AI agents read data, move money, and act on live systems. TenetGraph derives what each agent is allowed to do, proves every decision against a specific rule, and enforces it on every action.
When the auditor asks what the agent was allowed to do, you hand them this. Not a guess.
To do their job, agents get broad access to your CRM, your email, your payment systems. Once they have it, harm to corporate data and systems can come from many places, inadvertent or malign. The control has to live at the runtime, on the action, not in the prompt.
Each layer answers a different question. The newest tools give each agent an identity and watch what it accesses. Defining what the agent is allowed to do, and proving it held, is the layer that was missing.
We build explicit rules from the agent itself, prove every decision against one, and enforce it before the action runs.
Every allow, deny, and escalate maps back to a specific rule. Did it satisfy this control, yes or no. That's what passes an audit, where good enough does not.
Policy comes from the agent's own code, prompts, and tools, then gets hardened in testing. Hand-written policy works for five agents and breaks at fifty.
The decision happens at the tool call, before execution, independent of model and identity provider. Detection tells you what happened. We decide whether it happens.
The market has converged on enforcement: hooks, gateways, OPA, OpenFGA. Generating the policy in the first place is the open problem. Research names it the unsolved bottleneck for agent access control, and it's the part our testing loop is built around.
We read everything that defines the agent: its code, prompts, tool definitions, permissions, even the conversations that built it, alongside your security intent and tool allow-lists. From that we derive its intended operating boundary.
A behavioral testing engine pushes your agents in a sandbox, learns from each block, and retries. The policy is built from what actually breaks, not a written guess.
the hard partThe core artifact is a declarative constraint layer, not a policy file you maintain by hand. We own the constraints and compile them to whatever each control point speaks: OPA, OpenFGA, or your existing proxies. Own the constraints, distribute the enforcement. Every decision is enforced at the tool call and logged against the constraint it maps to.
Five things a security team can take to the business, derived from each agent and enforced on every action.
of organizations have no limits on what their AI agents are allowed to do, and a third keep no usable record of what agents did.
Source: Kiteworks, 2026
Gartner named the category in February 2026. The market today is mostly watching and recording, with very little blocking before the fact. The stated direction is deterministic enforcement that moves into engineering. That's where we started.
Gateways and platform controls enforce policy. We generate it from the agent and emit portable OPA and OpenFGA they can consume.
You own the audit and the incident. We hand you the number (what each agent can reach versus what it uses), cut the unused access, and give you a logged decision record for every action. When the audit comes, the answer is a document.
Agentic features go out in your product, and when one acts outside its job, that's your liability. We define and prove the boundary before it ships, so security sign-off goes from weeks to days.
Send us a few details and we'll follow up shortly.
Skip the form. Grab a 30-minute slot for a walkthrough on your agents.
Book a demo →