AI agent governance

Keep every AI agent under control.

Autonomous agents act on their own credentials, at machine speed. Obexal gives your security team the oversight, detection, and kill switch to stay in command of a growing fleet.

Governance built for machine identities

Every control below applies per agent, evaluated at the identity provider, not bolted on afterwards.

Full visibility

See every agent, its human owner, its scopes, its audience allowlist, and its last activity in one unified directory.

Anomaly detection

Six deterministic rules: dormant agent waking up, expired agent in use, expired secret in use, activity despite a kill switch, unusual hours, and volume spikes. Only extreme drift triggers automatic containment.

Real-time revocation

Suspend or revoke an agent instantly. Token introspection and revocation propagate to relying parties.

Kill switch

One action cuts an agent off: no new tokens, tokens still in circulation go inert at introspection, delegation withdrawn.

Delegation oversight

On-behalf-of grants are explicit and reviewable. Human owners stay accountable for what an agent may do.

Periodic review

Attested access reviews, every 90 days, keep scopes, audiences, and time-to-live caps from drifting out of bounds.

Contain the blast radius by default

Governance starts before the first token is issued. Obexal ships fail-closed defaults so an agent can never quietly exceed its mandate.

Policy per agent, enforced at issuance

Each agent carries its own policy, enforced when the token is issued: a scope ceiling, a time-to-live cap, and an audience allowlist. Any request outside the mandate fails closed. The full identity model (human owner, expiry, lifecycle statuses, secrets) is detailed on the AI agent identity page.

  • Scope ceiling, TTL cap, and audience allowlist: fail-closed
  • Immediate kill switch: tokens still in circulation go inert at introspection
  • Secret rotation with immediate old-secret cutoff

Identity: OAuth 2.1 client credentials + PAR
Delegation: Token Exchange (RFC 8693), chained act claim
Audience: RFC 8707 + per-agent allowlist
Default posture: fail-closed
Kill switch: immediate effect, circulating tokens go inert
Audit: append-only log + real-time event stream
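The controls in the list above (scope ceiling, audience allowlist, TTL cap, fail-closed default, kill switch, introspection) can be read as one small issuance-time policy check. The following is an added example written for this page, not Obexal's code: the agent record, policy fields, in-memory stores, event names and the introspection response shape are assumptions chosen to mirror the page's wording. Policy is evaluated before any token exists, and the kill switch flips every circulating token to inactive at introspection even though its expiry has not passed.

```python
"""Per-agent policy enforced at token issuance, plus a kill switch that makes
tokens still in circulation inert at introspection.

Added example, not Obexal's code. The agent record, policy fields, in-memory
stores and event names are assumptions chosen to mirror the controls named on
the page: scope ceiling, TTL cap, audience allowlist, fail-closed default,
kill switch, append-only audit log.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentPolicy:
    scope_ceiling: frozenset       # scopes the agent may ever be granted
    ttl_cap: int                   # token lifetime in seconds (never exceeded)
    audience_allowlist: frozenset  # audiences (RFC 8707 resource) it may target


@dataclass
class Agent:
    client_id: str
    owner: str                     # accountable human owner
    policy: AgentPolicy
    killed: bool = False           # kill switch state


@dataclass
class IssuedToken:
    client_id: str
    scope: frozenset
    aud: str
    exp: float


class PolicyViolation(Exception):
    """Any request outside the agent's mandate: fail closed, issue nothing."""


class Issuer:
    def __init__(self) -> None:
        self.agents: dict = {}
        self.tokens: dict = {}    # opaque token -> IssuedToken
        self.audit: list = []     # append-only; entries are never edited

    def register(self, agent: Agent) -> None:
        self.agents[agent.client_id] = agent

    def issue(self, client_id: str, scope: set, aud: str,
              now: Optional[float] = None) -> str:
        """Client-credentials grant; the policy is checked before any token exists."""
        now = time.time() if now is None else now
        agent = self.agents.get(client_id)
        if agent is None or agent.killed:
            self._log("issue.denied", client_id, reason="unknown or killed agent")
            raise PolicyViolation("agent is not eligible for tokens")
        if not set(scope) <= agent.policy.scope_ceiling:
            self._log("issue.denied", client_id, reason="scope above ceiling")
            raise PolicyViolation("scope outside ceiling")
        if aud not in agent.policy.audience_allowlist:
            self._log("issue.denied", client_id, reason="audience not allowlisted")
            raise PolicyViolation("audience outside allowlist")
        tok = secrets.token_urlsafe(24)
        # Lifetime is the policy's cap; the client never chooses it.
        self.tokens[tok] = IssuedToken(client_id, frozenset(scope), aud,
                                       now + agent.policy.ttl_cap)
        self._log("issue.ok", client_id, scope=sorted(scope), aud=aud,
                  ttl=agent.policy.ttl_cap)
        return tok

    def kill(self, client_id: str) -> None:
        """Kill switch: no new tokens, and circulating ones go inert at introspect()."""
        self.agents[client_id].killed = True
        self._log("agent.killed", client_id)

    def introspect(self, tok: str, now: Optional[float] = None) -> dict:
        """RFC 7662-style answer: inactive if unknown, expired, or the agent is killed."""
        now = time.time() if now is None else now
        t = self.tokens.get(tok)
        if t is None or t.exp <= now or self.agents[t.client_id].killed:
            return {"active": False}
        return {"active": True, "client_id": t.client_id,
                "scope": " ".join(sorted(t.scope)), "aud": t.aud, "exp": int(t.exp)}

    def _log(self, event: str, client_id: str, **detail) -> None:
        self.audit.append({"ts": time.time(), "event": event,
                           "client_id": client_id, **detail})


if __name__ == "__main__":
    iss = Issuer()
    iss.register(Agent("purchasing-agent", "alice@example",
                       AgentPolicy(frozenset({"po:read", "po:write"}), 300,
                                   frozenset({"https://erp.example/api"}))))
    tok = iss.issue("purchasing-agent", {"po:read"}, "https://erp.example/api")
    print(iss.introspect(tok))          # active: True
    iss.kill("purchasing-agent")
    print(iss.introspect(tok))          # active: False, although not expired
```

Relying parties that cache a JWT's `exp` locally never see the kill switch; only a call to the introspection endpoint (or a revocation push) does, which is why the page ties "go inert" to introspection rather than to the token itself.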

From signal to containment

A repeatable loop your SOC can run on every agent.

1. Baseline

Obexal learns each agent's normal pattern of scopes, audiences, and request cadence.

2. Detect

Deviations from the baseline are surfaced against the agent's policy and recent activity.

3. Investigate

Follow the delegation chain and the live audit stream to see exactly what the agent did and on whose behalf.

4. Contain

Trigger the kill switch or tighten the agent's scope ceiling and audience allowlist without redeploying it.

5. Review

Tighten the policy where needed: every change creates a new policy version, recorded in the append-only audit log, and the next periodic review is scheduled.

Tuesday, 3:12 am: the purchasing agent calls the HR API

An incident scenario in five acts, exactly as your SOC would live it in Obexal.

1. Baseline

The purchasing agent has never issued a token at this hour. Its baseline knows its usual scopes, audiences, cadence, and hours.

2. Detection

The unusual hours rule opens an anomaly: a token request at 3:12 am, towards an audience the agent never calls at night.

3. Investigation

The delegation chain (act claim) shows who delegated what to the agent, and the forensic log replays every token issued overnight.

4. Containment

Kill switch: no new tokens are issued, and tokens still in circulation go inert at introspection.

5. Review

The agent's policy is tightened (lower scope ceiling), the new policy version is recorded, and the review is attested.
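The investigation act above (replay overnight issuance, unwind the act claim) is the part an analyst would script first. The following is an added example, not Obexal's code: the audit events are constructed, and the field names (`ts`, `event`, `agent`, `aud`, `scope`, `claims`) are assumptions. The nesting rule for `act` is the one RFC 8693 §4.1 defines: the outermost `act` is the current actor, nested `act` claims are prior actors, and `sub` is the party on whose behalf the token was issued.

```python
"""Investigation step: replay overnight token issuance from the audit stream
and unwind each token's RFC 8693 'act' delegation chain.

Added example, not Obexal's code. The audit events below are constructed and
the event field names are assumptions.
"""
from datetime import datetime, timezone

# Constructed audit events for one night. 'claims' holds the issued token's
# sub and (nested) act claims as RFC 8693 §4.1 lays them out.
AUDIT = [
    {"ts": "2025-03-04T09:00:00Z", "event": "issue.ok", "agent": "purchasing-agent",
     "aud": "https://erp.example/api", "scope": "po:read",
     "claims": {"sub": "alice@example", "act": {"sub": "purchasing-agent"}}},
    {"ts": "2025-03-04T18:05:00Z", "event": "issue.ok", "agent": "purchasing-agent",
     "aud": "https://erp.example/api", "scope": "po:write",
     "claims": {"sub": "alice@example", "act": {"sub": "purchasing-agent"}}},
    {"ts": "2025-03-04T22:40:00Z", "event": "issue.ok", "agent": "invoice-agent",
     "aud": "https://erp.example/api", "scope": "invoice:read",
     "claims": {"sub": "carol@example", "act": {"sub": "invoice-agent"}}},
    {"ts": "2025-03-05T03:12:00Z", "event": "issue.ok", "agent": "purchasing-agent",
     "aud": "https://hr.example/api", "scope": "employee:read",
     "claims": {"sub": "bob@example",
                "act": {"sub": "purchasing-agent",
                        "act": {"sub": "orchestrator-agent"}}}},
]


def act_chain(claims: dict) -> list:
    """[subject, current actor, prior actors...] from nested 'act' claims.
    The least recent actor is the most deeply nested (RFC 8693 §4.1)."""
    chain = [claims["sub"]]
    node = claims.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def _parse_ts(value: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def replay(audit: list, client_id: str, start: datetime, end: datetime) -> list:
    """Every token issued to client_id in [start, end), with its delegation chain."""
    rows = []
    for ev in audit:
        if ev["event"] != "issue.ok" or ev["agent"] != client_id:
            continue
        ts = _parse_ts(ev["ts"])
        if not (start <= ts < end):
            continue
        chain = act_chain(ev["claims"])
        rows.append({"ts": ts, "aud": ev["aud"], "scope": ev["scope"],
                     "on_behalf_of": chain[0],
                     "actor": chain[1] if len(chain) > 1 else None,
                     "delegated_via": chain[2:]})
    return rows


def describe(row: dict) -> str:
    """One human-readable line per issued token for the incident timeline."""
    via = (f" (delegated via {', '.join(row['delegated_via'])})"
           if row["delegated_via"] else "")
    return (f"{row['ts']:%Y-%m-%d %H:%M} {row['actor']} -> {row['aud']} "
            f"[{row['scope']}] on behalf of {row['on_behalf_of']}{via}")


if __name__ == "__main__":
    night_start = datetime(2025, 3, 4, 18, 0, tzinfo=timezone.utc)
    night_end = datetime(2025, 3, 5, 6, 0, tzinfo=timezone.utc)
    for row in replay(AUDIT, "purchasing-agent", night_start, night_end):
        print(describe(row))
```

The 3:12 am entry is the one worth the analyst's attention: the subject is a different human than the agent's owner, and a prior actor sits in the chain, so the question to the orchestrator's owner is why that delegation existed at all.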

Support your AI Act obligations

Obexal does not claim to make you compliant. It gives you the technical controls that oversight of autonomous systems rests on.

Traceability

An append-only audit log records who did what, when, and on whose behalf, per agent.

Human oversight

Owners and reviewers stay in the loop through delegation, periodic review, and self-service grants.

Ability to intervene

The kill switch and real-time revocation give a human the means to stop an agent at any moment.

EU by design

Designed and hosted in the EU, with no non-EU dependency, self-hosted fonts, and no CDN. GDPR-aligned.

Questions from security and compliance teams

How is this different from your AI agent identity product?

Identity is how each agent authenticates and what it is allowed to request. Governance is how you supervise the fleet over time: detection, revocation, kill switch, delegation oversight, and audit. The two work together. Start with the identity model on our AI agent identity page.

How fast does revocation take effect?

A kill switch or revocation stops new token issuance immediately, and relying parties can confirm status through token introspection and the revocation endpoint. Time-to-live caps keep any already-issued token short-lived.

What powers the anomaly detection?

Six deterministic rules, evaluated against each agent's behavioural baseline: dormant agent waking up, expired agent in use, expired secret in use, activity despite a kill switch, unusual hours, and volume spikes. Anomalies are surfaced for a human to review; only extreme drift triggers automatic containment.
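The six rules named here and in the "Anomaly detection" item above are deterministic enough to write down as plain predicates over a per-agent baseline. The following is an added example, not Obexal's detection engine: the baseline fields, the thresholds (30 days for dormancy, 3x cadence for a spike, 10x for "extreme drift"), and the rule that activity after a kill switch counts as extreme are assumptions chosen for the example.

```python
"""Six deterministic anomaly rules evaluated against a per-agent baseline,
with a human-review-by-default decision and automatic containment reserved
for extreme drift.

Added example, not Obexal's code. Baseline fields, thresholds and severity
assignments are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AgentState:
    client_id: str
    killed: bool                  # kill switch state
    expires_at: datetime          # agent lifecycle expiry
    secret_expires_at: datetime   # expiry of the current client secret


@dataclass
class Baseline:
    usual_hours: frozenset        # UTC hours in which the agent normally requests tokens
    requests_per_hour: float      # typical cadence
    last_seen: datetime           # most recent token request before this one


@dataclass
class TokenRequest:
    ts: datetime
    aud: str
    scope: str
    requests_last_hour: int       # count in the trailing hour, this request included


DORMANT_AFTER = timedelta(days=30)   # assumption: dormancy threshold
SPIKE_FACTOR = 3.0                   # assumption: cadence ratio that opens an anomaly
EXTREME_FACTOR = 10.0                # assumption: cadence ratio treated as extreme drift


def evaluate(agent: AgentState, base: Baseline, req: TokenRequest) -> list:
    """Return (rule, severity) findings; severity is 'review' or 'extreme'."""
    findings = []
    if req.ts - base.last_seen > DORMANT_AFTER:
        findings.append(("dormant_agent_woke_up", "review"))
    if req.ts > agent.expires_at:
        findings.append(("expired_agent_in_use", "review"))
    if req.ts > agent.secret_expires_at:
        findings.append(("expired_secret_in_use", "review"))
    if agent.killed:
        # Assumption: any activity after the kill switch is extreme by definition.
        findings.append(("activity_despite_kill_switch", "extreme"))
    if req.ts.hour not in base.usual_hours:
        findings.append(("unusual_hours", "review"))
    ratio = req.requests_last_hour / max(base.requests_per_hour, 1e-9)
    if ratio >= EXTREME_FACTOR:
        findings.append(("volume_spike", "extreme"))
    elif ratio >= SPIKE_FACTOR:
        findings.append(("volume_spike", "review"))
    return findings


def decide(findings: list) -> str:
    """Extreme drift contains automatically; everything else goes to a human."""
    if any(sev == "extreme" for _, sev in findings):
        return "contain"
    return "review" if findings else "ok"


# Constructed scenario: the purchasing agent at 3:12 am on a Tuesday.
UTC = timezone.utc
PURCHASING = AgentState("purchasing-agent", killed=False,
                        expires_at=datetime(2026, 1, 1, tzinfo=UTC),
                        secret_expires_at=datetime(2025, 12, 1, tzinfo=UTC))
PURCHASING_BASELINE = Baseline(usual_hours=frozenset(range(8, 19)),
                               requests_per_hour=2.0,
                               last_seen=datetime(2025, 3, 4, 17, 50, tzinfo=UTC))
NIGHT_REQUEST = TokenRequest(datetime(2025, 3, 5, 3, 12, tzinfo=UTC),
                             "https://hr.example/api", "employee:read",
                             requests_last_hour=1)


if __name__ == "__main__":
    found = evaluate(PURCHASING, PURCHASING_BASELINE, NIGHT_REQUEST)
    print(found, "->", decide(found))   # unusual_hours only -> review
```

Keeping the rules as independent predicates is what makes them explainable to a reviewer: every anomaly names the single rule and threshold that fired, and the containment decision is a function of severities rather than of a score nobody can audit.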

Does Obexal claim AI Act compliance?

No. Compliance depends on your organisation, your use case, and legal review. Obexal supplies supporting controls: traceability, an audit trail, a kill switch, and human oversight of agents.

Which plan includes AI agent governance?

AI agent governance is available from the Business plan up, which includes agent identity and governance, anomaly detection, policy-as-code, and the real-time audit stream. See plans and pricing.

Where is the data hosted?

Obexal is hosted in France, in a datacenter in the Paris region, and data resides in the EU. There is no non-EU dependency in the request path, no external CDN, and fonts are self-hosted. Certifications: not yet certified for ISO 27001, SOC 2, or HDS; the ISO 27001:2022 mapping is documented and the SecNumCloud roadmap is under way. More on our sovereignty page.

See the kill switch on your own agents.

Create a trial space, register an agent, and trigger the kill switch: the effect is immediate and audited.