Skip to content

Governance for AI

Give agents the access they need to do real work, without giving up control. Every AI action in your company passes one gate you set, and lands in a record you keep.

  • Attested confidential VM (TEE)
  • Allowed by policy
  • Blocked and logged
See

Every AI action, on one record

Which agent, which model, which data, when. You finally see where AI pays off across the company, and where it doesn't.

Control

You decide where every agent can go

Allow or block per destination. Secrets injected per request, so agents never hold credentials or leak what they never had.

Prove

Evidence, not promises

The whole path runs attested in hardware. When auditors ask how AI is controlled, you show them the record.

Own

No lock-in, by design

Open source, provider neutral. Swap models, providers, or clouds anytime; run open models in confidential compute.

THE FOUNDATION

Confidential compute is the foundation, not the product: sandboxes, Airlock, and Console all run attested, memory encrypted in use. No middlebox reads your data, not even ours.

How it works

Two ways in. Same gate.

For developers
~/acme-app · concrete
$ concrete claude
sandbox attested · session #42 opened · policy dev-default
> fix the flaky billing test, open a PR when green
# laptop closed · the session keeps running
$ concrete claude # next morning
resumed · PR #118 open · 212 requests on the record

Developers keep Claude Code, Codex, and their editor. The session lives in the sandbox, not on the laptop: close it, come back, pick up where it left off.

For teams
ops · concrete
$ concrete agent deploy "#support"
confidential VM launched · one agent per channel
context support runbooks + channel history
secrets zendesk-token · injected per request
policy support-readonly
→ agent live in #support
# nothing shared: not context, not secrets, not runtime

One agent per confidential VM: its own context, its own secrets, its own policy. Nothing shared with any other channel.

For every team

A governed agent, in every channel.

Your company already works in Slack and Teams. Deploy an agent into any channel or DM: shared context for the team, private context for each person.

One compromised agent compromises nothing else. Same Airlock, same record as everything your developers run, each agent under its own scoped policy.

What it allows

Scoped to the task. Nothing more.

production-debugging.policy
allowprod-db.internalread-only
allowapi.internal
allowgithub.com/acme/app
block*everything else

Diagnose a live incident with no way to change or leak data.

dependency-upgrade.policy
allowregistry.npmjs.org
allowgithub.com/acme/app
block*everything else

A poisoned install hook has nowhere to send what it steals.

outsourced-agent.policy
allowgithub.com/acme/appPRs only
injectgithub-tokenper request
blockcustomer-data
block*open internet

Real work from an agent that holds no standing access.

See it on your own stack.

One repository or one channel, one governed agent, access you would never grant today. Your risk and compliance teams read the full trail: every session, every request, every destination.