AI Agent Governance
AI agents can read databases, send emails, call billing APIs, and modify infrastructure. Governing what they are allowed to do - and keeping a record of what they actually did - is what the KeyRunner Control Plane is for.
What you can do here
- Register agents and define what APIs they are allowed to call
- Set policies that control which tools each agent can use
- Require human approval for sensitive or high-risk actions before they run
- Review every execution in an immutable audit log
- Validate an agent's configuration before deploying it to production
- Test whether a specific tool call would be allowed or blocked, without running it for real
How it works
When an agent attempts a tool call, KeyRunner checks it against the agent's policies before anything executes. The check takes milliseconds and produces one of three outcomes:
Allowed - the call meets all policy requirements and runs immediately.
Approval required - the call is held (or flagged for review) until a designated approver signs off.
Blocked - the call does not meet policy requirements and is rejected. The agent receives a clear reason.
Credentials are never exposed to the agent. KeyRunner retrieves them server-side and executes the API call on the agent's behalf.
Key concepts
Agent - an AI process you have registered with KeyRunner. An agent needs at least one policy before it can call any tools.
Tool - a specific API action agents can request (for example, github_create_issue or stripe_charge_customer). Tools must be registered and approved before agents can use them.
Policy - a named set of tools. Attaching a policy to an agent grants that agent access to all tools in the policy. You can optionally add approvers to a policy, which routes every covered tool call through human review.
Approval request - a queued tool call waiting for a human decision. Approvers are notified via Slack and can approve or reject with a reason.
Pages in this section
| Page | What it's for |
|---|---|
| Agents | Register agents and manage their identity, policies, and status |
| Tools | Review and approve API actions agents can request |
| Policies | Define which tools agents can use and who must approve them |
| Approvals | Review and act on tool calls waiting for human sign-off |
| Audit Logs | See the full history of every tool call across all agents |
| Agent Graph | Visualize your agent fleet and each agent's governance chain |
| Preflight | Check that an agent is correctly set up before going to production |
| Policy Playground | Test whether a specific tool call would be allowed, without running it |
| Governance Concepts | Reference for identity, lifecycle shapes, and enforcement rules |
| Connecting Your Agent | Connect your agent to KeyRunner using the SDK |