Ephor is the identity and policy layer for AI agents. Every action from every agent — Claude Code, LangGraph, CrewAI, your internal bots — flows through one gate: risk-scored, policy-checked, human-approved when it matters, and recorded in a tamper-evident audit chain.
14-day pilot · no card · your agents connect with one command
Live simulation — an agent is about to try something. You hold the clearance. Open the full console →
AI agents are already operating production systems — merging code, scaling clusters, touching databases, messaging customers. They're autonomous and non-deterministic, and most teams can't answer the basic questions: which agent is allowed to do what, what exactly did it do, and who said it could?
of container workloads in production now run on Kubernetes — it's where agents act.
of organizations serving generative AI run it on Kubernetes — and increasingly let agents operate it.
established tools that gate, approve, and record agent actions across frameworks. That's the category we're building.
Sources: CNCF — The Great Migration (2026) · Tigera — The Rise of AI Agents (2026) · Kubernetes — Agent Sandbox (2026)
You wouldn't run containers without a scheduler and RBAC. Ephor gives agents the same two things: a place to run safely, and rules for what they're allowed to do.
Every action an agent proposes — through the MCP gateway or admission webhook — is risk-scored and evaluated against your policies before it touches any system.
Coming soon — in active development. On the new Kubernetes Agent Sandbox API from SIG Apps: a declarative runtime for stateful agents, managed like any other workload.
Ephor is an MCP gateway. Agents connect through it instead of straight to their tools — no code changes on the agent side. Run it locally next to one agent, or host it once and connect a whole fleet over the network.
Name it, set its trust level, tick the systems it may touch. From the console — all buttons.
Local (stdio) or hosted (HTTP + token). Paste into Claude Code, Desktop, Cursor, or any MCP client.
Risky actions ping you; everything is scored and recorded either way.
The gateway runs inside your perimeter — on the laptop or server right next to your agents. Your tokens, keys, and kubeconfigs stay in your config files on your hardware, and execution goes straight from your gateway to your systems. We can't touch them, and neither can anyone who breaches us.
The same control-plane / data-plane split you already trust in GitLab runners, Buildkite agents, and Teleport — the sensitive half stays home.
Read-only, guarded, or autonomous — enforced at the gate, changed in one click, applied to the very next action.
The flight recorder stores why the agent wanted the action, not just the kubectl line — the trace auditors actually ask for.
Rules are CRDs — versioned, reviewed, GitOps-friendly. The console is a viewer, not the source of truth.
Coming soon: agents that execute code will do it inside Agent Sandbox with kernel-level isolation — a compromised agent hits a wall, not your nodes.
Every action gets a 0–100 score with named factors — "destructive operation +50, production namespace +15" — that executives and auditors read at a glance.
The MCP gateway sits in front of whatever your agents touch — Kubernetes, GitHub, databases, Slack, internal APIs. One rulebook, one audit trail, everywhere.
Every plan starts with a free 14-day pilot — create your company, connect an agent, and try the full product on a real workflow. Upgrade in-app when you're ready; cancel anytime.
Create your company, connect an agent with one command, and hold the clearance on its very next action. Free for 14 days — or explore the simulated demo first, no signup.