Skip to main content
ProductLive · Design-partner stage

The AI Agent Forensics Platform — in action

A walkthrough of what the product actually does: capture every agent action as tamper-evident, cryptographically-signed evidence — and prove what happened on demand. The gateway, identity, and policy engine all feed the forensic audit trail.

Request Design Partner AccessView Incident Replay DemoTry the live API demo →
AI Identity control plane — overview of agents, keys, API latency, request volume, and recent agent activity

AI Identity dashboard overview — live from dashboard.ai-identity.co

The Four Pillars of AI Agent Governance

Most solutions cover one or two. AI Identity covers all four.

PillarCore QuestionAI Identity Capability
IdentityWho is this agent?Per-agent API keys, lifecycle management, scoped credentials.
PolicyWhat is it allowed to do?Fail-closed gateway, deny-by-default policy evaluation.
ComplianceCan we prove rules were followed?DSSE-signed session attestations, HMAC-verifiable audit logs, automated compliance assessments.
ForensicsWhat happened, provably?Hash-chained logs, incident replay, export, offline cryptographic verification.

How agent activity becomes forensic evidence

The destination is step 3 — every action sealed in a tamper-evident, cryptographically-signed audit chain. Steps 1, 2, and 4 are how we get there and prove it.

01

Register agents in the control plane

Each AI agent gets a unique, scoped identity in the AI Identity control plane. No more shared OpenAI keys across ten agents and guessing which one ran up a bill.

  • Create agents via dashboard UI, REST API, Python SDK, or Terraform
  • Per-agent metadata: owner, team, environment, intended tool-calls
  • Unique aid_sk_ key issued once, SHA-256 hashed at rest
  • Scope permissions: which models, which tools, which upstream APIs
  • Set rate limits and monthly spending caps before the agent goes live
AI Identity dashboard overview — total agents, active sessions, request volume, and recent activity
02

Route agent traffic through the gateway

Change one URL in your agent code. The AI Identity gateway authenticates every request, checks policy, and forwards to OpenAI, Anthropic, Gemini, or your internal APIs.

  • Drop-in OpenAI / Anthropic / Gemini compatible base URL
  • Deny-by-default — invalid or expired keys are rejected at the edge
  • Policy engine enforces per-agent scope, rate limits, spending caps
  • Human-in-the-loop approvals for high-risk actions (configurable)
  • Sub-50ms p99 overhead per request
python — agent.py
# Before — direct to provider
from openai import OpenAI
client = OpenAI(api_key="sk-...")

# After — through AI Identity
client = OpenAI(
    base_url="https://gateway.ai-identity.co/v1",
    api_key="aid_sk_7f3x...m9k2",  # per-agent key
)

# Every call is now:
#   authenticated  → per-agent identity
#   authorized     → scoped policy check
#   rate-limited   → per-agent quota
#   logged         → hash-chained audit record
#   attestable     → signed session envelope
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize ticket #4821"}],
)
03

Every action becomes tamper-evident evidence

The gateway writes an HMAC-SHA256 hash-chained audit record for every request. Each session is closed with a DSSE + ECDSA P-256 signed attestation envelope.

  • Hash-chained log — alter one record and the entire chain breaks
  • DSSE + ECDSA P-256 signed session attestations, KMS-backed signing keys
  • Offline verification CLI — auditors fetch + verify without touching our servers
  • Forensic replay: reconstruct an agent's complete decision path
  • Export evidence bundles with chain-of-custody certificates

Session attestation

sess_8f2a4c71b9

verified ✓
00:00.000agent.authenticate aid_sk_7f3xok
00:00.042policy.evaluate model=gpt-4o tools=[crm.read]allow
00:00.063llm.call tokens=1,240 / cap=50,000ok
00:00.810tool.call crm.read ticket=4821allow
00:01.112session.close dsse + ecdsa-p256signed
sha256: 9b4c...af12
prev: e73a...c018
signature: MEYCIQD...
04

Map every control to a framework

The compliance view shows a live control map to EU AI Act, SOC 2, NIST AI RMF, GDPR, and HIPAA. Export an audit-ready evidence bundle in one click.

  • Live control-mapping dashboard per framework
  • Auto-generated evidence per control from real gateway activity
  • Export profiles: SOC 2, EU AI Act, NIST AI RMF
  • Chain-of-custody certificate bundled with every export
  • Separate endpoints for stubbed frameworks (transparency on what's live vs. stub)

Framework mapping

EU AI ActArticle 12 — logging & traceability5/5 live
SOC 2CC7 — system monitoring4/5 live
NIST AI RMFMEASURE 2.7 — decision traceability3/4 live
GDPRArticle 30 — record of processing2/3 live
HIPAA§164.312(b) — audit controlsstub

Feature overview

What's in the box today across identity, policy, forensics, compliance, and deployment.

Identity

  • Per-agent aid_sk_ API keys
  • Unique agent metadata & ownership
  • Zero-downtime key rotation
  • Scoped permissions
  • Shadow-agent detection with Register / Block / Dismiss flows

Policy

  • Deny-by-default gateway
  • ABAC on agent metadata
  • Policy dry-run endpoint
  • Tier-based quota enforcement
  • Human-in-the-loop approvals (Enterprise)

Forensics

  • HMAC-SHA256 hash-chained audit log
  • DSSE + ECDSA P-256 signed session attestations
  • KMS-backed signing + public JWKS endpoint
  • Offline verification CLI
  • Signed webhook SIEM forwarding

Compliance

  • EU AI Act control map
  • SOC 2 CC6.x + CC7 mappings
  • NIST AI RMF alignment
  • ISO 27001 A.12 / A.13 mapping
  • One-click audit export

Integrations

  • OpenAI, Anthropic, Gemini
  • Works with LangChain, CrewAI, AutoGen, OpenAI Agents SDK
  • Python SDK + REST API
  • Prometheus /metrics
  • Real-time SIEM push (signed webhook)

Deployment & security

  • Hosted SaaS on GKE Autopilot
  • Binary Authorization ENFORCE
  • Cloud Armor WAF + Master Authorized Networks
  • PostgreSQL Row-Level Security (FORCE)
  • Org-scoped queries + correlation IDs

Current stage of development

AI Identity is in early launch. The core product is live and running in production on our own infrastructure. We're selectively onboarding design partners.

Live today

  • Hosted control plane + dashboard
  • Gateway (OpenAI, Anthropic, Gemini)
  • Python SDK + REST API + CLI
  • HMAC hash-chained audit log with org scoping + correlation IDs
  • DSSE + ECDSA P-256 signed attestations (KMS + public JWKS)
  • Offline verification CLI
  • Human-in-the-loop approvals (Enterprise)
  • Shadow-agent detection + Register/Block/Dismiss flows
  • ABAC + policy dry-run
  • Org-level sharing + role-based assignments
  • Tier-based quota enforcement + usage tracking
  • Prometheus /metrics + real-time SIEM push (signed webhook)
  • Compliance export API: SOC 2, EU AI Act, NIST AI RMF (stubs live)
  • GKE hardened: Binary Authorization ENFORCE, Cloud Armor WAF, MAN, NetworkPolicies, Secret Manager + CSI
  • Public interactive demo + pricing page

Next — Q2/Q3 2026 (design partners)

  • Terraform provider
  • Native SDK adapters (LangChain, CrewAI, AutoGen, OpenAI Agents SDK)
  • Agent-to-agent auth (mTLS / token exchange)
  • Advanced anomaly detection beyond shadow-agent heuristics
  • 5th audit-logging phase (remaining observability hooks)
  • Dedicated SIEM connectors (Splunk, Datadog) on top of webhook sink

Enterprise track

  • SOC 2 Type II external audit
  • ISO 27001 certification
  • Self-hosted / private cloud deployment profile
  • SSO + SCIM provisioning
  • Cross-org agent federation
  • Custom policy DSL

Close your accountability gap

We're onboarding a small cohort of design partners to validate AI Forensics in production. Get hands-on with the platform, shape the v1.0 spec, and lock in preferred pricing.

Request Design Partner AccessView Incident Replay DemoTry the live API demo

Building today? Spin up a free dev sandbox →