Safety · the control surface

The room where agent actions are decided.

Safety here is not a promise that an agent is perfect. It is a set of controls that decide, for every action, whether it is allowed, paused for a human, or blocked , and a switch that ends access the moment trust changes.

Policy decision path

Every action lands in one of three lanes.

The same agent can read freely, pause on sensitive writes, and be refused on destructive actions. The lane is decided by what the action touches, not by how confident the agent sounds.

Allowed runs · logged
  • + read
  • + search & lookup
  • + summarize
  • + crm.read
  • + database.read
  • + ticket.classify
Require approval paused · routed
  • export customer records
  • send external email
  • update financial records
  • change crm ownership
  • create invoice
  • access sensitive dataset
Blocked refused · incident
  • wire transfer
  • delete database
  • export PII
  • disable logs
  • change admin permissions
  • bypass approval
Runtime enforcement

The decision happens before the tool runs.

A tool call is not trusted because the agent was approved once. Each call passes through the policy engine, which checks scope, data class, and approval threshold, then allows, holds, or blocks , in line, in real time.

tool call

Agent attempts an action

erp.payment.create · release $48,200 to a vendor.

policy engine

Checked against approved policy

scope: declared tools only data class: no PII export threshold: payments → human
decision

Blocked & recorded

Refused in line, logged with policy version, agent identity, and reason.

Control surface

The controls behind every lane.

Each control is a specific mechanism, not a setting that sounds reassuring. Together they decide what an agent can reach, when a human is pulled in, and what is preserved.

01

Policy checks

Every request is matched to a written, versioned policy before it runs. There is no default-allow path around it.

policies: versioned
02

Permission boundaries

An agent acts only inside the tools and data classes it declared and was approved for. Undeclared scope is denied.

scope: least privilege
03

Approval thresholds

Risk above a set line stops and routes to a named human , the owner, security, or data , before the action proceeds.

threshold: medium and above
04

Sensitive data protection

PII and financial fields are masked in transit and in logs, and exporting them outside the approved class is blocked.

pii: masked & export-blocked
05

Runtime enforcement

Out-of-policy tool calls are blocked as they happen, not flagged after the fact. The block is the control, not the alert.

mode: inline block
06

Short-lived credentials

Access is issued just in time and expires quickly. Standing, always-on credentials are not how agents reach your systems.

ttl: 15 minutes
Sensitive data protection

Private fields never leave in the clear.

When an agent reads a record, Anubis masks the fields it is not cleared to expose , in the prompt, the response, and the log. The agent can still do its job; it just cannot carry the raw data out.

masked read · support-triage data class: PII
customer: Dana R.
email: [redacted]
phone: [redacted]
card: [redacted] · last4 4417
issue: refund not received
agent_view: summary + last4 only
export: blocked
Kill switch

When trust changes, access ends.

Revoke everywhere, in one action

If an agent behaves unexpectedly , a bad deploy, a compromised key, an unsafe pattern , one decision cuts its access across every connected system. There is no waiting for a token to expire and no system left holding a stale grant.

credentials revoked in-flight tool calls stopped connected systems disconnected revocation written to audit
Put it under load

Test these controls on your own agent.

Bring an agent that already has credentials and watch the control surface decide its actions in real time , allow, approval, block , and revoke it on command.

Copied to clipboard