EU AI Act high-risk obligations: August 2026 — your agents need a documented audit trail now
Open Source · MIT License · Self-hosted

Your agent just read 847 files in 4 minutes.

Enterprises are deploying autonomous agents with valid credentials and no layer between those credentials and everything they can reach. AgentGate is that layer — the runtime authorization infrastructure every agent action passes through before it executes.

Your logs show 847 authorized requests. AgentGate saw a kill chain. The difference between a normal run and a data exfiltration is the sequence — and only AgentGate catches it before it fires.

Open Source·Python SDK·TypeScript SDK·LangGraph Ready·Kill Chain Detection·MITRE ATLAS Mapped
agentgate-demo
$ python demo.py  AgentGate PDP — Trust Authorization Layer  ─────────────────────────────────────────[REGISTER] agent_id=analyst_001  purpose="Summarize quarterly business reports"[TOKEN]    issued: eyJhbGciOiJFZERTQSJ9...  (Ed25519 JWT — scope embedded + signed)[REQUEST]  action=read  resource=/reports/q1.pdf       → PERMIT  (trust=0.91)[REQUEST]  action=read  resource=/reports/q2.pdf       → PERMIT  (trust=0.89)[REQUEST]  action=read  resource=/reports/q3.pdf       → PERMIT  (trust=0.87)[REQUEST]  action=read  resource=/reports/q4.pdf       → PERMIT  (trust=0.86)...6 more reads in under 5 minutes...[REQUEST]  action=export  resource=/reports/*[KILL CHAIN] *** BULK_READ_THEN_EXFIL detected ***             10 reads in 4m32s followed by export attempt             Pattern: data enumeration → exfiltration[DECISION] *** DENY ***[REASON]   Kill chain: bulk read then exfiltration sequence.           No single request triggered this. The sequence did.[AUDIT]    entry #4821 — HMAC-chained, tamper-evident[ALERT]    security team notified instantly

The Missing Layer

The agent economy needed this layer before you deployed your first agent.

Every major technology shift that required trust at scale produced one infrastructure layer that made trust possible. The agent economy is no different.

The internet needed SSL

before e-commerce could scale.

Every transaction required a trust layer no one had built yet. SSL was that layer — invisible infrastructure that made commerce possible.

Autonomous agents need the same layer before they can act at scale with accountability.

Payments needed Stripe

before the online economy could work.

The payment layer existed. It just took months, compliance teams, and bank relationships to wire up. Stripe made it 3 lines.

Every team deploying agents needs runtime authorization. AgentGate makes it 3 lines.

Identity needed Auth0

before every app could have secure login.

OAuth existed. JWT existed. But building identity correctly was hard enough that most teams got it wrong. Auth0 made it the infrastructure layer — not the project.

Agent authorization exists today only as something you build yourself. AgentGate is the infrastructure layer that replaces that build.

Market Architecture

Four layers of AI agent infrastructure. One is unowned.

Well-funded companies own L1, L2, and L3. They observe, manage identity, and protect the model. None of them answer the one question that matters at runtime.

L3
Model & Content Security

Protects the AI model from adversarial inputs and poisoned training.

HiddenLayer
Guards the model itself. Different layer entirely.
L2
Identity & Credentials

Manages who the agent is and what credentials it holds.

CyberArkOasis Security ($195M)
They manage WHO. Not what the agent DOES with that identity.
L1
Posture & Observability

Discovers agents, maps permissions, surfaces risk after the fact.

Noma Security ($132M)Geordie AI ($30M)
They SEE what agents are doing. They cannot stop an action.
L4
Runtime Authorization EnforcementTHE GAP — UNOWNED

Should this specific action, by this specific agent, in this specific sequence, execute right now?

AgentGate
The enforcement layer everything else depends on to mean anything. Open source. Shipped. Running today.

Palo Alto acquired Portkey (April 2026) to build into L4. Their product: limited preview, enterprise-only, closed-source.

AgentGate: open source, 3 lines to integrate, shipped, running today.

What trust means precisely

Trust is not a feeling. It is three verifiable claims made simultaneously.

Remove any one of them and trust collapses. An agent with authority but no alignment is a rogue employee with a valid badge. An agent with alignment but no provable record is unverifiable — you believe it, but you can't prove it. Real trust requires all three, enforced continuously, action by action.

1

Verifiable authority

This agent was legitimately delegated to take this action — through a cryptographically signed chain, scope-attenuated at every hop, traceable back to the authorizing principal.

2

Behavioral alignment

This action is consistent with why the agent was created. Not just permitted by a policy — semantically aligned with the declared purpose the agent was registered with.

3

Provable actions

This decision is sealed before execution, tamper-evident, and independently verifiable by any auditor — without trusting the infrastructure that produced it.

AgentGate enforces all three. Every action. Before it executes.

The problem in plain English

Autonomous agents operate faster than any human can audit. By the time your logs flag a problem, the data is already gone — or the action already executed. Traditional access controls were built for humans logging in, not for agents that make hundreds of decisions per minute on your behalf.

AgentGate changes the sequence. Instead of logging what agents did, it authorizes what agents cando — in real time, before execution. It understands context your logs never will: not just that an agent read a file, but what it read before, where it's trying to go next, and whether that pattern looks like legitimate work or an attack in progress.

Scenario

1

A data analysis agent reads quarterly reports — permitted.

2

It reads HR records — still permitted individually.

3

It tries to export everything at once — blocked.

No single action was unauthorized. The sequence was. AgentGate blocked the export before it fired — with zero changes to the agent code.

AgentGate intercepts before execution

Every agent action is scored across four dimensions before it's allowed to run. No agent bypasses the gate.

Identity Verification

25%

Ed25519 JWT tokens with scope embedded in the signed credential — immutable after issuance, offline-verifiable with the public key. No database lookup required.

Delegation Chain Integrity

25%

Full chain traversal at every authorization call: every ancestor's scope is verified. Trust ceiling prevents trust-washing — a low-trust parent can never spawn a high-trust child. Atomic revoke_chain neutralizes an agent and all descendants in one call.

Purpose Alignment

30%

Embedding-based semantic scoring: action + resource (85% weight) vs. declared purpose. Justification is capped at 15% — cannot be used to bypass a misaligned action.

Behavioral Anomaly Detection

20%

Per-agent velocity baselines with trust decay over time. Dormancy followed by sudden high-volume activity is itself a risk signal — no static thresholds.

Kill Chain Detection

Beyond single-request

Each individual request may look clean. AgentGate examines the full 24-hour sequence. Bulk reads followed by an export. A read followed by a delete on the same resource. Progressive sensitivity escalation. Directory sweeps across 6+ prefixes. Patterns that only become visible across multiple calls — and that no rule-based system can catch.

DENY
BULK_READ_THEN_EXFIL
10 reads → export
DENY
READ_THEN_DELETE
Read → delete same file
ESCALATE
SENSITIVITY_RAMP
Low → CRITICAL escalation
ESCALATE
DIRECTORY_SWEEP
6+ prefix recon

Behavioral Contracts

Hard overrides

Agents declare hard limits at registration time. Violations always result in DENY — regardless of trust score. An agent that said it would never exceed 10 RPM gets hard-denied the moment it does. An agent authorized only for business hours gets blocked the moment it acts outside them. No probabilistic scoring. No bypass. The agent's own declaration is used against it.

DENY
CONTRACT_RPM_EXCEEDED
max_requests_per_minute
Rate cap set at registration
DENY
CONTRACT_OUTSIDE_TIME_WINDOW
allowed_time_windows
e.g. 09:00–17:00 UTC
DENY
CONTRACT_CONSECUTIVE_ACTION
max_consecutive_same_action
Repetitive behavior block
1

Add one import — authorize before each action

agent_config.py
from agentgate import AgentGate

gate = AgentGate("http://localhost:8000", api_key="your-key")
gate.register("report_bot", "ReportBot", "Summarize quarterly reports",
              authorized_resources=["/reports/*"], authorized_actions=["read"])

# Before every action:
result = gate.authorize("read", "/reports/q3.pdf")  # → PERMIT | ESCALATE | DENY
2

See every agent action in real time — attacks blocked live

AgentGate Dashboard — LiveLIVE

Trust Score

0.91

Decision

PERMIT

Attack Flags

0

Real-time authorization dashboard — watch your agents in the demo video above

Full Demo — 5 min

See AgentGate in action

Watch a live run — real agents, real attacks, real-time blocking.

AgentGate — Live Demo
Layer 2 — Defense in Depth

What happens when the first line isn't enough

Trust scoring stops most attacks before they execute. These four layers handle everything else — hostile tool responses, lateral compromise, and audit integrity.

Output Sanitization

Every byte your agent receives is scanned before it processes it. Credentials, PII, and exfil URLs are redacted in-place. Accidental leaks from upstream services never reach your agent — or your logs.

triggers onCREDENTIAL_LEAKPIIEXFIL_URLREDACTED

Hostile Tool Response Defense

External tools can embed instructions inside their responses to hijack your agent's behavior — a technique known as tool poisoning. AgentGate scans every tool response before the agent processes it. Injection patterns trigger a hard block; credential leaks are redacted in-place.

triggers onINSTRUCTION_TAGIMPERATIVE_INJECTBLOCKED

Trust Contagion

Compromise doesn't stay isolated. When an agent is quarantined, its delegation neighbors are automatically penalized: a rogue child implicates the parent that spawned it; a compromised parent contaminates every child it controls.

triggers onCONTAGION:FROM_PARENTCONTAGION:FROM_CHILDSCORE −30 / −15

Tamper-Evident Audit Trail

Every authorization decision is sealed into a SHA-256 Merkle tree. Any post-hoc modification is cryptographically detectable. O(log n) inclusion proofs are available on demand — compliance reporting without trusting the infrastructure.

triggers onmerkle_rootinclusion_proofVERIFIABLE

Both layers active simultaneously — no configuration required

Why enterprises can't wait

The regulatory and deployment landscape is converging. Authorization controls that were optional in 2024 become hard requirements in 2026.

OWASP LLM06

Excessive Agency — agents granted permissions beyond their declared scope, acting outside their intended purpose. Listed as a critical risk in OWASP Top 10 for LLM Applications.

OWASP Top 10 for LLM Applications, 2025

MITRE ATLAS

Adversarial ML tactics against AI systems now formally catalogued — reconnaissance, privilege escalation, and data exfiltration all apply to autonomous agents.

MITRE ATLAS, 2024

August 2026

EU AI Act high-risk obligations take effect — enterprises have months, not years, to implement governance controls for high-risk AI systems.

EU AI Act (Regulation 2024/1689)

Regulatory pressure and adversarial sophistication are converging. Teams without agent governance controls today face compliance exposure by Q4 2026.

Works with your existing stack

Drop-in integration. No framework changes. No rewrites.

Python 3.10+TypeScript / Node.jsLangChainLangGraphAutoGenMCP
python-sdk.py
from agentgate import AgentGate gate = AgentGate("http://localhost:8000", api_key="your-key")gate.register(    "my_bot",    "ReportBot",    "Summarize quarterly business reports",    authorized_resources=["/reports/*"],    authorized_actions=["read"],) # Authorize before each action — PERMIT | ESCALATE | DENYresult = gate.authorize("read", "/reports/q3.pdf") # Or use the decorator — enforcement is automatic@gate.guard("read", resource_arg="path")def read_document(path: str) -> str:    return open(path).read()

One product. Three entry points.

Whether you're a developer trying it out, an engineering team in production, or a compliance team facing a deadline — AgentGate has a path for you.

Developer

Open source. Install in 60 seconds.

Drop into any LangGraph, LangChain, or custom agent pipeline. MIT license. No infrastructure required.

pip install agentgate-pdp

View on GitHub

Enterprise

Managed deployment. Full support.

Production-grade deployment with enterprise SLAs, SSO, dedicated onboarding, and direct access to the founding team.

Pilot pricing available

Request a pilot

Compliance

EU AI Act ready. Audit-proof.

Full audit trail, human-in-the-loop escalation, and governance controls your auditors can actually review. High-risk obligations take effect August 2026.

Deadline: August 2026

Talk to us

Get Early Access

We're onboarding select enterprise pilot teams with limited availability.

Priority given to teams running LangGraph, LangChain, or custom agent frameworks in production with real compliance requirements.

Dedicated onboarding

1:1 setup with the founding team

Pilot pricing

Flexible pricing for early adopters

Direct influence

Shape the roadmap with your use case

Get Early Access

We'll reach out within 24 hours to schedule your onboarding call.