Open source · MIT · Pilot access

AI agent security at the moment of action.

The crisis of the future is not intelligence. It is self-authorization.

ProvnAI puts a control point between model reasoning and real action, before agents touch MCP tools, data, or infrastructure.

Deterministic policy
Zero model dependency
Structured routed decisions
Runtime boundary
Before tools execute
Request
read_file
/etc/secrets/.env
Access
blocked
blocked
Verdict
BLOCK
Policy
FS-007
Evidence
audit event queued
Why the boundary matters

Without a control point, text becomes authority.

Governed execution means no AI agent action reaches a real system until it has been inspected, authorized, and recorded with reviewable evidence.

Define governed execution
01
Blocked
Filesystem breach

Secrets read outside scope

Intercepted call
path="/etc/secrets/.env"

A file tool receives a path like /etc/secrets/.env or a traversal payload that escapes the intended workspace.

Rule FS-007 · Enforced

McpVanguard normalizes the path, evaluates it against policy, and blocks the call before the filesystem sees it.

02
Blocked
Unsafe network egress

Internal services reached

Intercepted call
url="http://169.254.169.254/metadata"

A web or API tool is redirected toward localhost, private ranges, or cloud metadata endpoints.

Rule NET-012 · Enforced

Configured URL/IP rules can block selected unsafe destinations in routed MCP tool calls before they reach the upstream tool.

03
Blocked
Authorization mismatch

Authority drifts silently

Intercepted call
scope="privileged" session="untrusted"

A long-running agent expands from harmless retrieval into privileged action because the model treats context as permission.

Rule AUTH-031 · Enforced

Governed execution separates proposal, authorization, execution, and evidence so governed routed actions can be policy-checked.

VEX evidence layer

Selected governed actions leaves evidence behind

In VEX-integrated deployments, selected governed actions can preserve what the agent tried to do, who authorized it, which policy applied, and how the evidence was preserved.

Policy enforced

The action is checked outside the model before it reaches privileged tools.

Governance context

Selected VEX-governed records can preserve the agent, session, and approving principal.

Evidence integrity

VEX-integrated deployments can preserve selected records in tamper-evident form for later review.

vex-evidence-capsule.json
VEX-integrated
capsule_id
vex-cap-9f3a2b1e
action_hashsha256:8f41c9e2...a7d3
principalorg:provn:platform-team
policyfilesystem.read.allowlist.v3
decisionapproved / human-reviewed
witness_root0x7b8c9d0e...f2a1
status
Tamper-evident VEX record
Products

Execution boundary layers

Start with McpVanguard to enforce the MCP execution boundary today, or design governed execution with VEX when actions need authorization, evidence, and review.

Open source
MCP Security Proxy

McpVanguard

An open-source MCP security proxy that enforces the execution boundary: inspect routed tool calls, block unsafe outcomes, and return explicit policy decisions before routed calls reach upstream systems.

Pilot-only
Execution Authorization

VEX Protocol

Separate proposal from permission for consequential actions in governed flows. Authorization decisions can be preserved with verifiable evidence your auditors can review independently.

Layer
McpVanguard
VEX
Primary role
Decides whether a proposed MCP tool call may reach the server.
Decides whether a consequential action was actually authorized.
Best first step
Teams deploying MCP servers or agent toolchains now.
Teams designing governed execution for regulated workflows.
Evidence output
Structured audit events, optional receipt records, and MCP boundary telemetry.
Verifiable authorization and execution evidence for governed actions.
Deployment stage
Open source and available today.
Pilot access with design partners.
Core principles

Why governed
execution matters

AI agents now execute code, call APIs, and make decisions. The infrastructure granting them this power was built for human operators. The authorization model was not updated.

01

Observation is not permission.

If an AI agent can modify files, call APIs, or execute code, logging the action afterward is not enough. The action needs an explicit control point before consequence.

02

Controls must sit outside the model.

Relying on the model to enforce its own constraints is a single point of failure. Policy should be enforced in a layer the model cannot rewrite, negotiate, or bypass through prompt engineering.

03

Identity should not be implicit.

When agents take action on behalf of users or systems, the chain of attribution must be explicit and verifiable. Identity should be explicit, and where needed can be rooted in hardware-backed or protocol-level trust, not inferred from session context.

04

Governance is infrastructure, not an afterthought.

Evidence, audit trails, and enforcement boundaries should be built into the architecture from the beginning. Retrofitting them onto systems designed for speed alone is expensive and usually incomplete.

Integration paths

Choose the path that matches your rollout

Start with MCP tool-call controls, threat analysis, or governed authorization evidence depending on where your agent program is today.

01
Developer Hub

For AI Developers

Put an MCP security proxy in front of tool calls before they execute. Ship agent features faster without treating model intent as permission.

ExploreBuild with McpVanguard
02
Architecture Hub

For Security Teams

Catch injection, exfiltration, and unauthorized access at the execution boundary, before agent text becomes production action.

ExploreView MCP Security Research
03
Governance Hub

For Governance Teams

Separate proposal, authorization, execution, and evidence so high-risk agent actions stay reviewable without spreadsheet archaeology.

ExploreExplore VEX Evidence