Keep every AI agent under control.
Autonomous agents act on their own credentials, at machine speed. Obexal gives your security team the oversight, detection, and kill switch to stay in command of a growing fleet.
Governance built for machine identities
Every control below applies per agent, evaluated at the identity provider, not bolted on afterwards.
Full visibility
See every agent, its human owner, its scopes, its audience allowlist, and its last activity in one unified directory.
Anomaly detection
Six deterministic rules: a dormant agent waking up, an expired agent in use, an expired secret in use, activity despite a kill switch, unusual hours, and volume spikes. Only extreme drift triggers automatic containment.
Real-time revocation
Suspend or revoke an agent instantly. Token introspection and revocation propagate to relying parties.
Kill switch
One action cuts an agent off: no new tokens, tokens still in circulation go inert at introspection, delegation withdrawn.
Delegation oversight
On-behalf-of grants are explicit and reviewable. Human owners stay accountable for what an agent may do.
Periodic review
Attested access reviews, every 90 days, keep scopes, audiences, and time-to-live caps from drifting out of bounds.
Contain the blast radius by default
Governance starts before the first token is issued. Obexal ships fail-closed defaults so an agent can never quietly exceed its mandate.
Policy per agent, enforced at issuance
Each agent carries its own policy, enforced when the token is issued: a scope ceiling, a time-to-live cap, and an audience allowlist. Any request outside the mandate fails closed. The full identity model (human owner, expiry, lifecycle statuses, secrets) is detailed on the AI agent identity page.
- Scope ceiling, TTL cap, and audience allowlist: fail-closed
- Immediate kill switch: tokens still in circulation go inert at introspection
- Secret rotation with immediate old-secret cutoff
| Control | Mechanism |
|---|---|
| Identity | OAuth 2.1 client credentials + PAR |
| Delegation | Token Exchange (RFC 8693), chained `act` claim |
| Audience | RFC 8707 + per-agent allowlist |
| Default posture | Fail-closed |
| Kill switch | Immediate effect, circulating tokens go inert |
| Audit | Append-only log + real-time event stream |
From signal to containment
A repeatable loop your SOC can run on every agent.
Baseline
Obexal learns each agent's normal pattern of scopes, audiences, and request cadence.
Detect
Deviations from the baseline are surfaced against the agent's policy and recent activity.
Investigate
Follow the delegation chain and the live audit stream to see exactly what the agent did and on whose behalf.
Contain
Trigger the kill switch or tighten the agent's scope ceiling and audience allowlist without redeploying it.
Review
Tighten the policy where needed: every change creates a new policy version, recorded in the append-only audit log, and the next periodic review is scheduled.
Tuesday, 3:12 am: the purchasing agent calls the HR API
An incident scenario in five acts, exactly as your SOC would live it in Obexal.
Baseline
The purchasing agent has never issued a token at this hour. Its baseline knows its usual scopes, audiences, cadence, and hours.
Detection
The unusual hours rule opens an anomaly: a token request at 3:12 am, towards an audience the agent never calls at night.
Investigation
The delegation chain (act claim) shows who delegated what to the agent, and the forensic log replays every token issued overnight.
Containment
Kill switch: no new tokens are issued, and tokens still in circulation go inert at introspection.
Review
The agent's policy is tightened (lower scope ceiling), the new policy version is recorded, and the review is attested.
| Agent | Rule | Time | Status |
|---|---|---|---|
| purchasing-agent | Unusual hours | 3:12 am | Contained |
| crm-sync-agent | Volume spike | Mon 2:05 pm | Resolved |
| support-agent | Dormant wake-up | Fri 9:41 am | Resolved |
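The six rules listed above are deterministic, so they can be written out as plain checks against a per-agent baseline. The Python below does that over constructed events, including the Tuesday 3:12 am request from the scenario, and marks only extreme findings for automatic containment. It is an added example for this page, not Obexal's detection engine; the thresholds, field names and severities are assumptions.

```python
"""Six deterministic anomaly rules over a per-agent behavioural baseline.
Illustrative code written for this page, not Obexal's detection engine; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DORMANT_AFTER = timedelta(days=30)   # assumed: silent this long counts as dormant
SPIKE_FACTOR = 5.0                   # assumed: 5x the hourly mean is a spike
EXTREME_SPIKE_FACTOR = 20.0          # assumed: 20x is extreme drift, auto-contain

@dataclass
class Baseline:
    agent_id: str
    usual_hours: frozenset        # hours of day (UTC) the agent normally requests tokens
    usual_audiences: frozenset
    mean_hourly_volume: float
    last_seen: datetime
    agent_expires_at: datetime
    secret_expires_at: datetime
    kill_switch: bool = False

@dataclass
class TokenRequest:
    agent_id: str
    at: datetime
    audience: str
    scopes: frozenset
    hourly_count: int             # requests by this agent in the current hour, this one included

def evaluate(req, base):
    """Return (findings, contain): findings are (rule, severity, detail) tuples,
    contain is True only when an extreme finding warrants automatic containment."""
    findings = []
    if base.kill_switch:
        findings.append(("activity_despite_kill_switch", "extreme", "request while kill switch active"))
    if req.at >= base.agent_expires_at:
        findings.append(("expired_agent_in_use", "high", f"agent expired {base.agent_expires_at:%Y-%m-%d}"))
    if req.at >= base.secret_expires_at:
        findings.append(("expired_secret_in_use", "high", f"secret expired {base.secret_expires_at:%Y-%m-%d}"))
    if req.at - base.last_seen > DORMANT_AFTER:
        findings.append(("dormant_wake_up", "medium", f"silent for {(req.at - base.last_seen).days} days"))
    if req.at.hour not in base.usual_hours:
        detail = f"request at {req.at:%H:%M} UTC"
        if req.audience not in base.usual_audiences:
            detail += f" towards {req.audience}, never called by this agent"
        findings.append(("unusual_hours", "medium", detail))
    ratio = req.hourly_count / max(base.mean_hourly_volume, 1.0)
    if ratio >= EXTREME_SPIKE_FACTOR:
        findings.append(("volume_spike", "extreme", f"{ratio:.0f}x hourly mean"))
    elif ratio >= SPIKE_FACTOR:
        findings.append(("volume_spike", "high", f"{ratio:.0f}x hourly mean"))
    contain = any(sev == "extreme" for _, sev, _ in findings)
    return findings, contain

def purchasing_baseline():
    """Constructed baseline for the scenario: a daytime-only agent that calls one ERP audience."""
    return Baseline(
        agent_id="purchasing-agent",
        usual_hours=frozenset(range(8, 19)),
        usual_audiences=frozenset({"https://erp.example.internal"}),
        mean_hourly_volume=12.0,
        last_seen=datetime(2024, 3, 4, 17, 55, tzinfo=UTC),
        agent_expires_at=datetime(2025, 1, 1, tzinfo=UTC),
        secret_expires_at=datetime(2024, 9, 1, tzinfo=UTC),
    )

def demo():
    """Three constructed requests: the 3:12 am call, a normal daytime call, a flood after the kill switch."""
    hr, erp, scopes = "https://hr.example.internal", "https://erp.example.internal", frozenset({"orders:read"})
    night = TokenRequest("purchasing-agent", datetime(2024, 3, 5, 3, 12, tzinfo=UTC), hr, scopes, 1)
    normal = TokenRequest("purchasing-agent", datetime(2024, 3, 5, 10, 0, tzinfo=UTC), erp, scopes, 9)
    flood = TokenRequest("purchasing-agent", datetime(2024, 3, 5, 3, 20, tzinfo=UTC), hr, scopes, 300)
    killed = purchasing_baseline()
    killed.kill_switch = True
    return {"night": evaluate(night, purchasing_baseline()),
            "normal": evaluate(normal, purchasing_baseline()),
            "flood": evaluate(flood, killed)}
```

Run as written, the 3:12 am request yields a single medium `unusual_hours` finding and no containment, which matches the scenario: a human opens the investigation. The flood after the kill switch trips two extreme rules at once and is the case where automatic containment is justified.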
Support your AI Act obligations
Obexal does not claim to make you compliant. It gives you the technical controls that oversight of autonomous systems rests on.
Traceability
An append-only audit log records who did what, when, and on whose behalf, per agent.
Human oversight
Owners and reviewers stay in the loop through delegation, periodic review, and self-service grants.
Ability to intervene
The kill switch and real-time revocation give a human the means to stop an agent at any moment.
EU by design
Designed and hosted in the EU, with no non-EU dependency, self-hosted fonts, and no CDN. GDPR aligned.
Questions from security and compliance teams
How is this different from your AI agent identity product?
Identity is how each agent authenticates and what it is allowed to request. Governance is how you supervise the fleet over time: detection, revocation, kill switch, delegation oversight, and audit. The two work together. Start with the identity model on our AI agent identity page.
How fast does revocation take effect?
A kill switch or revocation stops new token issuance immediately, and relying parties can confirm status through token introspection and the revocation endpoint. Time-to-live caps keep any already-issued token short lived.
What powers the anomaly detection?
Six deterministic rules, evaluated against each agent's behavioural baseline: dormant agent waking up, expired agent in use, expired secret in use, activity despite a kill switch, unusual hours, and volume spikes. Anomalies are surfaced for a human to review; only extreme drift triggers automatic containment.
Does Obexal claim AI Act compliance?
No. Compliance depends on your organisation, your use case, and legal review. Obexal supplies supporting controls: traceability, an audit trail, a kill switch, and human oversight of agents.
Which plan includes AI agent governance?
AI agent governance is available from the Business plan up, which includes agent identity and governance, anomaly detection, policy-as-code, and the real-time audit stream. See plans and pricing.
Where is the data hosted?
Obexal is hosted in France, in a datacenter in the Paris region, and data resides in the EU. There is no non-EU dependency in the request path, no external CDN, and fonts are self-hosted. Certifications: not yet certified against ISO 27001, SOC 2, or HDS; the ISO 27001:2022 mapping is documented and the SecNumCloud roadmap is under way. More on our sovereignty page.
See the kill switch on your own agents.
Create a trial space, register an agent, and trigger the kill switch: the effect is immediate and audited.