# Execlave

> Execlave is the enforcement infrastructure that sits between your AI agents and the real world — making sure they cannot do anything your company hasn't explicitly allowed, and generating the proof that they didn't.

Execlave is an AI agent governance and enforcement platform — an AI Agent Management Platform (AMP): sub-20ms policy enforcement, 19 built-in policy types, 7 supported compliance frameworks, and a sub-15ms kill switch. Beyond runtime enforcement, Execlave provides the full agent-management control plane: tiered autonomy governance, a real-time cost circuit breaker, an agent registry with lifecycle and versioning, permission-drift detection, eval-to-policy suggestions, and data-access lineage. Every agent action emits a hash-chained audit record for compliance. Deploy in the cloud or self-hosted (your data never leaves your network; only a 24-hour license heartbeat crosses the boundary). First-class SDKs for TypeScript/JavaScript and Python, plus a CLI.

## Governance capabilities (AI Agent Management Platform)

- **Tiered autonomy governance**: assign each agent an autonomy level (observe, advise, act-with-approval, autonomous) and auto-apply the recommended policy bundle for that tier; drift detection flags when an agent's policies no longer match its tier.
- **Real-time cost circuit breaker**: synchronous per-org/agent/user/workspace spend caps enforced in the policy path (1m/1h/1d/1mo windows) with burn-rate alerting before a budget is breached — not post-hoc.
- **Agent registry & lifecycle**: inventory every agent with lifecycle state (draft → testing → production → deprecated → retired), immutable version history, diffing, one-click rollback, and shadow-agent detection for agents calling the API without registration.
- **Permission-drift detection**: baseline each agent's tools, data sources, and permissions, then detect privilege escalation, anomalous access to sensitive/PII data, and unused (over-privileged) permissions.
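
Permission-drift detection, as the bullet above describes it, reduces to a baseline-versus-observed comparison; the sketch below is an added illustration, not Execlave's code, and its Baseline/Observed shapes, the `<source>:<data class>` labelling convention and the severity tiering are assumptions.

```python
from dataclasses import dataclass

# Data classes the page names as sensitive; anything else is treated as non-sensitive here.
SENSITIVE_CLASSES = {"confidential", "pii", "phi", "pci"}

@dataclass(frozen=True)
class Baseline:
    """What was approved when the agent was registered (constructed shape, hypothetical)."""
    tools: frozenset
    data_sources: frozenset   # "<source>:<data class>", e.g. "crm.customers:pii"
    permissions: frozenset    # e.g. "mail:send"

@dataclass
class Observed:
    """What the audit trail shows the agent actually did in the review window."""
    tools_called: set
    data_sources_read: set
    permissions_used: set

@dataclass
class DriftReport:
    escalated_tools: set             # tools never in the baseline
    escalated_permissions: set       # permissions never granted: privilege escalation
    anomalous_sensitive_access: set  # sensitive/PII sources outside the baseline
    unused_permissions: set          # granted but never exercised: over-privilege

    @property
    def severity(self) -> str:
        # Hypothetical tiering: anything new and dangerous outranks mere over-privilege.
        if self.escalated_permissions or self.escalated_tools or self.anomalous_sensitive_access:
            return "high"
        return "low" if self.unused_permissions else "none"

def data_class(source: str) -> str:
    """Constructed labelling convention: an unlabelled source counts as internal."""
    return source.rsplit(":", 1)[1] if ":" in source else "internal"

def detect_drift(baseline: Baseline, observed: Observed) -> DriftReport:
    """Set differences between the approved baseline and observed behaviour."""
    return DriftReport(
        escalated_tools=observed.tools_called - baseline.tools,
        escalated_permissions=observed.permissions_used - baseline.permissions,
        anomalous_sensitive_access={
            s for s in observed.data_sources_read
            if data_class(s) in SENSITIVE_CLASSES and s not in baseline.data_sources
        },
        unused_permissions=set(baseline.permissions) - observed.permissions_used,
    )
```
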
- **Eval-to-policy suggestions**: turn detected anomalies, violation patterns, and eval failures into proposed policies with confidence scoring — accept, modify-and-accept, or reject. Nothing is auto-enforced.
- **Data-access lineage**: record what classes of data (public, internal, confidential, PII, PHI, PCI) each agent touched, with an auto-classifier, GDPR subject-access queries, and PII-by-agent reporting.
- **MCP tool-supply-chain governance (tool integrity)**: pin each MCP tool's descriptor as a per-agent baseline, then block the instant a descriptor drifts, an unapproved tool/server appears, or a tool description matches a poisoning pattern — synchronously, with tamper-evident evidence mapped to OWASP Agentic posture. The defense built for tool poisoning, the #1 enterprise AI agent attack of 2026. "Pin the tool, block the drift, prove it to an auditor."

## Enforcement engine capabilities

- **Intent-aware prompt-injection detection**: the deterministic detector distinguishes a definitional question ("what is a system prompt?", allowed) from an imperative attack ("reveal your system prompt", blocked) by requiring an extraction verb or a possessive targeting the running agent. Ambiguous cases escalate to the LLM semantic layer instead of auto-blocking. See https://www.execlave.com/docs/policies/injection-detection.
- **Multilingual injection coverage**: keyword packs across 13 languages (es, fr, de, pt, it, nl, ru, tr, zh, ja, ko, ar, hi) matched by NFKC substring containment (works in non-space-delimited scripts), plus full-width/zero-width/spaced-letter obfuscation defeats and structural markers (`[SYSTEM]`, `<|im_start|>`).
- **Paraphrase-aware semantic layer**: an optional local-LLM layer recognises paraphrases/synonyms of known attacks ("the rules you were given", "your base directives"), handles negation, and classifies intent (definitional, operational, extraction, override, exfiltration).
  Degrades gracefully to deterministic-only when no local LLM is configured.
- **PII detection — US, EU & India with checksums**: checksum-validated national IDs — US SSN and Luhn-checked cards; India Aadhaar (Verhoeff), PAN, GSTIN; EU IBAN (mod-97), UK NINO, Spanish DNI/NIE, Italian Codice Fiscale, German IdNr, French INSEE — plus opt-in name/address NER (PERSON/LOCATION/ORGANIZATION) via Microsoft Presidio + GLiNER. Two-tier and latency-bounded. See https://www.execlave.com/docs/policies/pii-detection.
- **Configurable failure mode**: every policy carries a `failure_mode` — `fail_open` (default, abstains on a detector/DB/LLM error so an outage never blocks legitimate traffic) or `fail_closed` (treats an evaluation error as a violation) — for compliance-grade controls. Multi-policy decisions combine deterministically by severity (block > require_approval > warn > monitor), independent of evaluation order. Matching is secure-by-default: case-insensitive tool/action names, NFKC token-boundary content matching, bare-public-suffix allowlist rejection, and finite-number cost/record guards.

## Runtime governance & agent identity

All of the following ship behind default-OFF feature flags; with the flag off, prior behavior is preserved.

- **Approval Workflows 2.0**: human-in-the-loop `require_approval` enforcement, extended with a computed risk score and level, risk-based routing to an approver tier (standard / group / named_approver), SLA escalation of overdue requests, and a continuous authorization-certificate verification loop — turning a one-time gate into an ongoing evidence trail. See https://www.execlave.com/docs/governance/approval-workflows.
- **Agent Identity**: issue short-lived RS256-signed agent credentials (`exe_agt_` JWTs, ~15-minute TTL) and verify them offline against a public JWKS endpoint at `/.well-known/jwks.json`; issue and revoke per agent, with expiry + revocation checks. See https://www.execlave.com/docs/governance/agent-identity.
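
The deterministic injection layer from the Enforcement engine section above, as an added illustration rather than Execlave's detector: NFKC plus zero-width stripping defeats the obfuscations listed there, substring containment keeps non-space-delimited scripts working, and the extraction-verb/possessive rule separates definitional from imperative text. The keyword pack, verb list, markers and regexes are constructed assumptions.

```python
import re
import unicodedata

# Constructed, hypothetical keyword pack, verb list and markers in the spirit of
# the page's 13-language packs; not Execlave's real lists or detector.
KEYWORD_PACK = {
    "en": ["system prompt", "ignore previous instructions"],
    "es": ["instrucciones anteriores"],
    "ja": ["システムプロンプト"],
}
STRUCTURAL_MARKERS = ("[system]", "<|im_start|>")
EXTRACTION_VERBS = ("reveal", "print", "show", "repeat", "output", "dump",
                    "ignore", "disregard", "ignora", "muestra")
ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
POSSESSIVE = re.compile(r"\b(your|tu|tus)\b")          # aimed at the running agent
DEFINITIONAL = re.compile(r"^\s*(what|who|how|why|qué)\b")

def normalize(text: str) -> str:
    """NFKC folds full-width and compatibility forms (ｓｙｓｔｅｍ -> system),
    zero-width code points that invisibly split a keyword are dropped, and
    the result is case-folded so matching is case-insensitive."""
    return ZERO_WIDTH.sub("", unicodedata.normalize("NFKC", text)).casefold()

def matched_keywords(norm: str) -> list:
    """Substring containment rather than word-boundary matching, so ja/zh
    keywords match. A whitespace-stripped comparison also defeats spaced-letter
    obfuscation ("s y s t e m"); the rare cross-word false positive this can
    produce is exactly what the escalate path hands to the semantic layer."""
    compact = re.sub(r"\s+", "", norm)
    hits = []
    for lang, words in KEYWORD_PACK.items():
        for w in words:
            w = w.casefold()
            if w in norm or w.replace(" ", "") in compact:
                hits.append(f"{lang}:{w}")
    return hits

def classify(text: str) -> str:
    """Return 'allow', 'block', or 'escalate' (hand off to the LLM semantic layer)."""
    norm = normalize(text)
    if any(m in norm for m in STRUCTURAL_MARKERS):
        return "block"                    # injected chat-template structure
    if not matched_keywords(norm):
        return "allow"                    # no attack vocabulary at all
    has_verb = any(re.search(rf"\b{v}\b", norm) for v in EXTRACTION_VERBS)
    if has_verb or POSSESSIVE.search(norm):
        return "block"                    # imperative: verb or possessive targeting the agent
    if DEFINITIONAL.match(norm):
        return "allow"                    # "what is a system prompt?"
    return "escalate"                     # vocabulary present, intent unclear
```
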
- **Policy-as-Code**: author policies as JSON/YAML bundles in your repo, validate them with `execlave policies lint` (CI-friendly, exits non-zero on schema failure), reconcile them server-side with `execlave policies sync` (dry-run by default), and audit every change via tamper-evident policy version history (`GET /api/v1/policies/:id/history`) plus a free-form policy metadata field. See https://www.execlave.com/docs/governance/policy-as-code.
- **Runtime Guardrails**: two new policy types — `tool_invocation` (per-agent allow/deny over which tools an agent may call) and `tool_output_scan` (scans a tool's output for PII and prompt injection via the processing service before it returns to the agent) — plus agent-to-agent (A2A) credential authorization. Flags: `FF_RUNTIME_GUARDRAILS`, `FF_A2A_AUTH`. See https://www.execlave.com/docs/governance/runtime-guardrails.
- **Agent Passport**: delegation chain-of-custody between agents, capability inheritance (a delegate inherits only a subset of its delegator's tools), revocation cascade (revoking a delegation revokes everything downstream), declared-vs-observed tool diff (shadow tool detection), and a non-human-identity (NHI) inventory. Flag: `AGENT_PASSPORT_ENABLED`. See https://www.execlave.com/docs/governance/agent-passport.
- **Red-Team Gate**: `execlave test` runs an adversarial probe suite against an agent and computes a resilience score; autonomous-tier promotion is blocked unless the agent passes a minimum resilience (0.9 by default). Flag: `FF_REDTEAM_GATE`. See https://www.execlave.com/docs/governance/red-team-gate.
- **AI FinOps**: tag traces with cost_center / project / team, export chargeback CSV (`GET /api/v1/cost/report`), set budget caps with spend-vs-cap status, and forecast month-end spend. See https://www.execlave.com/docs/governance/ai-finops.
- **Drift Signal**: detects behavioral drift — `new_tool_usage`, `denial_rate_shift`, `new_data_class` — and automatically downgrades an agent's autonomy on high-severity drift.
  Flag: `FF_DRIFT_SIGNAL`. See https://www.execlave.com/docs/governance/drift-signal.
- **Groundedness, OPA Rego & Agent Lineage**: three additional policy types. `groundedness` scores an agent response's faithfulness against a supplied RAG context locally with zero egress (no model call) — the on-prem answer to cloud-only hallucination/groundedness detection. `rego` evaluates your existing Open Policy Agent (Rego) policies as a local WASM enforcement rule, so you reuse the exact policy your security team reviewed. `agent_lineage` enforces multi-agent delegation chains — bounding delegation depth, blocking denied agents anywhere in the chain, and constraining which agents may delegate to which.
- **Air-gapped & federated**: fully offline (air-gapped) license validation that makes zero network calls — for sovereign / disconnected deployments that cloud-only governance products structurally cannot match; optional HMAC request signing between the SDK and server (replay-protected); and signed, portable policy export for federated multi-instance sync where ONLY policy definitions cross the boundary — never audit or agent-interaction data.

## Product

- [Platform](https://www.execlave.com/platform): How runtime policy enforcement, monitoring, prompt versioning, and kill switches work.
- [Solutions by team](https://www.execlave.com/solutions): Entry points for platform engineering, security, and GRC teams.
- [For platform engineering](https://www.execlave.com/solutions/platform-engineering): SDK integration, registry & lifecycle, cost circuit breaker, kill switch, benchmarks.
- [For security teams](https://www.execlave.com/solutions/security): Injection/PII defense, MCP tool integrity, red-team gating, SIEM routing, incident response.
- [For GRC teams](https://www.execlave.com/solutions/grc): Signed compliance reports across 7 frameworks, hash-chained audit trail, EU AI Act article mapping.
- [MCP tool governance](https://www.execlave.com/platform/tool-integrity): Descriptor pinning, drift/poisoning blocking, and tamper-evident evidence for MCP tools.
- [Use cases](https://www.execlave.com/use-cases): Where Execlave is applied across AI agent deployments.
- [Pricing](https://www.execlave.com/pricing): Free, Starter ($199/mo), Professional ($599/mo), and custom Enterprise. Same product in cloud or self-hosted.
- [Compliance](https://www.execlave.com/compliance): Supported frameworks and how Execlave maps to them.
- [EU AI Act hub](https://www.execlave.com/eu-ai-act): What the EU AI Act requires of AI agent operators and how Execlave produces the evidence.
- [Benchmarks](https://www.execlave.com/benchmarks): Published, reproducible enforcement-latency benchmarks (in-process and server-side, p50/p95/p99).
- [Governance assessment](https://www.execlave.com/governance-assessment): Free interactive quiz scoring your AI agent governance maturity.
- [ROI calculator](https://www.execlave.com/roi-calculator): Estimate the cost of ungoverned agents versus governed ones.
- [Security](https://www.execlave.com/security): Security posture and data handling.

## Docs

- [Docs home](https://www.execlave.com/docs)
- [Getting started](https://www.execlave.com/docs/getting-started): Add governance to an app in under 5 minutes (TypeScript or Python).
- [Agent governance suite (AMP)](https://www.execlave.com/docs/governance): Tiered autonomy, real-time cost controls, agent registry & lifecycle, permission-drift detection, eval-to-policy suggestions, and data-access lineage.
- [Approval Workflows 2.0](https://www.execlave.com/docs/governance/approval-workflows): Risk scoring, tier routing, SLA escalation, and continuous authorization certificates.
- [Agent Identity](https://www.execlave.com/docs/governance/agent-identity): RS256 `exe_agt_` credentials and a public JWKS endpoint for verifiable agent identity.
- [Policy-as-Code](https://www.execlave.com/docs/governance/policy-as-code): `execlave policies lint` / `sync`, policy version history, and metadata.
- [Runtime Guardrails](https://www.execlave.com/docs/governance/runtime-guardrails): Tool-invocation policy, tool-output PII/injection scanning, and agent-to-agent auth.
- [Agent Passport](https://www.execlave.com/docs/governance/agent-passport): Delegation chain-of-custody, revocation cascade, shadow-tool diff, and NHI inventory.
- [Red-Team Gate](https://www.execlave.com/docs/governance/red-team-gate): Adversarial resilience scoring that gates promotion to autonomous.
- [AI FinOps](https://www.execlave.com/docs/governance/ai-finops): Cost attribution, chargeback CSV, budget caps, and month-end cost forecasting.
- [Drift Signal](https://www.execlave.com/docs/governance/drift-signal): Behavioral drift detection that auto-downgrades agent autonomy.
- [IAM Binding / workload identity federation](https://www.execlave.com/docs/governance/iam-binding): Bind agents to Microsoft Entra workload identities and exchange Entra tokens for short-lived Execlave credentials — no static API keys.
- [Incident response workflow](https://www.execlave.com/docs/governance/incident-response): Six-stage runbook for AI agent incidents — detect, route, triage, contain, evidence, close.
- [Reference deployment](https://www.execlave.com/docs/reference-deployment): A governed two-agent production architecture end to end — stack, autonomy tiers, policy set, measured enforcement latency, SIEM routing.
- [SDK reference](https://www.execlave.com/docs/sdk-reference)
- [API reference](https://www.execlave.com/docs/api-reference)
- [CLI](https://www.execlave.com/docs/cli)
- [Policies](https://www.execlave.com/docs/policies) · [Injection detection](https://www.execlave.com/docs/policies/injection-detection) · [PII detection](https://www.execlave.com/docs/policies/pii-detection) · [Expressions](https://www.execlave.com/docs/policies/expressions) · [Chaining](https://www.execlave.com/docs/policies/chaining)
- [Validators](https://www.execlave.com/docs/validators)
- [Self-hosted deployment](https://www.execlave.com/docs/self-hosted)
- [EU AI Act guide](https://www.execlave.com/docs/compliance/eu-ai-act)

## Integrations

- [Integrations overview](https://www.execlave.com/docs/integrations)
- [LangChain](https://www.execlave.com/docs/integrations/langchain)
- [OpenAI Agents SDK](https://www.execlave.com/docs/integrations/openai-agents)
- [CrewAI](https://www.execlave.com/docs/integrations/crewai)
- [LlamaIndex](https://www.execlave.com/docs/integrations/llamaindex)
- [AutoGen](https://www.execlave.com/docs/integrations/autogen)
- [OpenAI Chat Completions](https://www.execlave.com/docs/integrations/openai-chat)
- [Model Context Protocol](https://www.execlave.com/docs/integrations/mcp)
- [n8n](https://www.execlave.com/docs/integrations/n8n)
- [Splunk](https://www.execlave.com/docs/integrations/splunk): Stream traces and enforcement decisions to Splunk via HTTP Event Collector, with SPL saved searches.
- [Microsoft Sentinel](https://www.execlave.com/docs/integrations/sentinel): Route governance events into Sentinel via the Azure Monitor Logs Ingestion API, with KQL analytics rules.
- [Datadog](https://www.execlave.com/docs/integrations/datadog): Stream traces and governance context into Datadog Log Management via the Logs intake API.
## Comparisons

- [Execlave vs Credo AI](https://www.execlave.com/blog/execlave-vs-credo-ai)
- [Execlave vs Microsoft Agent Governance](https://www.execlave.com/blog/execlave-vs-microsoft-agent-governance)
- [Execlave vs Lakera](https://www.execlave.com/blog/execlave-vs-lakera)
- [Execlave vs Invariant Labs](https://www.execlave.com/blog/execlave-vs-invariant-labs)
- [Microsoft Agent Governance Toolkit comparison](https://www.execlave.com/docs/comparisons/microsoft-agent-governance-toolkit)
- [LangSmith comparison](https://www.execlave.com/docs/comparisons/langsmith)
- [Zenity comparison](https://www.execlave.com/docs/comparisons/zenity)
- [Microsoft Entra Agent ID comparison](https://www.execlave.com/docs/comparisons/microsoft-entra-agent-id): Why Entra Agent ID and Execlave are complementary, not mutually exclusive.

## Articles

- [What is an AI Agent Management Platform (AMP)?](https://www.execlave.com/blog/what-is-an-ai-agent-management-platform): Definition of the AMP category, its six core controls, and how it differs from prompt security and governance-program tools.
- [What is AI agent governance?](https://www.execlave.com/blog/what-is-ai-agent-governance)
- [How to build an AI agent in 2026](https://www.execlave.com/blog/how-to-build-an-ai-agent): Seven steps from idea to production agent — scope, framework choice, tool design, guardrails, governance, adversarial testing, deployment.
- [Prompt injection attacks on AI agents](https://www.execlave.com/blog/prompt-injection-attacks-ai-agents)
- [How to pass a SOC 2 audit with AI agents](https://www.execlave.com/blog/how-to-pass-soc-2-audit-ai-agents)
- [EU AI Act: a practical guide for AI agents](https://www.execlave.com/blog/eu-ai-act-practical-guide-for-ai-agents)
- [Governing LangChain in 10 minutes](https://www.execlave.com/blog/governing-langchain-10-minutes)
- [AI agent governance vs observability](https://www.execlave.com/blog/ai-agent-governance-vs-observability): How runtime governance (enforce/block before execution) differs from observability (record/trace after the fact), and why you need both.

## Company

- [About](https://www.execlave.com/about)
- [FAQ](https://www.execlave.com/faq)
- [Contact](https://www.execlave.com/contact)
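
The checksums that the PII-detection bullet under Enforcement engine capabilities relies on (Luhn for cards, Verhoeff for Aadhaar, mod-97 for IBAN), as an added illustration that is not Execlave's detector: the candidate regexes stay deliberately loose and the checksum decides, which is what keeps look-alike order numbers out of the findings. The candidate patterns and the SAMPLE text are constructed; the numbers in it are well-known test values, not real identifiers.

```python
import re

# Verhoeff multiplication (D) and permutation (P) tables.
D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
     [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
     [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
     [9,8,7,6,5,4,3,2,1,0]]
P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
     [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
     [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]

def luhn_ok(digits: str) -> bool:
    """Card PAN: double every second digit from the right, subtract 9 if > 9, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def verhoeff_ok(digits: str) -> bool:
    """Aadhaar check digit: catches every single-digit and adjacent-transposition error."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = D[c][P[i % 8][int(ch)]]
    return c == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: rotate the first four characters to the end, expand
    letters to 10..35, and the resulting integer must be 1 modulo 97."""
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    expanded = "".join(str(int(ch, 36)) for ch in iban[4:] + iban[:4])
    return int(expanded) % 97 == 1

# Candidate regexes are deliberately loose; the checksum does the real filtering,
# which is what keeps invoice numbers and order ids out of the PII findings.
CANDIDATES = {
    "card": (re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"), luhn_ok),
    "aadhaar": (re.compile(r"(?<!\d)(?<!\d[ -])[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}(?![ -]?\d)"), verhoeff_ok),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b"), iban_ok),
}

def scan(text: str) -> list:
    """Return (kind, normalized_value) for each candidate whose checksum validates."""
    findings = []
    for kind, (pattern, check) in CANDIDATES.items():
        for m in pattern.finditer(text):
            value = re.sub(r"[ -]", "", m.group(0))
            if check(value):
                findings.append((kind, value))
    return findings

# Constructed sample: well-known test numbers, not real people's identifiers.
SAMPLE = ("card 4111 1111 1111 1111 ok, card 4111 1111 1111 1112 bad, aadhaar 4991 1866 5246, "
          "iban GB82 WEST 1234 5698 7654 32, ref 123456789012345")
```

scan(SAMPLE) reports the valid card, the Aadhaar number and the IBAN, and drops both the card with a broken check digit and the 15-digit reference number.
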