Product Features

Runtime Policy Enforcement Engine

Enforcement at execution time

AgntID evaluates and enforces access at execution time — for every agent tool call.

The runtime operates as a deterministic policy decision layer between agents and tools. Each tool invocation is treated as an independent enforcement event.

No session-wide permissions. No standing privileges. No blanket agent access.

Enforcement Flow per Tool Invocation

Every agent → tool action follows this execution path:

Policy Evaluation

Customer-defined policy guardrails determine whether the requested action is permitted.

Evaluation happens at runtime — not during configuration.

Optional Intent Awareness

If enabled, the runtime evaluates the agent’s intended action (via SDK shim) before granting access.

Intent awareness is additive — core enforcement works without modifying agents.

Scoped Access Resolution

If allowed, the runtime resolves access according to the configured credential model.

Access is granted only for the specific tool action being executed.

(Details of credential sourcing and narrowing are covered in the Credential Enforcement Models section.)

Controlled Execution

The tool executes with the resolved access boundary.

No session reuse. No privilege carryover. No implicit access expansion.

Audit & Visibility

Every decision and execution event is logged with full runtime context.

Core Characteristics

Per tool-action enforcement

Runtime decisioning

Optional intent-aware evaluation

Scoped access per invocation

Deterministic enforcement inside customer infrastructure

Policy Authoring

Define deterministic execution-time guardrails against real tool schemas.

AgntID lets infrastructure and security teams author fine-grained policies for every agent → tool action — enforced at runtime.

How Policies Work

MCP-Aware by Default

Auto-discover tools and actions from MCP servers
Auto-discover typed tool schemas
Policies written against real execution inputs

No abstract permission guessing.

Runtime Enforcement Model

Default deny (no policy = blocked)
Per tool-action evaluation
Deterministic enforcement at execution time

Guardrails defined centrally. Enforced per invocation.

Authoring Experience

Visual Policy Builder

Parameter-level constraints
Rule composition without writing policy code
Automatically compiled into runtime enforcement logic

Built for infrastructure teams.

sync

Advanced (Rego) Authoring

Full Rego support
Multi-policy priority ordering
Direct validation and enterprise-grade logic

Built for security engineers.

Policy Simulation & Runtime Testing

Test policies against real execution paths — before production impact.

AgntID allows teams to simulate and validate policy behavior using the same runtime engine that enforces production traffic.

No mock logic. No hypothetical evaluation. Real runtime decisions.

Two Simulation Paths — One Runtime Engine

Path 1

Scenario Simulation (LLM)

Write a natural-language prompt
Simulate full agent reasoning → tool calls
Evaluate policy + credential logic
View complete call flow and enforcement decisions

Built for:

What-if analysis, pre-production safety validation, testing new or modified policies

Path 2

MCP Inspector

Invoke MCP tool actions manually
Provide explicit parameters
Evaluate enforcement per tool action
Inspect credential resolution and audit logs

Built for:

Tool-level debugging, edge-case testing, deterministic enforcement verification

Deterministic Runtime Replay

Both simulation paths execute against the customer-hosted runtime — not a sandboxed approximation.

Policies are validated against the same deterministic enforcement engine used in production.

Credential Enforcement Models (2×2)

AgntID supports multiple credential enforcement models based on how credentials are sourced and how access is constrained at runtime.

Agent Tool Call

Policy Evaluation (Runtime)

(per agent → tool action)

Credential Source?

Pass-through

(existing identity)

Managed

(issued by AgntID)

Runtime Enforcement?

Static Scope

(policy-defined)

Runtime Narrowing

(per tool action)

Derived Credentials Issued

(Scoped + Ephemeral)

Tool Execution

(inside customer infra)

Deployment Architecture

Cloud Control Plane & Customer-Hosted Runtime

AgntID separates configuration from execution to ensure security, trust, and data isolation.

Runtime Traffic Flow (High-Level)

Internet / AgntID Hosted

Hosted

AgntID Cloud Control Plane

Policies & Guardrails

Credential Models

Audit & Visibility

No Execution

Trust Boundary

Policy Sync

Customer Intranet / Execution

Customer

Execution Plane (Customer)

Agent

Tool Call

AgntID Customer-Hosted Runtime

MCP Proxy | Policy Eval | Scoped Creds
Tool Execution | Audit

MCP Tool Invocation

MCP Servers

Vendor-hosted | Customer-hosted | Custom

Tool Call API

Tools

External SaaS / APIs / Internal APIs

Infrastructure-Owned. Developer-Light.

AgntID is deployed and operated by infrastructure and security teams — outside application code.

Runtime enforcement executes inside your environment with centralized policy control and zero agent redesign.

Infrastructure-Owned Runtime

Customer-hosted runtime controlled by platform / security teams
Centralized policy definition and guardrails
Works with existing IAM and MCP servers
No rip-and-replace of tools or identity systems

Minimal Developer Dependency

Core runtime enforcement requires no SDK changes
Optional intent-aware evaluation uses a lightweight SDK shim
Intent parsing is additive — not required for baseline enforcement

Integration Surface — At a Glance

Concern	AgntID Approach
Agent redesign required?	Not required
Mandatory SDK?	Not required
Optional SDK for intent parsing?	Optional (lightweight shim)
Owned by infra / security?	Infrastructure-owned
Enforcement location	Inside customer-hosted runtime

MCP Changes How Agents Use Tools

Model Context Protocol (MCP) introduces a new execution model for agents:

Agents dynamically discover and select tools at runtime

Tool actions are not known ahead of time (no static binding)

Execution happens after reasoning, not at design time

MCP defines capability discovery, but does not provide identity, access control, or enforcement for tool execution.

AgntID’s Bring-Your-Own MCP Model

AgntID is MCP-first — without owning or replacing MCP.

MCP provides capability discovery. AgntID adds runtime governance.

Execution Path with AgntID

Agent

AgntID Customer-Hosted Runtime

(Embedded MCP Proxy)

MCP Server

Tools

The agent does not call MCP directly.

All tool invocations flow through AgntID first.

AgntID intercepts, evaluates policy, derives scoped credentials, and then forwards the call to MCP.

MCP remains the capability layer. AgntID governs access and execution.

MCP-Aware Runtime Enforcement

Auto-Discover Tools

Live capability discovery from MCP servers

Auto-Discover Tool Schemas

Parameter types and structures surfaced directly

Policy Written Against Real Schemas

No abstract permission guessing

Typed Execution Validation

Deterministic enforcement aligned with real tool inputs

AgntID does not modify MCP. It extends MCP by enforcing policy and access control at execution time.

MCP Alone vs MCP + AgntID

MCP Alone

Tool discovery
Tool schema visibility

MCP defines what tools exist. It does not control how they are used.

MCP + AgntID

Tool discovery
Tool schema visibility

Runtime policy enforcement
Optional intent evaluation
Scoped, ephemeral credential resolution
Deterministic audit logging

Capability + Enforcement + Scoped Access

Runtime Operations & Observability

Operational control + deterministic visibility for every runtime

Runtime Control & Health

Start / stop / restart runtimes

Real-time health & policy sync status

Centralized logging & audit visibility

mTLS & secure runtime configuration

Per-Tool Execution Reporting

Complete tool call timeline

Step-by-step policy decision trace

Credential derivation visibility

Deterministic execution record

Operate with confidence. Investigate with precision.