An autonomous agent will do exactly what it decides to do next.
Govern that decision before it executes.
When you hand an AI agent real tools — shell access, a database, an API key, the authority to message other agents — its next action is no longer a suggestion you review. It runs. Containment.ai places a deterministic checkpoint in front of every agent action it mediates: each one is evaluated against your policy before it executes, with a fixed, auditable decision. No probabilistic fallback. No second model asked to grade the first one's judgment.
Deterministic, pre-execution control over autonomous agent actions — no LLM judging an LLM.
The problem with "trust the model"
The common pattern for agent safety is to ask the model — or a second model — whether an action looks safe. That is a probability, not a control.
An agent that can act is an agent that can act wrongly: drop a table, push to production, email a customer, spend money, exfiltrate a secret, or instruct another agent to do any of those. The failure mode that matters is not "the model said something false" — it is "the model did something it should not have."
The dominant mitigation today is an LLM-as-judge: a second prompt asks a model to score whether the first model's proposed action is acceptable. This inherits every weakness of the thing it is supposed to contain. It is non-deterministic — the same action can be approved on Monday and blocked on Tuesday. It is promptable — the content being judged can argue with the judge. And it produces no evidence an auditor will accept, because "a model felt it was probably fine" is not a control an SOC 2, HIPAA, or NIST AI RMF assessor can test.
The fix is to move the decision out of the model and into a deterministic policy layer that the agent cannot talk its way past.
How it works
Containment.ai sits in the path of the agent's actions and renders one fixed decision per action, against versioned policy, with a tamper-evident record.
Every action, before it runs
Agent traffic to LLM providers (OpenAI, Anthropic, Bedrock, Azure OpenAI) is intercepted at the call boundary by our proxy; tool calls and inter-agent dispatch are mediated through a control layer rather than fired directly. The action is held until a decision is made — it does not execute first and apologize later.
Against policy, deterministically
The action is checked against your organization's versioned policy and a catalog of content-class detectors. Given the same input, the same policy version and the same detector catalog, the decision is always the same — reproducible, explainable, and testable. No model is asked for its opinion of the outcome.
One verb, fully logged
The decision is one of the AARM-aligned verbs described below (four ship today; STEP_UP is on the roadmap). Whatever the outcome, an audit record is written with the policy version and rule that matched, the signal that triggered it, and the verb returned — the evidence an assessor can actually test. Fail-closed by default: a policy-fetch outage blocks, it does not silently allow.
Specific decisions, not "safe / unsafe"
Real governance needs more than a binary. Containment.ai aligns to the decision verbs defined by AARM R4 — the Cloud Security Alliance runtime-governance specification — so every action resolves to a specific, auditable outcome. We ship four today (ALLOW, DENY, MODIFY, DEFER); STEP_UP is on the roadmap.
ALLOW
The action matches policy and carries no flagged content. It proceeds, and the decision is logged.
DENY
The action violates policy. It is blocked at the boundary; the agent receives a structured error and the action never executes.
MODIFY
The action is allowed through with the sensitive portion redacted. The agent keeps working; the bytes that matter never leave.
STEP_UP (on the roadmap)
A sensitive action triggers a step-up authentication challenge and holds until a human completes it. Not yet shipping.
DEFER
A borderline action is paused for human review in an approval queue. The audit record captures the original signal and the approval outcome.
Five verbs, one record each
Every decision, whichever verb it resolves to, is written to an append-only audit log with full context — the same evidence trail across every action your agents take.
For the standard itself — what AARM requires, and where our coverage matches it and where it does not — see the AARM product page.
The controls that make it deterministic
Governance you can test, not a model you have to trust. Three properties carry the weight.
No LLM judging an LLM
Decisions come from versioned policy and deterministic detectors, not from a second model's opinion. The same action and policy version always produce the same verb — so a control can be tested and an outcome can be defended.
Mediated dispatch
Agents do not message each other directly. Inter-agent work flows through a mediated dispatch layer, so a single compromised or confused agent cannot quietly recruit the others. Coordination is observable and governable, not a private back-channel.
Compartmentalization
Each agent gets only the tools and data its role requires. A research agent cannot reach billing; a content agent cannot touch production. Least authority is enforced by configuration, not by asking the agent to behave.
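The checkpoint described in "How it works", the four shipping verbs, and the compartmentalization and mediated-dispatch controls above, written out as one added example. This is illustrative code, not Containment.ai's implementation: the policy schema, the regex detectors, the agent and tool names, the treatment of inter-agent dispatch as an allowlisted tool call, and a hash-chained log as the tamper-evidence mechanism are all assumptions made for the example.

```python
"""Illustrative deterministic pre-execution checkpoint for agent actions.

Added example, not Containment.ai code; policy, detectors, names and samples
are constructed. Same action + same policy version always gives the same verb.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, versioned policy. The version string lands in every audit record.
POLICY_V3 = {
    "version": "policy-v3",
    "agent_tools": {  # least authority: each role gets only its own tools; inter-agent
        "orchestrator": ["dispatch_to_research", "dispatch_to_revenue"],  # dispatch is a tool
        "research": ["web_search", "read_doc"],
        "revenue": ["read_crm", "draft_email", "send_email"],
    },
    "defer_tools": ["send_email"],  # borderline: held in an approval queue
    "on_detect": {"secret": "MODIFY", "pii": "DENY"},  # verb per detected content class
}
DETECTORS = {  # content-class detectors: plain regexes, no model involved
    "pii:us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "secret:aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
GENESIS = "0" * 64

@dataclass(frozen=True)
class Decision:
    verb: str  # ALLOW | DENY | MODIFY | DEFER
    rule: str  # policy clause that matched
    signal: str  # tool or detector that triggered it
    policy_version: str
    args: dict  # arguments as they will execute (redacted under MODIFY)

def decide(agent: str, tool: str, args: dict, policy: Optional[dict]) -> Decision:
    """Pure function of (action, policy): no clock, no randomness, no model call."""
    if policy is None:  # policy fetch failed: fail closed, never fail open
        return Decision("DENY", "fail-closed", "policy-unavailable", "unknown", args)
    version = policy["version"]
    if tool not in policy["agent_tools"].get(agent, []):
        return Decision("DENY", "agent_tools", f"{agent}->{tool}", version, args)
    serialized = json.dumps(args, sort_keys=True)
    for name, pattern in sorted(DETECTORS.items()):  # fixed evaluation order
        if not pattern.search(serialized):
            continue
        verb = policy["on_detect"].get(name.split(":")[0], "DENY")  # unknown class: deny
        if verb != "MODIFY":
            return Decision(verb, "on_detect", name, version, args)
        redacted = json.loads(pattern.sub("[REDACTED]", serialized))
        return Decision("MODIFY", "on_detect", name, version, redacted)
    if tool in policy["defer_tools"]:
        return Decision("DEFER", "defer_tools", tool, version, args)
    return Decision("ALLOW", "default", "none", version, args)

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each record commits to the hash of the one before it,
    so an edited or dropped record breaks verify()."""
    def __init__(self) -> None:
        self.records = []
    def append(self, agent: str, tool: str, d: Decision) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"agent": agent, "tool": tool, "verb": d.verb, "rule": d.rule,
               "signal": d.signal, "policy_version": d.policy_version, "prev": prev}
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec
    def verify(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def checkpoint(agent, tool, args, policy, log: AuditLog) -> Decision:
    """The gate: decide and record first; only then may the caller execute."""
    d = decide(agent, tool, args, policy)
    log.append(agent, tool, d)
    return d

# Constructed sample actions; a None policy simulates a policy-fetch outage.
SAMPLE_ACTIONS = [
    ("orchestrator", "dispatch_to_research", {"task": "summarise AARM"}, POLICY_V3),
    ("research", "dispatch_to_revenue", {"task": "email every lead"}, POLICY_V3),
    ("revenue", "drop_table", {"table": "customers"}, POLICY_V3),
    ("revenue", "draft_email", {"body": "creds: AKIAABCDEFGHIJKLMNOP"}, POLICY_V3),
    ("revenue", "draft_email", {"body": "SSN 123-45-6789"}, POLICY_V3),
    ("revenue", "send_email", {"to": "ops", "body": "hello"}, POLICY_V3),
    ("revenue", "read_crm", {"account": "acme"}, None),
]

def run_samples(log: AuditLog) -> List[str]:
    return [checkpoint(a, t, args, p, log).verb for a, t, args, p in SAMPLE_ACTIONS]
```

Two properties worth checking against any gateway that makes the same claims: decide() reads no clock, draws no randomness and calls no model, so replaying an action with the same policy version must return the identical verb; and a policy that cannot be fetched is a DENY with a logged reason, never a silent ALLOW. The research agent's attempt to recruit the revenue agent is refused by the same allowlist that keeps it out of the CRM, which is what mediated dispatch buys you. Flipping one byte in a stored record makes verify() return False, the kind of check an assessor can actually run.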
We run a ten-agent company under these controls
Containment.ai's own business-execution team is a roster of autonomous agents — growth, revenue, customer success, product, engineering, research, plus an orchestrator and an independent output-evaluator — operating against live systems every day. They run under exactly the controls described above: mediated dispatch instead of direct agent-to-agent messaging, per-agent tool compartmentalization, and deterministic guardrails on what each agent may do. External communications are draft-only, production systems are read-only, and every agent identifies as AI.
We are not going to claim it never goes wrong. It does. The honest part is what happens next: we publish our postmortems — including our own failures — and feed the fixes back into the guardrails. The system that governs our agents is the system we are selling, and we operate it in the open rather than asking you to take the architecture on faith.
Who this is for
Teams shipping autonomous agents to production
You are moving agents from a demo to a system that touches real data, real tools, and real money. You need a control plane that decides what each action is allowed to do — and produces evidence you can show an auditor.
CISOs and compliance owners
Your frameworks — SOC 2, HIPAA, NIST AI RMF, the EU AI Act — ask for testable controls and a tamper-evident record. "A model reviews it" does not satisfy that. A deterministic decision with an audit trail does.
Multi-provider, multi-framework shops
Your agents span more than one LLM provider and more than one agent framework. You want one policy plane across all of them at the call boundary, instead of re-implementing governance inside every app.
Regulated and mission-critical environments
When the cost of a wrong action is a breach, a fine, or a safety event, probabilistic safety is not enough. You need a checkpoint the agent cannot argue past — and, for the highest-assurance end, our High-Assurance Gateway.
What we are — and what we are not
Honest scope. Where we are the right layer, we say so. Where another layer is the right one, we say that too.
What we do
- Deterministic, pre-execution decisions on agent actions at the LLM-call boundary.
- A catalog of content-class detectors — PHI, MNPI, export-controlled text, secrets, PII, source-code leakage, prompt injection, and more.
- Real-time redaction (MODIFY) so an agent keeps working while sensitive bytes are stripped.
- Mediated dispatch and per-agent compartmentalization across a multi-agent system.
- An append-only audit record for every decision, designed for SOC 2, HIPAA, and ISO 27001 evidence needs.
What we don't claim
- We are not an in-process execution sandbox or privilege-ring runtime — that is a different, complementary layer.
- We mediate the LLM-call boundary and dispatched tool calls; direct raw HTTP, local filesystem, and shell from inside agent code are out of scope for the proxy and are tracked as gaps. An agent with unrestricted egress can route around the proxy, so pair it with host or network egress controls until those gaps close.
- We do not claim "AARM Core conformant." We publish an alignment attestation with per-requirement status — see the AARM page.
- No invented customers, no invented metrics. Our proof point is our own ten-agent team, operated in the open.
Where it fits in the stack
Agent Governance is the runtime control plane for your agents' actions. It sits alongside the rest of the Containment.ai platform.
AI Chat Firewall
Governs people using AI chat assistants in the browser. Agent Governance governs the autonomous agents acting on their own.
Agent Governance
This product. Deterministic, pre-execution decisions on every agent action, aligned to the five AARM verbs.
High-Assurance Gateway
For air-gapped and cross-domain deployments where the same decisions must run under DoD/NSA cross-domain rigor.
See a decision render in real time
Start free, or book a 30-minute demo. We will run a real agent action through the shipping verbs against your own test policy — and show you the audit record it writes.
Evaluating against Microsoft AGT or another agent-runtime tool? See the honest side-by-side →