Product

One lifecycle, from first request to revocation.

An agent does not get access because it asked. It gets access because it was registered, inspected, tested, scored, and approved , and because every action after that is monitored and recorded.

The lifecycle

Seven steps. Each one leaves evidence.

Anubis is a single path an agent walks before and during production. No step is skippable, and no step is silent , each produces a record you can review later.

01

Register

The agent declares itself: source repository, runtime, model, owner, the tools it wants, and the data it expects to touch. Anubis issues a pending identity and holds all access.

produces agent passport
02

Inspect

Verify what was declared. Package signature, repository integrity, dependency risk, model provider, and the declared versus actual tool surface. Inspection runs before any test.

produces source & tool map
03

Test

Run adversarial scenarios against the agent in the context of your tools: prompt injection, tool confusion, data leakage, and scope overstep. Behavior is observed, not assumed.

produces behavior results
04

Score

Findings become a risk score with explanation, warning signals, and suggested mitigations. The score is not a black box , every point is traceable to a specific check.

produces risk score
05

Decide

An owner approves, restricts, or blocks. Sensitive scopes route to the right reviewer , security, data, or compliance. The decision is recorded with policy version and reviewer identity.

produces approval record
06

Monitor

Approved agents run on short-lived, scoped credentials. Every tool call is checked against the approved policy at runtime. Anything outside scope is blocked as it happens.

produces runtime trace
07

Audit

Checks, approvals, tool calls, blocks, and revocations are preserved as a single evidence package. It exists before anyone asks , for governance, compliance, or incident review.

produces evidence package
Step 02 · Inspect

Every agent becomes a structured identity.

Source, owner, model, framework, tools, data classes, and autonomy level , read into one machine-readable object. If the declared surface and the actual surface disagree, inspection fails before testing begins.

agent.passport status: inspecting
finance-reconciler github.com/acme/agents · owner: fin-ops
source signed
FrameworkLangGraph
Modelgpt-4 class · hosted
Toolserp.invoice.readerp.vendor.readerp.vendor.updateerp.payment.create
Data classesfinancialPII
Autonomysupervised · approval-gated
Declared vs actual1 undeclared tool found
Step 04 · Score

A risk score you can read, not just trust.

The score is the sum of specific checks. Each signal carries its own result and weight, so a reviewer can see exactly why an agent is rated medium rather than low , and what to fix.

risk profile · finance-reconciler policy v4.2
Risk score 58/100 medium · approve with restrictions
Prompt injectionresisted
Tool misusecontained
Data leakage1 finding · PII in summary
Over-permissioning2 scopes trimmed
Runtime containmentenforced
Step 05 · Decide

Three outcomes, never a quiet yes.

A reviewer holds a real decision, and the agent inherits the consequence. The same score can become an approval, a restricted scope, or a block depending on what the agent is allowed to touch.

Approve low risk

Read-only, scoped, fully recorded. The agent runs on short-lived credentials.

  • Read, search, and lookup
  • CRM and database reads
  • Ticket and document classification

Restrict approval-gated

Allowed, but sensitive actions pause for a human before they run.

  • Exporting customer records
  • Sending external email
  • Updating financial or CRM records

Block denied

Out of policy. Refused at runtime and logged as an incident.

  • Executing payments or wire transfers
  • Exporting PII or disabling logs
  • Changing admin permissions
Step 06 · Monitor

Approval is the start, not the end.

Every tool call is evaluated against the approved policy as it happens. You can see which agent acted, which tool it used, what it attempted, and which policy decided the outcome , in real time.

runtime stream · live finance-reconciler
timetoolactiondecision
09:42:01erp.invoice.readread 14 invoicesallow
09:42:03gmail.readmatch vendor threadallow
09:43:10erp.vendor.updatechange bank detailreview
09:44:55erp.payment.createrelease $48,200block
09:45:02export.csvcustomer PII setblock
Step 07 · Audit

The evidence exists before anyone asks.

Every decision is preserved with the context that produced it. When security, compliance, or an investigation needs the answer, it is already written down , not reconstructed from screenshots.

evidence record · evt_90f4 blocked action

Why this action was blocked

agentfinance-reconciler
actionexecute vendor payment
toolerp.payment.create
decisionblocked
policyfinance.payments v4.2
reasonhigh-risk financial action outside approved scope
actor: system policy
reviewer on file: fin-ops lead
timestamp: 2026-06-06 09:44:55Z
retention: preserved
linked to passport, approval, and prior runtime events for the same agent.
Get started

Walk one real agent through the lifecycle.

The clearest first session is one agent that already needs credentials. We register it, inspect the source, test the behavior, score the risk, and show you the decision and the evidence it produces.

Copied to clipboard