AI Agent Governance
Configure comprehensive governance for AI agents. Manage identities, enforce safety controls, and maintain full visibility into agent operations.
Estimated time: 25 minutes
Safety Controls
- Agent Identity: Cryptographic identities for every AI agent
- Rate Limits: Requests/second and operations/hour limits
- Circuit Breakers: Auto-intervention on anomalous behavior
- Action Budgets: Maximum operations per session
Configuration Steps
1
Register AI Agent Identity
Create a cryptographic identity for your AI agent.
tacctl create -f - <<EOF
kind: ai_agent
metadata:
  name: coding-assistant
  labels:
    team: engineering
    purpose: code-review
spec:
  description: "AI assistant for code reviews"
  owner: platform-team
  ttl: 1h
EOF
2
Configure Safety Controls
Set rate limits, action budgets, and resource scopes.
tacctl create -f - <<EOF
kind: ai_agent_policy
metadata:
  name: coding-assistant-policy
spec:
  agent: coding-assistant
  rate_limits:
    requests_per_second: 10
    operations_per_hour: 1000
  action_budget:
    max_operations: 500
    budget_period: 1h
  resource_scope:
    allowed:
      - "db/dev-*"
      - "ssh/dev-*"
    denied:
      - "db/prod-*"
      - "ssh/prod-*"
EOF
3
Set Up Circuit Breakers
Configure automatic intervention for anomalous behavior.
tacctl create -f - <<EOF
kind: circuit_breaker
metadata:
  name: coding-assistant-breaker
spec:
  agent: coding-assistant
  thresholds:
    error_rate: 0.1      # 10% error rate
    latency_p99: 5s      # 99th percentile latency
    anomaly_score: 0.8   # ML-detected anomaly
  actions:
    - type: alert
      severity: warning
    - type: rate_limit
      factor: 0.5
    - type: revoke
      condition: anomaly_score > 0.9
EOF
4
Configure Audit Requirements
Require reason context for all agent actions.
tacctl create -f - <<EOF
kind: ai_agent_policy
metadata:
  name: audit-requirements
spec:
  agent: coding-assistant
  audit:
    require_reason: true
    log_level: detailed
    retention: 90d
  human_approval:
    required_for:
      - "db/write/*"
      - "ssh/*/sudo"
EOF
5
Issue Agent Credentials
Generate credentials with embedded safety controls.
# Generate agent credentials
tac agent auth coding-assistant --ttl=1h
# Verify agent identity
tac agent verify coding-assistant
# Monitor agent activity
tac agent logs coding-assistant --follow
AI Agent Governance Enabled
With AI agent governance configured, you have:
- Cryptographic identity for every AI agent
- Embedded safety controls in certificates
- Automatic circuit breakers for anomalies
- Complete audit trail of all agent actions
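
A pre-apply check for the resource_scope patterns from step 2, added here as an example; it is not part of the product or of the original guide. It classifies resource names against the allowed and denied patterns and flags production-looking names that no deny pattern covers. It assumes shell-style glob matching (Python's fnmatch); the inventory names and the classify/review_scope helpers are constructed for illustration.

```python
from fnmatch import fnmatchcase

# resource_scope values copied from the ai_agent_policy in step 2.
SCOPE = {
    "allowed": ["db/dev-*", "ssh/dev-*"],
    "denied": ["db/prod-*", "ssh/prod-*"],
}

# Constructed inventory; replace with your real resource names.
INVENTORY = [
    "db/dev-orders", "ssh/dev-build01", "db/prod-orders",
    "db/production-eu", "ssh/staging-web", "db/dev-prod-replica",
]

def classify(resource, scope):
    """Return 'allowed', 'denied', 'conflict' or 'unmatched' for one resource."""
    allowed = any(fnmatchcase(resource, p) for p in scope["allowed"])
    denied = any(fnmatchcase(resource, p) for p in scope["denied"])
    if allowed and denied:
        return "conflict"   # outcome depends on precedence; confirm before applying
    if allowed:
        return "allowed"
    if denied:
        return "denied"
    return "unmatched"      # outcome depends on the default; confirm it is deny

def review_scope(inventory, scope, sensitive=("prod",)):
    """Group resources by verdict and list sensitive-looking ones not denied."""
    report = {"allowed": [], "denied": [], "conflict": [],
              "unmatched": [], "review": []}
    for res in inventory:
        verdict = classify(res, scope)
        report[verdict].append(res)
        # A name containing a sensitive marker that no deny pattern catches
        # is a gap in the deny list, whatever the allow list says.
        if verdict != "denied" and any(s in res for s in sensitive):
            report["review"].append(res)
    return report

if __name__ == "__main__":
    for verdict, items in review_scope(INVENTORY, SCOPE).items():
        print(f"{verdict:10} {items}")
```

Names under "review" show where the deny globs are narrower than intended: "db/prod-*" does not cover "db/production-eu", and "db/dev-*" admits "db/dev-prod-replica".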