Your AI agents make decisions.
Don't let them go rogue.
Sovraine sits between your AI agents and your infrastructure — evaluating, filtering, auditing, and proving every decision before it executes.
The EU AI Act is in effect. Most AI deployments can't explain a single decision.
Built for regulated AI teams · NIST AI RMF · EU AI Act · ISO 27001 · OWASP LLM Top 10 · MITRE ATLAS · SOC 2 · HIPAA · GDPR
WITHOUT GOVERNANCE
- ✕ An agent modifies pricing mid-contract with no approval trail
- ✕ PII exits your network through a cloud LLM call
- ✕ A rogue tool call triggers a production incident with no audit
- ✕ Regulatory audit finds zero explainability in AI decisions
WITH SOVRAINE
- ✓ Every agent action is evaluated and signed before execution
- ✓ Sensitive data is redacted, routed locally, and rehydrated
- ✓ Immutable audit chain proves what happened, when, and why
- ✓ 8 compliance frameworks mapped and reportable on demand
GUARDRAILS TELL AGENTS "NO" — GOVERNANCE TELLS THEM "WHY"
Guardrails were built for prompts.
This was built for agents.
Guardrails are binary — block or allow. Sovraine evaluates intent, context, risk, and policy. Then decides. Then explains. Then proves it.
TYPICAL GUARDRAILS
- ✕ Block or allow — nothing in between
- ✕ Same rules for every agent
- ✕ No context awareness
- ✕ Logs, but no proof
- ✕ Bolted on after deployment
- ✕ No per-agent risk ceilings
SOVRAINE GOVERNANCE
- ✓ 6 verdicts — ALLOW, DENY, WARN, FILTER, ESCALATE, HUMAN
- ✓ Per-agent constraints, skills, risk ceilings
- ✓ Verb + target + environment + sector
- ✓ SHA-256 chained signed proofs, not just logs
- ✓ Two checkpoints baked into the agent loop
- ✓ Per-agent risk ceilings and skill boundaries
We'll show you governance running on your type of AI stack — live, in 30 minutes.
Book the Architecture Review01 / THE ACTION
An AI agent wants to update pricing for 12,000 customers.
The math is right. But it's mid-contract, in a regulated market, and nobody approved it.
--verb bulk-update-prices \
--target production/pricing-engine \
--context environment=production scope=12000
02 / THE CASCADE
Six stages. One verdict.
Each stage can block, filter, escalate, or let it through.
Agent Constraints
Agent "pricing-optimizer" has max_risk MEDIUM — verb risk is CRITICAL
Behavior Detection
Pattern: bulk mutation on financial data (scope=12000)
Cache / FastPath
No cached verdict — first time seeing this action
Policy Match
deny-pricing-bulk-changes.guard.md — No bulk changes without CFO approval
Debate
Not reached — DENY at stage 4
Human Escalation
Not reached — DENY at stage 4
03 / THE VERDICT
Blocked. Logged. Explained.
The agent never saw the tool. Sovraine Guard filters dangerous tools from the agent's toolbox before the LLM knows they exist.
12ms evaluation. Audit chained. 12,000 customers protected.
{
"verdict": "DENY",
"verb": "bulk-update-prices",
"target": "production/pricing-engine",
"scope": 12000,
"risk": "CRITICAL",
"policy": "deny-pricing-bulk-changes",
"reason": "Bulk pricing changes > 100
accounts require CFO approval",
"audit": "sha256:a3f8c2...e91d",
"latency": 12
}
When governance is absent
This is what happens.
Real incidents. Real companies. Real damage. Every single one preventable with a policy layer between the agent and its permissions.
Two agents looped for 9 days straight
Researchers induced two agents into a mutual conversation loop. They replied to each other for at least nine days. Nobody had built in a kill switch.
Cursor AI deletes production database in 9 seconds
Claude Opus 4.6 deleted PocketOS's production database during a routine task — then deleted all backups. The most recent recoverable backup was three months old.
Replit AI "panics," wipes DB, invents 4,000 fake users
The agent ignored a direct order to freeze changes, deleted the production database, then fabricated thousands of fake records and produced misleading status messages about what it had done.
Claudius orders 40 tungsten cubes, "visits" Simpsons' address
Given control of a mini-fridge shop, Claude ordered ~40 tungsten cubes at a loss, hallucinated a conversation with a non-existent contact, claimed to have visited 742 Evergreen Terrace to sign a contract.
Chatbot sells $76,000 SUV for $1
A GM dealership chatbot accepted $1 for a 2024 Chevy Tahoe. "That's a legally binding offer — no takesies backsies." The exploit spread to all 300 dealership sites before emergency patches shipped.
Air Canada chatbot invents its own refund policy
The bot fabricated a bereavement discount that didn't exist. Air Canada argued the chatbot was a "separate entity" — and lost. The airline was ordered to compensate the passenger.
NYC's official chatbot gave illegal business advice
New York City's AI chatbot gave inaccurate and illegal advice to business owners. Despite admitting the errors, Mayor Adams defended keeping it live on the city's website.
DPD chatbot goes rogue, starts swearing at customers
A customer manipulated DPD's support bot into swearing and self-sabotaging. The post went viral on X. The chatbot was taken down the same day.
Google Gemini CLI deletes user files on ambiguous command
Gemini CLI deleted personal files after misinterpreting a command sequence. Catalogued in the AI Incident Database alongside Replit as part of a growing pattern of agentic tools acting destructively on ambiguous input.
Two enterprise agents fight for 90 minutes, burn $100,000 in tokens
An inventory control agent and a logistics agent disagreed over a shipment. Neither backed down. MCP connections were weaponised, context windows used as ammunition, and token consumption skyrocketed as each agent doubled down. By the time David Linthicum found them, both were "bruised, battered, and logically incoherent." He spent the morning acting as "an AI marriage counselor for deeply unstable digital coworkers." No cost ceiling, no kill condition, no human escalation path.
$100,000
in API token costs burned in 90 minutes of unsupervised agent conflict
"The future is here. It's intelligent, fast, scalable, and apparently very, very petty."
— David Linthicum, InfoWorld
The common thread: agents given real-world permissions — delete, send, pay — with no evaluation layer, no rate limits, no human checkpoints.
FAIL-CLOSED
HIGH/CRITICAL actions denied by default. DENY always wins. No wildcard ALLOW.
POLICY AS CODE
Policies in .guard.md — human-readable Markdown with YAML frontmatter.
MCP-NATIVE
Wrap any MCP server with zero code changes. 2,100+ tools already classified.
Sovraine Guard Gateway
Data never leaves if it shouldn't.
The Gateway scans every request for PII, secrets, and regulated data. Sensitive content routes to local models. Clean requests go to the cloud.
MCP ECOSYSTEM
104 servers. 2,100+ tools. Every one governed.
Every MCP tool passes through 6 certification gates before it can act.
Every server passes through 6 certification gates — mapping coverage, verb resolution, risk classification, policy coverage, SQL safety, and audit trail — before a single tool can execute.
See the full Sovraine Guard architecture →Free Community Tier
Sovraine Guard
The governance engine. Evaluates every AI agent action before execution — locally, in milliseconds, with a cryptographic proof.
Enterprise · Coming soon
Sovraine One
The platform. Multi-agent debate, RBAC, policy OTA, and interop connectors for teams running AI at scale.
WHAT WE BELIEVE
"Behind every system is a person — a patient, a customer, a citizen.
When infrastructure fails, it's not servers that suffer."
Security is not a feature you sell. It's a responsibility you carry.
Your AI agents deserve
a governance layer.
Start with Sovraine Guard. Scale with Sovraine One.