Your tools already work. Your copilots already work. ACE is the governance layer that knows what happens when they talk to each other.
Architecture
ACE sits between developer tools and delivery infrastructure. Every interaction crosses the governance spine. Nothing bypasses it.
Six integrated services. One governance spine. Every boundary crossing inspected, routed, and recorded.
Three-Directional Security
Traditional access control asks "can this agent reach this service?" ACE asks "can this agent return this content to this requestor at this sensitivity level?"
Per-request content-aware authorization. Agents get a ceiling scoped to the task — not a copy of the developer's role. The ceiling can only tighten, never loosen.
VIGIL evaluates every boundary crossing against seven factors: identity, capability, content sensitivity, destination trust, temporal context, provenance chain, and cumulative exposure. A request that passes six factors but fails the seventh is blocked.
Inspect what enters before agents consume it. XSS payloads in Jira tickets, poisoned MCP tool responses, prompt injection in email bodies — caught at the boundary, not after processing.
Inbound content passes through adversarial inspection before it reaches any agent context window. Known attack patterns, encoding tricks, and structural anomalies are flagged and quarantined. The agent never sees the payload.
Inspect what leaves — even when the agent doesn't know it's leaking. Outbound content checked against sensitivity ceilings before it crosses any boundary.
Every outbound channel — API calls, tool invocations, email, webhook posts — is inspected for content that exceeds the sensitivity ceiling of the destination. Exfiltration through side channels (DNS, encoded payloads, incremental leakage) is detected by cumulative exposure tracking.
Core Components
Each component is an independent service with its own API, its own tests, and its own deployment. Together they form the spine that governs every agent interaction.
Capability-Aware Intent Routing
Policy-weighted routing engine with RIB/FIB architecture — like BGP for agents. Agents declare intents; CROWN routes to the optimal provider by policy. Local model for cheap tasks, cloud for hard ones. Swap providers by updating a routing weight, not rewriting code.
Content-Aware Authorization
Seven-factor evaluation model for every boundary crossing. Sensitivity ceilings that can only tighten. Graduated trust ramp across four stages — from full human oversight to earned autonomy. Adversarial inspection and sensitivity analysis on every request.
Cryptographic Agent Identity
Ephemeral JWT tokens with short TTLs. OAuth2/OIDC for machine-to-machine auth. Enterprise IdP bridge — works with Teleport, Okta, Entra ID, or any OIDC-compliant provider. Agents get cryptographic identities, not shared secrets.
Tamper-Evident Audit Trail
Hash-linked provenance chains for every agent action. Attestation types for every boundary crossing. Reconstruct exactly what any agent saw, decided, and did — with cryptographic proof that the record hasn't been altered.
Governed Multi-Agent Communication
Switchboard architecture with boundary inspection on every message. Human-in-the-loop gates on high-impact actions. N2C (network-to-chat), N2A (network-to-agent), and A2A (agent-to-agent) communication patterns — all auditable.
Dynamic Agent Configuration Protocol
DHCP-like leases for agent capacity. Agents request capabilities; DACP negotiates what they're allowed based on current policy, load, and trust level. Leases expire. Capabilities are revocable. No standing permissions.
Capabilities
The platform watches itself. The same governance spine that inspects agent behavior inspects its own services. Anomalies in the governance layer are caught by the governance layer.
Governance improves over time. Four-stage trust ramp: full oversight, supervised autonomy, conditional autonomy, earned autonomy. Evidence-based progression — not time-based.
Multi-organization collaboration without shared infrastructure. Each org runs its own spine. Federated trust policies govern cross-boundary interactions. No shared databases, no shared secrets.
Docker, Git, Jira, AWS, Prometheus, Grafana, Loki, email — governed. Works with your identity provider. Works with your agents. Works with your infrastructure. SMB or enterprise.
Built with the governance we ship. Tested on the infrastructure we run.