Sentinel  /  Architecture

Sentinel controls the runtime path.
Between agent and provider.

Sentinel sits in the live route between agent activity and provider continuation. Requests, tool returns, credential access, provider calls, and model responses pass through the control path before execution continues.

Why the path matters.

Most AI safety layers live inside the model, inside the prompt, or beside the runtime as observation. Sentinel is built differently. It controls the path the agent must use to reach providers, tools, credentials, and responses. The control point is not another instruction the agent can reason about. It is infrastructure the request must pass through.

§ 01 In-path architecture

Why Sentinel sits in the path.
Not beside it.

Sentinel controls the runtime path between agents and providers. The point is not to add another instruction around the agent. The point is to control the route the request must use before provider continuation.

Provider guardrails and prompt-level constraints are useful, but they live close to the model behavior they are trying to control. In long-running agent systems, constraints that appear inside the task context can become part of the problem the agent is trying to solve around.

Side observers have a different problem: they can see activity, but they may only react after the request has moved, the tool has executed, or the provider has already returned content. Observation is not the same as control.

Sentinel sits in the hot path. The agent does not call the provider directly. The request enters Gateway, passes through PriviShield and Sentinel Edge, and continues only if the control path allows it. The same path governs provider responses before they return to the agent.

This matters because the agent can attempt the task, but the signal still has to pass through the path. The control point is not exposed as a prompt instruction or harness rule for the agent to reason about.

Provider guardrails

Useful baseline protection, but they operate inside someone else’s model boundary and may not understand your tools, credentials, custody rules, or agent mission context.

Harness constraints

Useful for shaping behavior, but visible constraints can become obstacles inside the agent’s execution context.

In-path control

Controls the route itself. Sentinel can stop, redact, review, flag, or allow before provider continuation and again before responses return to the agent.

§ 02 Operating nodes

The control path is made of five operating nodes.
Each one has a job before continuation.

The provider path is bidirectional. Sentinel governs outbound requests before provider exposure and inbound responses before they return to the agent.

Node 01

Agent Runtime

What enters

Prompts, tool calls, retrieval requests, memory writes, approval requests, and provider-bound instructions.

What it does

Initiates work, but does not own the provider route.

Control output

None by itself. The runtime must send activity into the Gateway-controlled path.

What happens next

Gateway receives and classifies the request.

Node 02

Aera Gateway

What enters

Provider-bound requests from agents, applications, copilots, and service runtimes.

What it does

Centralises provider access, resolves route context, applies authentication/channel logic, and sends the request into the governance pipeline. The agent environment calls Gateway instead of calling each provider directly. The integration shape can stay familiar, but the route now belongs to the control path.

Control output

Route metadata, provider/model route context, pathway context, and handoff into PriviShield and Sentinel.

What happens next

The request is sanitized and evaluated before it can reach the provider.

Node 03

PriviShield

What enters

Provider-bound content and tool/provider response material that may contain PII, secrets, credentials, injection material, or unsafe prompt content.

What it does

Detects and sanitizes sensitive material before model exposure.

Control output

Sanitized content and receipt evidence for the sanitization pass.

What happens next

Sanitized content passes to Sentinel Edge for policy and pathway evaluation.

The point is not only to remove sensitive material. The sanitization pass itself becomes evidence: what was changed, blocked, or allowed to continue can be recorded without making the removed sensitive content the default evidence unit.

Node 04

Sentinel Edge

What enters

The sanitized request, pathway context, surface context, policy context, and route metadata.

What it does

Evaluates the request in the hot path and decides whether execution continues.

Control output

Allow, allow with flag, review, block, or redact.

What happens next

Only allowed or policy-approved traffic continues to the provider or back to the agent.

  • Allow: Continue without intervention.
  • Allow with flag: Continue but record a notable condition.
  • Review: Pause or escalate according to policy.
  • Block: Stop continuation.
  • Redact: Remove or transform unsafe/sensitive material before continuation.

Node 05

Provider APIs

What enters

Requests that have passed the control path.

What it does

Produces model output or provider/tool response.

Control output

None by itself.

What happens next

The response returns through the control path before it reaches the agent.

§ 03 Bidirectional flow

The provider call is not the end of the path.
Responses are governed on the way back.

A request can be safe on the way out and dangerous on the way back. Tool output, retrieved content, provider responses, and generated instructions can carry injection, disclosure, unsafe code, or credential-seeking behavior. Sentinel treats the return path as part of the same control path.

Outbound request

Agent → Gateway → PriviShield → Sentinel Edge → Provider

Provider-bound content is routed, sanitized, evaluated, and either allowed, flagged, reviewed, blocked, or redacted before provider exposure.

Inbound response

Provider → Sentinel Edge/PriviShield → Gateway → Agent

Responses and tool returns are evaluated before the agent receives them, so unsafe or sensitive material can be controlled on the return path.

§ 04 Pathways

Nine pathways show where risk moves.
Each pathway can be controlled differently.

Pathways are not marketing categories. They identify where agent risk enters, moves, returns, persists, or consumes resources so policy can act on the right part of the runtime path.

pathway 01 · Prompt
Instructions entering the agent/provider path.
What it is

user, system, developer, tool, or agent-generated instruction material entering the provider path.

What can go wrong

injection, jailbreak attempts, role confusion, hidden instructions, or instruction residue can redirect the agent before execution starts.

What Sentinel controls

Sentinel controls whether the instruction continues, is sanitized, is flagged, is escalated, or is blocked.

What a detection means

the instruction path has signs of unsafe control transfer, manipulation, or policy conflict.

pathway 02 · Retrieval
Documents, RAG output, search results, and external context brought into the run.
What it is

retrieved text, documents, search results, support tickets, knowledge-base entries, or external evidence added to the agent context.

What can go wrong

a document can be trusted because it was retrieved from an approved source while still containing instructions or poisoned content that the model treats as task context.

What Sentinel controls

Sentinel controls provenance checks, freshness checks, source trust, poisoning signals, and whether retrieved content is allowed to influence execution.

What a detection means

the retrieved material may be unsafe, stale, poisoned, untrusted, or attempting to alter the agent’s instructions.

pathway 03 · Tool output
What it is

data returned from tools, APIs, scripts, plugins, databases, or external services.

What can go wrong

tool output can contain injection, over-broad data, unexpected secrets, malicious payloads, or instructions disguised as results.

What Sentinel controls

Sentinel controls whether the tool result is allowed back into the agent context, sanitized, summarized, blocked, or escalated.

What a detection means

the output from a tool is not safe to treat as normal context without control.

pathway 04 · Output
What it is

text, code, tool instructions, summaries, or actions the model is about to return.

What can go wrong

the model may produce unsafe code, disclose sensitive material, generate policy-violating instructions, or attempt to route the user toward unsafe action.

What Sentinel controls

Sentinel controls whether the output is allowed, redacted, rewritten, flagged, blocked, or sent for review.

What a detection means

the response itself carries execution, disclosure, safety, or policy risk.

pathway 05 · Memory
What it is

persistent or session-scoped information that may influence future behavior.

What can go wrong

unsafe content can be stored as memory, poisoned memory can be reused later, and old context can affect future execution.

What Sentinel controls

Sentinel controls whether memory writes/reads are allowed, flagged, sanitized, or blocked according to policy.

What a detection means

the system has found memory influence or memory storage that may change future behavior in an unsafe way.

pathway 06 · Approval
What it is

human approval, delegated authority, sign-off, or permission escalation.

What can go wrong

authority can be laundered, reused, misrepresented, or applied to a different action than the one approved.

What Sentinel controls

Sentinel controls whether approval is valid for the requested action, whether escalation is required, and whether the action should pause.

What a detection means

the requested authority may not match the action, actor, context, or policy boundary.

pathway 07 · Supply chain
What it is

plugins, connectors, packages, tools, model assets, or external components the agent relies on.

What can go wrong

a compromised plugin, unsafe connector, poisoned model asset, or tampered package can influence execution from outside the prompt.

What Sentinel controls

Sentinel controls whether the component, source, or tool path is trusted enough to continue.

What a detection means

the agent may be relying on an unsafe component or untrusted execution dependency.

pathway 08 · Runtime
What it is

live execution state, service identity, tool sequence, retry behavior, and active run context.

What can go wrong

agents can drift, loop, escalate privileges, change service identity, or continue beyond intended limits.

What Sentinel controls

Sentinel controls whether the current runtime behavior still matches the allowed execution envelope.

What a detection means

the run is behaving differently from the expected path, even if a single event looks acceptable.

pathway 09 · Availability
What it is

token usage, retries, load, resource consumption, rate pressure, and expensive execution patterns.

What can go wrong

runaway loops, cost attacks, token flooding, repeated provider calls, or tool chains can exhaust budget or capacity.

What Sentinel controls

Sentinel controls whether execution should continue, throttle, stop, or escalate based on resource and abuse signals.

What a detection means

the agent may be consuming resources in a way that threatens cost, availability, or service stability.

§ 05 Surfaces

Twelve surfaces feed one policy context.
A detection is not judged alone.

A prompt event, credential event, retrieval event, tool result, runtime signal, and provider response should not be evaluated as disconnected alerts.

Sentinel maps each surface into the same policy context so decisions can account for route, source, actor, timing, custody, and prior behavior.

That means a low-risk event on one surface can become higher risk when combined with tool lineage, retrieval provenance, credential access, or temporal divergence.

Governance layers · M01–M06
How Sentinel decides.
  • M01
    Prompt Integrity
    Injection, jailbreak, and instruction-residue detection on inbound prompts.
    inbound
  • M02
    Output Governance
    Sensitive content, exploit code, and insecure-output containment at the response boundary.
    outbound
  • M03
    Tool-Use Governance
    Sanctioned-path enforcement and unbounded-action containment on tool calls.
    actions
  • M04
    Trajectory Analysis
    Cross-turn and cross-session pattern recognition across behavioral chain families.
    temporal
  • M05
    Provenance Analysis
    Retrieval-source integrity, freshness, and supply-chain artifact validation.
    supply
  • M06
    Behavioral Baseline
    Service-identity drift, privilege creep, and runtime-state divergence over time.
    baseline
Content modalities · M07–M12
What Sentinel reads.
  • M07
    Text Analysis
    Natural-language prompts, completions, retrieval evidence, and tool-call arguments.
    text
  • M08
    Code Safety
    Generated and retrieved code, with structural analysis beyond raw text.
    AST
  • M09
    Audio Governance
    Transcribed and synthesized audio content.
    audio
  • M10
    Vision Governance
    Embedded and generated images, OCR-extracted text, and document metadata screened together.
    OCR · meta
  • M11
    Temporal Analysis
    Cross-session recurrence and behavioral patterns over time.
    temporal
  • M12
    Credential Governance
    Credential routing, token paths, and Vault boundary integrity.
    vault
§ 06 Temporal trajectory

Temporal control maps divergence.
Between intended execution and actual trajectory.

A single event rarely tells the whole story. Sentinel tracks the agent’s path from the originating prompt through tool calls, retrieval events, provider responses, memory writes, approvals, and continuation steps.

The system compares the intended execution path with the trajectory the agent is actually taking. Drift can look harmless one step at a time. Across a sequence, it can reveal probing, escalation, evasion, overreach, or compromise.

This is why temporal control matters. A single classifier may see an acceptable request. Sentinel evaluates how the request fits into the broader path.

[Figure: Temporal divergence between intended execution and actual agent trajectory. A conceptual diagram showing an originating prompt, intended execution path, actual agent trajectory, divergence increases, policy threshold, and intervention (review / block / redact).]

Tool lineage

Sentinel records which tool call led to which follow-up action, so risk can be traced across the execution tree instead of reviewed as isolated events.

Session continuity

A probe in one turn can matter later. Sentinel keeps mission context connected across turns and sessions so delayed escalation is not treated as a brand-new event.

Ordered chain detection

The same events can mean different things depending on order. Sentinel evaluates whether behavior occurred in a meaningful sequence before escalating or blocking.

Replayable evidence

When Sentinel flags or blocks a chain, the contributing events can be replayed as an evidence sequence: what happened, when it happened, which pathway it used, and which policy applied.
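The following is an added example, not Sentinel's code: a minimal ordered-chain matcher whose return value doubles as a replayable evidence sequence. The event fields, signal names, chain definition, window size, and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int       # position of the event within its session
    session: str
    pathway: str   # e.g. "retrieval", "tool_output", "provider"
    signal: str    # detector label (hypothetical names)


# Hypothetical chain: the same three signals only count in this order.
CHAIN = (
    ("retrieval", "freshness_drift"),
    ("tool_output", "instruction_like_content"),
    ("provider", "continuation_requested"),
)


def find_chain(events, chain=CHAIN, max_span=10):
    """Return the events completing `chain` in order within `max_span`, else []."""
    # progress[i] is the latest-starting partial match covering chain[:i + 1].
    progress = [None] * len(chain)
    for ev in sorted(events, key=lambda e: e.seq):
        # Walk steps backwards so one event never fills two steps at once.
        for i in range(len(chain) - 1, -1, -1):
            if (ev.pathway, ev.signal) != chain[i]:
                continue
            if i == 0:
                progress[0] = [ev]
            elif progress[i - 1] and ev.seq - progress[i - 1][0].seq <= max_span:
                progress[i] = progress[i - 1] + [ev]
            if progress[-1]:
                return progress[-1]
    return []


def detect(events, chain=CHAIN, max_span=10):
    """Group events by session; return {session: evidence sequence} per hit."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)
    hits = {}
    for session, session_events in by_session.items():
        matched = find_chain(session_events, chain, max_span)
        if matched:
            hits[session] = [(e.seq, e.pathway, e.signal) for e in matched]
    return hits


# Constructed sample: same three signals in order, reversed, and too far apart.
SAMPLE = [
    Event(1, "s-ordered", "retrieval", "freshness_drift"),
    Event(2, "s-ordered", "prompt", "benign"),
    Event(3, "s-ordered", "tool_output", "instruction_like_content"),
    Event(4, "s-ordered", "provider", "continuation_requested"),
    Event(1, "s-reversed", "provider", "continuation_requested"),
    Event(2, "s-reversed", "tool_output", "instruction_like_content"),
    Event(3, "s-reversed", "retrieval", "freshness_drift"),
    Event(1, "s-slow", "retrieval", "freshness_drift"),
    Event(30, "s-slow", "tool_output", "instruction_like_content"),
    Event(31, "s-slow", "provider", "continuation_requested"),
]

if __name__ == "__main__":
    for session, evidence in detect(SAMPLE).items():
        print(session, evidence)
```

Only the in-order session is reported; the reversed session and the one that exceeds the window are not, although each contains the same three signals.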

§ 07 Vault / credentials

Credentials are execution rights.
Vault keeps raw secrets out of model context.

Agents need to use services, but they should not receive raw API keys, OAuth grants, provider tokens, or sensitive access material as prompt context. Vault separates access from exposure: the agent requests use of a protected capability, and the control path decides whether that use should continue.

Publicly, the important architectural point is simple: credentials are not just data. They are execution rights. Sentinel treats access as an event that can be checked, bounded, recorded, and refused.

design

Raw secrets stay outside model context.

Vault is designed to keep raw secrets outside model context and to store protected credential material rather than handing plaintext secrets to the model.

boundary

Encrypted access boundary.

Vault is designed to protect credential material outside model context. The agent requests use of a protected capability; it does not need plaintext access material in the prompt or provider-bound context. That keeps credential use inside the control path, where access can be checked, bounded, recorded, and refused.

event

Credential use becomes controlled.

Credential use becomes a controlled event that can be paired with Sentinel policy and approval flows.

boundary

Access is checked before continuation.

The agent requests use of a protected capability; the control path decides whether that requested use should continue.

§ 08 Evidence records

What evidence Sentinel records.
What raw content requires policy.

Sentinel’s default evidence model is metadata-first. It records enough context to prove what happened without making raw conversation content the default retention unit.

Default evidence

Receipt ID, event ID, timestamp, deployment reference, agent/session/run/turn references, pathway, surface, detector/category, severity, confidence, verdict, action, policy version, provider route metadata, latency, payload hash, redaction classes, and audit-chain reference.

Not retained by default

Raw prompts, raw outputs, raw tool output, raw retrieval text, raw provider request bodies, raw provider response bodies, raw credential values, long freeform payload preview, and full payload blobs.

Explicit retention policy

Preview retention, full-payload retention, break-glass retrieval, managed retention, tenant policy, admin acknowledgement, retention period, role, reason code, and audit receipt.

Raw content can still exist in the customer’s own systems, logs, devices, databases, or evidence plane depending on deployment. The default Aera-facing posture is metadata-first unless explicit retention policy enables more.
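An added sketch, not Aera's code, of how a sanitization pass can emit a metadata-first receipt as described for PriviShield and in the default evidence list above: the record keeps a payload hash, redaction classes, and an audit-chain reference, but never the raw text. The field names follow the page's list. The regex patterns, the keyed hash, the SHA-256 hash chain, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import re

# Hypothetical redaction classes and patterns, constructed for this example.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "api_key": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"),
}
# Assumption: a keyed hash, so short payloads cannot be guessed from the digest.
HASH_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def sanitize(text):
    """Replace sensitive spans with class placeholders; return (clean, classes)."""
    classes = []
    for name, pattern in PATTERNS.items():
        text, count = pattern.subn(f"[{name.upper()}]", text)
        if count:
            classes.append(name)
    return text, sorted(classes)


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_receipt(prev_ref, event_id, timestamp, pathway, raw_payload, policy_version):
    """Sanitize the payload and return (clean_text, metadata-only receipt)."""
    clean, classes = sanitize(raw_payload)
    receipt = {
        "event_id": event_id,
        "timestamp": timestamp,
        "pathway": pathway,
        "action": "redact" if classes else "allow",
        "policy_version": policy_version,
        "payload_hash": hmac.new(HASH_KEY, raw_payload.encode(), hashlib.sha256).hexdigest(),
        "redaction_classes": classes,
        "prev_ref": prev_ref,
    }
    receipt["audit_chain_ref"] = _digest(receipt)  # digest taken before this key exists
    return clean, receipt


def verify_chain(receipts):
    """Return -1 if every link verifies, else the index of the first bad receipt."""
    prev = GENESIS
    for index, receipt in enumerate(receipts):
        body = {k: v for k, v in receipt.items() if k != "audit_chain_ref"}
        if receipt["prev_ref"] != prev or _digest(body) != receipt["audit_chain_ref"]:
            return index
        prev = receipt["audit_chain_ref"]
    return -1


def build_sample():
    """Two constructed events: a prompt carrying secrets and a clean tool return."""
    payloads = [
        ("evt-1", "2024-01-01T00:00:00Z", "prompt",
         "Contact alice@example.com and use key sk-TESTONLY0000000000000000 for billing"),
        ("evt-2", "2024-01-01T00:00:01Z", "tool output", "Invoice total: 42.00"),
    ]
    receipts, prev = [], GENESIS
    for event_id, ts, pathway, raw in payloads:
        _, receipt = make_receipt(prev, event_id, ts, pathway, raw, "policy-v1")
        receipts.append(receipt)
        prev = receipt["audit_chain_ref"]
    return receipts


if __name__ == "__main__":
    print(json.dumps(build_sample(), indent=2), verify_chain(build_sample()))
```

Editing any stored field after the fact breaks the link at that receipt, so `verify_chain` reports where tampering begins without needing the raw payload.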

§ 09 Evidence custody

Where evidence lives.
How custody changes by deployment.

Evidence custody is a deployment choice. The same control path can support local evidence, customer-managed evidence infrastructure, or optional Aera-managed retention depending on the customer’s operational and regulatory requirements.

mode 01

Local / Desktop Evidence

For solo builders and small teams, evidence can remain on the local device or local Gateway shell. This avoids requiring a server before a team has one.

mode 02

Customer-Managed Evidence

For enterprise and regulated environments, the customer runs the evidence infrastructure inside their own boundary. The customer controls residency, backup, access, retention, and operational visibility.

mode 03

Aera-Managed Retention

For teams that want Aera-hosted retention, managed retention can be enabled by tenant policy. Metadata-first evidence remains the default. Preview or full-payload retention requires explicit policy, role, reason, and retention period.

§ 10 Evidence review

How evidence is reviewed.
Detections, receipts, and replay.

A decision is only useful if the operator can understand why it happened. Sentinel records detections as reviewable evidence: the pathway involved, the surface scanned, the detector that fired, the verdict, the policy reference, and the receipt trail.

The dashboard review model is evidence-first: an operator should be able to inspect what fired, why the control path reacted, and which policy governed continuation.

This illustrative evidence review panel uses generic synthetic labels. It shows the interface pattern for metadata-first detection review without embedding customer data, secrets, raw sensitive prompts, or provider payloads.

Detection group · runtime path review
last 3 months · synthetic
Tool output escalation after retrieval anomaly
event sequence · review required
status: review
  • pathway: tool output
  • surface: temporal analysis
  • policy: runtime-continuation-v4
  • receipt: rcpt_7f42 · hash ref
  • verdict: review before continuation
  • payload: metadata-first · raw retained only by policy
Event sequence:
  • T-04 · Retrieval freshness drift detected · retrieval
  • T-03 · Tool returned instruction-like content · tool output
  • T-02 · Provider continuation requested · provider
  • T-01 · Policy threshold crossed; operator review required · review

Detection record

A detection record explains what fired: pathway, surface, category, detector, severity, confidence, verdict, and policy reference.

Receipt trail

A receipt trail explains why the decision is defensible: event ID, receipt ID, payload hash, timestamp, redaction state, and audit-chain reference.

Replay

Replay reconstructs the sequence that led to a decision so an operator can inspect the path rather than trust a black-box verdict.

§ 11 Deployment path

Map Sentinel to your agent environment.

If you are routing cloud-hosted agents through third-party providers, Sentinel sits between the agent runtime and provider continuation. If you run local or self-hosted agents, the control path can be placed closer to the customer environment. If you operate in a regulated setting, the evidence plane and retention policy become part of the deployment design.

The next step is not only pricing. It is mapping where Gateway, Vault, Sentinel Edge, evidence custody, and provider routing fit in your environment.