AI agent governance · Human-in-the-loop

Control every AI agent before it touches production.

Ephor is the identity and policy layer for AI agents. Every action from every agent — Claude Code, LangGraph, CrewAI, your internal bots — flows through one gate: risk-scored, policy-checked, human-approved when it matters, and recorded in a tamper-evident audit chain.

14-day pilot · no card · your agents connect with one command

ephor · gateLIVE

Live simulation — an agent is about to try something. You hold the clearance. Open the full console →

Any agent · any system KubernetesGitHubAWS · TerraformDatabasesSlackany MCP serverClaude CodeLangGraph · CrewAI
The problem

Agents got credentials. Nobody built the control layer.

AI agents are already operating production systems — merging code, scaling clusters, touching databases, messaging customers. They're autonomous and non-deterministic, and most teams can't answer the basic questions: which agent is allowed to do what, what exactly did it do, and who said it could?

82%

of container workloads in production now run on Kubernetes — it's where agents act.

66%

of organizations serving generative AI run it on Kubernetes — and increasingly let agents operate it.

0

established tools that gate, approve, and record agent actions across frameworks. That's the category we're building.

Sources: CNCF — The Great Migration (2026) · Tigera — The Rise of AI Agents (2026) · Kubernetes — Agent Sandbox (2026)


One control plane, two layers

Run them. Govern them. Same pane of glass.

You wouldn't run containers without a scheduler and RBAC. Ephor gives agents the same two things: a place to run safely, and rules for what they're allowed to do.

LAYER 01 — GOVERN

The approval gate & flight recorder

Every action an agent proposes — through the MCP gateway or admission webhook — is risk-scored and evaluated against your policies before it touches any system.

  • Explainable risk scores (0–100 with named factors); reads auto-clear, risky ops park in a clearance queue for one-click human approval.
  • Policy-as-code: allow / hold / deny per agent, system, tool, and risk level — plus trust tiers, autonomy budgets, instant revocation, and a global kill switch.
  • The flight recorder is a tamper-evident hash chain: the action, the agent's reasoning, the policy trace, the human decision — provable to an auditor.
LAYER 02 — RUN ON THE ROADMAP

The Agent Sandbox fleet manager

Coming soon — in active development. On the new Kubernetes Agent Sandbox API from SIG Apps: a declarative runtime for stateful agents, managed like any other workload.

  • gVisor-isolated sandboxes from templates — Python tools, browser use, code execution.
  • Warm pools to kill cold starts; scale-to-zero to kill the idle bill.
  • Sandboxed agents will inherit gate policies automatically — run and govern, one object model.
Every action, one lifecycle
01PROPOSEDagent asks via MCP proxy or webhook
02POLICY CHECKfirst matching rule decides
CLEARHOLDDENY
03HUMAN GATEheld actions wait for one-click clearance
04EXECUTEDcleared actions hit the target system
05RECORDEDaction + reasoning + decision, forever

How it works

Point your agents at the gate. They keep working. You start seeing.

Ephor is an MCP gateway. Agents connect through it instead of straight to their tools — no code changes on the agent side. Run it locally next to one agent, or host it once and connect a whole fleet over the network.

STEP 1

Create the agent's identity

Name it, set its trust level, tick the systems it may touch. From the console — all buttons.

# in the Tower agent: payments-copilot trust: guarded systems: github, postgres, k8s
STEP 2

Connect it — one line

Local (stdio) or hosted (HTTP + token). Paste into Claude Code, Desktop, Cursor, or any MCP client.

# hosted: connect over the network claude mcp add ephor \ --transport http https://gc.you.com/mcp \ --header "Authorization: Bearer …"
STEP 3

Approve from anywhere

Risky actions ping you; everything is scored and recorded either way.

# slack / console ⚠ HOLD · risk 85 payments-copilot: DROP customer record cus_4813 [Approve] [Deny]

Architecture · Security

Your credentials never leave your infrastructure.

The gateway runs inside your perimeter — on the laptop or server right next to your agents. Your tokens, keys, and kubeconfigs stay in your config files on your hardware, and execution goes straight from your gateway to your systems. We can't touch them, and neither can anyone who breaches us.

RUNS ON YOUR SIDE — THE DATA PLANE

Where the work happens

  • The gateway process — launched with one command, next to your agents.
  • Every credential: GitHub tokens, AWS keys, database strings, kubeconfig. In your files, on your machines, never transmitted to us.
  • Execution — cleared actions hit your systems directly. Tool traffic never routes through our cloud.
RUNS IN OUR CLOUD — THE CONTROL PLANE

Where the decisions live

  • The Tower console, approval queue, Slack notifications, and policies.
  • The decision trail: what was proposed, what policy said, who approved — hash-chained, isolated per company by row-level security.
  • No credentials, no code, no direct access to your systems. Enterprise can self-host this half too.

The same control-plane / data-plane split you already trust in GitLab runners, Buildkite agents, and Teleport — the sensitive half stays home.


Built for the paranoid (that's a compliment)

Everything you need to trust an autonomous system.

Per-agent trust levels

Read-only, guarded, or autonomous — enforced at the gate, changed in one click, applied to the very next action.

Reasoning in the record

The flight recorder stores why the agent wanted the action, not just the kubectl line — the trace auditors actually ask for.

Policy as code

Rules are CRDs — versioned, reviewed, GitOps-friendly. The console is a viewer, not the source of truth.

gVisor sandboxes ROADMAP

Coming soon: agents that execute code will do it inside Agent Sandbox with kernel-level isolation — a compromised agent hits a wall, not your nodes.

Explainable risk scoring

Every action gets a 0–100 score with named factors — "destructive operation +50, production namespace +15" — that executives and auditors read at a glance.

Any agent, any system

The MCP gateway sits in front of whatever your agents touch — Kubernetes, GitHub, databases, Slack, internal APIs. One rulebook, one audit trail, everywhere.


Pricing

Start with a free pilot. Scale when the agents do.

Every plan starts with a free 14-day pilot — create your company, connect an agent, and try the full product on a real workflow. Upgrade in-app when you're ready; cancel anytime.

Starter
$199/mo
First agents, small teams
  • MCP gateway + policy engine
  • Approval queue & live console
  • 3 agents · 2 seats · 30-day retention
  • Email support
Start free pilot
Team
$499/mo
Teams shipping agents to staging
  • Hosted control plane
  • Slack approvals · policy templates
  • 10 agents · 10 seats · 90-day retention
  • Email support
Start free pilot
Business
$1,499/mo
Agents in production
  • Everything in Team
  • Unlimited agents & seats
  • Compliance exports · 1-yr retention
  • SSO/SAML · priority support
Start free pilot
Enterprise
Custom
Regulated & large orgs
  • Self-hosted or dedicated cloud
  • Audit-chain attestations
  • Custom integrations & SLAs
  • Security review support
Contact

FAQ

Fair questions.

Doesn't a human gate defeat the point of autonomous agents?
No — it defines it. Reads and routine writes auto-clear in milliseconds; only actions you've marked risky wait for a human. Teams typically start guarded and promote agents to autonomous per-verb as trust builds. The gate is how you get more autonomy, safely, not less.
How is this different from K8sGPT, kagent, or Botkube?
Those tools are agents — they diagnose and act. Ephor is the layer that governs them (any of them, together): what they may do, what needs sign-off, and what actually happened. It's complementary — the demo cluster runs K8sGPT and a kagent agent behind the gate.
Do you get access to my credentials or my systems?
No — and not as a promise, as an architecture. The gateway runs on your infrastructure with your credentials in your config files; cleared actions execute directly from your gateway to your systems. Our control plane only receives the decision trail — the proposed action, the risk score, the policy verdict, who approved — so we can show you the queue and keep the tamper-evident audit chain. If our cloud were breached, there would be no keys to steal and no path into your clusters.
What does it add to plain RBAC?
RBAC is binary and identity-shaped: a ServiceAccount can delete deployments or it can't. Agents need the middle: "can propose, human decides, everything recorded with the agent's reasoning." That middle — plus the approval queue, trust levels, and the flight recorder — is Ephor.
What's the performance cost?
Policy evaluation is in-memory and adds double-digit milliseconds to gated actions (the demo shows real gate latency per action). Auto-cleared reads are effectively free; only held actions wait, which is exactly the point.
Is this production software?
The gate, approvals, Slack notifications, audit chain, and multi-tenant isolation are live today — sign in and connect a real agent in minutes. This site's demo runs against a simulated cluster so you can try every workflow without credentials first. Early teams get hands-on onboarding from the founder.

Stop hoping your agents behave.
Start clearing them for takeoff.

Create your company, connect an agent with one command, and hold the clearance on its very next action. Free for 14 days — or explore the simulated demo first, no signup.