Deterministic governance for AI agents — no LLM in the safety path

[nagasatish007]

Hi @simon — built something you might find interesting given your writing on the lethal trifecta for AI agents.

TealTiger is an open-source (Apache 2.0) governance SDK that wraps AI agent execution with deterministic policy enforcement. The key design choice: zero LLM in the governance path.

What it does:

• Typed policy decisions with risk scores and reason codes
• Fail-closed defaults with "most restrictive action wins" merge
• Secret detection (500+ patterns) to prevent data leakage
• Circuit breakers and cost budgets to prevent runaway agents
• SARIF v2.1.0 evidence export for auditability
• Works with 7 providers (OpenAI, Anthropic, Gemini, Bedrock, Azure, Cohere, Mistral)

It's the kind of thing that sits between the agent and the tools — enforcing policy at the SDK layer before actions execute. Addresses the "excessive permissions" leg of the trifecta.

PyPI/npm: tealtiger (v1.2)
GitHub: https://github.com/agentguard-ai/tealtiger
Docs : https://docs.tealtiger.ai

Would love your take on the approach.

[musaabhasan]

The strongest part of this design is keeping governance outside the model path. For an llm ecosystem integration, I would make the boundary explicit at two points: before tool/model execution and after output generation.

Before execution, the policy layer should return a typed decision such as allow, deny, redact, require_confirmation, or route_to_safer_profile, with stable reason codes. After execution, it should inspect outputs for secret leakage, unsafe tool results, policy violations, and evidence export.

A few details would make this easier to trust in real workflows:

• dry-run mode that records what would have been blocked without changing behavior
• deterministic test fixtures for policies, so teams can unit-test governance changes
• machine-readable capability manifests for tools/providers
• explicit handling for policy conflicts, where the most restrictive decision wins
• SARIF or JSON evidence that can be attached to CI, PRs, or incident reviews

That would make the system useful beyond one agent framework, because the governance contract becomes portable even when the model, tool runner, or provider changes.