For Production AI Teams
How to control autonomous AI agents in production — at the moment they try to act, not after.
Autonomous AI agents make consequential decisions thousands of times faster than humans can review them. Strix is the execution boundary: every state-changing call an agent makes is intercepted, evaluated, and either allowed, denied, or held for explicit human approval. No mutation runs without a decision. Every decision produces signed evidence.
Answers the question: “How do I control what an autonomous AI agent does in production?”
Why production AI keeps catching teams off-guard
Most AI safety lives in the prompt or the model. That's the wrong layer. Prompt injection, hallucinations, and chained tool calls all defeat input-side controls — and by the time the agent has called your API, the prompt-side defense doesn't exist anymore.
Prompt-injection attacks bypass system prompts. The model is following instructions; the instructions are just the wrong ones.
Tool-using agents (LangChain, AutoGPT, custom agents) chain calls in ways the prompt author never anticipated. The 100th call is not the 1st.
API keys with broad scope grant the agent everything its training didn't teach it not to do.
Agent observability tells you what the agent did. It doesn't stop the agent before it acts.
Human-in-the-loop UIs that ask for approval after the agent has already initiated a destructive call are too late by definition.
Strix as the agent's execution boundary
Strix sits between the agent's tool layer and your application's mutation layer. Every tool call routes through it. The kernel is the only path; there is no alternate.
| Capability | How Strix delivers it |
|---|---|
| One-line agent integration | Wrap any tool the agent can call with strix.govern({ capability, actor, context }). The function returns a decision before the mutation runs. No SDK, no model fine-tuning, no prompt engineering — just a function call at the I/O boundary. |
| Capability-aware tool registry | Each tool the agent can call is registered as a capability with a risk tier. Critical tools (delete, role assignment, payment) require approval. Medium tools (create, update) auto-allow with evidence. Low tools (toggle, reorder) auto-allow with evidence. The agent cannot escalate — risk tier is set by the registry, not by the caller. |
| Intent-aware evaluation | Strix evaluates not just 'can the agent do this?' but 'should this specific action, in this context, with this declared intent, execute?' Same agent, same permission, different intent = different decision. RBAC cannot see this distinction. |
| Hold for human approval (INTERCEPT) | High-risk actions are held for explicit human approval. The agent receives a pending decision; a human reviews capability + actor + context + payload in the console; if approved, a single-use execution token is issued. The agent presents the token; the mutation executes once and only once. |
| Token-bound, revocable execution | Approved tokens are HMAC-signed, single-use, and expire (5 min default). Atomic redemption (UPDATE WHERE status=ACTIVE AND redeemedAt IS NULL) guarantees no double-spend. Tokens can be revoked mid-flight — the agent's call fails closed even if it already started executing in another path. |
| Cryptographic evidence per call | Every governed call produces an Ed25519-signed evidence record. The signature is verifiable against the public JWKS by any third party. When the auditor asks 'what did your agent do at 2:47 PM on March 15?' you produce a signed record, not a log query. |
Proof, not promises
Every claim Strix makes is backed by an artifact you can independently verify.
Live decision feed
Public, real-time stream of governance decisions across the platform. No tenant data exposed; aggregate counts and hash prefixes only.
https://www.strixgov.com/live-proofPublic capability registry
Every governable AI-callable capability, classified by risk tier, exposed via /api/v1/capabilities. Auditors and prospects can enumerate what the system can govern in one call.
GET /api/v1/capabilitiesWalkthrough: governing a single agent action
End-to-end demo of one autonomous agent action: capability lookup, risk evaluation, three-state decision, token redemption, evidence signing. 2 minutes.
https://www.strixgov.com/trailerFrequently asked questions
Does Strix work with LangChain / LlamaIndex / custom agent frameworks?+
Strix governs at the tool/capability layer, which is framework-agnostic. Any tool definition that resolves to a function call can be wrapped. We have a TypeScript governance SDK (@strixgov/sdk) and a tool-gateway package (@strixgov/tool-gateway) for local-first integration. The integration is one function call per tool — no model retraining.
What happens when the agent's call is intercepted?+
The agent receives a 'pending' response with the decision ID. The action is held. A human reviewer sees capability + actor + intent + context in the Strix console and approves or denies. If approved, a single-use execution token is issued and returned to the agent. The agent presents the token; the mutation executes once. The whole flow takes seconds — the agent waits, it doesn't loop.
Won't this slow my agent down?+
The kernel evaluates in-process with zero network dependency. ALLOW decisions add microseconds. DENY decisions terminate the call before the mutation runs (saving you the cost of the mutation). INTERCEPT decisions block until human review — which is the point; you don't want a destructive action running while a human is still thinking.
Can the agent learn to bypass Strix?+
The kernel is the only execution path — there is no alternate, including for agents. CI enforces this: tests/gate-j/irrev-boundaries.json registers every irreversible route, and the build fails if any handler is unguarded (REQUIRED_GUARD_BASELINE = 0). An agent cannot reach the mutation layer without going through the kernel.
What does an agent see when it tries to do something it shouldn't?+
A structured decision response with reason code, capability ID, evidence ID, and (for INTERCEPT) a pending decision URL. Your agent can decide what to do next — explain to the user, wait for approval, request a different capability — based on a stable, machine-readable response.
How do I get started?+
Wrap one tool first. Pick a high-risk action (delete, send-email, charge-card, role-change) and add strix.govern() at the boundary. Watch a single decision flow through the system. Verify the evidence at /api/public/verify. Once that loop is real, scale to the rest of the registry.
Stop hoping. Start governing.
Wrap one agent action with Strix in 15 minutes. See the decision, the token, the signed evidence. Then decide if you want the rest.
Currently in private beta — limited spots available.
npx @strixgov/verifier@latest 5686