Authorization for AI agents

Your company is deploying AI agents. We keep them from doing harm.

AI agents read data, move money, and act on live systems. TenetGraph derives what each agent is allowed to do, proves every decision against a specific rule, and enforces it on every action.

Define the boundary. Authorize the action.

When the auditor asks what the agent was allowed to do, you hand them this. Not a guess.

The problem

Agents run with broad standing access. Harm can come from anywhere.

To do their job, agents get broad access to your CRM, your email, your payment systems. Once they have it, harm to corporate data and systems can come from many places, inadvertent or malign. The control has to live at the runtime, on the action, not in the prompt.

Without TenetGraph
request: "look up this customer for support" ↓ "...and share their full record" action: returns address, phone, balances out of scope
With TenetGraph
request: "look up this customer for support" ↓ "...and share their full record" action: sensitive fields withheld, decision logged in policy
The gap

Your tools can tell you who an agent is. None of them decide what it's allowed to do.

Each layer answers a different question. The newest tools give each agent an identity and watch what it accesses. Defining what the agent is allowed to do, and proving it held, is the layer that was missing.

Authentication
Confirms who the agent is.
Identity & access
Grants what it can reach.
Monitoring
Records what it did, after it did it.
Authorization
Decides what it's allowed to do, the moment it tries, and proves the decision against a rule.// TenetGraph
What makes us different

Most tools ask a model whether an action looks risky. That's an opinion, not a control.

We build explicit rules from the agent itself, prove every decision against one, and enforce it before the action runs.

01 / provable

Deterministic, not probabilistic

Every allow, deny, and escalate maps back to a specific rule. Did it satisfy this control, yes or no. That's what passes an audit, where good enough does not.

02 / derived

Tailored, not generalized or inherited

Policy comes from the agent's own code, prompts, and tools, then gets hardened in testing. Hand-written policy works for five agents and breaks at fifty.

03 / live

Prevented, not just logged

The decision happens at the tool call, before execution, independent of model and identity provider. Detection tells you what happened. We decide whether it happens.

How it works

Three stages, in order. The middle one is the part almost no one has solved.

The market has converged on enforcement: hooks, gateways, OPA, OpenFGA. Generating the policy in the first place is the open problem. Research names it the unsolved bottleneck for agent access control, and it's the part our testing loop is built around.

STAGE 01

Discovery

We read everything that defines the agent: its code, prompts, tool definitions, permissions, even the conversations that built it, alongside your security intent and tool allow-lists. From that we derive its intended operating boundary.

STAGE 02

Evaluation

A behavioral testing engine pushes your agents in a sandbox, learns from each block, and retries. The policy is built from what actually breaks, not a written guess.

the hard part
STAGE 03

Governance

The core artifact is a declarative constraint layer, not a policy file you maintain by hand. We own the constraints and compile them to whatever each control point speaks: OPA, OpenFGA, or your existing proxies. Own the constraints, distribute the enforcement. Every decision is enforced at the tool call and logged against the constraint it maps to.

What you get

What changes once the boundary is defined.

Five things a security team can take to the business, derived from each agent and enforced on every action.

01

Answer who authorized this, with a document

02

Harmful actions stopped before they run, not after

03

Unused standing access measured and cut

04

Security review has a defined output, sign-off in days

05

Audit evidence continuously, not by hand

Why now

Ask a security team what agents are running in their environment. Most have no idea.

63%

of organizations have no limits on what their AI agents are allowed to do, and a third keep no usable record of what agents did.

Source: Kiteworks, 2026

Gartner named the category in February 2026. The market today is mostly watching and recording, with very little blocking before the fact. The stated direction is deterministic enforcement that moves into engineering. That's where we started.

Gateways and platform controls enforce policy. We generate it from the agent and emit portable OPA and OpenFGA they can consume.

Who it's for

Teams shipping agents into production faster than security can review them.

Security leadership

You sign for the risk

You own the audit and the incident. We hand you the number (what each agent can reach versus what it uses), cut the unused access, and give you a logged decision record for every action. When the audit comes, the answer is a document.

Product & AI security

You ship the agents

Agentic features go out in your product, and when one acts outside its job, that's your liability. We define and prove the boundary before it ships, so security sign-off goes from weeks to days.

Get a demo

See it on your own agents.

Send us a few details and we'll follow up shortly.

We'll only use this to follow up about a demo.

Thanks. We'll follow up shortly. If you'd rather pick a time directly, use the link to the right.
OR

Pick a time directly

Skip the form. Grab a 30-minute slot for a walkthrough on your agents.

Book a demo →

Every agent in production can do more than it should. We're the authorization that stops it.

Get a demo