
Everything your compliance team needs to say yes to agentic AI

AutoPIL is the policy enforcement and audit layer between your AI agents and your sensitive data. Built for regulated industries where a data access violation is a compliance incident, not just a bug.

322 tests passing · 10 integration channels · 115 pre-built policies

Built for enforcement, not just observability

Sixteen capabilities that work together to give your compliance and engineering teams full control over what data enters an agent's context window.

🔒
Policy engine
YAML-based policies with source allowlists, denylists, and sensitivity ceilings. Deny by default. Hot-reload without service restarts. Full CRUD via REST API with version history.
policies/
📋
Immutable audit log
Every retrieval attempt is logged — decision, policy matched, reason, context hash, and timestamp. Append-only. No delete API. Every event is cryptographically chained to the one before it. SQLite for dev, Postgres for production.
audit_events
📈
PIL Score (new)
A composite 0–100 governance health index computed from 30 days of audit activity. Five components: Scope Integrity (35%), Governance Coverage (25%), Isolation Safety (20%), Source Registration (10%), and Trend (10%). Four bands: Governed, Monitored, At Risk, Critical. Shown in the dashboard as a sparkline with component breakdown — queryable via API for board reporting.
GET /v1/audit/pil-score
🔔
Real-time alerting
Threshold rules on denial spikes, new data source access, cross-agent isolation violations, and high deny rates. Webhook and email delivery with per-rule cooldowns.
AlertEngine
📡
OpenTelemetry
Spans and metrics emitted from every policy evaluation. Routes to Datadog, Grafana, and Splunk via OTEL_EXPORTER_OTLP_ENDPOINT. Zero overhead when not configured.
autopil.evaluate
🏢
Multi-tenancy
Row-level tenant isolation across all tables. Each tenant's audit events, policies, and alert rules are fully separated. Superadmin provisioning via REST API.
tenant_id
🔗
Cross-agent isolation
A session belongs to the first agent that accessed it. Any other agent attempting the same session is automatically denied and logged — no configuration needed.
cross_agent_isolation
⏱️
Policy-driven session TTL
Set session_ttl_minutes per agent role in policy YAML. A fraud_investigator session expires in 60 minutes. A route_optimization_agent runs for 8 hours. Precedence: policy → global server setting → no expiry.
session_ttl_minutes
📉
Sensitivity decay (novel)
As a session ages, its effective sensitivity ceiling tightens automatically. A fraud_investigator has full critical access for 30 minutes, then drops to high, then medium. Risk narrows over time without operator action.
sensitivity_decay
📌
Revocation reason
Every session revocation records why — fraud_detected, admin_action, policy_violation, user_logged_out, and more — with an exact revoked_at timestamp. Surfaced as a tooltip on the status badge in the dashboard.
revocation_reason
Async-native
protect_async uses Python ContextVar for concurrent-safe last_event_id tracking across async agents. Fully compatible with asyncio, FastAPI, and aioboto3.
protect_async
🌐
ASGI Middleware
HTTP-layer enforcement for FastAPI and Starlette apps. RouteRule maps URL patterns to policies. Shadow mode (on_deny="log") for zero-disruption rollout. Buffers and replays the request body so downstream handlers are unaffected.
AutoPILMiddleware
📊
Live dashboard
React-based dashboard with real-time charts, full-text search across audit events, isolation violation banner, trend arrows on denial rates, channel distribution donut chart, and per-channel breakdown. Sessions tab shows active and historical sessions with TTL countdown, context hash, bulk revocation, and revocation reason tooltip.
by_source_type
🔑
Context hash
Every ALLOW event stores a SHA-256 hash (first 16 chars) of the returned context. Lets you prove exactly what data entered an agent's context window — tamper-evident.
context_hash
⛓️
Tamper-evident hash chain (SOC 2)
Every audit event carries a SHA-256 hash of the previous event's hash plus its own immutable fields. Any modification to any past event breaks the chain. A single API call verifies the entire log, returning the exact event where tampering occurred.
GET /v1/audit/verify
🏷️
Source type tagging
Every audit event is stamped with source_type — one of 9 channels. Dashboard by_source_type breakdown lets you see which channels are generating the most access or denial events.
source_type
🔄
Policy hot-reload
Change a policy YAML, call the REST API, and the new rule takes effect immediately — no agent restarts, no downtime, no config drift.
POST /v1/policies

The only AI governance platform with cryptographic proof your audit log was never touched

Most platforms call their log "immutable" because there's no delete button. That's not tamper evidence — it's just a UI restriction. AutoPIL chains every event to the previous one using SHA-256. If any row is modified, deleted, or inserted out of order, the chain breaks and the verification endpoint tells you exactly which event.

This is what SOC 2 Type II auditors look for under CC7.2 and CC9.1 — evidence that log integrity controls exist and are verifiable on demand.

SHA-256 per event · Linked chain across tenant · Verify via REST API · SOC 2 CC7.2 / CC9.1
GET /v1/audit/verify 200 OK
// audit log intact — no tampering detected
{
  "valid":      true,
  "total":      1247,
  "chained":    1247,
  "legacy":     0,
  "broken_at":  null
}

// after any row is altered
{
  "valid":      false,
  "total":      1247,
  "chained":    83,
  "broken_at":  "evt_a3f9c..."
}
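
The chaining scheme described above, as an added example that is not AutoPIL's code. The field names, JSON canonicalisation, all-zero genesis hash and the meaning given to `chained` (events verified before the first break) are assumptions, and the events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first event in a chain


def event_hash(prev_hash, fields):
    """SHA-256 over the previous event's hash plus this event's immutable fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(log, **fields):
    """Append an event, chaining it to the hash of the last event in the log."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"fields": fields, "prev_hash": prev, "hash": event_hash(prev, fields)})


def verify(log):
    """Walk the chain from the start and report the first event that fails."""
    prev = GENESIS
    for i, ev in enumerate(log):
        if ev["prev_hash"] != prev or ev["hash"] != event_hash(prev, ev["fields"]):
            return {"valid": False, "total": len(log), "chained": i,
                    "broken_at": ev["fields"]["event_id"]}
        prev = ev["hash"]
    return {"valid": True, "total": len(log), "chained": len(log), "broken_at": None}


def sample_log():
    """Constructed sample events, not real AutoPIL records."""
    log = []
    for n, decision in enumerate(["ALLOW", "DENY", "ALLOW", "ALLOW"], start=1):
        append(log, event_id=f"evt_{n:04d}", decision=decision,
               policy="analyst-base", timestamp=f"2024-01-01T00:00:0{n}Z")
    return log


def tampered(kind):
    """Apply one constructed tampering case to a fresh log and verify it."""
    log = sample_log()
    if kind == "edit":        # rewrite a past DENY as ALLOW
        log[1]["fields"]["decision"] = "ALLOW"
    elif kind == "delete":    # remove a row from the middle
        del log[2]
    elif kind == "swap":      # reorder two rows
        log[0], log[1] = log[1], log[0]
    return verify(log)


if __name__ == "__main__":
    for case in ("edit", "delete", "swap"):
        print(case, tampered(case))
```

For a deleted row the break is reported at the event that followed it, since that is the first one whose `prev_hash` no longer matches. A chain stored next to the data can be recomputed end to end by anyone with write access to the table, so the latest hash should also be recorded somewhere the database writer cannot reach.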

From enforcement log to governance posture — automatically

Most platforms give you data. AutoPIL gives you a score. Every enforcement decision — every ALLOW, every DENY, every isolation check — flows into a continuously updated PIL Score: a 0–100 governance health index that tells your compliance team and your board exactly where you stand.

The component breakdown pinpoints where to focus: low Governance Coverage means unregistered agents; low Source Registration means shadow data access; a declining Trend means something changed in the last 30 days that needs investigation.

Governed 85+ · Monitored 65+ · At Risk 40+ · Critical <40

Dashboard · Overview tab
Governed: 87 / 100  ·  last 30 days
Scope Integrity: 91
Gov. Coverage: 88
Isolation Safety: 100
Source Reg.: 75
Trend: 100

Nine ways to integrate

Adopt AutoPIL with whichever integration fits your stack. Every channel runs the same policy engine and writes to the same audit log.

🐍 Python SDK
source_type="sdk"
@guard.protect() decorator for Python microservices, scripts, and notebooks. Sync and async variants.
🔄 Async / protect_async
source_type="sdk"
ContextVar-based async decorator for concurrent agent frameworks. Safe under asyncio gather.
🔌 MCP Server
source_type="mcp"
Works with Claude Desktop and any MCP-compatible agent. No code changes in the agent required.
🌐 REST API
source_type="rest"
Language-agnostic HTTP endpoint. Use from Go, Java, Ruby, PHP, .NET, or any language with an HTTP client.
⚙️ ASGI Middleware
source_type="api"
FastAPI/Starlette middleware that enforces policy at the HTTP layer before your handler runs.
🦜 LangChain
source_type="langchain"
Wraps LangChain tools, chains, and LCEL pipelines. Compatible with LangChain agents.
🦙 LlamaIndex
source_type="llamaindex"
Wraps LlamaIndex query engines and retrievers. Works with any LlamaIndex agent.
💎 Gemini
source_type="gemini"
Wraps retrieval functions called from Google Gemini function-calling agents.
🤖 OpenAI Agents
source_type="openai_agents"
Integrates with OpenAI Agents SDK function tools.
☁️ AWS Bedrock
source_type="bedrock"
Wraps boto3 bedrock-agent-runtime client. Supports sync and async (aioboto3). inputText used as the policy query.

Native SDKs for every stack

Each SDK wraps the same REST API and preserves the same method signatures so you can swap languages without relearning the integration.

Python SDK
pip install autopil
Decorator, async decorator, ASGI middleware, LangChain, LlamaIndex, Gemini, OpenAI Agents, Bedrock.
from autopil import ContextGuard
guard = ContextGuard(policy_path="policies/")

@guard.protect(agent_role="analyst", ...)
def retrieve(query):
    ...
TypeScript SDK
npm install autopil-ts
REST client for Node.js and browser agents. Matches the Python SDK's method signatures.
import { AutoPILClient } from 'autopil-ts';
const client = new AutoPILClient({ baseUrl, apiKey });
const result = await client.context.evaluate({
    agent_role: 'analyst', ...
});
Go SDK
go get github.com/vibrantcapital/autopil-go
stdlib only (net/http, encoding/json). Table-driven tests. Go 1.21+.
import "github.com/vibrantcapital/autopil-go/autopil"
client := autopil.New("http://localhost:8000", "apl_yourkey")
result, err := client.Context.Evaluate(ctx,
    autopil.EvaluateRequest{
        AgentRole: "analyst",
        SourceID:  "reports",
    })
Java SDK
ai.vibrantcapital:autopil-java:0.1.0
Jackson only. Builder pattern. Java 17+. JUnit 5.
AutoPILClient client = AutoPILClient.builder()
    .baseUrl("http://localhost:8000")
    .apiKey("apl_yourkey")
    .build();
EvaluateResponse resp = client.context().evaluate(
    EvaluateRequest.builder()
        .agentRole("analyst")
        .sourceId("reports")
        .build());

Real-time visibility. No log spelunking.

The AutoPIL dashboard gives your team a live view of every policy decision, across every channel, in one place.

Full-text search: Search across audit events by query, reason, agent_role, source_id, and policy_name.
Isolation violation banner: Red alert surfaces automatically when cross-agent isolation events are detected.
Trend arrows on denied requests: ↑ red indicator when denial rate is rising relative to the prior window.
Channel distribution donut: See at a glance which of 9 channels is generating the most traffic or denials.
Per-channel breakdown: Stats API returns by_source_type with total, allowed, and denied per channel.
Row highlighting: Isolation violation rows are highlighted with a red left border for immediate triage.
Stat card hover animations: Smooth lift-on-hover interaction across all stat cards and event rows.
Zero-setup audit trail: Every channel writes to the same audit log. No extra instrumentation in your agents.
localhost:3000 — AutoPIL Dashboard
Total Events: 1,247 (last 24 hours)
Allowed: 1,118 (89.7% allow rate)
Denied: 129 (10.3% deny rate — rising)
sdk 847 · api 203 · langchain 87 · bedrock 64 · rest 46

Time | Query | Channel | Verdict | Policy
14:32:01 | customer revenue Q3 | langchain | ALLOW | analyst-base
14:31:47 | session_id: s_a9f2 — agent_2 blocked | sdk | DENY | cross-agent
14:31:22 | summarize PII records | rest | DENY | pii-ceiling
14:30:58 | bedrock: loan approval docs | bedrock | ALLOW | credit-analyst

Start governing your agents today

Self-hosted. No vendor lock-in.