
§ FAQ

Frequently asked questions.

The questions every buyer asks us before they sign.

§ ANSWERS

Everything buyers ask before rollout

Answers based on real deployment, compliance, and security requirements.

Q. 01 How fast is the enforcement layer?

Enforcement decisions complete in under 20ms at p50 and under 30ms at p99 on a local deployment with 10 concurrent connections. Your agent's user-facing latency is dominated by model inference, not Execlave.

Q. 02 Can I run Execlave on my own infrastructure?

Yes. Self-hosted deployment is included on every paid plan and the free tier. You get the same Docker images we run in our cloud, plus a JWT license key. Your data never leaves your network. See the self-hosted page for details.

Q. 03 Which compliance frameworks does Execlave cover?

SOC 2 Type II, ISO 27001, EU AI Act, GDPR, HIPAA, PCI DSS, and NIST AI RMF. Compliance reports are generated from your actual audit log — not from a questionnaire — and map to the specific controls each framework requires (CC6.1, A.9.1, Art. 14, Art. 30, §164.308, etc.).

Q. 04 How is this different from Guardrails / Lakera / Promptfoo?

Those tools focus on input/output validation at the prompt layer. Execlave is the governance layer one level deeper: it sits between the agent and the systems it can act on (tools, APIs, databases, files). Prompt validation catches some attacks; tool-level enforcement catches all of them, plus produces the audit trail your compliance team needs. They are complementary, not competing.

Q. 05 Is Execlave an AI Agent Management Platform (AMP)?

Yes. Beyond runtime enforcement, Execlave provides the full agent-management control plane: tiered autonomy governance, a real-time cost circuit breaker, an agent registry with lifecycle and versioning, permission-drift detection, eval-to-policy suggestions, and data-access lineage. These are the controls Gartner and Forrester associate with the emerging AI Agent Management / Agent Control Plane category — available today, in cloud or self-hosted.

Q. 06 Does Execlave detect permission drift or privilege escalation in AI agents?

Yes. Execlave baselines each agent’s tools, data sources, and permissions, then continuously detects drift: privilege escalation (new tools or domains it was never granted), anomalous access to sensitive or PII data, and unused over-privileged permissions it no longer needs. High-severity drift fires a notification through your configured channels, and the permission posture is included in compliance reports.
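The three drift categories in this answer reduce to comparisons against a per-agent baseline. The sketch below is an added illustration, not Execlave's code; the event schema, function names, severity labels and the 30-day lookback are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One audited agent action (constructed schema, not a product format)."""
    ts: datetime
    tool: str
    data_class: str  # e.g. "public", "internal", "pii"

def detect_drift(baseline_tools, baseline_classes, granted_tools, events,
                 now, unused_after=timedelta(days=30)):
    """Return (severity, kind, subject) findings for one agent."""
    baseline_tools, granted_tools = set(baseline_tools), set(granted_tools)
    findings = []
    # Privilege escalation: tools granted or called that the baseline never had.
    used = {e.tool for e in events}
    for tool in sorted((granted_tools | used) - baseline_tools):
        findings.append(("high", "escalation", tool))
    # Anomalous access: a data class absent from the baseline; PII ranks highest.
    for cls in sorted({e.data_class for e in events} - set(baseline_classes)):
        sev = "high" if cls == "pii" else "medium"
        findings.append((sev, "anomalous_access", cls))
    # Unused over-privilege: baselined grant with no call inside the lookback.
    recent = {e.tool for e in events if now - e.ts <= unused_after}
    for tool in sorted((granted_tools & baseline_tools) - recent):
        findings.append(("low", "unused_permission", tool))
    return findings

def to_notify(findings):
    """Only high-severity drift is sent to notification channels."""
    return [f for f in findings if f[0] == "high"]

# Constructed sample data for a single agent.
NOW = datetime(2025, 1, 31)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(days=1), "search_kb", "internal"),
    Event(NOW - timedelta(days=2), "send_email", "pii"),
    Event(NOW - timedelta(days=45), "read_crm", "internal"),
]

def demo():
    return detect_drift(
        baseline_tools={"search_kb", "read_crm", "export_csv"},
        baseline_classes={"public", "internal"},
        granted_tools={"search_kb", "read_crm", "export_csv", "send_email"},
        events=SAMPLE_EVENTS, now=NOW)
```

A tool that was never baselined is reported once as escalation and is not also counted as unused, so each finding maps to a single remediation.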

Q. 07 Can Execlave cap AI agent spend in real time?

Yes. The real-time cost circuit breaker enforces spend caps synchronously in the policy path — per organization, agent, user, or workspace, across 1-minute, 1-hour, 1-day, and 1-month windows. It can warn, block, or pause the agent when a cap is hit, and burn-rate alerting warns you when projected spend will breach a budget before it actually does, rather than reconciling after the bill.

Q. 08 Does Execlave have tiered agent autonomy and auto-suggest policies?

Yes to both. You assign each agent an autonomy level — observe, advise, act-with-approval, or autonomous — and Execlave applies the recommended policy bundle for that tier, flagging drift when an agent’s policies no longer match its level. Separately, eval-to-policy suggestions turn detected anomalies, violation patterns, and eval failures into proposed policies with confidence scoring; you accept, modify-and-accept, or reject — nothing is auto-enforced.

Q. 09 What does it actually cost to switch off Execlave once we're using it?

The Execlave audit chain is the only place where every action your agents took on customer data is recorded in a tamper-proof, auditor-acceptable format. After 90 days of use, removing Execlave doesn't just remove a tool — it removes your compliance evidence. Most customers treat this as a feature. We treat it as honesty.

Q. 10 Who owns my data?

You do. In cloud mode, your data is encrypted at rest, isolated by organization via Postgres Row-Level Security, and never used to train any model. In self-hosted mode, we never see your data — it lives entirely on your infrastructure. We can prove this because the only thing that crosses the boundary in self-hosted is a license heartbeat (no customer data, just a fingerprint and a timestamp).
