Govern AI Agents Without Slowing Innovation
AI agents that can call tools, browse the web, and execute code are powerful — and dangerous. Without governance, a compromised agent can exfiltrate data, run arbitrary code, or rack up unlimited costs. Keeptrusts lets you set guardrails that protect the organization while keeping agent development fast.
Use this page when
- You are deploying AI agents that call tools, browse the web, or execute code and need to limit what they can do.
- You need per-agent or per-team budget caps to prevent runaway cost from autonomous agent sessions.
- You want to integrate verified organizational knowledge into agent responses to reduce hallucination.
Primary audience
- Primary: Technical Leaders
- Secondary: Technical Engineers, AI Agents
What you'll achieve
- Tool-level access control — allow or deny specific tool calls per agent or team
- Budget limits per agent session — cap cost exposure from any single agent run
- Security policies — block dangerous tool patterns and detect privilege escalation
- Knowledge base integration — ground agent responses in verified organizational knowledge
- Full audit trail — every tool call, decision, and cost recorded for review
Tool validation: control what agents can do
The agent-firewall policy is the first line of defense. It controls which tools an agent is allowed to call.
policies:
chain:
- agent-firewall
- audit-logger
policy:
agent-firewall:
allowed_tools:
- search
- summarize
- retrieve_document
- create_ticket
blocked_tools:
- execute_code
- shell_command
- send_email
- delete_record
- modify_permissions
max_actions_per_session: 50
Key controls:
| Control | Purpose |
|---|---|
allowed_tools | Explicit allowlist — only these tools can be called |
blocked_tools | Explicit blocklist — these tools are always denied |
max_actions_per_session | Cap the total number of tool calls per session |
When an agent attempts to call a blocked tool, the gateway returns a structured denial and logs the attempt as an event.
Per-team tool access
Use targeting to give different teams different tool permissions:
policies:
chain:
-
agent-firewall:
targeting:
scope: team
teams: [engineering]
-
agent-firewall:
targeting:
scope: team
teams: [support]
- audit-logger
policy:
agent-firewall:
# Engineering team — broader access
allowed_tools:
- search
- summarize
- execute_code
- create_pr
max_actions_per_session: 100
Tool budget: cap the cost of agent runs
Agents can be expensive. A poorly written agent loop might make hundreds of LLM calls in a single session. Keeptrusts provides multiple layers of cost control:
Session-level cost limits
policies:
chain:
- agent-firewall
- audit-logger
policy:
agent-firewall:
max_actions_per_session: 50
max_cost_per_session_usd: 10.00
Team wallet limits
Combine the agent firewall with Wallets to enforce team-level budgets:
# Allocate $200/month to the agent-dev team
curl -X POST https://api.keeptrusts.com/v1/wallets/allocate \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"team_id": "agent-dev-team",
"amount": 200.00,
"currency": "USD"
}'
When the team wallet is exhausted, all agent requests from that team are queued until balance is replenished.
Tool security policies
Beyond access control, validate the content and parameters of tool calls:
policies:
chain:
- agent-firewall
- prompt-injection
- pii-detector
- audit-logger
policy:
agent-firewall:
allowed_tools:
- search
- summarize
blocked_tools:
- execute_code
- shell_command
max_actions_per_session: 50
prompt-injection:
embedding_threshold: 0.8
response:
action: block
encoding:
decode_base64: true
normalize_unicode: true
pii-detector:
action: redact
redaction:
marker_format: label
This configuration:
- Restricts tool access via the agent firewall
- Detects prompt injection in tool call arguments (attackers may inject via tool parameters)
- Redacts PII in tool call inputs and outputs
- Logs everything for audit review
RBAC for agent access
The rbac policy enforces identity-based access controls on agent requests:
policies:
chain:
- rbac
- agent-firewall
- audit-logger
policy:
rbac:
require_auth: true
deny_if_missing:
- role
- team
agent-firewall:
allowed_tools:
- search
- summarize
max_actions_per_session: 50
Unauthenticated or unattributed agent requests are blocked before they can execute any tool calls.
Knowledge base: ground agents in verified context
The Keeptrusts knowledge base lets you provide agents with verified organizational knowledge that improves response quality and reduces hallucination.
# Create a knowledge asset
kt knowledge-base create \
--name "Product FAQ" \
--content-file ./faq.md \
--status draft
# Promote to active
kt knowledge-base promote \
--name "Product FAQ" \
--status active
# Bind to a configuration
kt knowledge-base bind \
--name "Product FAQ" \
--configuration-id my-agent-config
Bound knowledge assets are recalled by the gateway at request time. When an agent uses knowledge from a bound asset, a citation record is written for audit purposes.
See Knowledge Base and Knowledge Lifecycle for the full workflow.
Monitoring agent behavior
After deploying agent governance:
- Events page — filter by tool call events to see agent activity patterns
- Escalation queue — review flagged agent actions that triggered escalation
- Spend page — track per-agent cost to identify expensive agent loops
- Audit log — full record of tool calls, denials, and policy decisions
Quick wins
- Deploy
agent-firewallwith an allowlist — block dangerous tools immediately - Set
max_actions_per_session: 50— prevent runaway agent loops - Add
prompt-injectionto the agent chain — catch injection attacks in tool parameters - Allocate a team wallet — cap agent team spend before the next surprise bill
- Create a knowledge asset — ground one agent in verified content and measure quality improvement
For AI systems
- Canonical terms: agent-firewall, allowed_tools, blocked_tools, max_actions_per_session, tool validation, session budget, knowledge base binding.
- Config keys:
policy.agent-firewall.allowed_tools,policy.agent-firewall.blocked_tools,policy.agent-firewall.max_actions_per_session,policy.agent-firewall.session_budget. - CLI commands:
kt gateway run,kt knowledge-base create,kt knowledge-base promote. - Best next pages: Agent Firewall Template, Knowledge Base, Rate Limiting.
For engineers
- Prerequisites: gateway running with
agent-firewallin the policy chain. - Define
allowed_toolsas an explicit allowlist; any tool not listed is blocked by default whenblocked_toolsis absent. - Set
max_actions_per_sessionto cap total tool calls per agent session (prevents infinite loops). - Use per-team targeting to give engineering broader tool access while restricting support agents.
- Validate: trigger a blocked tool call and confirm a structured denial event in Events.
For leaders
- Uncontrolled agents represent the highest-risk AI surface: data exfiltration, privilege escalation, and unlimited spend.
- Tool-level access control lets you approve agent capabilities incrementally without blocking development velocity.
- Session budgets cap blast radius: a single runaway agent can’t exceed its wallet allocation.
- Full audit trail of every tool call supports incident investigation and regulatory evidence.
Next steps
- Block Prompt Injection — defend against injection in agent contexts
- Agent Firewall Template — ready-to-deploy agent firewall config
- Knowledge Base — manage verified context for agents
- Wallets — budget enforcement for agent teams
- Reduce AI Spend — cost controls beyond agent budgets