AI agent deployment touches the CTO who builds, the CISO who validates, and the board that governs. Each asks different questions. Behavry answers all of them.
The CTO owns the deployment. These are the questions that determine whether AI ships to production or stays in a sandbox.
No. OPA policy evaluation runs in microseconds. Total proxy overhead is under 5ms per request. For context, LLM inference takes 500ms-5s. Developers only see the governance layer when an action actually violates policy. Safe actions auto-approve at full speed.
Agents point their MCP config at the Behavry proxy URL. That's a config file change, not a code change. A team can be governed in an afternoon. Full enterprise rollout — with IdP connectors, SIEM integration, and custom policies — typically takes days, not weeks.
11 MCP clients (Claude Desktop, Claude Code, Cursor, Windsurf, Zed, VS Code, JetBrains, Warp, Cline, Continue, Open Interpreter). 6 API proxies (OpenAI, Anthropic, Gemini, Ollama, NemoClaw, OpenShell). 12 browser services. 7 vibe-coding platforms. Any MCP client that speaks Streamable HTTP or stdio works out of the box.
Four deployment models: Full SaaS (fastest start), Hybrid (control plane SaaS, data plane in your VPC), BYOC (Helm + Terraform in your cloud), Self-Hosted (air-gapped). All four share a single data plane image with identical capabilities. Agent traffic stays in your network on Hybrid, BYOC, and Self-Hosted.
Zero agent code changes. Agents point at the Behavry proxy URL instead of the target MCP server URL. That's a JSON config change. The proxy is transparent — agents see standard MCP protocol responses. No SDK required, no wrapper functions, no instrumentation.
Network-layer tools (Zscaler, Netskope) see the prompt. Behavry sees the tool call. A network filter can block an agent from calling a domain. Behavry can block a specific agent from calling a specific function on a specific resource based on who that agent is, what risk tier it's in, and what it's done in this session. That's the difference between a firewall and a governance layer.
The CISO doesn't buy Behavry. But the CISO validates that the governance layer meets security requirements. These are the questions they'll bring to the table.
26 DLP patterns scan every tool call payload. Patterns include AWS/GCP/Azure credentials, API tokens, private keys, SSNs (with Luhn validation), credit cards, and PII. Critical-severity patterns auto-block before OPA policy evaluation. The full 4-stage data protection pipeline includes classification, redaction with pseudonymization, BYOK encryption (AES-256-GCM + AWS KMS), and retention purge with immutable decryption audit trail.
The Decision Trace is not a log. It's a causal chain-of-custody artifact. Every event records the agent identity, the tool call, the policy decision (allow/deny/escalate), the DLP findings, the behavioral risk score, the workflow session, the parent event, and the causal depth. Events are SHA-256 hash-chained. The chain is verified nightly. Breaks are tracked, recorded, and acknowledgeable. This artifact can only be produced from an inline execution-path position — which is why observe-and-detect approaches can't replicate it.
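The SHA-256 hash-chaining and verification described above, sketched as an added example (not Behavry's code or record format). The field names, the genesis value and the canonical JSON encoding are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first event's prev_hash


def event_hash(body: dict, prev_hash: str) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the event."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_event(chain: list, body: dict) -> None:
    """Link a new event to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev, "hash": event_hash(body, prev)})


def verify_chain(chain: list) -> list:
    """Return the index of every record whose link or content hash fails."""
    breaks = []
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        linked = rec["prev_hash"] == expected_prev
        intact = rec["hash"] == event_hash(rec["body"], rec["prev_hash"])
        if not (linked and intact):
            breaks.append(i)
        # Continue from the stored hash so one break does not flag every later record.
        expected_prev = rec["hash"]
    return breaks


def build_sample_chain() -> list:
    """Constructed sample events carrying a subset of the fields the page lists."""
    chain = []
    for body in (
        {"event_id": "e1", "agent": "agent-a", "tool": "fs.read",
         "decision": "allow", "parent_event": None, "causal_depth": 0},
        {"event_id": "e2", "agent": "agent-b", "tool": "db.query",
         "decision": "deny", "parent_event": "e1", "causal_depth": 1},
        {"event_id": "e3", "agent": "agent-b", "tool": "http.post",
         "decision": "escalate", "parent_event": "e2", "causal_depth": 2},
    ):
        append_event(chain, body)
    return chain


if __name__ == "__main__":
    trace = build_sample_chain()
    trace[1]["body"]["decision"] = "allow"  # simulate an edited record
    print("breaks at:", verify_chain(trace))
```

A verifier of this kind cannot detect removal of the newest events unless the latest hash is also stored somewhere the log writer cannot modify.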
Behavry scans MCP tool call responses before they reach agent context. 16 detection patterns across 7 attack classes: imperative commands, authority claims, permission expansion, role reassignment, encoded payloads, exfiltration instructions, and conditioning sequences. Critical findings trigger HITL escalation with allow-sanitized, allow-original, or block options. This addresses the confused deputy and agentic blabbering attack patterns documented in recent CSA research.
SOC 2 (CC6.1, CC6.7, CC7.2-7.4), ISO 27001 (A.12.4.1, A.12.4.2, A.9.4.1), EU AI Act (Art. 9, 13, 14), NIST AI RMF (all four functions), GDPR Art. 32, and HIPAA §164.312. Plus full OWASP ASI Top 10 mapping with live 30-day metrics. Compliance PDF export for auditor handoff.
In a properly configured deployment, MCP target servers are only reachable through the Behavry proxy via network segmentation. Direct connections are monitored and flagged. This is standard zero-trust architecture. The browser extension covers 12 additional AI services for shadow AI detection. AI Surface Discovery identifies 30 SaaS platforms with AI capabilities across your IdP and admin APIs.
Behavry's workflow governance tracks delegation chains with cryptographic session tokens (wf_token JWT). Every tool call in a multi-agent pipeline records its parent event ID, causal depth, and the full delegation chain. Cross-session trust reset detection prevents persistent compromised behavior across session boundaries. Blast radius limits cap the total impact of any single delegation chain.
The board doesn't ask about OPA policies. They ask about risk, accountability, and whether the organization can prove what happened. Here's what they'll want to hear.
Behavry's AI Surface Discovery answers this directly. 30 AI-capable SaaS platforms are fingerprinted and tracked through a four-state model: Licensed (contracted), Enabled (admin-confirmed), Active (in use), and Governed (under policy enforcement). IdP connectors (Okta, Azure AD, Google) cross-reference who has access. SaaS admin API connectors confirm what's enabled. The exposure score tells you the gap between what's running and what's governed.
Yes. The Decision Trace provides a complete, immutable, hash-chained record of every action every governed agent took — including the policy decision, the data classification, and the delegation chain if the action was part of a multi-agent workflow. This artifact is exportable for legal and audit review. SIEM integration (Splunk, Sentinel, Chronicle, QRadar) means the same data is already in your security operations workflow.
It depends on what the policy says. Behavry supports three outcomes: allow (action proceeds, audit logged), deny (action blocked, agent receives error, audit logged), and escalate (action held, human reviewer approves or rejects, agent receives the decision). The global kill switch suspends all agent activity instantly when needed. Per-agent rate limiting tightens automatically as risk scores increase.
Behavry maps directly to EU AI Act Articles 9 (risk management), 13 (transparency), and 14 (human oversight). The Decision Trace provides the transparency artifact. HITL escalation provides the human oversight mechanism. Behavioral risk scoring provides the risk management framework. Compliance PDF export produces a branded, auditor-ready report with framework mapping, control status, and audit statistics.
This is the citizen coder problem. Employees using Replit, Lovable, Bolt, and similar platforms are shipping production apps without security review, change management, or oversight. Behavry discovers these apps via browser extension fingerprinting and platform API connectors, scores them across 7 risk signals, and enforces OPA policies — from auto-enrollment to blocking. The 30-day ungoverned SLA ensures nothing stays invisible indefinitely.
The Attestation Separation Principle: any entity that can act cannot independently attest to its own behavior. Behavry is architecturally independent from the agents it governs. It doesn't modify agent code, doesn't run inside agent processes, and doesn't depend on agent self-reporting. The proxy sits in the network path. The audit chain is hash-verified. The governance layer is provably separate from the thing being governed.
That's the pitch. Behavry is the governance layer that lets everyone say yes.