The room where agent actions are decided.
Safety here is not a promise that an agent is perfect. It is a set of controls that decide, for every action, whether it is allowed, paused for a human, or blocked , and a switch that ends access the moment trust changes.
Every action lands in one of three lanes.
The same agent can read freely, pause on sensitive writes, and be refused on destructive actions. The lane is decided by what the action touches, not by how confident the agent sounds.
- + read
- + search & lookup
- + summarize
- + crm.read
- + database.read
- + ticket.classify
- ◑ export customer records
- ◑ send external email
- ◑ update financial records
- ◑ change crm ownership
- ◑ create invoice
- ◑ access sensitive dataset
- ✕ wire transfer
- ✕ delete database
- ✕ export PII
- ✕ disable logs
- ✕ change admin permissions
- ✕ bypass approval
The decision happens before the tool runs.
A tool call is not trusted because the agent was approved once. Each call passes through the policy engine, which checks scope, data class, and approval threshold, then allows, holds, or blocks , in line, in real time.
Agent attempts an action
erp.payment.create · release $48,200 to a vendor.
Checked against approved policy
scope: declared tools only data class: no PII export threshold: payments → humanBlocked & recorded
Refused in line, logged with policy version, agent identity, and reason.
The controls behind every lane.
Each control is a specific mechanism, not a setting that sounds reassuring. Together they decide what an agent can reach, when a human is pulled in, and what is preserved.
Policy checks
Every request is matched to a written, versioned policy before it runs. There is no default-allow path around it.
policies: versionedPermission boundaries
An agent acts only inside the tools and data classes it declared and was approved for. Undeclared scope is denied.
scope: least privilegeApproval thresholds
Risk above a set line stops and routes to a named human , the owner, security, or data , before the action proceeds.
threshold: medium and aboveSensitive data protection
PII and financial fields are masked in transit and in logs, and exporting them outside the approved class is blocked.
pii: masked & export-blockedRuntime enforcement
Out-of-policy tool calls are blocked as they happen, not flagged after the fact. The block is the control, not the alert.
mode: inline blockShort-lived credentials
Access is issued just in time and expires quickly. Standing, always-on credentials are not how agents reach your systems.
ttl: 15 minutesPrivate fields never leave in the clear.
When an agent reads a record, Anubis masks the fields it is not cleared to expose , in the prompt, the response, and the log. The agent can still do its job; it just cannot carry the raw data out.
email:
[redacted]phone:
[redacted]card:
[redacted] · last4 4417issue: refund not received
agent_view: summary + last4 only
export: blocked
When trust changes, access ends.
Revoke everywhere, in one action
If an agent behaves unexpectedly , a bad deploy, a compromised key, an unsafe pattern , one decision cuts its access across every connected system. There is no waiting for a token to expire and no system left holding a stale grant.
Test these controls on your own agent.
Bring an agent that already has credentials and watch the control surface decide its actions in real time , allow, approval, block , and revoke it on command.