// open standard · commercial product
OPA is open source. Styra built a $100M+ business operationalizing it. CrowdStrike publishes threat intelligence openly. Enterprises pay for the platform that makes it actionable. Behavry follows the same model: the frameworks and tooling the industry needs to govern AI agents are open. The production platform that runs them at enterprise scale is Behavry.
// why open source
Agent governance doesn't have a standard yet. Every vendor is inventing proprietary vocabulary. We're publishing ours because the industry needs a shared language — and the vendor that defines the vocabulary wins the category.
OPA is open source and free. Nobody complains they can't "get" OPA. Enterprises pay Styra because they need it operationalized, supported, and audit-ready. The same dynamic applies here: teams can use the Behavry Risk Framework, the reference policies, and the SDK for free. When they need it running in production with SIEM integration, compliance reporting, multi-tenant isolation, and a support SLA — that's the product.
// repositories
Each repository solves a real problem on its own. Together, they form the reference implementation for AI agent governance.
Open-source MCP governance proxy. Sits between any AI agent and the MCP servers it calls — every tool invocation is policy-checked via OPA/Rego, scanned for secrets (26 DLP patterns), and inspected for injected instructions (16 detection patterns across 7 attack classes). Fail-closed enforcement, JSON audit trail, Prometheus metrics, per-agent rate limiting. Drop it in front of any MCP server — works with Claude Desktop, Claude Code, Cursor, or any Streamable HTTP client.
★ View on GitHub — Apache 2.0
Measure the context window cost of your MCP integrations before they hit production. Parses Claude Desktop, Cursor, VS Code, Windsurf, and Claude Code configs, calls tools/list on every server, and reports token counts, waste analysis, risk scoring, and compression simulation across four verbosity levels. CI mode exits non-zero when token budgets or destructive tool thresholds are exceeded. Terminal, JSON, Markdown, and HTML output.
Pattern library for detecting injected instructions in MCP tool call responses — before they reach agent context. Seven pattern classes: imperative commands, authority claims, permission expansion, role reassignment, encoded payloads, exfiltration instructions, and conditioning sequences. Each pattern includes severity classification and confidence scoring. The detection layer that sits between your agents and the data they fetch.
GitHub — coming soon
Reference OPA Rego policies for AI agent governance. RBAC, resource access control, action-type enforcement, blast radius limits, inbound injection blocking, citizen app approval, DLP severity thresholds, requester identity verification, and workflow delegation scope. Drop them into any OPA deployment — they work with or without the Behavry platform.
GitHub — coming soon
The Behavry Risk Framework — a six-dimension scoring model for evaluating AI agent risk. Access, Action, Decision Scope (1.5×), Oversight, Intent Drift, and Observability. Weighted composite score maps to four risk tiers that drive policy behavior, token lifetime, and escalation thresholds. Published as a specification with reference scoring implementation in Python.
GitHub — coming soon
Python SDK for agent identity binding. BehavryClient handles OAuth 2.1 client credentials, JWT RS256 token refresh, and request wrapping. Agents call wrapFetch and every outbound request is identity-attributed. <100 lines of code for the core client.
Manifest V3 Chrome extension for browser-based AI governance. DLP scanning across 12 AI services with 26 pattern rules. DOM-based fingerprinting for vibe-coding platform detection (Replit, Lovable, Bolt, v0). SaaS admin page fingerprinting for AI asset discovery. Shadow AI detection for unenrolled services. Real-time findings streamed to the Behavry backend or standalone log endpoint.
GitHub — coming soon
The Community Policy Library. Every Behavry customer contributes and consumes governance policies — the same network-effect model CrowdStrike uses for threat intelligence. Industry-specific Rego policy packs (financial services, healthcare, government), agent-type-specific templates, and red-team-validated detection rules. The collective knowledge of every organization governing AI agents, available to all of them.
GitHub — coming soon
// the community policy library
The same model that made CrowdStrike's threat intelligence the industry standard. Behavry's Community Policy Library turns every deployment into a contribution — and every contribution into a defense.
Your Behavry deployment detects novel attack patterns, behavioral anomalies, and policy gaps specific to your agent environment.
The red-team-to-policy automation loop generates candidate Rego rules from detections. Approved rules are contributed to the Community Library — anonymized, de-identified, pattern-only.
Every customer gets access to the full library. A novel injection pattern detected at one organization becomes a defense for all of them — automatically.
// what's open · what's commercial
Everything an enterprise team needs to understand, evaluate, and prototype AI agent governance is published openly. Everything they need to run it in production is the product.
Behavry Risk Framework (6 dimensions, scoring rubrics, tier mappings), reference Rego policy library (RBAC, blast radius, injection blocking, citizen app governance), Python SDK, browser extension, AI platform fingerprint DB, inbound scanner patterns, MCP integration guides, Community Policy Library
Inline MCP proxy with pre-execution enforcement, multi-tenant isolation (PostgreSQL RLS), behavioral analytics with cross-session correlation, SIEM integration (4 connectors), compliance reporting with PDF export, Decision Trace (causal chain-of-custody), AI asset discovery (30 platforms, 8 SaaS connectors, 3 IdP connectors), cost attribution, enterprise dashboard, 4 deployment models, support SLA