One lifecycle, from first request to revocation.
An agent does not get access because it asked. It gets access because it was registered, inspected, tested, scored, and approved , and because every action after that is monitored and recorded.
Seven steps. Each one leaves evidence.
Anubis is a single path an agent walks before and during production. No step is skippable, and no step is silent , each produces a record you can review later.
Register
The agent declares itself: source repository, runtime, model, owner, the tools it wants, and the data it expects to touch. Anubis issues a pending identity and holds all access.
produces agent passportInspect
Verify what was declared. Package signature, repository integrity, dependency risk, model provider, and the declared versus actual tool surface. Inspection runs before any test.
produces source & tool mapTest
Run adversarial scenarios against the agent in the context of your tools: prompt injection, tool confusion, data leakage, and scope overstep. Behavior is observed, not assumed.
produces behavior resultsScore
Findings become a risk score with explanation, warning signals, and suggested mitigations. The score is not a black box , every point is traceable to a specific check.
produces risk scoreDecide
An owner approves, restricts, or blocks. Sensitive scopes route to the right reviewer , security, data, or compliance. The decision is recorded with policy version and reviewer identity.
produces approval recordMonitor
Approved agents run on short-lived, scoped credentials. Every tool call is checked against the approved policy at runtime. Anything outside scope is blocked as it happens.
produces runtime traceAudit
Checks, approvals, tool calls, blocks, and revocations are preserved as a single evidence package. It exists before anyone asks , for governance, compliance, or incident review.
produces evidence packageEvery agent becomes a structured identity.
Source, owner, model, framework, tools, data classes, and autonomy level , read into one machine-readable object. If the declared surface and the actual surface disagree, inspection fails before testing begins.
A risk score you can read, not just trust.
The score is the sum of specific checks. Each signal carries its own result and weight, so a reviewer can see exactly why an agent is rated medium rather than low , and what to fix.
Three outcomes, never a quiet yes.
A reviewer holds a real decision, and the agent inherits the consequence. The same score can become an approval, a restricted scope, or a block depending on what the agent is allowed to touch.
Approve low risk
Read-only, scoped, fully recorded. The agent runs on short-lived credentials.
- Read, search, and lookup
- CRM and database reads
- Ticket and document classification
Restrict approval-gated
Allowed, but sensitive actions pause for a human before they run.
- Exporting customer records
- Sending external email
- Updating financial or CRM records
Block denied
Out of policy. Refused at runtime and logged as an incident.
- Executing payments or wire transfers
- Exporting PII or disabling logs
- Changing admin permissions
Approval is the start, not the end.
Every tool call is evaluated against the approved policy as it happens. You can see which agent acted, which tool it used, what it attempted, and which policy decided the outcome , in real time.
The evidence exists before anyone asks.
Every decision is preserved with the context that produced it. When security, compliance, or an investigation needs the answer, it is already written down , not reconstructed from screenshots.
Why this action was blocked
reviewer on file: fin-ops lead
timestamp: 2026-06-06 09:44:55Z retention: preserved
linked to passport, approval, and prior runtime events for the same agent.
Walk one real agent through the lifecycle.
The clearest first session is one agent that already needs credentials. We register it, inspect the source, test the behavior, score the risk, and show you the decision and the evidence it produces.