Founding customer program now open Start with an Agent Exposure Review

Fugitive Control

Control the action, not just the conversation.

A vendor-neutral control and evidence plane for AI agents that reach enterprise data, credentials, APIs, applications, and operational systems.

Control plane architecture

Stand between machine intent and business impact.

Fugitive Control is designed to sit in the action path while using identity, data, security, and business systems as policy context.

Agent sources
Application agents
Employee copilots
Autonomous workflows
Third-party agents

Fugitive Control

Resolve identity, evaluate authority, enforce policy, and preserve evidence for every consequential tool call.

Agent and action graphDISCOVER
Delegated authority engineAUTHORITY
Tool-call policy gatewayGUARD
Approval and containmentCONTROL
Evidence and assurance ledgerTRACE
Enterprise systems
Customer and data systems
Code and deployment tools
Communications
Financial and privileged APIs
01 / DISCOVER

Build the AI Action Graph.

Start with an authoritative map of agents, owners, models, tools, MCP servers, identities, credentials, data sources, and high-impact workflows.

The graph is designed to answer the questions conventional inventories miss: which agent can affect which business system, under whose authority, through which path?

  • Agent and owner inventoryIdentify production, pilot, embedded, employee-operated, and third-party agents with accountable owners.
  • Tool and MCP topologyMap servers, tools, actions, transports, credentials, trust boundaries, and downstream dependencies.
  • Sensitive data pathsConnect agent workflows to regulated, confidential, customer, financial, and proprietary data.
  • High-impact action analysisPrioritize actions that move money, change code, alter records, contact external parties, or create irreversible effects.
02 / AUTHORITY

Give every agent a bounded mandate.

Agents should not inherit the full power of a human account or a long-lived service credential. Define what the agent may do, for whom, where, when, and up to what value.

Authority can be constrained by action, data class, tenant, customer, record, destination, geography, amount, time window, workflow state, and responsible human.

  • Resolvable agent identityBind a stable agent identity to the initiating user, application, workflow, model, and deployment.
  • Least-privilege action scopesAuthorize exact operations rather than broad API, application, or database access.
  • Short-lived delegated credentialsIssue narrowly scoped credentials that expire with the task instead of persisting in model context or configuration.
  • Separation of dutiesPrevent one agent or user from initiating, approving, and completing a sensitive transaction alone.
03 / GUARD

Enforce policy at the tool call.

Content filtering cannot replace authorization. Guard is designed to evaluate the requested action, current context, target system, data, recipient, transaction value, and declared mandate before execution.

Decisions can allow, deny, redact, transform, rate-limit, constrain, or route the action to accountable human approval.

illustrative-policy.fi
# Customer support refund policy
policy "refund-control" {
  agent       = "support-agent"
  tool        = "payments.issue_refund"

  allow when {
    customer.tenant == request.tenant
    refund.amount <= 500 USD
    case.status == "approved"
  }

  require_approval when {
    refund.amount > 500 USD
    approver.role == "finance-manager"
  }

  deny when {
    destination != original_payment_method
    customer.data_class == "restricted"
  }

  evidence = "full-action-record"
}
04 / TRACE

Preserve the complete action record.

An investigation should not require reconstructing intent from a chat log, identity from an API gateway, data access from a database, and approval from a ticket.

Trace is designed to create one append-only record connecting the agent, human authority, model, request, tools, data, policy evaluation, approval, execution result, and incident context.

  • Decision evidenceRecord the rules, context, signals, and exceptions used to allow, deny, modify, or escalate an action.
  • Data and tool lineageConnect retrieved information, generated instructions, intermediate tools, and final side effects.
  • Investigation-ready searchFind actions by agent, user, customer, tenant, tool, policy, data class, approval, destination, or outcome.
  • Assurance exportsProduce repeatable evidence for customers, auditors, governance teams, incident response, and executive reviews.
05 / ASSURANCE

Continuously test the mandate.

A policy is only useful when it withstands prompt injection, poisoned context, tool metadata changes, privilege escalation, cross-tenant attempts, approval bypass, and chained actions.

Assurance turns adversarial tests into control improvements and maps live evidence to internal policy, customer reviews, and widely used AI risk frameworks.

  • Agent and MCP red teamingExercise goal hijacking, tool poisoning, token abuse, command injection, sensitive-data leakage, and unsafe chaining.
  • Control regression testsRe-run security cases when models, prompts, tools, permissions, servers, or workflows change.
  • Framework mappingOrganize evidence for NIST AI RMF, ISO/IEC 42001, OWASP agentic guidance, internal policy, and customer questionnaires.
  • Executive control reportingShow inventory coverage, high-risk actions, approval coverage, blocked actions, exceptions, response readiness, and unresolved exposure.
06 / CONTAIN

Stop the smallest possible thing.

Emergency response should not require disabling every AI feature or taking an application offline. Containment should revoke the affected agent, credential, tool, tenant, workflow, or action class.

Every kill switch must be tested before an incident, preserve evidence, and support a controlled recovery path.

  • Selective revocationDisable a specific agent, identity binding, credential, MCP server, tool, action, tenant, or destination.
  • Policy safe modeMove affected workflows to read-only, human-approved, or deny-by-default operation.
  • Evidence preservationFreeze relevant logs, decisions, tool responses, model context references, and approval records.
  • Controlled restorationRequire remediation, validation, approval, and monitored re-entry before restoring autonomous action.

Design principles

Independent, enforceable, and evidence-first.

The control layer must remain useful as models, frameworks, clouds, identity systems, and enterprise tools change.

01

Vendor-neutral

Apply consistent policy across model providers, agent frameworks, MCP servers, clouds, and enterprise applications.

02

Default-deny for impact

Unknown or high-impact action paths should fail closed or move to accountable human review.

03

Identity before content

Resolve who and what is acting before attempting to interpret whether the request sounds safe.

04

Minimum necessary context

Expose only the records, fields, tools, credentials, and time window required for the current task.

05

Humans at consequential edges

Reserve accountable approval for sensitive, irreversible, regulated, novel, or high-value actions.

06

Evidence by construction

Generate the investigation and assurance record during enforcement—not after an incident or audit request.

Focused first deployment

Start with one consequential workflow.

The founding release is intentionally narrow: an agent and MCP tool-call policy gateway, accountable approvals, emergency revocation, and a complete action ledger for one or two production workflows.

  • Deploy inline, as a sidecar, or within a customer-controlled environment
  • Integrate with existing identity, secrets, API, logging, and ticketing systems
  • Convert review findings directly into enforceable policies and tests
Discuss a founding pilot