by confidence. You stay in control: review the rationale and evidence, then accept, modify-and-accept, or reject. Nothing is ever auto-applied, and every decision is audited. Push your own eval failures via POST /api/v1/policy-suggestions/eval-failure.

§ 06

Data Access Lineage

Record which data each run touched — source, fields, classification, record count — as first-class spans for EU AI Act Article 10 evidence. Field names are stored; field values never are. Don’t want to annotate? An auto-classifier infers classifications from field-name patterns, so you get value without an SDK change.
// TypeScript — annotate what data a run touched (metadata only, never values)trace.dataAccess = [{  source: 'postgres://prod/customers_db',  resourcePath: 'users',  fields: ['email', 'phone'],  classifications: ['pii.email', 'pii.phone'],  recordCount: 42,  purpose: 'answer support question',}];
§ 07

MCP Tool Integrity

Pin a per-agent baseline of approved (server, tool, descriptor hash) tuples, then diff the live descriptor on every enforce call. A changed hash, an unapproved tool or server, or a poisoned description is blocked (or routed for approval) the instant it happens — the defense built for tool poisoning, the highest-leverage MCP attack of 2026. Enabled with the tool_integrity policy type; gated by the FF_TOOL_INTEGRITY flag and fail-open, so it never blocks legitimate traffic on an internal error.

Event typeWhat it catchesSeverity
unapproved_toolA tool or server not in the pinned baseline was presented.high → critical
descriptor_driftA pinned tool’s descriptor hash changed since the baseline.high → critical
poisoning_suspectedA description matched injection / exfiltration patterns.critical
unused_toolA baseline tool never seen in a tool call over the lookback window.low
# Python — pin the approved MCP tool descriptors for an agentexe.report_tool_baseline(agent_id="ops-agent", descriptors=[    exe.tool_descriptor(server="github", tool="read_file", descriptor=tool_def),]) // TypeScript — enforce diffs the live descriptor against the pinned baselineawait exe.enforcePolicy({  agentId: 'ops-agent',  toolDescriptors: [exe.toolDescriptor({ server: 'github', tool: 'read_file', descriptor: liveDef })],});  // throws ToolIntegrityError if the descriptor drifted or the tool is unapproved

Drift events appear on the /dashboard/governance/tool-integrity board with one-click re-pin after a reviewed update, and roll into the OWASP-Agentic tool-misuse posture in compliance reports. See the Tool Integrity overview for the threat model and how it compares to MCP gateways and prompt firewalls.

§ 08

Incident Response & SIEM

Policy violations are first-class trace statuses that stream into your security stack: Splunk (HEC + SPL saved-search pack), Microsoft Sentinel (Logs Ingestion API + KQL analytics rules), or any OTLP backend. The full detect-triage-contain-evidence runbook is documented in the incident response workflow.

§ 09

IAM Binding — Workload Identity Federation

Federate agent identity from Microsoft Entra ID: an Azure workload exchanges its Entra-issued token for a short-lived Execlave agent credential, so no long-lived Execlave secret ships with the agent and your IdP lifecycle governs issuance. Setup, the exchange flow, and the security model are documented in IAM Binding.

§ 10

Rollout & availability

These features are gated per organization and enabled during staged rollout. If a governance dashboard or API returns 404, the feature is not yet enabled for your org — contact support to join the rollout. SDK additions (autonomy_level, report_agent_metadata, dataAccess) are safe to adopt now: older servers simply ignore them.

Agent Governance Suite — Execlave Docs