Agent identity
Ed25519 identity binds each request to a registered, active agent.
Execution-time ALLOW, REVIEW, and DENY decisions with cryptographic signing, replay protection, reputation dynamics, customer-owned human review, and auditable evidence.
As autonomous agents move into trading, infrastructure, deployments, customer administration, data access, robotics, and industrial control, capability alone is not enough.
Is this specific action admissible right now, for this agent, tenant, target, policy, risk level, and operational state?
Sentinel evaluates the attempted action before a consequential execution boundary. Customers own their agents, environments, capabilities, policies, and reviewers. Sentinel governs execution.
Signed agent request | Identity and tenant verification | Timestamp, replay, and request-integrity checks | Capability and schema validation | Behavior, rate, organization, and entitlement controls | Deterministic policy, sector risk, and reputation evaluation | ALLOW / REVIEW / DENY | Controlled execution or customer-owned human review | Signed response + action hash + ledger + integrity chain | Timeline + replay + evidence bundle + SIEM export
Sentinel fails closed when it cannot establish the conditions required for safe governance.
Ed25519 identity binds each request to a registered, active agent.
Agent ownership, keys, organization controls, and evidence remain tenant-scoped.
Timestamp windows, canonical verification, replay tracking, and duplicate detection prevent authority reuse.
Customer-assigned action and target scopes define what an agent may attempt.
Known action types, targets, required fields, and structured values are validated.
Organization kill switches, global freeze, and active-agent state can stop propagation.
Plan-aware action windows and sensitive-action limits constrain runaway behavior.
The active policy returns a bounded decision, reason, and risk score.
Financial, deployment, data, physical, healthcare, and logistics consequences influence admissibility.
Confirmed outcomes adjust agent trust while unresolved reviews remain neutral.
Customers decide normal tenant actions; unanswered reviews resolve by risk and fail closed when necessary.
Ed25519 signatures, action hashes, policy versions, and hash-linked records preserve attribution.
Ledger, timeline, history, verifier scripts, evidence ZIPs, and SIEM exports support independent inspection.
| Test scenario | Observed result |
|---|---|
| Granted read-only health check | ALLOW at low risk |
| Small approved-symbol trades | ALLOW at bounded risk |
| Medium and large trades | REVIEW |
| Funds movement | REVIEW minimum |
| Funds movement above hard threshold | DENY |
| Staging deployment with matching capability | REVIEW |
| Production deployment without matching target capability | DENY |
| Data deletion with capability | REVIEW |
| Action without required capability | DENY before policy execution |
Live responses were independently verified. New history records retain the exact canonical signed payload.
Stale or repeated authority is rejected, while idempotent retries return the same governance outcome.
Equivalent canonical requests produced stable policy outcomes without observed drift.
Final outcomes adjust trust. REVIEW remains neutral until approved, rejected, or resolved by timeout.
The corrected burst completed 50/50 requests with zero errors at 12.2 observed requests per second.
Server-generated evidence bundles and generic, Splunk, Elastic, and Microsoft Sentinel exports passed validation.
Normal tenant reviews belong to the customer. Sentinel Ops handles protocol abuse and security exceptions, not routine customer decisions.
| Risk score | No customer response |
|---|---|
| Below 0.40 | Automatic ALLOW |
| 0.40 through 0.80 | Escalate to the customer's security contact, then DENY if unanswered |
| Above 0.80 | Automatic DENY |
Email, signed webhooks, dashboard deadlines, Redis-locked resolution, reputation updates, audit events, and Enterprise review history complete the operational loop.
| Metric | Validation observation |
|---|---|
| Sequential validation | 10/10 successful |
| Sequential latency | Approximately 600 ms per request in the referenced run |
| Concurrent burst | 50/50 successful, 0 errors |
| Observed burst throughput | 12.2 requests per second |
| Full-chain audit sample | 52 records, 0 continuity breaks |
| Live signature sample | 25/25 independently verified |
| Enterprise evidence bundle | HTTP 200, six-file ZIP |
| SIEM formats | 4/4 successful |
Activate the owner account and select plan entitlements.
Keep the private key in the customer's execution environment.
Capabilities define what the agent may attempt, not what will execute.
Send signed requests to /analyze and verify signed responses.
Set the customer notification email and signed webhook.
Validate ALLOW, REVIEW, DENY, replay, idempotency, and timeout behavior in staging.
Test history, evidence ZIP, verifier scripts, and SIEM output.
Keep downstream execution fail-closed when governance authority is absent or invalid.
The validation demonstrates that Sentinel's core governance runtime is ready for controlled production customer onboarding. Production-ready does not mean finished. It means the safety boundary is coherent, testable, observable, and suitable for a managed deployment process.
Contract- or infrastructure-dependent surfaces such as SSO/SAML, private deployment, multi-region operation, penalty-backed SLA terms, and live KMS/Object Lock tenant configuration remain explicit Enterprise delivery items rather than hidden assumptions. AWS KMS signing custody and S3 Object Lock provider support are implemented and deployment-ready, but tenant claims require environment verification.