The AI Identity Platform — in action
A walkthrough of what the product actually does: register agents, route traffic through the policy-enforcing gateway, capture tamper-evident forensic evidence, and map every action back to the compliance framework your auditor cares about.
AI Identity dashboard overview — live from dashboard.ai-identity.co
Three pillars, one platform
Identity, policy, and evidence for every AI agent in your organization.
Identity
Per-agent API keys, scoped permissions, lifecycle management, and shadow-agent detection — all at the API layer.
Policy
Deny-by-default gateway that enforces scope, rate limits, spending caps, and human-in-the-loop approvals before any upstream call.
Evidence
HMAC hash-chained logs, DSSE + ECDSA P-256 signed attestations, and an offline verification CLI. Auditors verify without trusting us.
Walkthrough
Here's what happens from the moment an agent is registered to the moment an auditor verifies a year of activity.
Register agents in the control plane
Each AI agent gets a unique, scoped identity in the AI Identity control plane. No more shared OpenAI keys across ten agents and guessing which one ran up a bill.
- Create agents via dashboard UI, REST API, Python SDK, or Terraform
- Per-agent metadata: owner, team, environment, intended tool-calls
- Unique aid_sk_ key issued once, SHA-256 hashed at rest
- Scope permissions: which models, which tools, which upstream APIs
- Set rate limits and monthly spending caps before the agent goes live
Route agent traffic through the gateway
Change one URL in your agent code. The AI Identity gateway authenticates every request, checks policy, and forwards to OpenAI, Anthropic, Gemini, or your internal APIs.
- Drop-in OpenAI / Anthropic / Gemini compatible base URL
- Deny-by-default — invalid or expired keys are rejected at the edge
- Policy engine enforces per-agent scope, rate limits, spending caps
- Human-in-the-loop approvals for high-risk actions (configurable)
- Sub-50ms p99 overhead per request
# Before — direct to provider
from openai import OpenAI
client = OpenAI(api_key="sk-...")
# After — through AI Identity
client = OpenAI(
base_url="https://gateway.ai-identity.co/v1",
api_key="aid_sk_7f3x...m9k2", # per-agent key
)
# Every call is now:
# authenticated → per-agent identity
# authorized → scoped policy check
# rate-limited → per-agent quota
# logged → hash-chained audit record
# attestable → signed session envelope
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Summarize ticket #4821"}],
)Every action becomes tamper-evident evidence
The gateway writes an HMAC-SHA256 hash-chained audit record for every request. Each session is closed with a DSSE + ECDSA P-256 signed attestation envelope.
- Hash-chained log — alter one record and the entire chain breaks
- DSSE + ECDSA P-256 signed session attestations, KMS-backed signing keys
- Offline verification CLI — auditors fetch + verify without touching our servers
- Forensic replay: reconstruct an agent's complete decision path
- Export evidence bundles with chain-of-custody certificates
Session attestation
sess_8f2a4c71b9
Map every control to a framework
The compliance view shows a live control map to EU AI Act, SOC 2, NIST AI RMF, GDPR, and HIPAA. Export an audit-ready evidence bundle in one click.
- Live control-mapping dashboard per framework
- Auto-generated evidence per control from real gateway activity
- Export profiles: SOC 2, EU AI Act, NIST AI RMF
- Chain-of-custody certificate bundled with every export
- Separate endpoints for stubbed frameworks (transparency on what's live vs. stub)
Framework mapping
Feature overview
What's in the box today across identity, policy, forensics, compliance, and deployment.
Identity
- Per-agent aid_sk_ API keys
- Unique agent metadata & ownership
- Zero-downtime key rotation
- Scoped permissions
- Shadow-agent detection with Register / Block / Dismiss flows
Policy
- Deny-by-default gateway
- ABAC on agent metadata
- Policy dry-run endpoint
- Tier-based quota enforcement
- Human-in-the-loop approvals (Enterprise)
Forensics
- HMAC-SHA256 hash-chained audit log
- DSSE + ECDSA P-256 signed session attestations
- KMS-backed signing + public JWKS endpoint
- Offline verification CLI
- Signed webhook SIEM forwarding
Compliance
- EU AI Act control map
- SOC 2 CC6.x + CC7 mappings
- NIST AI RMF alignment
- ISO 27001 A.12 / A.13 mapping
- One-click audit export
Integrations
- OpenAI, Anthropic, Gemini
- Works with LangChain, CrewAI, AutoGen, OpenAI Agents SDK
- Python SDK + REST API
- Prometheus /metrics
- Real-time SIEM push (signed webhook)
Deployment & security
- Hosted SaaS on GKE Autopilot
- Binary Authorization ENFORCE
- Cloud Armor WAF + Master Authorized Networks
- PostgreSQL Row-Level Security (FORCE)
- Org-scoped queries + correlation IDs
Current stage of development
AI Identity is in early launch. The core product is live and running in production on our own infrastructure. We're selectively onboarding design partners.
Live today
- Hosted control plane + dashboard
- Gateway (OpenAI, Anthropic, Gemini)
- Python SDK + REST API + CLI
- HMAC hash-chained audit log with org scoping + correlation IDs
- DSSE + ECDSA P-256 signed attestations (KMS + public JWKS)
- Offline verification CLI
- Human-in-the-loop approvals (Enterprise)
- Shadow-agent detection + Register/Block/Dismiss flows
- ABAC + policy dry-run
- Org-level sharing + role-based assignments
- Tier-based quota enforcement + usage tracking
- Prometheus /metrics + real-time SIEM push (signed webhook)
- Compliance export API: SOC 2, EU AI Act, NIST AI RMF (stubs live)
- GKE hardened: Binary Authorization ENFORCE, Cloud Armor WAF, MAN, NetworkPolicies, Secret Manager + CSI
- Public interactive demo + pricing page
Next — Q2/Q3 2026 (design partners)
- Terraform provider
- Native SDK adapters (LangChain, CrewAI, AutoGen, OpenAI Agents SDK)
- Agent-to-agent auth (mTLS / token exchange)
- Advanced anomaly detection beyond shadow-agent heuristics
- 5th audit-logging phase (remaining observability hooks)
- Dedicated SIEM connectors (Splunk, Datadog) on top of webhook sink
Enterprise track
- SOC 2 Type II external audit
- ISO 27001 certification
- Self-hosted / private cloud deployment profile
- SSO + SCIM provisioning
- Cross-org agent federation
- Custom policy DSL
See it running in your own account
The interactive demo executes real API calls against the live AI Identity backend — no mock data, no video. Or sign in and register your first agent in a couple of minutes.