An out-of-process governance layer for agent egress.
Panopticore sits in a separate process and a separate trust boundary from the agent runtime. This is what makes enforcement deterministic and evidence independently verifiable.
Three components. Your VPC.
Edge Authenticator
- mTLS identity at the boundary
- Principal extraction from URI SAN
- CRL checking
- DSSE token minting
Sidecar Proxy
- Token verification
- Policy evaluation against OPA/Rego bundles
- Egress guardrails: allowlists, DNS pinning, rate limits
- Event capture to tamper-evident ledger
Admin Service
- Policy management
- Approval orchestration
- Slack integration with TOCTOU-safe signed tokens
- Evidence Binder rendering
A separate process. A separate trust boundary.
Panopticore is not a library, not an SDK, and not middleware inside the agent's runtime. It is an out-of-process control point that sits between the agent and the external systems the agent wants to reach. The agent cannot modify, bypass, or disable it because the governance layer exists in a trust boundary the agent does not control.
This is the same architectural pattern the security community has relied on for decades: external authentication services, network firewalls, reverse proxies. The entity being controlled and the entity doing the controlling must not share the same boundary.
What the platform produces.
Policy decisions
Allow, warn, block, or approval-required. Deterministic. Evaluated against OPA/Rego policy bundles.
Approval workflows
Slack today, additional channels on the roadmap. Signed tokens prevent TOCTOU races between approval and execution.
Tamper-evident ledger
Every governance event is captured in a tamper-evident ledger. Merkle-linked. Signed. Auditable.
Evidence Binders
Cryptographically signed session summaries. Self-contained. Offline-verifiable. The artifact that closes the evidence gap.
Fail-closed. No best-effort fallback.
Identity validation failure
If mTLS identity cannot be established or the certificate fails CRL checks, the edge fails readiness and blocks traffic. No fallback to unauthenticated operation.
Key rotation
Evidence remains verifiable under key rotation. Binders carry the verification artifacts needed to validate them against the key that was active at signing time.
Policy bundle updates
Policy bundles are versioned. The proxy evaluates against the bundle that was active at request time. Bundle checksums are recorded in the Evidence Binder so auditors can verify which policy was in effect.
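The tamper-evident ledger and the bundle checksum recorded for auditors, shown as an added illustrative example rather than Panopticore's own code: each governance event carries the checksum of the policy bundle in force and the hash of the previous entry, so editing or truncating past history is detectable from the head hash alone. A plain hash chain stands in for the Merkle linking, signing is left out, and the SPIFFE-style principal names and Rego snippet are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value used by the first entry


def _digest(obj: dict) -> str:
    # Canonical JSON so the hash is independent of key order.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []

    def append(self, principal, destination, decision, bundle_checksum):
        # Each event records which policy bundle produced the decision
        # and links to the previous entry's hash.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "principal": principal,
                "destination": destination, "decision": decision,
                "bundle_checksum": bundle_checksum, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head):
    """Recompute the chain offline. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False, i  # entry rewritten or link broken
        prev = e["hash"]
    if prev != expected_head:
        return False, len(entries)  # chain truncated or head forged
    return True, -1


def demo():
    # Constructed sample: a bundle checksum and two egress decisions.
    bundle = hashlib.sha256(b'allow { input.host == "api.example.com" }').hexdigest()
    ledger = Ledger()
    ledger.append("spiffe://example.org/agent/billing", "api.example.com", "allow", bundle)
    ledger.append("spiffe://example.org/agent/billing", "files.example.net", "block", bundle)
    head = ledger.head()  # the value an Evidence Binder would carry
    intact = verify(ledger.entries, head)
    edited = json.loads(json.dumps(ledger.entries))
    edited[1]["decision"] = "allow"  # attempt to rewrite a past decision
    rewritten = verify(edited, head)
    dropped = verify(ledger.entries[:1], head)  # attempt to hide the block event
    return intact, rewritten, dropped
```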
What Panopticore does not do.
- Govern intra-platform actions. Actions that remain entirely within a vendor's closed infrastructure (e.g., Agentforce executing inside Salesforce, Copilot acting on Dataverse without crossing the network) are outside the interception surface. This is a deliberate architectural boundary.
- Replace the agent's own runtime. Panopticore governs agent egress. It does not host, execute, or modify the agent itself.
- Certify model behavior. Panopticore governs actions at the network layer. It does not evaluate the quality, safety, or correctness of the underlying model's reasoning.
What's next.
See it in your environment.
Request early access and we'll scope a design partner engagement for your stack.