Every action checked in context, before it runs.
Guardbase routes every agent action through your policies the moment it happens: allow, block, redact, or ask the user. Sensitive data stays in, destructive commands never run, and your teams keep moving.
Static permissions judge one action. Agents chain hundreds.
Each action clears the allowlist on its own. The risk lives in the combination, and only context catches it.
Four answers for every action.
Allow, block, redact, or ask the user. Decided the moment it happens.
Work keeps moving
Most actions pass without friction. Developers don't notice Guardbase until it matters.
Incidents that never happen
Destructive commands and data leaks stop before they happen, with the reason logged.
Agents work without seeing secrets
Secrets, PII, and PHI are removed in both directions: before the agent processes them, and before anything leaves.
People decide the edge cases
High-risk actions pause and ask the person running the agent, right in their session.
Catches what static permissions can't.
Every decision weighs six things at once. It's how the chain above gets caught.
Who the agent acts as
An agent acts with the identity of whoever runs it. Decisions start there: which employee, which team, which rules apply to them.
What the session already did
Risk builds across a session. Deleting a ticket is fine in a clean session, and requires permission in one that touched an untrusted source.
What the data is
Classifiers detect PII, PHI, PCI, secrets, and credentials in everything agents read and send.
Where data could leave
Posting comments, sending email, creating attachments. Any action that can move data out follows stricter rules than the rest.
What the agent consumed
You define which sources count as untrusted, like web search or specific MCP servers. Once an agent reads from one, the session stays marked and policies tighten.
How destructive it is
Deletes, drops, force-pushes. A risky command on its own can ask the user. The same command after untrusted content is blocked.
Write the policy once. Enforce it everywhere.
Set per user or group: the data agents may process, the commands they may run, the tools they may call, and where anything is allowed to go. Enforced identically across every agent and every surface, MCP or not.
Agents may process customer data, but it only goes to approved destinations. Over MCP or anywhere else.
Data + DestinationsCustomer PII never reaches the agent. Redacted before it's processed.
DataAfter reading untrusted web content, sending anything external asks the user first.
Untrusted contentDestructive commands on production systems are blocked.
CommandsThe CRM MCP server is available to Sales agents. No one else reaches it.
ToolsTool calls that send data out, like creating attachments or posting comments, need approval first.
ApprovalNative hooks, decisions in your environment.
No changes to the agents themselves. No traffic leaving your environment.
Hook in
The same lightweight CLI as Agent Inventory configures each agent's native hooks. Enforced through managed settings that developers can't overwrite.
Decide
Every action routes through Guardbase, inside your environment. Fast decisions before the action runs: allow, block, redact, or ask the user.
Trace
Every decision is logged with the full session behind it and the reason it was made. When something is blocked, you know exactly why.
Control that doesn't slow anyone down.
Inline, in the agent
Decisions show up in the agent session itself. No separate portal, no ticket, no context switch.
No workflow changes
Developers keep their agents and their setups. The native hooks do the routing.
Built to fail open
If the decision service is ever unreachable, sessions keep working. Enforcement is never the outage.
Know what you're controlling.
Runtime Control deploys through the same CLI as Agent Inventory. Start with visibility, turn on enforcement when you're ready.
Common questions.
No. The hooks are enforced through each agent's managed settings, which can't be overwritten on a managed device.
Claude Code, Cursor, Codex, Gemini CLI, OpenCode, Amp, and more. The same policy is enforced identically across all of them.
Shell commands, file reads and writes, MCP tool calls, and web search and fetch. The ways agents actually touch your systems.
Sensitive data is detected with classifiers, and those signals feed the policies you set. The decision itself follows your policy, so enforcement doesn't depend on a model's judgment.
Sessions keep working. Guardbase is designed to fail open, so enforcement never becomes the outage.
In the Guardbase UI, per user or group. Sync with identity providers like Okta, Entra, and Google is coming soon.
What changes with Guardbase in place.
Fewer incidents
Risky actions stop before they run. The incident that never happens is the one you don't clean up after.
Proof on demand
Every action logged with its reason. Ready for audits, reviews, and post-incident questions.
Adoption, endorsed
Your teams already run agents. Guardbase turns that into something security can endorse, not just tolerate.
Turn your policies into enforcement.
Bring a policy from your AI usage guidelines and watch it become a runtime control on a live agent.