Seven modules, three phases — Onboard, Govern, Account. Deploy in your environment or ours.
Managed ComplyAI control plane with SSO, dashboards, and compliance packs.
Run Guard, Ledger, and Meter on your infrastructure with adapters for your agent environment.
Runtime enforcement on developer machines or VPC; ledger and policy sync to your SIEM and IdP.
Evidence-scoped path view across agents, MCP servers, packages, credential references, and findings. The highest-risk path is ranked first — and signed so it can't be tampered with.
Default view ranks the highest-risk agent first and hides lower-priority nodes until you expand filters.
cursor → pillow@9.0.0 → CVE-2022-22817risk 10 · hops 6 · agents 1 · tools 3 · creds 2 · fix 9.0.1Most controls catch agent actions after they happen. ComplyAI was designed around four moves that have to land before the action runs, before the audit, and before the cascade.
Approval queues that don't cause alert fatigue.
A constrained companion model pre-audits the review queue, synthesises actions in plain English, auto-approves routine low-risk events, and escalates only genuine anomalies. Denials feed back into the agent system prompt automatically.
In published evaluations of constrained-model triage, roughly nine in ten review queue items resolve without a human stopping to read them.
Stop the bad action before the tool is ever called.
Most controls catch the call after the agent has already decided. ComplyAI watches the decision form, against the original objective, and ends the chain when it drifts.
Step-level reasoning guardrails have been shown to reduce harmful tool calls by about two thirds, before any tool is ever invoked.
Trust the tool manifest, not the tool name.
Tool Metadata Poisoning is OWASP MCP03:2025 and assigned CVE-2025-54136. ComplyAI binds every agent call to a signed manifest tied to a verified developer identity. Tools whose live metadata no longer matches the signed manifest stop being callable.
Public reference: OWASP MCP03:2025 · CVE-2025-54136.
Quantify the cascade before the cascade.
A shadow-infrastructure simulator mirrors your production agent topology. Inject a compromised tool, a hijacked prompt, or a privilege escalation, and watch the cascade across the full agent network. Output: maximum data exposure, dollar impact, and downstream system damage.
Industry research has measured downstream contamination across multi-agent fleets at roughly 87% within four hours of a single compromise. ComplyAI lets you measure your own number before the compromise.
Onboard, govern, and account—seven modules for autonomous development across every runtime you operate.
Vet the agent. Issue its non-human identity. Validate before it touches production.
Every component your agent depends on is scanned against known threat patterns. Approved components get an Agent SBOM. The rest are blocked at intake.
OutputsSBOM JSON · scan report · webhook on policy violation
Replay historical session traffic against new configuration and report which actions would have been allowed, denied, or sent for approval.
OutputsDry-run report · CI exit code · diff document
Scoped identities per agent and MCP server, federated with Okta, Entra, or Google Workspace. Subagents inherit parent scope.
OutputsOIDC tokens · audit events to SIEM
Enforce zero trust at the action boundary. Detect behavioral drift in flight.
Policy evaluates every tool call before execution—IDE, CLI, cloud, or MCP. Allow, deny, or ask in under 100ms. Runtime-local. No proxy to bypass.
OutputsAllow / Deny / Ask + reason · feeds Ledger
Guard answers "is this single action authorized?" Insight answers "is this trajectory authorized?"
OutputsAnomaly events · session replay timeline
Continuous compliance evidence. Attribute every token and dollar to a team.
Every action, every decision, every actor—machine-readable JSONL for SIEM ingest and human-readable exports for review.
OutputsJSONL · plain text · OpenTelemetry records to SIEM
Captured at the source—never estimated. Cache reads and cache creation broken out for FinOps attribution.
OutputsPer-session rollup JSON · OpenTelemetry exports
One vulnerable package, one compromised tool, one hijacked prompt — and the cascade is already in motion. ComplyAI traces every attack path from package to agent and quantifies the impact before it lands.
Attack-path drilldown from one vulnerable package
package → vulnerability → MCP server (tools + credential refs) → connected agents — so remediation is fix-first, not guess-first.
3
agents compromised
3
credentials exposed
5
tools reachable
1
exec-capable tool
RECOMMENDED FIX
upgrade better-sqlite3 → 11.7.0
Resolves all 3 agent exposures in one upgrade.
Decision latency at the action boundary.
Runtime-local enforcement. No proxy to bypass.
A single control layer connecting AI agents to enterprise policy, audit, and cost systems.
Capture meaningful AI activity across agents in your environment through supported hooks and telemetry streams.
Evaluate each action against plain-language rules and return allow, deny, or ask decisions in real time.
Store append-only trace data for every tool call, file action, prompt, response, and policy decision.
Ingest authoritative provider-reported token and cost data, including prompt-cache reads and writes.
Present live activity, session detail, governance controls, denied actions, and cost dashboards for operators.
Export telemetry to SIEM and observability backends using OpenTelemetry-native formats.
ComplyAI is in early access. We're working directly with security and engineering teams to deploy, configure, and demonstrate value in their environment — in a single session.