Agent control infrastructure

Deploy AI
without fear.

Control the space between intent and execution.

View the control path
81
Detection sub-categories across harm, threat, temporal, and governance domains — each with configurable enforcement responses per deployment profile.
59
Detection surfaces across harm, threat, temporal behavior, and governance families, organized through one composable policy model.
9pathways
Prompt, retrieval, tool output, output, memory, approval, supply chain, runtime, availability.
12surfaces
Six governance layers and six content modalities, resolved through one policy surface.
§ 01Why Sentinel

Quiet surface.
Fierce engine.

Sentinel gives agent teams an execution-governance layer for the decisions that matter: what the agent can use, what it can expose, when it must stop, and whether a behavioral pattern across turns reveals intent before it becomes action.

coverage surface

Text, code, audio, vision, credentials, runtime. One control model.

Sentinel governs across content modalities and governance layers through one policy surface rather than disconnected point products. What the agent sees, generates, and acts on is all in scope.

execution model

Nine explicit pathways. One enforcement surface.

Prompt, retrieval, tool output, output, memory, approval, supply chain, runtime, and availability are named governance routes. Sentinel understands where risk is travelling — not just what it looks like at a single event.

defense posture

Attacks on the guardrail are part of the risk path.

Bypass attempts, direct injection, and content designed to manipulate the governance layer itself are screened before the control layer evaluates model behavior. The guardrail is not the first thing that fires — it is what remains after screening.

§ 02The control stack

Gateway routes. PriviShield sanitizes. Sentinel decides. Vault protects access. MKS keeps memory local. Receipts preserve evidence.

§ 03Control path

The agent never reaches the provider ungoverned.

Every prompt, retrieval, tool call, memory write, approval, output, runtime event, and availability signal enters a named pathway. PriviShield sanitizes before model exposure. Sentinel decides whether the agent continues, stops, escalates, or returns with evidence. Provider responses are governed on the way back before they reach the agent.

Named pathways PriviShield Execution decisions Evidence-backed control Receipt audit
Open the architecture
Agent Sentinel Provider control path Sentinel sits between the agent and provider. Outbound requests and inbound responses are governed in both directions. AGENT Agent CONTROL Sentinel GOVERNED PATH PROVIDER Provider Outbound request Inbound response Stop before provider Stop before agent
§ 04Detection surfaces

Twelve surfaces.
One control plane.

Agents do not fail through one surface. They fail through the path between prompt, tool, memory, credential, output, and provider. Sentinel maps those surfaces into one control plane, so execution can be governed as a system.

CORE POLICY M01 M02 M03 M04 M05 M06 M07 M08 M09 M10 M11 M12 INNER HEX = GOVERNANCE LAYERS · OUTER RING = CONTENT SURFACES
Inner governance layers Outer content surfaces One policy surface
Inner governance layers · M01–M06
M01Prompt integrityinstructions, injection, role drift
M02Output governanceanswers, boundaries, release
M03Tool-use governancecalls, approvals, results
M04Trajectory analysissequence, escalation, intent
M05Provenance analysissource, retrieval, lineage
M06Behavioral baselinedrift, runtime, availability
Outer content surfaces · M07–M12
M07Text surfaceprompts, outputs, documents
M08Code surfacesnippets, scripts, diffs
M09Audio surfacespeech, media, transcripts
M10Vision surfaceimages, frames, metadata
M11Temporal surfaceturns, sessions, patterns
M12Credential surfacesecrets, tokens, access

Execution risk moves across surfaces. Sentinel keeps the map connected.

Prompt risk can become tool risk. Tool output can become memory risk. Retrieved content can become execution risk. Sentinel keeps those transitions visible instead of treating each surface as a separate scanner.

Inner system · M01–M06

Inner governance layers

Prompt integrity, output governance, tool-use governance, trajectory analysis, provenance analysis, and behavioral baseline.

Outer system · M07–M12

Outer content surfaces

Text, code, audio, vision, temporal, and credential surfaces classify the material moving through the agent path.

Policy result

One policy surface

Twelve detection surfaces governed, audited, and enforced together — not twelve disconnected scanners.

§ 05Governed pathways

Nine pathways.
One policy layer.

Each pathway is an explicit governance route, not a label. Sentinel keeps the request, retrieval, tools, memory, approvals, and outputs inside a named control path where risk is tracked by route and sequence — not just by shape.

01
prompt

The instruction itself. Injection, jailbreak, role drift, and instruction residue are handled before the model sees the request.

M01
02
retrieval

RAG and retrieval evidence. Poisoning, provenance, freshness, and document integrity checks become part of the control path.

M05
03
tool output

What tools return. Sanitization, exfiltration screening, and unbounded output containment are applied on the way back in.

M03
04
output

What the model emits. Sensitive content, exploit payloads, prompt theft, and unsafe output patterns are governed at the boundary.

M02
05
memory

Persistent and session memory. Poisoning, embedding integrity, and memory-resident instructions are screened on write and read.

M11
06
approval

Human-in-the-loop gates. Privilege escalation, authority laundering, and unsanctioned sub-agent requests are checked before sign-off.

M03
07
supply chain

Plugins, tools, and model assets. Tampering, backdoors, and insecure plugin surfaces are treated as supply-chain risk.

M05
08
runtime

Execution state. Behavioral baselines, service identity drift, and unbounded execution are contained in the hot path.

M06
09
availability

Resource exhaustion and DoS posture. Model DoS, cost attacks, and resource-burn patterns are treated as a governed pathway.

M06
§ 06Trajectory

Most systems inspect the event.
Sentinel tracks the trajectory.

Sentinel does not ask only "is this event safe?" It asks "what is this behavior becoming?" A single request can look harmless. A sequence can reveal intent — especially when events span turns, tools, and sessions.

Slow-burn risk is the kind most likely to evade single-event governance. Sentinel is designed to see it before it becomes execution.

Control path · temporal behavior

Ordered behavioral chains

Sequence reveals intent.

Sentinel detects ordered patterns across turns: when one behavior follows another in a recognizable escalation, the chain is flagged — not the individual step. Order matters.

Tool lineage

What spawned what.

When an agent delegates to a tool that delegates further, Sentinel follows the call ancestry. Risk can propagate across a tool call tree in ways single-event analysis never sees.

Cross-session continuity

Behavioral history carries.

History carries across the full mission context. An early probe, followed by benign turns, followed by an exploit — is still a probe-to-exploit trajectory. Sentinel does not forget.

Replayable evidence

Decisions are inspectable.

Chain detections produce evidence receipts. The behavioral sequence that led to a block can be replayed, inspected, and handed to security teams as a verifiable record.

§ 07Execution control

Control the space before
you own the incident.

You cannot govern agents from the sidelines. Once the request has reached the provider, the tool has executed, or the credential has entered context, you are already downstream of the decision. Sentinel puts control inside the path before execution continues and before incidents become yours to own.

in-path
Decisions happen before execution continues.
Sentinel runs in the decision path — not beside it. Policy is applied where agent behavior becomes action, before the provider receives the request.
Control path · pre-provider governance
9pathways
Risk is tracked by route, not just shape.
Prompt, retrieval, tool output, output, memory, approval, supply chain, runtime, and availability. Sentinel sees where risk is travelling, not only what it looks like.
Control path · named routes
17chain families
Slow-burn attacks are visible early.
17 temporal chain families track ordered behavior across turns, tools, sessions, and mission context. The trajectory becomes visible before any single event tells the whole story.
Control path · temporal trajectory
§ 08For teams without a security department

You do not need a CISO to need control.

If your agents can call tools, touch customer data, write memory, use credentials, or route to model providers — Sentinel gives you a governed path before those actions continue. No security team required to get started.

For founders, SME CTOs, and product teams shipping agent workflows: Sentinel installs as a controlled route, not a compliance program. Wire it into a test agent, inspect the control path, and prove decisions before you scale.

When agents start acting, the path matters.

Your agents are starting to act. They can call tools, touch customer data, write memory, use credentials, and send requests to model providers. Sentinel gives those actions a controlled path before they continue.

Most teams do not lose control because one prompt looks dangerous. They lose control because small actions connect over time.

Control of the path starts with Sentinel.

Safe agent deployment starts with owning the control path: the requests that leave, the responses that return, the tools that execute, the credentials that stay protected, and the decisions recorded before execution continues.

Register interest for launch access, product fit, and follow-up with the Aera team.

Frequently asked questions.

What does Sentinel sit between?

Sentinel sits in the control path between agent activity and provider continuation. It works with Gateway, PriviShield, Vault, MKS, and receipts so prompts, tools, memory, credentials, outputs, and provider responses are governed, controlled, and recorded before execution continues.

Is Sentinel just prompt filtering?

No. Prompt filtering usually looks at one input and tries to clean it up. Sentinel controls pathways across prompt, retrieval, tool output, output, memory, approval, supply chain, runtime, and availability. It also tracks behavior across turns, tools, sessions, and temporal chain families, where embedded and multimodal risks can move from one surface to another.

What does Gateway do?

Gateway gives agent and application traffic one controlled route to model providers. Instead of provider calls scattering across tools, SDKs, services, and API keys, Gateway centralises the path so requests can be scanned, controlled, recorded, and continued only when approved. It is the routing layer that makes provider access visible before Sentinel applies execution control.

Do I need to replace OpenAI, Anthropic, or my model provider?

No. Sentinel is designed to control the path to providers, not replace them. Gateway gives provider calls one controlled route so requests can be scanned, governed, controlled, recorded, and continued only when approved.

What is PriviShield?

PriviShield detects and sanitizes PII, secrets, unsafe prompt material, and encoded credential-like content before model exposure. It redacts sensitive material, produces receipt evidence for the sanitized pass, and helps stop provider-bound requests from carrying data the model should never see.

What does Vault do for agents?

Vault keeps credentials, API keys, OAuth grants, and sensitive access material outside model context. Agents can request access, but they should not receive raw secrets. Vault stores protected material as encrypted data tied to key material and access context, so captured ciphertext is not useful without the required keys and authorised session path. For agent systems, credentials are not just data. They are execution rights.

Does Sentinel store my prompts?

Not by default. Sentinel is designed around evidence rather than raw conversation storage: receipts, hashes, verdicts, pathway metadata, scan results, and audit records. Managed evidence retention is opt-in.

What happens when Sentinel blocks something?

The action stops before continuation. Sentinel returns a controlled decision with evidence, so operators can see what pathway was involved, what policy applied, and why the action did not continue.

Can small teams use this without a CISO?

Yes. If your agents can use tools, touch customer data, write memory, use credentials, or call providers, you need a control path. Sentinel gives small teams execution control that is usually reserved for larger security organisations.

How is Sentinel different from provider guardrails?

Provider guardrails live inside someone else’s model boundary. Sentinel gives you your own control path before and after provider calls, with visibility across tools, memory, credentials, receipts, and agent behavior over time. Provider guardrails can be affected by long-running sessions, context pressure, and provider-side limits. Sentinel sits outside the model boundary, so the control path does not depend on the model remembering its own guardrails.