How AgentGate Works

A technical deep dive into the AgentGate Policy Decision Point — architecture, trust scoring, and enforcement mechanisms.

Architecture Overview

AgentGate is a Policy Decision Point (PDP) that sits between the agent runtime and any tool, API, or resource. Before any agent action executes, the SDK makes a synchronous authorization call to the AgentGate server.

Agent RuntimeAgentGate SDKPDP Server (FastAPI)Trust EnginePERMIT / ESCALATE / DENY

On PERMIT: the SDK returns normally and the agent proceeds. On DENY: the SDK raises AgentGateDenied before the agent touches the resource. On ESCALATE: the call blocks until a human approves or denies via the real-time dashboard.

AgentGate operates in two layers. Layer 1 (trust scoring + behavioral contracts) runs on every request. Layer 2 (output sanitization, hostile tool response defense, trust contagion, tamper-evident audit) runs in parallel and handles threats that survive Layer 1.

The 4-Dimensional Trust Score

Every authorization request is scored across four dimensions. The composite score is a weighted sum. Sensitivity thresholds determine the required score: LOW=40, MEDIUM=60, HIGH=75, CRITICAL=90.

Identity Verification

weight: 25%

Validates cryptographic tokens issued at registration. Checks that the action falls within the agent's registered authorized_resources and authorized_actions scope. An agent attempting to access /confidential/salary.txt when only authorized for /reports/* fails immediately.

Must pass — binary gate before composite score

Delegation Chain Integrity

weight: 25%

When Agent A delegates a task to Agent B, AgentGate traverses the full delegation chain. Every ancestor's declared scope is checked. If Agent A can only read reports, Agent B cannot inherit write access — regardless of what Agent B claims its purpose is.

Chain trust multiplier: depth 0=1.0, depth 1=0.90, depth 2=0.80 — plus trust ceiling caps child score at parent's ceiling (prevents trust-washing)

Purpose Alignment

weight: 30%

Uses sentence transformer embeddings (all-MiniLM-L6-v2) to compute cosine similarity between the agent's declared purpose at registration and the requested action+resource. A report summarizer trying to read salary data will score low on purpose alignment.

Cosine similarity < 0.3 is a strong DENY signal

Behavioral Anomaly Detection

weight: 20%

Tracks per-agent request rates with exponential moving average baselines. Velocity spikes above 2.5x the agent's established baseline trigger ESCALATE. Global fallback threshold: 20 RPM until 10+ requests establish a baseline.

Spike >2.5x baseline triggers ESCALATE regardless of other scores

Behavioral Contracts

A separate enforcement layer that sits above the trust score. Agents declare hard limits at registration time. Violations always result in DENY — no scoring, no threshold, no bypass.

Unlike the probabilistic trust score — which weighs evidence and produces a score on a scale — behavioral contracts are binary. The agent declared the limit. The agent violated it. The action is denied. This makes certain guarantees cryptographically provable to auditors: the agent's own registration is the evidence.

→ DENY: CONTRACT_RPM_EXCEEDED
max_requests_per_minute=10

Fires when request history in the last 60s meets or exceeds the declared cap.

→ DENY: CONTRACT_OUTSIDE_TIME_WINDOW
allowed_time_windows=["09:00-17:00"]

UTC time windows. Cross-midnight windows supported (e.g. 22:00–06:00).

→ DENY: CONTRACT_CONSECUTIVE_ACTION
max_consecutive_same_action=5

Blocks repetitive action patterns — a signal of replay or loop attacks.

24-Hour Kill Chain Detection

Most attacks against AI agents unfold across multiple requests — each individually permitted, collectively an attack sequence. AgentGate maintains a 24-hour behavioral window per agent and detects multi-step patterns before the final step executes.

RECONNAISSANCE

Elevated read velocity: agent reads many files in a short window, probing scope before moving.

LATERAL_MOVEMENT

Accessing resources outside declared scope or outside normal access patterns — pivoting toward the target.

PRIVILEGE_ESCALATION

Attempting actions not listed in registered authorized_actions, or sub-agents claiming their parent's scope.

EXFILTRATION

Write or export action on a high-sensitivity resource after a recon+pivot sequence — the final step blocked.

Pattern detection is cross-session: requests from an agent earlier in the day are weighted into the same detection window. A quarantine triggered by kill chain detection fires attack flags and propagates contagion to delegation neighbors.

Decision Outcomes

PERMIT

Composite trust score meets the resource's sensitivity threshold. Action proceeds.

ESCALATE

Score is borderline, or a behavioral anomaly was detected. Human-in-the-loop review required. Action is blocked until a human approves or denies via the dashboard.

DENY

Trust score is below threshold, scope violation detected, or critical keywords in resource path (salary, credential, private_key, etc.). Action never executes.

PENDING

ESCALATE cases awaiting human decision. SDK auto-resolves by default: blocks and polls until approval/denial or 90-second timeout (auto-DENY).

Layer 2 — Defense in Depth

runs in parallel

These four mechanisms run alongside Layer 1 on every request. They handle threats that bypass trust scoring — malicious content injected into tool responses, lateral compromise through delegation chains, and audit integrity.

Output Sanitization

Every response your agent receives is scanned before it processes it. Credentials, PII, and exfiltration URLs are redacted in-place. Accidental leaks from upstream services never reach your agent or your logs.

triggers onCREDENTIAL_LEAKPIIEXFIL_URL→ REDACTED

Hostile Tool Response Defense (MCP Proxy)

External tools can embed instructions inside their responses to hijack your agent — a technique known as prompt injection via tool output. AgentGate's MCP proxy intercepts every tool response before the agent processes it. Injection patterns are hard-blocked; credential leaks are redacted.

triggers onINSTRUCTION_TAGIMPERATIVE_INJECT→ BLOCKED

Trust Contagion

Compromise doesn't stay isolated. When an agent is quarantined, delegation neighbors are automatically penalized: a rogue child implicates the parent that spawned it (−15 pts behavioral); a compromised parent contaminates every child it controls (−30 pts). Penalties expire after 1 hour.

triggers onCONTAGION:FROM_PARENTCONTAGION:FROM_CHILD→ SCORE −30 / −15

Tamper-Evident Audit Trail

Every authorization decision is sealed into a SHA-256 Merkle tree. Any post-hoc modification is cryptographically detectable. O(log n) inclusion proofs are available on demand — compliance reporting without trusting the infrastructure.

triggers onmerkle_rootinclusion_proof→ VERIFIABLE

Python SDK Usage

agentgate-sdk-usage.py
from agentgate import AgentGate

# Initialize client
gate = AgentGate(
    "http://localhost:8000",
    api_key="your-key",
    raise_on_deny=True,        # raises AgentGateDenied on DENY
    raise_on_escalate=False,   # returns ESCALATE result, doesn't raise
    auto_resolve_pending=True, # blocks until human approves/denies
    pending_timeout=95,        # seconds before auto-DENY
)

# Register agent with explicit scope
gate.register(
    agent_id="report_bot_001",
    name="ReportBot",
    declared_purpose="Read and summarize quarterly business reports",
    authorized_resources=["/reports/*", "/documents/public/*"],
    authorized_actions=["read", "search"],
    delegation_depth=0,
    processes_external_content=False,   # enable prompt injection scanning
    requires_human_approval=False,
)

# Check before each action
try:
    result = gate.authorize(
        action="read",
        resource="/reports/q3.pdf",
        justification="User requested Q3 summary",
    )
    print(result["decision"])          # PERMIT
    print(result["trust_breakdown"])   # {"identity": 0.92, "delegation": 1.0, ...}
    print(result["explanation"])       # Human-readable reasoning

except AgentGateDenied as e:
    print(f"Blocked: {e}")  # Agent never touches the resource

# Context manager pattern
with gate.operation("read", "/reports/q4.pdf"):
    data = open("/reports/q4.pdf").read()  # only runs if PERMIT

# Decorator pattern
@gate.guard("read", resource_arg="path")
def read_document(path: str) -> str:
    return open(path).read()