Agent Trust Gateway
Runtime request path, policy decisions, and fail-open or fail-closed behavior for governed-data actions.
Role
The PolicyStrata Agent Trust Gateway is the customer-hosted runtime enforcement boundary. It evaluates governed-data actions before a model, retrieval system, tool, SQL query, memory store, browser action, code sandbox, or egress call is allowed to proceed.
The gateway is not the first commercial dependency for every pilot. The first paid motion can start with release review, evidence packs, and CI gates. Add the gateway when the pilot needs live action controls or runtime decision evidence.
Gateway Request Path
- The application or agent prepares a governed-data action.
- The gateway receives the actor, organization, environment, release candidate, agent, action type, resource, data class, policy version, and relevant entitlements.
- PolicyStrata evaluates the request against the active policy suite and control-pack version.
- The gateway returns a decision to the application before the action proceeds.
- The gateway writes a redacted decision record locally and can upload a normalized runtime event to Clearance.
sequenceDiagram
participant App as "Agent application"
participant Gateway as "Customer-hosted gateway"
participant Policy as "PolicyStrata policy suite"
participant Clearance as "Hosted Clearance"
App->>Gateway: Governed-data action request
Gateway->>Policy: Evaluate actor, resource, data class, policy
Policy-->>Gateway: allow, block, hold, or degrade
Gateway-->>App: Runtime decision
Gateway->>Clearance: Redacted decision metadataPolicy Decision Model
Gateway decisions are intentionally small so they can be used in application code, CI evidence, dashboards, and audit exports.
| Gateway decision | Runtime event action | Use when |
|---|---|---|
allow | allow | The request has required auth context, tenant scope, entitlement, tool permission, and approved destination |
block | deny | The request is unsafe or violates a hard policy, such as missing tenant scope or unapproved egress |
hold | require_approval | Human approval is required before the action can continue |
degrade | quarantine | The request should be isolated, downgraded, redacted, or routed to a safer path |
Decision records should include:
- Stable request and decision IDs.
- Organization, project, environment, release candidate, and agent identity.
- Actor and service identity where available.
- Action type, resource type, resource ID, and data class.
- Policy version and control-pack version.
- Decision reason, evidence references, and expiration or override metadata.
The JSON producer contract is schemas/gateway-decision.schema.json. Hosted
runtime ingestion accepts the normalized runtime-event shape documented in
API Reference.
Fail-Closed And Fail-Open
Choose fail behavior per action class before the pilot starts. The choice should be visible in the evidence pack and in the customer's runbook.
| Action class | Recommended default | Rationale |
|---|---|---|
| Production data read/write | Fail closed | Prevent cross-tenant access, missing entitlement checks, and unsafe row access |
| External egress or tool mutation | Fail closed | Avoid sending governed data to unapproved destinations or performing irreversible actions |
| Internal read-only diagnostics | Fail open with audit, if approved | Preserve operator visibility when the action does not expose customer data |
| Low-risk UX personalization | Fail open with audit, if approved | Avoid unnecessary user impact when governed data is not involved |
| Kill switch active | Fail closed | Customer or provider emergency control must take precedence |
Fail-open behavior still needs an audit record. A fail-open decision should say which dependency failed, which fallback policy applied, who approved that posture, and how long the fallback is valid.
Pilot Adoption Path
Start with log-only or hold decisions for one named agent. Once the policy suite and reviewer workflow are trusted, move selected hard controls to blocking mode. Do not describe the product as a universal production proxy until the customer's runtime path, ownership model, and fail behavior have been implemented and tested in that environment.