00 AI agent governance platform

The control plane for
AI agents in production.

Every agent action gets reviewed before it runs. In front of Claude Code, Cursor, Codex, and Devin. No SDK, no migration.

Works with
Claude CodeClaude Code CodexCodex GitHub CopilotGitHub CopilotGitHub Copilot CursorCursor DevinDevin WindsurfWindsurf + any MCP agent
Aegis Dashboardapp.runaegis.co/dashboard/runs
Runslast 24h · 96 actions
AgentToolsemantic_typeDecision
cursor-agentpush_files → mainprotected_branch_writeREWRITE
claude-codecreate_branchworking_commitALLOW
cursor-agentterraform_applysensitive_path_changeDENY
devintrigger_workflowlarge_blast_radius_changeAPPROVAL
claude-codepush_filescredential_exposureDENY
cursor-agentcommit → aegis_workstationephemeral_force_pushALLOW
Rewrite · live
push_files → main
→ aegis_workstation
PR #47 opened · agent never stopped

01 The problem

Agents already ship to production. Nothing checks what they are about to do.

Real incident
"Claude Code wiped 2.5 years of production data via a Terraform destroy. I watched it happen in real time. There was nothing to catch it."
Alexey GrigorevFounder, DataTalksClub · March 2026
MAR 8 · 2026data loss

Claude Code → terraform destroy

Production database lost. No approval gate. No undo.

APR 22 · 2026credential leak

Bitwarden CLI supply chain attack

Compromised npm package exfiltrated developer credentials.

APR 30 · 2026injection

OpenAI Codex → branch injection

Malicious branch names triggered command execution.

75%of enterprise engineering teams now run AI coding agents in production.
0governance platforms exist for cross-vendor agent actions. Until Aegis.

02 What Aegis does

Every action gets one of four decisions.

The moat Rewrite

Transform the unsafe action into a safe one.

An agent pushes straight to main. Instead of blocking it, Aegis creates a branch, pushes there, and opens a PR. The agent never stops. No competitor does this.

Agentpush → main
Aegisintercept
ResultPR #47 opened
Allow

Forward

Safe reads and writes pass straight through.

create_branch allowed
Deny

Block

Secrets, freeze-window deploys, destroys. Blocked with the reason.

terraform_destroy denied
Require approval

Gate

Risky actions pause and ping a human in Slack.

deploy.yml awaiting

03 Governance in action

The context decides. Not the command.

Who is pushing, what is failing, whether a release freeze is on. That flips the answer.

vs
Agent actionDENY
$create branch from main
Context
Release freeze active until 18:00 UTC
CI failing on api-service
Non-emergency ticket JIRA-4521
Blocked

Release freeze active until 18:00 UTC. Contact @platform-lead for emergency override.

Agent actionALLOW
$git push --force
Context
Aegis-managed branch
Same session owner, created 4 min ago
No open PR, pre-PR workflow stage
Allowed

No alert. No interruption. The agent keeps working.

04 Architecture

How every action gets a decision.

No model guessing in the decision path. Same input, same answer, every time.

AgentClaude CodeCursorGitHub CopilotDevinWindsurf
L1

Interception & Normalization

Every tool call is normalized to a canonical action model: push_commit, terraform_apply, execute_migration. Policies become portable across every agent and tool.

L2

Contextual Intelligence · CIL The moat

A deterministic semantic classifier assembles four contexts before every policy, then outputs semantic_type and blast_radius. Same action, opposite decision depending on context. Microsecond latency.

SessionContextRepoContextBranchContextEnvContext
L3

Governance & Execution Runtime

Retries, idempotency, dead-letter queue, replay. Every step written to an immutable audit trail.

ALLOWDENYREWRITEREQUIRE_APPROVAL
Downstream MCPGitHubSlackTerraformPostgres

05 Features

What you get under the hood.

Contextual Intelligence

Four contexts, assembled before every decision.

The classifier does not look at the command alone. It pulls four live context structs, then maps the action to a semantic_type and a blast_radius. Deterministic. No LLM in the path.

10 canonical semantic types
blast_radius scoring, minimal to critical
microsecond latency, fully auditable
Decision inputs
SessionContext
push_count · denial_count
RepoContext
protected · freeze_active
BranchContext
aegis_managed · open_pr
EnvContext
env_tier · incident
semantic_type protected_branch_write · high

Audit & compliance

Every decision is evidence, not a log line.

Each action is written immutably with its full context snapshot, the policy that fired, and the decision. Export the whole trail as a SOC 2 evidence pack in one click.

Immutable, exportable trail
Full 4-context snapshot per action
SOC 2 / HIPAA evidence export
Audit trail
14:02:09push_files → mainREWRITE
14:01:55terraform_apply → prodDENY
14:01:30trigger_workflow deploy.ymlAPPR
14:00:12create_branch feature/xALLOW
Export SOC 2 evidence pack · PDF

Policy engine

23 policies. Freeze windows. Kill switches.

Toggle policies per workspace, schedule release freezes, and keep an org-wide kill switch one click away. Every policy is written against canonical actions, so it works on every connector.

23 policies across safety, access, compliance
Per-repo freeze windows
Org-wide read-only kill switch
Policies
Protected branch write
REWRITE
IaC hard lock (Terraform)
DENY
Migration gate
APPROVAL
Credential exposure shield
DENY
Secret rotation gate
OFF

06 Multi-MCP

One control plane. Every tool your agents touch.

The canonical action model makes every policy portable. Add a connector, inherit every rule on day one.

GitHub
live · rewrite
Slack
1 week · approval
Linear
read
Terraform
deny
GitHub Actions
approval
Postgres
deny
Jira
read
Datadog
deny
cursor-agent push_files → mainREWRITEPR #47 opened on aegis_workstation
cursor-agent trigger_workflow → deploy.ymlAPPROVALAwaiting @platform-lead in #deployments
cursor-agent terraform_apply → productionDENYT1 IaC Hard Lock. Agents never apply infra.

07 Go to market

Install in 15 minutes. Watch for a week. Enforce when you are ready.

15 min
Install

Add Aegis to your agent's MCP config. No code changes. It watches, it does not block.

7 days
Risk report

See what we would have blocked, rewritten, or sent for sign-off, with full context.

Enforce
Convert

Turn on policies one at a time. The first rewrite saves a push to main, and they are sold.

Add to your agent's MCP config
# Cursor / Claude Code / Devin / Windsurf
{
  "mcpServers": {
    "aegis": {
      "url": "https://mcp.runaegis.co/v1/<your-room-id>"
    }
  }
}

08 FAQ

Questions engineers ask first.

Do I have to change how my agents work? +
No SDK, no migration, no code changes. You add one line to your agent's MCP config pointing at mcp.runaegis.co. Aegis sits in front of the tools the agent already calls.
Is there an LLM in the decision path? +
No. The Layer 2 classifier is deterministic. The same action in the same context always returns the same decision. That is what makes it auditable and microsecond-fast.
How does REWRITE actually work? +
When an agent pushes to a protected branch, Aegis creates a branch off the working tree, pushes there, opens a PR, and returns the PR URL to the agent. The agent keeps moving. The danger never lands.
What is the latency overhead? +
Classification runs in microseconds. Safe reads and writes pass straight through, so the agent does not notice Aegis is there until a policy actually fires.
Where does my code and data go? +
Aegis proxies tool calls and stores the audit trail. Nothing trains a model on your data. Enterprise runs in your own VPC with a private LLM for action summaries.
Which agents and tools are supported? +
Claude Code, Cursor, Codex, Devin, and Windsurf today, plus any MCP-compatible agent. GitHub is live; Slack, Linear, Terraform, GitHub Actions, and Postgres are rolling out.
Can I start without enforcing anything? +
Yes. Shadow Mode installs in 15 minutes and only watches. After a week you get a risk report of what would have been blocked, rewritten, or sent for approval, then you turn on policies one at a time.
Is it SOC 2 ready? +
Every decision is written to an immutable audit trail with its full context. Export the whole trail as a SOC 2 evidence pack in one click.

Start governing every agent action.

Aegis is the missing layer between your AI agents and the systems they are allowed to touch.