Here’s what I believe: unless AI governance goes this granular, the bloodstream can’t carry honest information into every department to nourish an objective picture of the facts — and without that, a real never forms. Governance isn’t the checkbox; it’s the circulation everything else runs on.
— Louie, founding AI architect
Proofpane turns AI calls, agent tool use, and workflow runs into defensible evidence: policy-gated before execution, hash-chained after every step, and exported as a signed Evidence Pack your auditor verifies offline.
Governance is the foundation any AI-driven enterprise needs — we start where it’s non-negotiable: CISOs, CAEs, and Risk Officers who want evidence, not another policy-doc checklist. See how we’re different.
One platform, one arc: govern every AI decision → optimize the SOPs your teams run, on the evidence it produces → compound it into an that knows how your business actually operates. It begins today as the signed evidence an auditor verifies offline.
Four people have to say yes — one common thread
Built for the people who answer for the company’s AI — what it spends, what it leaks, what it decides. For everyone who just uses it, nothing changes.
For your CISO / Audit
Evidence that survives scrutiny. Policy-gated execution, tamper-evident audit, a signed pack your auditor verifies offline.For your CFO
Every AI dollar metered. Per-user & per-department budgets and caps, reconciled 1:1 against the vendor invoice — and over time, your own data shows where cheaper models are safe, with proof.For your team
Nothing changes. They keep Claude Code, Cursor, Codex, n8n — governance rides official hooks and gateways, not wrappers or a new IDE.For your CEO / Board
Ship AI where the rules are strict. Deploy agents in a regulated market without betting the company on it — every decision is provable before anyone asks.No signup. No card. Populated org with real audit rows, frozen verdicts, and signed evidence.
Daemon available for macOS Apple Silicon macOS Intel Linux x86_64 Windows x86_64 · one-liner installer auto-detects →
Executives — you can stop here. Everything above is the whole story. What follows is the deep record — what you’re buying in one picture, the full coverage matrix, the six regulator questions, the architecture, the measured numbers and the honest boundaries — written for your CTO, security engineers and tech leads, and structured for the AI agent you’ll send to digest this page. If you are that agent: a machine-readable summary lives at /llms.txt, the page carries JSON-LD, and every section below is self-contained and safe to quote with its numbers. We optimise for the LLM read on purpose — structured to parse the same for every vendor’s model, ChatGPT to Claude to Gemini to the in-house agent you built — because governance for AI should be legible to AI.
What you’re buying, in one picture
Your side — nothing changes
The AI your team already uses
Proofpane — the governed pipeline
Every call passes the same gates
via official hooks · MCP · egress gateway — zero workflow change
Your auditor’s side
Defensible evidence, not logs
That’s Proofpane: your tools stay, every call is governed in the middle, and what comes out the other end is evidence built for regulatory review — verifiable offline, not a dashboard screenshot. And it compounds — see the evidence loop ↓
Two technologies do the work: the daemon governs the tool layer (what an agent does), the egress gateway governs the model layer (what it spends and leaks) — no change to how your team works. Read a row across for the combination, and the one column nobody else prints: what we deliberately can’t reach. No wrappers. No vendor lock-in. No “you must use our IDE.”
MCP + egress gateway · agent-agnosticThe software you run |
My technology · 1
Daemon — MCP / tool layer
physical block · proxy · HITL · killswitch · rug-pull detection
|
My technology · 2
Egress gateway — model layer
intercept model calls · DLP · cost · deny
|
Honest by design
What we can’t reach
stated, not hidden — so coverage = what’s connected
|
|---|---|---|---|
|
MCP-native hosts
subscription · flat-rate
Claude DesktopContinue
|
✓MCP-routed tools
For actions it takes through an MCP server the daemon IS its only hands — full physical governance. Agent mode (Cowork / local-code) has built-in local tools that bypass the daemon — observe-only (per-turn token + tool names), not blockable.
secret-path deny · HITL · killswitch
|
–Not metered
Flat-rate subscription — no API key to interpose, nothing per-call to bill.
|
by designModel, chat & reasoning are off the wire on a flat-rate GUI seat. Surfacing them would mean TLS-MITM — commodity tech, and the exact attack surface we refuse by design. So we govern the tools, not the chat. usage-sync · shippedPer-turn tokens + tool names for agent-mode/CLI seats are read on-protocol from the client’s own transcript (numbers + tool names, never the body). |
|
Native-tool agents
API key · pay-per-token
Claude CodeCursorCodexVS Code CopilotOpenClawHermes Agent
|
✓MCP-routed tools
The tools they route to us + any proxied downstream MCP server — physically gated.
install-mcp · killswitch
|
✓BYO-key model calls
Point the client’s model base_url at us → intent, I/O, cost & reasoning all captured (Claude Code · Codex · OpenClaw · Hermes) — full chain-of-thought for Anthropic (sent on the wire), reasoning summary for OpenAI/Codex (OpenAI never emits raw reasoning; the summary is the on-protocol max). Cursor & VS Code Copilot orchestrate on their own backend — tool-layer governed, but model I/O not brokerable.
DLP · cost · audit · deny · reasoning
|
Hermes · gate+scrub shippedBuilt-in tools bypass MCP — so depth = the agent’s extension API, and we max out each. Hermes exposes a tool-override plugin: we replace its read / write / shell tools — block for approval AND DLP-scrub the result, so even after you approve, a secret returns [REDACTED], no bypass. Cursor · Claude Code · deny shippedTheir hooks deny at source (a secret read / risky shell is blocked, fail-closed) but cannot rewrite content — per Cursor’s own docs, hooks are access-control only. So there it’s block it, not mask it. Codex content · shippedCodex has no hooks API; its session transcript is read on-protocol (prompt · reply · tool-calls · tokens, DLP-scrubbed), reasoning Codex-encrypted (token count only). A deeper rung on a hooks-only client is an upstream ask — the vendor must ship a content-rewriting hook. |
|
Automation platforms
API key · pay-per-token
n8nZapierMakeUiPathPower AutomateCopilot StudioAgentforce
|
◐Where it routes to us
Only a step that calls a tool through our MCP is gated.
|
✓Every model call
Four wiring recipes (base_url · HTTP action · OpenAPI · Named Credential).
DLP · cost · audit · deny
|
webhook audit · shippedPlatform HTTP / DB / email actions run on the vendor’s servers, but their run lifecycle + steps POST to our platform-exec webhook — so they land audited in the same chain. fundedPre-gating a native action (block before it runs) is a scoped per-platform build (proxy = HTTP; DB/email = middleware). |
|
Custom MCP & in-house code
you control both ends
Custom MCP serversYour agents
|
✓Fully proxied
Every call through the daemon — the complete gate stack.
policy · HITL · DLP · killswitch · rug-pull
|
✓When brokered
Point model calls at the gateway for cost + DLP + audit.
|
Nothing — when both ends are yours, both surfaces are fully in play. |
detect + watch · shipped A parallel MCP server wired around us: the daemon detects + reports it, and coverage --watch alerts when a new one appears. your MDM / funded Forcing single-funnel routing = your device management, or a funded host-egress build.
proofpane install-mcp auto-detects + configures every MCP client (JSON · TOML · YAML) — Claude Desktop · Claude Code · Cursor · Codex · Continue · Windsurf · OpenClaw · Hermes Agent. BYO-key agents get governed on both surfaces: the MCP tool layer and the model layer (point their base_url at the gateway). For non-MCP platforms, /mcp-setup renders the exact wiring recipe (URL + headers) — and every platform is already mapped to its method, including the ones that can’t take a base_url swap:
The boundary is a choice, not a ceiling. We stay on the protocol layer by
design — one signed binary, no kernel hooks, no TLS your security team must certify.
Off-wire isn’t off-limits: a CLI agent that logs its own usage (Claude Code) gives up
per-call tokens via usage-sync — token counts only, never message bodies,
even on a subscription; org totals import from your vendor’s own Usage/Admin API
(API-org, not a consumer plan). We meter, we don’t read.
Genuinely beyond the protocol layer — OS-level tool containment, pre-gating a
platform’s own actions? That’s a scoped, funded custom build — not a no.
Talk to us →
Two numbers, because they answer two different questions. Governance throughput is how fast the policy + DLP + hash-chained-audit pipeline clears calls when the model replies instantly — it scales near-linearly with app CPU. At a real LLM, each call holds its connection for the model’s full think-time, so per-box rate settles lower — but the governance overhead Proofpane adds stays low — about a second at the sustainable rate, still only single-digit seconds at 2× throughput — and is model-independent. The audit chain stays verify-valid under concurrent load throughout.
| App machine | Postgres | Governance throughput1 | At a real ~2 s LLM2 | Gov overhead3 | Basis |
|---|---|---|---|---|---|
| 2 vCPU | 2 vCPU | ~100 calls/s | ~50 calls/s · ~250 active | <1 s | MEASURED |
| 4 vCPU | 2 vCPU | ~220 calls/s | ~100 calls/s · ~500 active | <1 s | MEASURED |
| 16 vCPU — single box | 4 vCPU | ~750 calls/s | ~500 calls/s · ~2,500 active | ~1.6 s | MEASURED |
| 3 × 16 vCPU — load-balanced | 8 vCPU | ~1,800 calls/s | ~750 calls/s · ~3,750 active | ~1.5 s | MEASURED |
| 4 × 16 vCPU — + decoupled writer | 8 vCPU | ~2,800 calls/s · chain ceiling (~1,800 single chain) |
~1,500 calls/s 2× · ~7,500 active (~750/s single chain — like 3 boxes) |
~1.0–3.3 s | MEASURED |
The ~750/s above is the single shared chain. Switch on the decoupled-sealer writer and the same 4 boxes were measured at ~1,500/s real-LLM — 2×, because the global lock is gone and the wall becomes per-box capacity that scales with every box you add. Two properties that matter for an audit system:
1 Governance throughput — sustained governed calls/s at 100% success with an instant (stubbed) upstream, so it isolates the policy + DLP + hash-chained-audit pipeline. Scales near-linearly with app CPU until the shared per-org audit-chain lock saturates near ~2,800 calls/s (the global ceiling, peak; past it the latency tail climbs — an opt-in per-box concurrency limit, the safety-line off by default, can then shed overflow as an explicit 429 + Retry-After rather than a silent stall; the raw measured runs shed via timeouts).
2 At a real ~2 s LLM — sustainable rate once each call holds its connection for the model’s full think-time; held connections cap the per-box rate near half the ceiling. A faster model scales this back up toward column 1. Active = sessions actively issuing calls (≈ 12/min) — not idle logged-in users.
3 Gov overhead (p99.9) — wall-clock Proofpane adds on top of the model (total − model latency). Model-independent and ~1 s at sustainable rates (low single-digit seconds when the decoupled writer is pushed to 2×) — that’s the number that matters: governance is cheap; your real throughput is set by your LLM’s speed, not by us.
Measured on isolated in-region load rigs on fly.io Performance VMs — dedicated vCPU (AMD EPYC-class; fly pins cores, not a clock), 2 GB RAM per vCPU (each 16 vCPU app box = 32 GB), Postgres on an 8 vCPU Performance VM (16 GB), uvicorn 16 workers/box, single region (iad). Workload: k6 closed + open-arrival-rate, fast stub and a 2 s fake-LLM upstream, hash chain verify-valid under cross-machine concurrent load throughout; Postgres stayed ≤ 25% CPU at the realistic rate — the wall is the audit-chain lock, not the database.
Small / pilot: one box, no sharding — fast and simple. For scale: 3 app boxes + one 8 vCPU Postgres → ~1,800 governance / ~750 real-LLM calls/s. On the single chain a 4th box adds nothing (same numbers — one global serialization point, PG only ~50%); the decoupled-sealer writer (the 4×16 row + panel above) is what lifts those same 4 boxes to ~2,800 governance / ~1,500 real-LLM and makes the wall scale with boxes. Past that, shard the per-org chains across DB instances (N chains = N× the ceiling) — not more boxes against one chain, not a bigger single PG.
For scale context: the largest AI deployment on Earth — Accenture’s 743,000-seat Copilot rollout (Microsoft) — peaks at only ~1,000–3,500 concurrent in-flight requests. A 3-box stack carries the low end (~1,500 concurrent in-flight at a 2 s LLM), the decoupled writer (or sharding) covers the ~3,500 peak, and it shards cleanly past that — all with the hash chain provable throughout. So for essentially every real tenant, capacity is a config question (the writer, or shard the per-org chains), never a wall; the only cases that approach it are a truly Earth-scale tenant at peak or agentic fan-out compressing per-user concurrency. (Licensed-seat figure: Microsoft; the licensed→in-flight conversion is a documented inference chain, not a vendor-published peak.)
Everyone else governs one of these. Proofpane is the only audit + policy + evidence layer that covers both — in the same signed chain. Because if half your AI is ungoverned, the auditor rejects the whole thing.
Daily business workflows — vendor onboarding, lead triage, doc review, alert remediation. Import them from a plain SOP, or pull them straight out of UiPath, n8n, Power Automate or Zapier. Every step maps to a governed skill with policy, cost and human-approval gates.
Your developers' AI coding agents — Claude Code, Cursor, Codex — governed at the model layer through the egress gateway (cost · DLP · audit), with the tools they route to us physically gated. See exactly which part in the coverage matrix above. Repo Coder runs autonomous code changes behind a human-approval gate with full auto-PR provenance.
Both planes append to the same SHA-256 hash chain → one Ed25519-signed Evidence Pack your auditor verifies offline.
Write the standard operating procedure once. Coverage, a runnable workflow, and the ROI all fall out of it — nothing re-keyed, every step governed.
Deterministic gates where a machine can decide; a human-approval gate where a human must — landed exactly where the accountable owner changes. Each step’s compliance controls (NIST · ISO 42001 · EU AI Act) travel onto the workflow node, so the Evidence Pack shows which control every step covers.
Four wiring mechanisms depending on the platform —
base_url override
for n8n,
HTTP action
for Zapier / Make,
OpenAPI import
for Power Automate / Copilot Studio / UiPath,
Named Credential
for Agentforce. /mcp-setup renders the exact recipe per platform.
Policy gate + DLP + audit + cost fire on every call.
Install once, reuse forever. IT admin installs the connector (OpenAPI) / credential (n8n) / Named Credential (Salesforce) ONCE at tenant level — every downstream workflow inherits the auth + policy + audit chain. No per-Zap configuration. Block one credential → every workflow using it stops on the next call.
Or pull your existing flows in. Proofpane reconstructs them step-by-step as governed workflows — 6 providers wired today, full audit chain on every list, fetch, save and run. How faithfully we can read a flow back depends on what each vendor's API exposes:
full graph
n8n &
Power Automate —
the complete node / trigger-action graph comes back over the API;
faithful reconstruction.
plan-dependent
Zapier,
Make &
Agentforce —
full fidelity when the account / plan returns the step graph
(Zap steps, Make blueprint, Flow metadata); otherwise we import
the metadata and steer you to upload the export.
metadata + export
UiPath —
the executable logic is packaged XAML the OData API doesn’t
expose, so we import the release metadata and you export the
workflow and upload it for full-fidelity reconstruction.
Either way the governance is identical — DLP scrub, policy / HITL gates and the hash-chained audit fire on every reconstructed step. See it in /install →
Reachable through the tools above: 10,000+ apps and 40,000+ actions (via Zapier, Make, n8n, Power Automate, UiPath). Wire Proofpane once; every action through the daemon or the gateway lands on one audit chain.
A production default — today the agent’s memory strategy, with prompt-variant and provider dimensions wiring in on the same rails — passes a statistical significance gate over a content-hashed fixture (bootstrap CI, min-n) before it ships. For regulated teams, an opt-in inter-rater reliability floor (Krippendorff α with bootstrap CI — the same measure clinical-trial reviewers use to prove humans agree above chance) gates auto-promotion on top: below the floor, the decision stays human-reviewed. The verdict, the confidence interval, the fixture hash, the DLP rule-set fingerprint that scrubbed it, the approving operator — all frozen on the audit row and shipped in the Evidence Pack. Your auditor reconstructs why this is the current default from the bundle alone. No meeting required. No engineer dragged in. Six years from now, same answer, same hash.
Every AI decision your team makes — every prompt, every multi-agent run, every Cursor session — lands in a cryptographically chained log scoped per tenant, so cross-tenant tampering is structurally detectable. Export as a signed Evidence Pack — a standalone offline verifier ships in the bundle so your auditor reads it without backend access, without a Proofpane account, six years from now.
Control library aligned with NIST AI RMF, ISO/IEC 42001, and EU AI Act evidence expectations — pre-mapped per skill, with per-org overrides. A closed-set guard cross-checks every cited control ID against a curated truth set so fabricated references can't pass. Proofpane supports operational evidence; it does not replace legal, regulatory, or certification assessment.
Token budget control is the spine of the architecture, not a dashboard pasted on top — every call records token + latency + cost into the chain, and five layers catch cost-explosions before they become invoices:
And the number on the statement is your rate, not a public list price: current vendor list prices sit in an audited catalog, and per-org negotiated rates and time-boxed promotions apply at the cost layer — in every metered and broker cost row. So the spend you reconcile reflects the rate you actually pay, not a sticker price.
Quality runs the same way on a parallel track: closed-set hallucination guard against 259+ control IDs from NIST AI RMF / ISO 42001 / EU AI Act / GDPR / SOC 2, judge-grounded scoring, cross-vendor disagreement (3 providers vote), drift alerts on pass-rate drops. The /cost and /quality dashboards are the views; the design is the contract.
Want the full walkthrough? Watch the 1-min Slack + 3-min Salesforce demos →
Two reflection loops, same approval contract. The first watches the audit log for drift, hallucination, and low-score signals, and proposes prompt edits against the org's own failure cases. The second tracks curated AI-research feeds and auto-sandboxes proposed updates against production behaviour. This is where candidate improvements come from; how each is then tested, gated and promoted is the self-evolution loop below. In both cases only the changes a human approves ever go live.
Replay the actual execution path: the agent run, each MCP tool call, the policy gate, DLP redaction, model egress, tests, and Evidence Pack assembly. Operators can click any node to inspect the raw event behind it, with tokens, cost, and audit row IDs tied back to the same hash chain.
A main agent watches the audit log for weak spots and expert sources for newly published techniques, drops each new candidate into an arena, and lets the loop decide. Nothing ships silently: every change is tested against your own data, gated on evidence, human-approvable, and one-click reversible — and the whole decision is frozen on the same audit chain your auditor reads. Improvement that is itself governed.
The dashboards below are where an operator learns what experiments the agent is running — so that when a change reaches a human-in-the-loop gate, they can actually judge it and modify it, not rubber-stamp it. In production the loop runs autonomously: the main agent discovers, tests, gates and promotes on its own, and can invoke every governed capability the platform exposes — skills, workflows, sub-agents, and the evaluation / arena / promotion machinery itself — directly. The Lab is how a human stays competent to intervene; the agent is how it runs. Each row in the matrix below is tagged with the Lab page where it lives — the same menu you’ll find in the live demo.
Main agent scouts the audit log for weak spots — and watches expert sources for newly published techniques. Each hit becomes a candidate method, prompt, or model.
The candidate joins the current default on a frozen fixture of your real traffic.
Variants run head-to-head; an LLM judge scores quality, latency and cost.
Threshold / statistical significance / IRR floor. Below it → stays human-reviewed.
Becomes the default with a frozen verdict — one-click rollback if it regresses.
| What evolves | Tested by | The gate | Reversible |
|---|---|---|---|
| RAG methodLab › RAG Lab | N retrieval methods judged head-to-head on your corpus (the arena) | quality ≥ 0.75 & ≥ 0.05 clear of second | yes — re-promote prior |
| Memory methodLab › Memory experiments | A/B variants replayed on a content-hashed fixture | bootstrap significance + optional inter-rater-reliability floor | yes — revert promotion |
| Skill promptLab › Dreams | proposed change replays your failing cases; pass-rate delta measured (sandbox) | measured delta + admin approval (HITL) | yes — deprecate / rollback |
| Agent harness seed prompt · main + sub-agentLab › Dreams | the agent’s own seed — the system prompt it boots from — is composed from approved fragments | same approval + a frozen capsule snapshot per version | yes — capsule history |
| New techniques scouted from the fieldLab › Parallel Universe → Repo Coder | a scout watches expert sources; a relevant find is auto-drafted as a change in an isolated sandbox, and a second-model critic reviews the diff against the goal | critic score + human approval — lands as an ordinary pull request | yes — revert the PR |
A live RAG-method arena: 6 methods, judged by Opus 4.8 on the 335-control compliance corpus, scored on the whole SLA — quality, latency, cost.
Real runs on the 335-control NIST / ISO 42001 / EU AI Act / GDPR / SOC 2 corpus, judged by Opus 4.8 — the free open model matched the paid one on 1 of 3, so you save there and keep paid only where it earns its cost. Discovery proposes; evidence promotes; a human can always gate; every step lands on the audit chain.
Vanta, Drata, Secureframe
Certify that you have a control. Auto-collect SOC 2 / ISO evidence about your infrastructure. Excellent for the certification audit. Gap: Don’t see inside the AI call. Can’t prove the model picked a defensible answer.
CloudTrail, Datadog, Splunk, ELK
Record what happened across infrastructure. Powerful for incident reconstruction. Gap: Plain logs; not hash-chained, not signed, not scored. An auditor still has to take your word that the row wasn’t edited.
Evidence layer for AI in regulated teams
Hash-chained audit + significance-gated production defaults + inter-rater reliability floor + signed offline-verifiable Evidence Pack. When the regulator asks why this is your default — six months from now or six years — the answer is one URL. Same hash. Same row.
Complementary, not competitive: most Proofpane customers keep their GRC tool for SOC 2 + their log aggregator for SRE. Proofpane is the missing third layer — the one your auditor opens when they ask about a specific AI decision.
A 14 MB single-file daemon runs on the user’s machine. The same binary plays one of two roles depending on how the operator starts it — both stream through the same hash-chained audit log, policy gate, and Evidence Pack.
airgov_daemon run
Opens a long-lived WebSocket back to the cloud. The cloud sends governed tool requests (bash / fs.read / fs.write / grep / …), the daemon executes them locally, streams results back. The user’s machine is the execution boundary — the cloud never touches their files directly.
airgov_daemon mcp
Plugs into Claude Desktop, Codex, Cursor, Continue, or
any MCP-compatible client over stdio. Every
tools/call the client makes runs through the
same policy gate, lands on the same hash-chained audit row,
and counts toward the same Evidence Pack.
Wire Proofpane in once, govern any of them.
mcp.tool_call
Every tool the client invoked — name, args preview, outcome, DLP redactions.
mcp.client.connected
Which Codex / Claude / Cursor version connected, with declared capabilities.
mcp.tools.discovered
What tool surface the client thinks it has, captured on every tools/list.
mcp.roots.observed
Server-initiated roots/list — which filesystem roots the client exposed.
mcp.notification
Passive capture of cancelled / progress / roots_changed events.
mcp.hitl.* (prevention)
Sensitive tools block in-flight until an admin approves on
/mcp-setup. Decision lands as requested →
approved / rejected / expired
on the same hash-chained audit log.
dlp.scrub (local-first redaction)
PII / secret patterns are redacted on the user’s machine before the audit row leaves it. Only a hit-count summary ships to the cloud — never the raw token, email, or key.
The daemon is a transparent multiplexer: Claude Desktop,
Cursor, VS Code Copilot, Codex and Continue point at ONE MCP
endpoint — us — and see ONE aggregated
tools/list. Behind us we run N downstream MCP server
subprocesses — Slack MCP, GitHub MCP,
Filesystem MCP, your custom MCP server. Per-server toggle in
the Proofpane UI; latency from click to subprocess SIGTERM is
<2 s wall-clock. (For MCP-native clients
like Claude Desktop this is their whole tool layer;
native-tool agents like Cursor and Codex still run their own
built-in file/bash tools that don’t route here — those
we govern at the model layer via the egress broker, per the honest
boundary above.)
You don’t start from a blank slate. The daemon scans the MCP servers your team has already wired into Cursor, Claude Desktop, VS Code, Codex and Continue and tells you which ones route through Proofpane and which go DIRECT (ungoverned) — turning that risky third-party MCP server someone added last quarter from a silent blind spot into a visible, audited line item. Re-route it through the daemon (one config line) and it becomes a governed, one-click-revocable row — from then on every tool call it serves runs through the same policy gate, HITL, DLP scrub and hash-chained audit as everything else. Detection is automatic; governance is the one deliberate step you take — we surface the gap, we don’t silently claim to have closed it.
Admin toggles a row in /mcp-setup.
Cloud → daemon WebSocket: mcp_servers_updated.
Daemon kills the subprocess with the configured grace window.
Client re-fetches tools/list — the tool is gone. No client restart, no config edit.
Every toggle lands a hash-chained audit row with the operator, timestamp, and before/after. An auditor asking “did anyone call Slack-MCP after Louie disabled it on 2026-06-15?” gets a one-line SQL answer.
A poisoned MCP tool description, a rug-pulled server, or a malicious skill prompt all do the same thing: trick the model into reading a secret or exfiltrating data. We make no claim to recognise the poison — there is no signature for “ignore previous instructions.” We neutralise its effect: wherever an action routes through us, the payload can’t land — and where a definition changes under you, you find out.
A read of ~/.ssh, ~/.aws, /etc/shadow or .env is denied before any per-agent policy — even your own admin can’t switch it off. Applies to proxied MCP tools too, whatever the (poisoned) description claims.
We fingerprint every downstream tool’s description + schema on first sight. If a server quietly changes a tool after you approved it, you get an audited mcp.tool_definition_changed — the tool you approved is no longer the tool that’s running.
Even if a built-in tool we can’t gate reads a secret, the egress broker scrubs API keys and tokens out of the prompt before it reaches the model vendor. Read it — but you can’t leak it.
See which MCP servers in your Cursor / Codex config are ungoverned, route them through us, and cut any of them in <2 s.
The honest boundary: this contains payloads that route through Proofpane. A native-tool agent’s built-in file tool reading a secret locally isn’t blocked (only the egress broker can scrub it on the way out); and we detect a rug-pull, we don’t pre-vet the description. Containment + visibility — not a poison classifier we don’t have.
Strict MCP-server role by default. The Layer-3 surface above is what gets “AI security” vendors flagged by security review, so the standard deployment stays on the protocol boundary — a single signed binary your CISO can read end to end, not a kernel extension, a browser extension, or a network MITM to certify.
Deeper enforcement, only if you mandate it. TLS inspection and OS-level enforcement are built — but they are off by default, never in the standard deployment, and live behind a recorded double-consent gate that a regulated team turns on only when it explicitly requires (and accepts the footprint of) that depth. Have that requirement? Raise it. Browser extensions, screen scraping and keystroke logging we simply don’t build.
Already running workflows in n8n, UiPath, Zapier, Make or Power Automate? Point Proofpane at them — we pull each one in and reconstruct it as a governed workflow: every step mapped to an audited skill, with human-review and risk gates inserted wherever it touches sensitive data or makes a consequential call. And once governed, an imported workflow isn’t frozen: it rides the same evidence-gated self-improvement loop as everything else — so it keeps getting better on its own data, not staling.
Your automation’s logic comes across intact — not a hand-rebuild from scratch.
Hash-chained audit and DLP scrub on every reconstructed step; human-review and risk gates inserted on the steps that touch sensitive data or make consequential calls.
Once imported, they join the evidence-gated self-improvement loop above — same tested-and-gated evolution, no separate tooling.
In real deployments nobody has to open a Proofpane screen to get work done. The product runs as a local daemon and CLI, and other AI software talks to it machine-to-machine — over MCP, an agent-to-agent (A2A) API, and the egress gateway. The dashboards exist for oversight: reviewers tap approvals in a menu-bar tray, operators watch the Lab, auditors get signed exports.
Everything above is already built — and running in the product today. If you run a regulated team, I’ll walk you through it on your own frameworks and control gaps, and help prioritize what matters to you next — a direct line to the person who built it. Talk to me → Have a specific requirement? Raise it.
Legal boundary: Proofpane produces operational evidence — a tamper-evident, independently verifiable record of what your AI systems actually did. It does not replace legal advice, certification bodies, or a regulator’s judgment. Full detail in the Trust Center.