Agents
This section covers the three agent screens: the agent list, the registration wizard for adding new agents, and the detail page for managing an individual agent.
Agent list
The agent list shows every AI agent registered in your workspace. Each row displays the agent's name, environment, identity type, risk level, and whether it is currently active.
Click any row to expand it and see the agent's attached policies and identity details. From the expanded row you can disable the agent immediately or navigate to its full profile.
Risk level
Each agent is assigned a risk level - low, medium, or high. This is based on how many tools the agent has access to, whether any of those tools perform destructive or irreversible actions, and whether a human approver is required for high-risk calls.
A high-risk agent in production is highlighted so it is easy to spot.
Environments
Agents declare the environment they run in: dev, sandbox, or prod. Use environments to separate governance requirements - for example, requiring approvals in production but not in dev.
Disabling an agent
The kill switch next to each agent disables it immediately. A disabled agent cannot execute any tool calls. It stays in the registry with all its history intact and can be re-enabled at any time.
Registering a new agent
Click Onboard new agent to open the five-step registration wizard.
Step 1 - Name and environment
Give the agent a descriptive name, an optional description, and select the environment it runs in (dev, sandbox, or prod).
Step 2 - Identity type
Choose how this agent proves its identity to KeyRunner:
| Option | What it is |
|---|---|
| Kubernetes | A service account in your Kubernetes cluster |
| AWS | An IAM role in your AWS account |
| GCP | A service account in Google Cloud |
| Azure | A managed identity in Azure |
| Claude | An Anthropic Claude model acting as the agent |
| OpenAI | An OpenAI model acting as the agent |
| Cursor | A Cursor IDE instance |
| API key | A static API key |
| None | No identity - not recommended for production |
Step 3 - Identity details
Fill in the fields for the identity type you chose. For example, a Kubernetes identity requires your cluster name, namespace, and service account name. An AWS identity requires the IAM role ARN.
Step 4 - Policies
Select which policies this agent should carry. Policies determine which tools the agent can call. You can attach or change policies later from the agent's detail page.
Step 5 - Contracts (optional)
Define how KeyRunner manages this agent's executions:
- Execution contract - whether the agent runs synchronously or asynchronously, how long to wait before timing out, and whether there is a cancel or rollback endpoint.
- Governance contract - the lifecycle shape (see Governance Concepts) and how human approval fits into the execution flow.
These can also be configured later. Leaving them blank uses safe defaults.
Agent detail page
The agent detail page shows everything about a single agent in one place.
Connection snippet
At the top of the page, a ready-to-use code snippet shows how to connect this agent to KeyRunner from your codebase. It is pre-filled with your workspace ID and this agent's ID. Switch between Node.js and Python using the tabs, then copy and paste it into your agent's code.
Identity
Shows the identity type you configured and a verification strength indicator - strong (for cloud infrastructure identities like Kubernetes and AWS), moderate (for API keys and AI model identities), or unverified (when no identity is set).
Policies
Lists all policies currently attached to this agent and the tools each policy covers.
Capability drift
A timeline of every governance change that affected this agent - policies attached or removed, tools approved or disabled - with who made each change and when. Use this to understand how an agent's permissions have evolved over time.
Execution history
A log of every tool call this specific agent has made, with status, timing, and the policy that matched. For the full workspace-wide log with trace view, see Audit Logs.