Runtime governance engine for AI agents

Run agents in production. Not in fear.

Before your agent touches money, data or production, one in-process Kernel decides what runs, verifies the intent behind it, and encrypts the data the agent shouldn't see.

Every decision logged immutably for:
EU AI Act · DORA · GDPR · PCI DSS · AIUC-1 · FCA Consumer Duty
Read the Docs
03:17:44  Analytics agent called Kernel.check()
03:17:44  Anomalous access pattern detected · First export from this account · Off-hours request (03:17) · Scope: full PII · 50,000 records
          Agent paused. Verdict: REQUIRE_HUMAN
⚡ Kernel → #security-oncall
⚠️ Unusual data export · 50,000 customer records · analyst_temp_04 · Off-hours · first-time exporter · Full PII scope
03:19:01  On-call → DENIED + ACCOUNT SUSPENDED. Contractor offboarded. Access revoked. Logged: identity · timestamp · context preserved
Any task, any context, any policy.
See how policies are built →
How It Works

Decisions enforced. Intent anchored. Data sealed.

A single SDK call around any consequential agent action. Behind it, three checks run before execution. Identical on every Kernel install, signed for every audit.

kernel_integration.py

```python
from kernel_sdk import Kernel


async def process_invoice():
    # Before any consequential agent action, ask Kernel for a verdict.
    verdict = await Kernel.check(
        agent_id="payment-agent-prod",
        action="initiate_payment",
        context={
            "amount": 34800,
            "currency": "GBP",
            "recipient": "Meridian Supplies Ltd",
            "agent_intent": "Process supplier invoice",
        },
    )

    # execute_payment, await_human_approval and log_blocked are your own
    # application functions; Kernel only returns the decision.
    if verdict.outcome == "ALLOW":
        await execute_payment()
    elif verdict.outcome == "REQUIRE_HUMAN":
        await await_human_approval(verdict.escalation_id)
    else:
        log_blocked(verdict.reason)
```
GUARDRAILS

Immutable. Always runs first.

The guardrail layer cannot be configured off. It covers the full OWASP Agentic Top 10 by default, runs before any policy check, and anchors agent intent at creation so that mid-session manipulation is caught before execution.

01 · Prompt Injection: Hidden instructions in input data redirect agent actions.
02 · Tool Abuse: The agent invokes a tool in a way it wasn't authorized for.
03 · Data Exfiltration: The agent extracts sensitive data and routes it to an unauthorized destination.
04 · Memory Poisoning: An attacker contaminates agent memory to influence future decisions.
05 · Goal Hijacking: Mid-session manipulation that shifts the agent's objective.
06 · Denial of Wallet: Runaway loops or attacker-induced calls drain API budgets.
07 · System Prompt Leakage: The agent's system prompt is exfiltrated through crafted inputs.
08 · Supply Chain Attacks: A compromised dependency injects malicious behavior.
09 · Agent Impersonation: An attacker spoofs an agent's identity to act on behalf of trusted agents.
10 · Cascading Failures: One bad agent decision propagates through dependent agents downstream.

Why open-source guardrails alone aren't enough for regulated production.

Microsoft published the Agent Governance Toolkit under the MIT License in April 2026. Here's what it covers, and the five gaps regulated fintechs hit in production.

Read the post
INTENT ANCHORING

Every action checked against declared intent.

The most sophisticated attacks are agents manipulated mid-session. Kernel anchors agent intent at creation. Mismatch is caught before execution.

01 · Intent declared at agent creation

```python
agent.declare_intent(
    purpose="Process supplier invoices",
    allowed_actions=["read_invoice", "verify_payee", "execute_payment"],
    forbidden_actions=["delete_data", "modify_policy"],
)
```

When the agent is created, it declares its purpose and the actions allowed within that purpose. Kernel stores this intent immutably for the agent's lifetime.

02 · Every action evaluated at runtime
read_invoice → Allow
verify_payee → Allow
delete_customer_data → Blocked (mismatch with declared intent)
execute_payment → Allow

Before every action, Kernel checks the action against the agent's declared intent. Matches proceed. Mismatches are stopped at the intent layer, regardless of what the agent thinks it should do.

03 · Mismatch logged with full context
payment-agent-prod · 10:14:22 · Blocked · delete_customer_data · Intent Mismatch
Action outside declared intent. Possible mid-session compromise.

Every intent mismatch is logged with the action attempted, the declared intent, and a possible-compromise flag. This is your earliest signal that an agent is being manipulated.
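The three steps above, as an added example that is not Kernel's code or SDK. It is written in Go (also used for the other examples on this page, because Go's standard library carries the AES-GCM and Ed25519 primitives the data-sealing section needs). It models the intent layer alone: DeclareIntent, Restore, Anchor, Evaluate and MismatchEvent are hypothetical names, the anchor fingerprint is a SHA-256 over the canonical (sorted) declaration so the same intent always anchors identically, and the guardrail and policy layers Kernel runs around this one are not modelled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

const (
	Allow   = "Allow"
	Blocked = "Blocked"
)

// Intent is the declaration an agent makes once, at creation.
type Intent struct {
	Purpose   string
	Allowed   []string
	Forbidden []string
}

// Anchor is the stored declaration plus a fingerprint over its canonical form.
type Anchor struct {
	AgentID, Fingerprint string
	intent               Intent
	allowed, forbidden   map[string]bool
}

// MismatchEvent is the log record for an action that falls outside the declared intent.
type MismatchEvent struct {
	AgentID, Action, Purpose, Reason string
	PossibleCompromise               bool
	At                               time.Time
}

// fingerprint hashes the canonical form (sorted lists) so the same declaration always anchors identically.
func fingerprint(in Intent) string {
	a, f := append([]string(nil), in.Allowed...), append([]string(nil), in.Forbidden...)
	sort.Strings(a)
	sort.Strings(f)
	sum := sha256.Sum256([]byte(in.Purpose + "|allow=" + strings.Join(a, ",") + "|forbid=" + strings.Join(f, ",")))
	return hex.EncodeToString(sum[:])
}

// DeclareIntent anchors a private copy of the declaration, so the caller's slices cannot alter it later.
func DeclareIntent(agentID string, in Intent) *Anchor {
	cp := Intent{Purpose: in.Purpose, Allowed: append([]string(nil), in.Allowed...), Forbidden: append([]string(nil), in.Forbidden...)}
	an := &Anchor{AgentID: agentID, Fingerprint: fingerprint(cp), intent: cp, allowed: map[string]bool{}, forbidden: map[string]bool{}}
	for _, a := range cp.Allowed {
		an.allowed[a] = true
	}
	for _, f := range cp.Forbidden {
		an.forbidden[f] = true
	}
	return an
}

// Restore rebuilds an anchor from a persisted record and refuses it when the declaration
// no longer matches the fingerprint recorded at creation, i.e. the stored intent was altered.
func Restore(agentID, recorded string, in Intent) (*Anchor, error) {
	if fingerprint(in) != recorded {
		return nil, errors.New("stored intent does not match the fingerprint anchored at creation")
	}
	return DeclareIntent(agentID, in), nil
}

// Evaluate decides one runtime action. Declared actions proceed; anything else is stopped
// at the intent layer and returned as a loggable event, whatever the agent currently believes.
func (an *Anchor) Evaluate(action string, now time.Time) (string, *MismatchEvent) {
	var reason string
	switch {
	case an.forbidden[action]:
		reason = "Action explicitly forbidden by declared intent. Possible mid-session compromise."
	case !an.allowed[action]:
		reason = "Action outside declared intent. Possible mid-session compromise."
	default:
		return Allow, nil
	}
	return Blocked, &MismatchEvent{AgentID: an.AgentID, Action: action, Purpose: an.intent.Purpose,
		Reason: reason, PossibleCompromise: true, At: now}
}

// String renders the event the way the page's log card shows it.
func (e *MismatchEvent) String() string {
	return fmt.Sprintf("%s · %s\nBlocked\n%s\n%s\nIntent Mismatch", e.AgentID, e.At.Format("15:04:05"), e.Action, e.Reason)
}
```

Note that `delete_customer_data` is blocked even though it is not on the forbidden list: the allow-list is the intent, so anything undeclared is a mismatch, and an explicitly forbidden action is simply the stronger signal. Restore is where "stored immutably" becomes checkable: a persisted declaration that no longer hashes to the fingerprint recorded at creation is refused rather than trusted.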

DATA ENCRYPTION

Your agent cannot leak what it never saw.

Kernel sits between your data and the agent's context. Each sensitive field is protected at the level you choose:

  • readable plaintext where the agent needs to reason.
  • an opaque token where it only needs to reference.
  • or sealed ciphertext where the agent is a courier and nothing more.

The agent still does the job. The data stays under cryptographic control end-to-end.

Maria Karam · 10:42
Authorize the Meridian Supplies invoice from Friday? £34,800, corporate card.

your.backend.record
supplier_name    Meridian Supplies Ltd
amount_gbp       £34,800.00
supplier_iban    GB29 NWBK 6016 1331 9268 19
card_pan         4929 1234 5678 9211

CLASSIFY (policy.yaml) → TRANSFORM (AES-256-GCM) → SIGN (Ed25519)
supplier_name → pass · amount_gbp → pass · supplier_iban → tokenise · card_pan → encrypt

agent.context
supplier_name    Meridian Supplies Ltd           plaintext
amount_gbp       £34,800.00                      plaintext
supplier_iban    tok_iban_7f3a2b                 tokenised
card_pan         enc:••••9211                    sealed

Finance Agent (AI) · 10:42
Authorized £34,800 to Meridian Supplies Ltd for Friday's invoice. Payment queued via card ending 9211, scheduled for tomorrow's batch.

Credentials never leave your infrastructure. Data never leaves your process. Private keys never leave your KMS.

01 · CLASSIFY (before): How Kernel decides each level
policy.yaml
supplier_name → plaintext
amount_gbp → plaintext
supplier_iban → tokenised
card_pan → sealed
A single policy.yaml maps each field to its protection. Names stay readable. IBANs become tokens. Card numbers are sealed at rest. The classifier runs at every call; no field slips through unlabeled.

02 · TRANSFORM (inside): How sealing actually works
KMS root
└─ KEK
   └─ DEK (per record)
      └─ Ed25519 stamp
Your KMS holds the root key. Kernel derives a per-record DEK with envelope encryption (AES-256-GCM), signs each operation with Ed25519, and masks PAN last-4 as metadata. The agent never holds plaintext for sealed fields.

03 · SIGN (after): What lands in your audit log
10:42:01 seal card_pan ✓ ed25519:a3f…
10:42:01 tok supplier_iban ✓ ed25519:91c…
10:42:02 read amount_gbp ✓ ed25519:7d2…
10:42:03 decrypt card_pan ✓ ed25519:f48…
Every decision, every encryption, every decryption is Ed25519-signed in your audit trail. Exportable in EU AI Act and DORA formats. A regulator can verify what your agent saw and what it never touched, field by field, call by call.
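The classify, transform and sign steps above, together with the three protection levels described at the top of this section, as one added example in Go. It is not Kernel's code: Vault, Policy, Protect, Seal and SealedField are hypothetical names, the field names and values are the page's constructed record, and a randomly generated in-process KEK stands in for the KMS root (in a real deployment the root key stays in the KMS and only wrap/unwrap calls cross that boundary). Tokens are random references whose token-to-value map stays on the Kernel side; the privileged decrypt path is not shown, and is the two AEAD openings in reverse (open the wrapped DEK with the KEK, then open the field with the DEK).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"strings"
)

// Policy stands in for policy.yaml (field names are the page's constructed example).
var Policy = map[string]string{
	"supplier_name": "plaintext", "amount_gbp": "plaintext",
	"supplier_iban": "tokenised", "card_pan": "sealed",
}
// SealedField: the per-record DEK wrapped by the KEK, the field ciphertext, last four as metadata.
type SealedField struct{ WrappedDEK, Ciphertext []byte; Last4 string }
// AuditEntry is one Ed25519-signed line such as "seal card_pan ok".
type AuditEntry struct{ Line string; Sig []byte }
// Vault models the Kernel-side keys. The KEK stands in for the KMS root, which in a real
// deployment never leaves the KMS; only wrap/unwrap calls cross that boundary.
type Vault struct {
	kek    []byte
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey // all an auditor needs to verify the trail
	tokens map[string]string // token -> value, never handed to the agent
	Audit  []AuditEntry
}
// must fails closed: a crypto setup error (bad key size, no entropy) is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func NewVault() *Vault {
	priv := ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))
	return &Vault{kek: randBytes(32), priv: priv, Pub: priv.Public().(ed25519.PublicKey), tokens: map[string]string{}}
}
// AES-256-GCM with a fresh random nonce prepended to the ciphertext; gcmOpen reverses it.
func gcmSeal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func gcmOpen(key, data []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// sign appends one Ed25519-signed audit line "<op> <field> <status>".
func (v *Vault) sign(op, field, status string) {
	line := op + " " + field + " "  + status
	v.Audit = append(v.Audit, AuditEntry{Line: line, Sig: ed25519.Sign(v.priv, []byte(line))})
}

// Seal is envelope encryption: a fresh per-record DEK encrypts the value and the KEK wraps the DEK.
func (v *Vault) Seal(field, value string) SealedField {
	dek, digits := randBytes(32), strings.ReplaceAll(value, " ", "")
	if len(digits) > 4 {
		digits = digits[len(digits)-4:] // masked last four, kept as metadata
	}
	v.sign("seal", field, "ok")
	return SealedField{WrappedDEK: gcmSeal(v.kek, dek), Ciphertext: gcmSeal(dek, []byte(value)), Last4: digits}
}

// Protect builds the agent context from a backend record. Sealed material is returned
// separately so the context never holds it; a field with no policy entry is refused.
func (v *Vault) Protect(record map[string]string) (map[string]string, map[string]SealedField, error) {
	ctx, sealed := map[string]string{}, map[string]SealedField{}
	for field, value := range record {
		switch Policy[field] {
		case "plaintext":
			ctx[field] = value
			v.sign("read", field, "ok")
		case "tokenised": // opaque random reference; the token-to-value map stays Kernel-side
			tok := "tok_" + strings.TrimPrefix(field, "supplier_") + "_" + hex.EncodeToString(randBytes(3))
			v.tokens[tok], ctx[field] = value, tok
			v.sign("tok", field, "ok")
		case "sealed":
			s := v.Seal(field, value)
			sealed[field], ctx[field] = s, "enc:****"+s.Last4
		default:
			return nil, nil, errors.New("no policy entry for field " + field)
		}
	}
	return ctx, sealed, nil
}
```

Two design points worth noticing. The default branch is what "no field slips through unlabeled" means in code: an unclassified field is an error, not a plaintext pass-through. And the audit trail is verifiable with nothing but the public key, so an auditor can confirm every line without being given access to the vault, while GCM's authentication tag means a tampered ciphertext fails to open rather than decrypting to garbage.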

Limits you set. Policies you shape.

Two layers shaped by you. Enforced by Kernel. Signed in the same audit trail.

CONTROL GROUP

Per-agent class. Configurable thresholds.

Agents don't take breaks. A runaway loop, an unexpected input, or a mid-session compromise can burn through your API budget, process unauthorized transactions, or generate cascading errors, all while you're asleep.

Group your ephemeral agents under a control group policy. Configure quotas, budgets, and circuit breakers per group, not per agent.

POLICY

Your business logic, declared.

Describe your agent in plain English. Kernel generates a YAML/Rego policy.

Kernel ships with pre-built policy templates for the most common regulated agent types. For everything else, describe what your agent does in plain English. Kernel's Policy Agent turns it into a validated, production-ready policy. A human reviews before anything goes live.

payment-agent-prod · Active
Quota Control: 47 / 100 calls per hour (47%)
Budget Control: £8,400 / £25,000 per day (34%)
Circuit Breaker: DENY rate 2.1% · Threshold 15% · Healthy

When any limit is hit, the agent doesn't slow down. It stops.
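A control group with the three limits from the dashboard above (hourly call quota, daily budget, deny-rate circuit breaker), as an added example in Go that is not Kernel's code. ControlGroup, GroupPolicy and Admit are hypothetical names; the clock is injected so windows can be tested; and the MinDecisions floor is an assumption added so that a single early denial cannot trip the breaker on a tiny sample. The behaviour it demonstrates is the sentence above: the first limit hit halts the whole group, and it stays halted until a human resets it.

```go
package main

import (
	"fmt"
	"time"
)

// Outcomes for one admission decision.
const (
	Allow = "ALLOW"
	Deny  = "DENY" // the agent's own policy layer said no; the group keeps running
	Stop  = "STOP" // a group limit was hit; the whole group is halted until a human resets it
)

// GroupPolicy carries the thresholds shown on the dashboard, set per agent class.
type GroupPolicy struct {
	CallsPerHour int
	BudgetPerDay float64 // in the currency of the spend you report
	DenyRatePct  int     // circuit breaker trips when denies exceed this share of decisions
	MinDecisions int     // deny rate is only judged once this many decisions have been seen (assumption)
}

// ControlGroup tracks usage across every ephemeral agent in the class.
type ControlGroup struct {
	Policy              GroupPolicy
	now                 func() time.Time
	hourStart, dayStart time.Time
	Calls               int     // in the current hour window
	Spend               float64 // in the current day window
	Decisions, Denies   int     // since the last reset
	Halted              bool
	HaltReason          string
}

func NewControlGroup(p GroupPolicy, now func() time.Time) *ControlGroup {
	t := now()
	return &ControlGroup{Policy: p, now: now, hourStart: t, dayStart: t}
}

// roll advances the fixed hour and day windows; counters belong to the window they were made in.
func (g *ControlGroup) roll() {
	t := g.now()
	if t.Sub(g.hourStart) >= time.Hour {
		g.hourStart, g.Calls = t, 0
	}
	if t.Sub(g.dayStart) >= 24*time.Hour {
		g.dayStart, g.Spend = t, 0
	}
}

func (g *ControlGroup) halt(reason string) (string, string) {
	g.Halted, g.HaltReason = true, reason
	return Stop, reason
}

// Admit is called once per consequential action, after the agent's own policy layer has
// produced policyVerdict (Allow or Deny); cost is the action's estimated spend. The first
// limit hit halts the group outright: there is no throttling and no retry.
func (g *ControlGroup) Admit(policyVerdict string, cost float64) (string, string) {
	if g.Halted {
		return Stop, g.HaltReason
	}
	g.roll()
	p := g.Policy
	if g.Calls >= p.CallsPerHour {
		return g.halt(fmt.Sprintf("quota: %d/%d calls this hour", g.Calls, p.CallsPerHour))
	}
	if policyVerdict == Allow && g.Spend+cost > p.BudgetPerDay {
		return g.halt(fmt.Sprintf("budget: %.2f spent, %.2f requested, limit %.2f per day", g.Spend, cost, p.BudgetPerDay))
	}
	g.Calls++
	g.Decisions++
	if policyVerdict != Allow {
		g.Denies++
		if g.Decisions >= p.MinDecisions && g.Denies*100 > g.Decisions*p.DenyRatePct {
			return g.halt(fmt.Sprintf("circuit breaker: DENY rate %d/%d above %d%%", g.Denies, g.Decisions, p.DenyRatePct))
		}
		return Deny, "denied by policy"
	}
	g.Spend += cost
	return Allow, ""
}

// Reset is the human-operated path back to service; it also restarts the deny-rate sample.
func (g *ControlGroup) Reset() {
	g.Halted, g.HaltReason = false, ""
	g.Decisions, g.Denies = 0, 0
}

// DenyRate reports the current deny share in percent, for the dashboard.
func (g *ControlGroup) DenyRate() float64 {
	if g.Decisions == 0 {
		return 0
	}
	return 100 * float64(g.Denies) / float64(g.Decisions)
}
```

The budget check runs before the spend is recorded, so a single request that would cross the daily limit is refused as a hard stop rather than allowed through and noticed afterwards; the deny-rate comparison is done in integers to avoid a floating-point edge exactly at the threshold.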

Immutable Log

Audit & Reporting

Every Kernel decision is logged immutably in under a millisecond: not just the verdict, but which governance layer triggered, what the agent declared, which OWASP risk applies, who approved it, and the full execution chain.

1 · Audit Trail (demo screenshot: Kernel audit log, step 1)

Queryable by any field. Exportable in EU AI Act and DORA formats on demand.

[ Integrations ]

Any Agent framework. Any MCP client.

OpenAI
Anthropic
Gemini
Vercel AI
LangChain
LangGraph
CrewAI
PydanticAI
CDP
Browser Use
MCP
Playwright
One SDK. Every toolkit. Every call governed from day one.