Execution-layer governance · Customer-hosted

Govern every agent action
before it executes.

IAM authenticates identities. API gateways route traffic. Track governs the action itself — intercepting every tool call, evaluating it against policy, and cryptographically binding approval to the exact action hash. Before anything runs.

Book a technical walkthrough See the architecture

✓ Deploys in your VPC · Zero agent traffic through Track · 30-min technical walkthrough

Policy Decision · Trace #4e9c

subject

agent:support-assistant

action

"send_email"

resource

to="vendor@ext.com"

context

time=22:47Z · hops=2

inspectors

✓ PII ✓ secrets ✓ injection ! out-of-hours

policy

out-of-hours-external-email

token

ed25519:7c91..a4f3 (pending)

REQUIRE_APPROVAL

webhook · ttl 60s

Why the existing stack is insufficient

Your current controls govern identity and infrastructure.
Agents act on neither.

Every layer in the traditional stack was built for a human in the loop on a slow, deliberate path. Autonomous agents chain tool calls at machine speed, across systems, under a single long-lived identity. The old controls don't fail gracefully — they don't apply.

IAM / PAM

Authenticates identity.

Stateful, long-lived sessions. Assumes the authenticated principal intends every subsequent action. Role-based scopes cannot evaluate the semantics of an individual tool call.

A compromised agent is still authenticated.

API Gateways / WAFs

Route and rate-limit traffic.

Pattern-matches URLs, throttles by IP, blocks known signatures. Has no model of what an agent is trying to accomplish or whether this tool call follows from the last one.

Cannot detect prompt injection, tool-call intent, or delegation abuse.

SIEM / Observability

Records what happened.

Emits logs after an action completes. Alerts minutes or hours later. The damaging tool call — the file written, the email sent, the row exfiltrated — has already executed.

Post-hoc. Provides no enforcement.

The missing layer

IAM authenticates who. Track governs what. Sits in front of the action, not behind it — and fails closed.

How Track works

Five stages. No default-allow. No post-hoc recovery.

Track sits between your agents and the systems they act on. Every tool call — outbound from your agent, or inbound from an external caller — passes through the same five-stage pipeline before anything executes.

01 · INTERCEPT

Intercept

Every tool call enters via a typed adapter and is normalized into a unified action model before evaluation.

HTTP · MCP · GitHub · Shell · Slack
12 adapter types

02 · EVALUATE

Evaluate

12 risk inspectors run in parallel. Encoding evasion is decoded and re-inspected. 30+ policy dimensions matched against YAML rules.

Subject · Action · Resource · Context

03 · ENFORCE

Enforce

One of four explicit decisions: allow, deny, require human approval, or allow under enforced obligations.

Webhook approvals · TTLs · rate caps

04 · BIND

Bind

Approval is cryptographically bound to the exact action hash. Single-byte changes between approval and execution fail closed. No TOCTOU window.

Ed25519 · SHA-256 · 60s TTL

05 · TRACE

Trace

Every decision is recorded in a hash-chained audit log. External timestamps anchor the chain. Independently verifiable.

SHA-256 chain · RFC 3161 · external TSA

→ Outbound · agent initiates a tool call

Tool Call

Agent attempts action

Normalize

Unified action model

Inspect

12 risk inspectors

Policy Engine

30+ YAML dimensions

Bind

Ed25519 one-time token

Trace

Hash-chained audit trail

← Inbound · external system calls into a governed agent

Admit

Session token or reject

Policy Engine

Inbound rules

Inspect

Payload + injection

Delegation

RFC 8693 chain

Authenticate

JWKS / OIDC / API key

External Call

Arrives at node

Enforcement outcomes

Four explicit decisions. No default-allow.

Every tool call receives one of four outcomes — determined by policy, not inferred from silence. Each decision is traceable, token-bound where applicable, and fails closed.

Allow

Passed all checks. Execution token issued. Action proceeds.

Example. Agent calls query_db on a read-only replica within business hours — matches analytics-readonly. Token issued, query runs.

Routine read paths should not require approval friction.

Deny

Blocked before execution. Rejection reason and inspector findings recorded.

Example. Agent calls write_file with path ../../etc/passwd. Path-traversal inspector fires. Request denied; event hash-chained.

Hard denials are non-bypassable and non-silenceable.

Require Approval

Execution paused. Human sign-off requested via webhook. Token issued only on explicit approval.

Example. Agent attempts send_email to an external domain outside business hours. Ops reviews via webhook. Expires if not acted on within TTL.

High-blast-radius actions stay gated on a human, at machine speed.

Allow with Obligations

Permitted under enforced constraints — response masking, sandbox, rate cap, session quarantine.

Example. Agent queries user records; PII fields auto-redacted before response. Obligation is token-bound — post-execution tampering triggers an alert.

Necessary actions ship with structural guardrails, not convention.

Threat scenarios

The attack paths that traditional controls don't see.

Each of the following has been demonstrated in real agent deployments. Each is stopped at the tool-call boundary, before execution.

T1 · INJECTION

Indirect prompt injection

A support agent ingests a ticket. Hidden instructions in the body tell it to forward the full ticket history to an external address.

→

Payload inspector flags injection signatures in tool parameters. Outbound send_email to external domain triggers the REQUIRE_APPROVAL rule. Token never issued without review.

T2 · EXFILTRATION

Data exfiltration via outbound tool call

Compromised agent is coerced into POSTing internal CRM data to an attacker-controlled webhook disguised as a logging endpoint.

→

URL allowlist rule fires. PII inspector flags customer records in the body. Decision: DENY. Event hash-chained with the full payload fingerprint.

T3 · WRITE ABUSE

Unauthorized file or database write

Agent attempts a write to a protected path or production table — either via a crafted parameter or as part of a chained tool call.

→

Path-traversal inspector + capability policy block execution. Token is never issued. The ABAC model makes write_* to production a policy question, not a permission one.

T4 · OUTBOUND ABUSE

Outbound email / API abuse

After a prompt compromise, an autonomous assistant begins issuing outbound requests at machine speed — mass email, API calls, messaging.

→

ALLOW_WITH_OBLIGATIONS enforces per-destination rate caps and session quarantine. Burst patterns trigger automatic scope narrowing. Logs are admissible.

T5 · DELEGATION

Cross-agent delegation escalation

Agent A delegates a read-scoped task to Agent B. Agent B attempts a write under the delegated token — or forges a chain it never received.

→

RFC 8693 delegation chain validated at every hop. Scope can only narrow. Cross-node JWKS confirms the chain is not forged. Write rejected at the delegation stage.

T6 · INBOUND

Malicious inbound payload

An external MCP client or agent sends a request to a governed agent with adversarial instructions embedded in tool parameters.

→

Inbound pipeline runs identity resolution, scope validation, and full inspector suite on external payloads before the handler sees the request.

Deployment & data privacy

Your VPC. Your keys. No agent traffic through Track.

The enforcement node runs inside your cloud account. Agent payloads, tool parameters, and governance decisions stay in your environment. Nothing is routed through Track infrastructure.

Runs in your VPC. Deployed as a sidecar or gateway node. Helm chart provided. Kubernetes-native.
Zero data egress to Track. Tool-call payloads and decision records never leave your environment. Optional anonymized metrics, off by default.
Customer-held signing keys. Ed25519 signing keys live in your KMS. GCP KMS and AWS KMS supported. Key rotation without downtime.
Integrates with your identity. OIDC and JWKS for JWT validation. SPIFFE-ready for workload identity. mTLS between nodes.
Audit trail exports cleanly. Structured events ship to your existing SIEM. Hash-chain is externally verifiable without Track infrastructure.

Deployment topology

YOUR VPC

Agentany framework

→

Track nodeenforcement

→

ToolHTTP · DB · MCP

Policy · YAML

Audit loghash-chained

Webhook · approver

External only

JWKS KMS RFC 3161 TSA

Zero egress by default. JWKS and TSA are pull-only.
Agent payloads never leave your VPC.

Coverage & performance

Measured, not claimed.

Figures below reflect internal test results and framework mappings. We share the methodology and test suite during walkthroughs — no certifications are implied.

10/10

OWASP Agentic Top 10

Verified in the coverage test suite.

MITRE ATLAS techniques mapped

ATLAS v5.5 · mapped to controls and inspectors.

≤20ms

p99 hot-path latency

Cache-warm, measured under load.

Frameworks mapped

EU AI Act, SOC 2, DORA, HIPAA, PCI, ISO 27001, NIST AI RMF.

1,700+

Test cases

680 adversarial / safety-specific.

Bring your threat model.
We'll show you the governed path.

The first call is a 30-minute technical walkthrough. Pick the track that fits — red-team scenario, architecture review, or compliance mapping — and we'll show Track against your actual agent stack.

Book a technical walkthrough contact@tracksec.io

Red-team scenarioWe run a live exploit against an ungoverned agent, then against a Track-governed agent.

Architecture reviewDeployment topology, key management, identity integration, SIEM path.

Compliance mappingHow Track maps to EU AI Act, SOC 2, DORA, HIPAA, and ISO 27001 control families.