Control Agent Actions
Full visibility into agent execution.
Control tool calls, data flow, and risky actions before they run.
Backed by top investors




The core problem
Access proves permission.Flow proves safety.
Agent identity, user, action, and resource prove permission.
They do not prove the context flow behind the action is safe.
The missing layer betweenagents and actions.
Full visibility into runtime tool actions, with deterministic controls before execution.
Aligned with recognized security and AI assurance frameworks


Every agent action becomes a control point
Evaluate intent, data provenance, destination, and risk before any tool call executes.
I’ll read the ticket, extract the customer fields, and send the email.
const ticket = await tool.support.readTicket("SUP-1842");const { customerEmail, customerName, emailSummary} = await tool.extract({ text: ticket.body});await tool.email.send({ to: customerEmail, subject: `Update for ${customerName}`, body: emailSummary,});tool
support.readTicket
origin
support.readTicket
value
ticket.body
source trust
policy
"Never send PII / confidential data by email."
CodeIntegrity protections
Agents bypass approval paths.
Put controls between intent and execution.
CodeIntegrity separates instructions, data, and actions
01 / Code execution
Prompts become executable control flow.
The runtime turns agent instructions into sandboxed code, making each action explicit, inspectable, and repeatable. Code becomes the control layer where intent, data, and tool calls can be checked before execution.
const ticket = await tool.readTicket("SUP-1842");const updates = []; for (const item of ticket.history) { updates.push(normalize(item));} await tool.sendEmail({ to: ticket.customer.email, body: updates.join("\n"),});02 / Dual LLM
Untrusted data stays separate from instructions.
One model controls the workflow. Another reads untrusted content and returns structured values inside the sandbox.
03 / Data provenance
Every value keeps its origin.
CodeIntegrity tracks data and control flow across the agent, so the runtime can see when email.body came from an untrusted Jira ticket.
AI breaks all defenses.
Agents need deterministic control.
Security research
Research and insights for securing the next generation of AI agents.