Control Agent Actions

Full visibility into agent execution. Control tool calls, data flow, and risky actions before they run.


Backed by top investors

SYN Ventures
Antler
Boost VC
NEC

The core problem

Access proves permission. Flow proves safety.

Agent identity, user, action, and resource prove permission. They do not prove the context flow behind the action is safe.

Access check allows the agent, but the action flow reveals a hidden instruction and unsafe export.

The missing layer between agents and actions.

Full visibility into runtime tool actions, with deterministic controls before execution.

CodeIntegrity controller diagram

Aligned with recognized security and AI assurance frameworks

Cloud Security Alliance, OWASP GenAI Security Project

Every agent action becomes a control point

Evaluate intent, data provenance, destination, and risk before any tool call executes.

CRM support agent
Read support ticket SUP-1842 and email the customer a status update.

I’ll read the ticket, extract the customer fields, and send the email.

read support ticket
extract customer fields
send email
CodeIntegrity
sandbox: agent.ts

// Read the ticket; its body is untrusted input.
const ticket = await tool.support.readTicket("SUP-1842");
// Extract structured fields from the untrusted ticket text.
const {
  customerEmail,
  customerName,
  emailSummary
} = await tool.extract({
  text: ticket.body
});
// Outbound action: every argument here derives from ticket.body.
await tool.email.send({
  to: customerEmail,
  subject: `Update for ${customerName}`,
  body: emailSummary,
});

data provenance

tool: support.readTicket
origin: support.readTicket
value: ticket.body
source trust: untrusted PII
policy: "Never send PII / confidential data by email."

CodeIntegrity protections

PROMPT INJECTION
INTENT DRIFT
CONFUSED DEPUTY
DATA LEAKAGE
MEMORY POISONING
POLICY ENFORCEMENT
See every action
Full visibility before agent actions execute.
Stop risky behavior
Block unsafe actions before they reach systems.
Control data movement
Keep sensitive data inside approved boundaries.
Prove every decision
Keep a clear record of what was allowed and why.

Agents bypass approval paths.
Put controls between intent and execution.

CodeIntegrity separates instructions, data, and actions

01 / Code execution

Prompts become executable control flow.

The runtime turns agent instructions into sandboxed code, making each action explicit, inspectable, and repeatable. Code becomes the control layer where intent, data, and tool calls can be checked before execution.

sandbox

// Read the ticket and normalize each history entry.
const ticket = await tool.readTicket("SUP-1842");
const updates = [];

for (const item of ticket.history) {
  updates.push(normalize(item));
}

// Explicit tool call the runtime can check before it executes.
await tool.sendEmail({
  to: ticket.customer.email,
  body: updates.join("\n"),
});

02 / Dual LLM

Untrusted data stays separate from instructions.

One model controls the workflow. Another reads untrusted content and returns structured values inside the sandbox.

Privileged LLM and quarantined LLM working together while keeping untrusted data separate

03 / Data provenance

Every value keeps its origin.

CodeIntegrity tracks data and control flow across the agent, so the runtime can see when email.body came from an untrusted Jira ticket.

Data provenance graph showing email body blocked because its origin came from an untrusted Jira ticket
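
How origin labels can travel with values and be checked before a tool call runs, as an added example that is not CodeIntegrity's code. The `Tracked` class, `POLICY` table and `checkCall` function are hypothetical names, and the ticket text is constructed sample data.

```javascript
// Added illustration, not CodeIntegrity's code. Tracked, POLICY and checkCall are hypothetical.
class Tracked {
  constructor(value, origins = [], labels = []) {
    this.value = value;
    this.origins = new Set(origins); // tools the data came from
    this.labels = new Set(labels);   // trust labels, e.g. "untrusted", "pii"
  }
  // A derived value inherits the union of its inputs' provenance.
  static derive(value, ...inputs) {
    const out = new Tracked(value);
    for (const input of inputs) {
      input.origins.forEach((o) => out.origins.add(o));
      input.labels.forEach((l) => out.labels.add(l));
    }
    return out;
  }
}

// Deterministic policy: labels that must never reach a given sink argument.
const POLICY = { "email.send": { to: [], body: ["pii"] } };

// Runs before the tool call; returns a decision record, default deny.
function checkCall(tool, args) {
  const rules = POLICY[tool];
  if (!rules) return { tool, allowed: false, reason: "no policy for tool" };
  for (const [name, arg] of Object.entries(args)) {
    if (!(arg instanceof Tracked)) {
      return { tool, allowed: false, reason: `${name} has no provenance` };
    }
    const hit = (rules[name] || []).find((label) => arg.labels.has(label));
    if (hit) {
      return { tool, allowed: false, reason: `${name} carries "${hit}"`,
               origins: [...arg.origins] };
    }
  }
  return { tool, allowed: true, reason: "no forbidden label reached a sink" };
}

// Constructed sample data: a ticket body from an untrusted, PII-bearing source.
function demo() {
  const body = new Tracked("Jane Doe, phone 555-0100, asks for a status update.",
                           ["support.readTicket"], ["untrusted", "pii"]);
  const to = Tracked.derive("jane@example.test", body);
  const summary = Tracked.derive(body.value.slice(0, 24), body); // still tainted
  const status = new Tracked("Ticket SUP-1842 is in progress.", ["template"]);
  return {
    blocked: checkCall("email.send", { to, body: summary }),
    allowed: checkCall("email.send", { to, body: status }),
  };
}
```

The decision record returned for the blocked call names the offending argument and its origin, which is the information an audit log of allowed and denied actions needs.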

AI breaks all defenses.
Agents need deterministic control.
