Early validation · design partners only

Agent runtime infrastructure for regulated production environments.

Where execution, identity, lifecycle authority, and audit-grade evidence are inseparable. Self-hosted. Customer-owned. Not managed by us.

  • Customer-owned — VPC, on-premise, air-gapped
  • Durable execution — session persistence, resumable runs
  • Compliance-grade evidence — tamper-evident, not a debugging trace
  • Harness-agnostic — enforces regardless of framework or model

Primary target: Regulated ISVs embedding agents in enterprise products — cybersecurity · fintech · healthcare IT · financial software · compliance software

Expansion: Banking · payments · insurance · asset management · healthcare enterprises

The production gap

Two problems converge as agents move to production. No production-ready answer solves both — and building it internally is a year-long platform project.

Compliance teams need answers before any deployment. The engineering assumptions that worked for microservices break in specific ways for agents. Most teams discover this only after they have already started building the platform themselves.

The governance problem

Compliance and security teams need answers before any regulated deployment.

Who authorised this agent? Which version is running? Which tenant's data is it touching? Can it be stopped precisely? Can you prove what happened without calling your vendor? These are not feature requests. They are deployment conditions — and ISV product revenue stalls behind every one of them.

The engineering problem

Agents are not microservices. The production model breaks in specific ways.

Behaviour drifts without a code change as models shift. LLM spend is non-deterministic — one misconfigured run can cost more than a microservice does in a month. Tool calls need delegated authority scoped to a specific human and tenant. Ultra-low-latency agents and multi-day workflows have opposite infrastructure requirements that the same runtime must serve.

Gap · No customer-owned enforcement

VPC isolation is not the same as customer-auditable enforcement.

Managed runtimes run inside vendor infrastructure the customer cannot inspect, pen-test independently, or verify without cooperation. For ISVs selling into regulated enterprises, this becomes a deal blocker.

Maps to Pillar 1 — Runtime

Gap · No machine identity at registration

You cannot govern what you cannot enumerate.

Agents deployed across teams and frameworks with no canonical record. No machine identity per agent. No dual attribution linking every action to an agent and the human whose authority was delegated.

Maps to Pillar 2 — Authority & Accountability

Gap · No scoped lifecycle control

Restarting everything is not an incident response plan.

Suspend a run. Cancel an agent. Kill a version. Drain a tenant. At whatever scope the incident requires — without touching what runs alongside. With operator identity, timestamp, and reason recorded.

Maps to Pillar 3 — Lifecycle Control

Gap · A trace is not an audit record

Observability shows what happened. It does not produce the evidence regulators require.

Engineering telemetry does not produce a hash-chained, tamper-evident, privacy-preserving record with dual attribution — who acted, under whose authority, for which tenant, provably unaltered.

Maps to Pillar 4 — Audit-Grade Evidence

The build trap

Teams that recognise the gap try to build it internally. They quickly discover it requires durable execution, execution-scope tenant isolation, harness agnosticism, and compliance-grade audit simultaneously — a dedicated platform team and a significant reorganisation. What they end up building is a worse version of cogward.

How cogward works

Register. Run. Govern. Control. Evidence. Intelligence.

Every production agent follows the same path. Nothing runs without it.

01

Register

Every agent declared before it runs: owner, framework, autonomy class, tenant scope, permitted tools and models, network and cloud access policy, data classification scope, resource budget, and lifecycle policy. Machine identity issued at registration — never borrowed from a user account. Every subsequent record carries dual attribution: agent and delegated human. This is the production contract — nothing runs without it.

02

Run

The agent executes inside cogward's controlled runtime envelope. Enforcement is framework-agnostic — network egress, filesystem access, tool and model calls, and resource consumption governed regardless of which framework or harness built the agent. Session state managed and persisted across restarts. Multi-agent delegation chains fully attributed — when one agent delegates to another, both identities appear in every record.

03

Govern

Every agent action — tool calls, model calls, external API access, data retrieval — evaluated against the production contract and current policy before it executes. Permitted actions proceed. Violations are blocked or escalated. Human-in-the-loop approval checkpoints enforced at the infrastructure layer: request, timeout, escalation, and resume-after-approval as infrastructure operations, not application logic.

04

Control

Operators can start, suspend, drain, or kill at any scope — a single run, a specific version, an entire customer — without touching what runs alongside. Resource controls enforce token budgets, cost limits, and detect loops independently of operator instruction. Before execution: version promotion, staged rollout, per-customer enablement, evaluation gates.

05

Evidence

The plane continuously produces two artifacts: an operational stream for engineering and platform teams, and a compliance record for GRC, auditors, and regulators. Both produced automatically. Neither requires additional instrumentation. The compliance record is hash-chained, tamper-evident, and independently verifiable inside the customer environment — without the runtime vendor as the source of truth.

06

Intelligence (Phase 2/3)

Once agents run through the plane at scale, the plane builds per-customer intelligence no monitoring tool can replicate — seeing identity, declared purpose, lifecycle state, policy, and outcome simultaneously. Engineering teams see drift before customers do. CTOs see estate-level performance. CFOs see cost attributed per agent and per tenant. GRC sees control coverage and audit readiness.

In practice

A fintech ISV deploys a KYC triage agent for enterprise customers.

The agent is registered with:

  • owner: compliance automation team
  • autonomy class: supervised autonomous
  • tenant scope: customer-specific
  • allowed tools: sanctions search, customer profile read, case note write
  • blocked tools: payment execution, account closure
  • model policy: approved models only, EU data residency
  • budget: per-tenant monthly limit
  • escalation policy: human approval for high-risk cases

During every run, the plane records: which user or workflow delegated authority, which agent acted, which tools were called, which policy was in effect, what was blocked or escalated, which tenant was affected, and what evidence exists for review.

If the agent misbehaves, the operator suspends that agent version for one tenant in one operation — without touching other agents or other customers.
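
The scenario above as a worked example of pre-execution enforcement and scoped suspension. This is an added example, not cogward's code or manifest schema: the class and field names, the tool identifiers, the `approved-model-eu` label and the deny-by-default rule for unlisted tools are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:  # field names are assumptions, not cogward's manifest schema
    agent: str
    version: str
    tenant: str
    allowed_tools: frozenset
    blocked_tools: frozenset
    approved_models: frozenset
    monthly_budget_usd: float

@dataclass(frozen=True)
class Action:
    agent: str
    version: str
    tenant: str
    delegator: str  # user or workflow whose authority was delegated
    tool: str
    model: str
    est_cost_usd: float
    high_risk: bool = False

class Plane:
    def __init__(self):
        self.contracts, self.suspended, self.spend, self.journal = {}, [], {}, []

    def register(self, c: Contract):
        self.contracts[(c.agent, c.version, c.tenant)] = c

    def suspend(self, operator, reason, agent=None, version=None, tenant=None):
        scope = (agent, version, tenant)  # None is a wildcard for that dimension
        if scope == (None, None, None):
            raise ValueError("refusing an unscoped suspend")
        self.suspended.append(scope)
        self.journal.append({"event": "suspend", "scope": scope,
                             "operator": operator, "reason": reason})

    def _is_suspended(self, a: Action) -> bool:
        key = (a.agent, a.version, a.tenant)
        return any(all(s is None or s == k for s, k in zip(scope, key))
                   for scope in self.suspended)

    def decide(self, a: Action) -> str:
        """Evaluate one action before it executes: permit, block or escalate."""
        c = self.contracts.get((a.agent, a.version, a.tenant))
        spent = self.spend.get(a.tenant, 0.0)
        if c is None:
            verdict, why = "block", "no contract for this agent, version and tenant"
        elif self._is_suspended(a):
            verdict, why = "block", "scope suspended by operator"
        elif a.tool in c.blocked_tools or a.tool not in c.allowed_tools:
            verdict, why = "block", "tool not permitted"  # unlisted tools are denied
        elif a.model not in c.approved_models:
            verdict, why = "block", "model not approved"
        elif spent + a.est_cost_usd > c.monthly_budget_usd:
            verdict, why = "block", "tenant budget exceeded"
        elif a.high_risk:
            verdict, why = "escalate", "human approval required"
        else:
            verdict, why = "permit", "within contract"
            self.spend[a.tenant] = spent + a.est_cost_usd
        self.journal.append({"event": "decision", "agent": a.agent, "version": a.version,
                             "delegator": a.delegator, "tenant": a.tenant,
                             "tool": a.tool, "verdict": verdict, "reason": why})
        return verdict

def demo():
    """Constructed run of the KYC triage scenario across two tenants."""
    plane = Plane()
    allowed = frozenset({"sanctions.search", "customer_profile.read", "case_note.write"})
    blocked = frozenset({"payment.execute", "account.close"})
    for tenant in ("tenant-a", "tenant-b"):
        plane.register(Contract("kyc-triage", "v3", tenant, allowed, blocked,
                                frozenset({"approved-model-eu"}), 100.0))
    def act(tenant, tool, high_risk=False):
        return plane.decide(Action("kyc-triage", "v3", tenant, "user:analyst-17",
                                   tool, "approved-model-eu", 0.5, high_risk))
    verdicts = [act("tenant-a", "sanctions.search"),
                act("tenant-a", "payment.execute"),
                act("tenant-a", "case_note.write", high_risk=True)]
    plane.suspend("operator:sre-4", "constructed incident",
                  agent="kyc-triage", version="v3", tenant="tenant-a")
    verdicts += [act("tenant-a", "sanctions.search"),  # suspended scope
                 act("tenant-b", "sanctions.search")]  # other tenant unaffected
    return verdicts, plane.journal

if __name__ == "__main__":
    print(demo()[0])
```

The journal returned by `demo()` holds the suspend event with operator and reason next to the per-action decisions, each naming both the agent and the delegator.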

Design partner programme

Regulated ISV running production agents and willing to co-design the runtime? You are who Phase 1 is built around.

What cogward provides

Five pillars. Every production agent. Every framework. Every tenant.

cogward does not replace your frameworks. Frameworks keep their native development model. cogward provides the governed runtime envelope — enforcing identity, egress, tools, model access, lifecycle state, and producing the evidence record below the framework layer, regardless of which framework or harness built the agent.

Pillar 1 · Runtime

Sandboxed execution envelope across the full workload spectrum — millisecond-response to multi-day autonomous. Token budgets, cost limits, loop detection, and circuit breakers enforced at the execution layer. Resource-controlled, scalable, tenant-isolated. Network egress, filesystem access, tool API egress, and agent identity enforced simultaneously below the framework layer.

Model access governed by the same enforcement model as tool access: which providers are permitted, which models, which tenants, data residency enforced at the boundary.

MCP gateway

Single authorisation point for every tool call; enforced in combination with egress controls.

Sandboxed execution

Process and network isolation per agent run; graduated profiles; violations recorded as security events.

Four-plane bypass resistance

Network egress, agent identity, filesystem access, tool API egress — all four must hold simultaneously.

Controlled execution envelope

The agent runs inside an execution envelope owned by the plane — not by the framework or a separately-operated component. Production controls are enforced below the framework layer regardless of agent code behaviour.

Model access governance

Which providers, which models, which tenants, data residency enforced. Same enforcement model as tool access.

Pillar 2 · Authority and Accountability

Machine identity issued at registration — never borrowed from a user account. Dual attribution: every action records both the agent and the human whose authority was delegated. Multi-agent delegation chains fully attributed. Autonomy classification at registration drives policy thresholds, HITL escalation, and audit routing. Security teams. Compliance. Risk committees.

Agent registry

Canonical inventory across every framework and team; one queryable record of the estate.

Workload identity & dual attribution

Machine identity per agent; every record carries both user (delegator) and agent (actor).

Autonomy class

User-delegated, supervised autonomous, or fully autonomous; classified at registration; drives policy thresholds, HITL escalation, audit routing.

Delegation chains (Phase 2)

When one agent delegates a subtask to another, both identities are attributed in the audit record and the sub-agent's permission boundary is constrained to the delegating agent's scope.

IAM federation

Okta, Entra, custom OIDC. No new identity silo.

Pillar 3 · Lifecycle Control

Before: version promotion, staged rollout, per-customer enablement, evaluation gates. During: suspend, drain, kill, rollback at any scope without touching what runs alongside. HITL approval checkpoints enforced at the infrastructure layer — request, timeout, escalation, and resume-after-approval as infrastructure operations, not application logic. Platform engineers. SREs. Risk committees.

Version governance applies to the full agent package — code, prompts, tools, model choice, and policy — not just source code. A prompt change can alter agent behaviour as much as a code change.

Agent versioning and staged promotion (Phase 2)

Version-controlled agent packages; evaluation gate before GA; per-tenant enablement; canary release.

Lifecycle state machine

Event-sourced; every transition operator-initiated, reason-recorded, evidence-linked.

Kill switch, drain, rollback

At run, agent, version, or tenant scope without affecting what runs alongside.

Resumability

Durable execution state persists across pod restarts and deployment events. A suspended agent resumes from its last recorded state.

Resource controls

Per-agent, per-tenant, per-run; enforced before consumption with circuit breakers and anomaly-triggered throttling.

Pre-execution policy (Phase 2)

Permit, block, escalate before every significant action.

Pillar 4 · Audit-Grade Evidence

cogward is the authoritative producer of agent execution evidence — hash-chained, tamper-evident, privacy-preserving, GDPR-compatible redaction model. Designed for audit and regulator submission. GRC systems, SIEMs, ticketing systems, and compliance platforms consume that evidence; they do not create it.

The compliance record and the events journal are separate artifacts. The events journal is for engineering and operations. The audit ledger is for regulators, auditors, and risk committees. Both are produced by the plane. Neither is a substitute for the other.

Hash-chained, tamper-evident audit log

Independently verifiable inside your environment — your auditors don't need to call a vendor API.

Three properties from the start

Dual attribution, privacy-preserving by construction, GDPR-compatible redaction model. Built into the record structure; cannot be retrofitted.

GRC export (Phase 2)

ServiceNow, Archer, Vanta, Hyperproof.

Forensic-grade replay (Phase 3)

From execution state, policy, and memory — not just a log diff.

Pillar 5 · Agent Estate Intelligence (Phase 2/3)

Once agents run through the plane at scale, the plane builds per-customer intelligence no monitoring tool can replicate — seeing identity, declared purpose, lifecycle state, policy, and outcome simultaneously. Cost attribution per agent and per tenant. Drift detection. Fleet patterns. Goal achievement tracking. Per-customer. No cross-tenant data sharing.

Engineering manager · CTO · CFO

Drift detection (Phase 3)

Cost, latency, tool sequence, goal achievement, policy escalation rate.

Fleet pattern intelligence (Phase 3)

Underutilisation, overload, correlated degradation, escalation hot spots.

Goal achievement tracking (Phase 2)

Declared goal, completion rate over time, per-agent and per-programme.

Air-gapped intelligence distribution (Phase 3)

Pre-trained behavioural model updates via the same channel as software releases.

Alongside the five pillars — engineering observability

The events journal is the real-time operational stream: every tool call, model call, policy decision, lifecycle event, token count, latency measurement, and failure reason. OTel-compatible. Exportable to Datadog, Splunk, and any OTel-compatible backend. For engineers and SREs — separate from the compliance ledger, same plane.

Knowledge systems, memory stores, MCP servers, model providers, evaluation frameworks, and agent development frameworks all sit beside or above the plane and depend on it. A memory store without runtime control cannot enforce tenant isolation. A kill switch without lifecycle authority is advisory. An auditor without audit-grade evidence cannot verify a compliance claim. Estate intelligence lives at the plane because the plane is where identity, purpose, and outcome are recorded together. Authority over the estate flows through one layer.

The agent ecosystem is fragmented across frameworks, models, tools, harnesses, evaluations, and knowledge systems — and it will remain fragmented. No single vendor will own all of those dimensions. What will not remain fragmented is the production runtime layer. Every agent, regardless of the framework it was built in or the model it calls or the tools it uses, must pass through one governed layer to do anything consequential in a regulated environment. Frameworks, models, tools, and knowledge systems are all evolving independently. The production runtime layer is where that fragmentation ends — and the entity that owns it becomes the centre of gravity for the entire estate.

Three evidence properties you cannot retrofit

The compliance record has three properties that have to be built in from the start.

These three properties cannot be added later by reformatting an existing log. They are decisions about how records are structured before any content is written. If a vendor tries to bolt them on after the fact, they will fail at least one auditor's question.

Dual attribution

Every record names the human whose authority was delegated AND the agent that acted.

On-behalf-of-user patterns conflate the two — the agent appears in the log as the user. That makes regulatory attribution materially harder, especially when auditors need to distinguish delegated human action from autonomous agent action. cogward records both, separately, on every event.

Privacy-preserving by construction

Sensitive content is referenced by hash and classification, not stored inline.

PHI, PII, financial transaction details — the record points to where the content was, with a classification tag, but the content itself is not inside the audit log. Your auditors can traverse the chain without expanding your regulatory blast radius. This is the record structure, not a filter applied after collection.

GDPR-compatible redaction without destroying evidence continuity

Sensitive payloads are stored outside the audit chain by reference. Redaction removes regulated content while preserving a verifiable tombstone and structural continuity of the evidence ledger.

When regulated content must be deleted, cogward removes the payload reference and preserves a verifiable structural position in the chain — a tombstone that maintains evidence continuity without retaining the regulated content. The evidence chain remains structurally verifiable. The regulated content is gone.
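
The three properties above in one small ledger, as an added example that is not cogward's audit event format: each record names agent and delegator, content lives outside the chain behind a hash reference with a classification tag, and redaction leaves a tombstone that still verifies. The record layout, the per-record nonce and all names are assumptions.

```python
import hashlib
import json
import os

GENESIS = "0" * 64  # "prev" value of the first record

def digest(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class Ledger:
    def __init__(self):
        self.records = []   # the audit chain
        self.payloads = {}  # sensitive content, kept outside the chain

    def append(self, agent, delegator, tenant, action, content, classification):
        ref = hashlib.sha256(content).hexdigest()
        self.payloads[ref] = content
        # The nonce stops payload_digest from being a guessable hash of
        # low-entropy PII once the reference itself has been removed.
        payload = {"ref": ref, "classification": classification,
                   "nonce": os.urandom(16).hex()}
        header = {"seq": len(self.records),
                  "prev": self.records[-1]["hash"] if self.records else GENESIS,
                  "agent": agent, "delegator": delegator,  # dual attribution
                  "tenant": tenant, "action": action}
        payload_digest = digest(payload)
        record = {"header": header, "payload": payload,
                  "payload_digest": payload_digest,
                  "hash": digest({"header": header, "payload_digest": payload_digest})}
        self.records.append(record)
        return record

    def redact(self, seq) -> int:
        """Erase the content behind record `seq`; return records tombstoned."""
        payload = self.records[seq]["payload"]
        if payload is None:
            return 0  # already a tombstone
        ref = payload["ref"]
        self.payloads.pop(ref, None)
        count = 0
        for rec in self.records:  # every record pointing at the erased content
            if rec["payload"] is not None and rec["payload"]["ref"] == ref:
                rec["payload"] = None  # only payload_digest stays behind
                count += 1
        return count

def verify(records, payloads):
    """Return [(seq, problem), ...]; an empty list means the chain verifies."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(records):
        header, payload = rec["header"], rec["payload"]
        if header["seq"] != i or header["prev"] != prev:
            problems.append((i, "broken link"))
        if not (header.get("agent") and header.get("delegator")):
            problems.append((i, "missing attribution"))
        if payload is not None:  # live record: reference and content must match
            if digest(payload) != rec["payload_digest"]:
                problems.append((i, "payload reference altered"))
            content = payloads.get(payload["ref"])
            if content is None or hashlib.sha256(content).hexdigest() != payload["ref"]:
                problems.append((i, "payload content missing or altered"))
        expected = digest({"header": header, "payload_digest": rec["payload_digest"]})
        if expected != rec["hash"]:
            problems.append((i, "record hash mismatch"))
        prev = rec["hash"]
    return problems

def demo():
    """Constructed sample events: verify, redact, verify, tamper, verify."""
    led = Ledger()
    who = ("agent:kyc-triage@v3", "user:analyst-17", "tenant-a")
    led.append(*who, "customer_profile.read", b'{"name": "Constructed Person"}', "PII")
    led.append(*who, "sanctions.search", b'{"query": "Constructed Person"}', "PII")
    led.append(*who, "case_note.write", b"no sanctions match", "INTERNAL")
    before = verify(led.records, led.payloads)
    tombstoned = led.redact(0)
    after_redaction = verify(led.records, led.payloads)
    led.records[1]["header"]["delegator"] = "user:someone-else"  # tampering
    after_tamper = verify(led.records, led.payloads)
    return before, tombstoned, after_redaction, after_tamper

if __name__ == "__main__":
    print(demo())
```

A chain like this detects edits only if its latest hash is anchored somewhere the ledger's writer cannot rewrite; otherwise the whole chain can be recomputed after a change.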

Customer-owned deployment

The runtime, policy layer, and audit record live inside the customer environment. BYOC first.

Cloud, framework, and model neutrality. The same governance model across AWS, Azure, GCP, and on-premise. Security teams can inspect and pen-test the enforcement layer. Auditors can verify evidence without vendor cooperation. Operational independence — the runtime operates without requiring connectivity to cogward's infrastructure. On-premise and air-gapped available when the market requires.

Tier A · Design partner preview

VPC / cloud‑isolated

Inside your own VPC on AWS, Azure, or GCP. Outbound egress only to declared tool endpoints — never to a vendor control plane. Helm chart deploy. IdP federation. Existing SIEM and ticketing connectors.

  • Compute: EKS / AKS / GKE
  • Isolation: Namespace + NetworkPolicy + ResourceQuota
  • Time to first agent: ~ days
  • Execution envelope: cogward's controlled execution layer

Tier B · Phase 2

Fully on‑premise

Customer-owned hardware. Zero outbound dependency on any vendor control plane at any point in the lifecycle. Auditable by your security team. Pen-testable without vendor cooperation or notification. The configuration that regulated financial buyers and healthcare systems ship with.

  • Compute: Self-managed Kubernetes / bare metal
  • Isolation: Infrastructure-level namespace isolation
  • Time to first agent: ~ weeks
  • Execution envelope: cogward's controlled execution layer

Tier C · Phase 3

Air‑gapped / physical media

For defence, classified, and sovereign deployments. Software artifacts and behavioural intelligence updates delivered on signed physical media, cryptographically verified on receipt. Zero network dependency on any vendor infrastructure at any point — not during installation, operation, update, or intelligence refresh. Cadence governed by the customer's security programme.

  • Compute: Sovereign / classified estates
  • Isolation: Physical + cryptographic verification
  • Time to first agent: Programme-dependent
  • Execution envelope: cogward's controlled execution layer

Estate intelligence

Telemetry tells you what happened. Estate intelligence tells you whether the estate is working.

Expansion layer — Phase 2/3. Estate intelligence compounds once production agents are already running through the Phase 1 control and evidence foundation. The Phase 1 wedge is control, identity, lifecycle authority, and evidence. Intelligence builds from there.

The events journal and audit log answer infrastructure questions. Estate intelligence answers management questions. The plane is where this layer lives — because it is the only layer that holds identity, declared purpose, lifecycle state, and outcome together.

Behavioural drift detection

The plane sees when an agent has changed behaviour without any code change.

  • Cost per run up 40% versus the 30-day baseline for this agent type
  • Tool call sequence has reversed — search.web before db.query where it previously went the other way
  • Latency per task up 60% despite no change in declared input complexity
  • Goal achievement rate dropped from 87% to 71% over three weeks with no version change
  • Policy escalation rate tripled — the agent is encountering edge cases its declared permissions do not cleanly cover

None of these require the agent code to change. They happen because models shift, underlying data changes, tool response schemas evolve, or the distribution of work sent to the agent changes. Estate intelligence surfaces them as operational signals before they become compliance events or production incidents.

Fleet-level pattern intelligence

The management view for a platform team running 50 agents.

Across all registered agents: which are underutilised (cost justification), which are overloaded (capacity planning), which are showing correlated degradation suggesting a shared dependency failure, which are generating the highest rate of policy escalations. A platform team managing 50 agents cannot monitor each individually. Fleet intelligence makes the estate manageable at scale.

Goal achievement and task tracking

Declared goal, completion rate over time, per-agent and per-programme.

Per-agent and per-programme: declared goal, completion rate over time, which task types the agent consistently fails on, which it succeeds at, and how that pattern is changing. The management view for platform leads and programme owners.

Air-gapped intelligence distribution

Intelligence flows in. Telemetry stays inside your perimeter.

The intelligence is per-customer and self-compounding: every production run adds to that customer's own behavioural baseline. Improvements derived from the broader deployment base — refined drift baselines, updated anomaly patterns, benchmark goal achievement curves — are distributed back as pre-trained behavioural models, shipped as versioned updates through the same channel as software releases. The intelligence flows one way: from cogward's research and modelling to the customer's environment.

Competitive position

Three families of managed agent infrastructure are emerging. All three are often the right answer — for a different trust boundary.

Managed runtimes optimise for vendor-owned platforms. cogward optimises for customer-owned runtime governance.

Family | Examples | Strength | Limitation for regulated ISVs
Hyperscaler runtimes | AWS AgentCore, Microsoft Foundry, Google Gemini Enterprise Agent Platform | Capable, increasingly framework-neutral | Optimised for their own cloud; customer cannot independently audit the enforcement layer
Model-vendor platforms | OpenAI Frontier, Anthropic Claude Managed Agents | Strong within their model ecosystem | Model, runtime, and evidence authority are the same vendor — independence concern; session state stays on vendor infrastructure
Framework-native platforms | LangChain/LangSmith and others | Strong within a specific development model | Single-framework, cloud-resident; more will emerge as agents proliferate
cogward | Customer-owned runtime governance | Customer-auditable enforcement · tamper-evident evidence inside customer environment · ship to every cloud and on-premise · harness-preserving governance | Built for regulated ISVs and enterprises where vendor-managed governance is not an option

Two ISV-specific requirements that hyperscalers cannot close by adding features:

  • Ship to every customer. Enterprise customers run across AWS, Azure, GCP, and on-premise. A vendor-tied governance layer becomes a deal blocker. cogward provides the same governance model everywhere.
  • Harness-preserving governance. cogward governs framework-native agents inside tenant-scoped private boundaries without forcing a vendor-preferred SDK or abstraction. The agent feature ships with the ISV's chosen stack intact.

Open core

Open contracts. Commercial plane.

A security-critical control layer between agents and the systems they touch cannot be evaluated from a datasheet. The contracts between agents and the plane — the schemas, the adapter SDK, the gateway interface, the audit event format — are open source. Your security team can audit them. Your developers can build against them. Your standards team can fork them. The plane itself is the commercial product.

Apache 2.0

Open source

Auditable by your security team. Forkable. Self-runnable for development and evaluation.

  • Agent manifest schema: The contract between agents and the platform.
  • Framework adapter SDK: Build adapters for new frameworks; community-extensible.
  • Audit event schema: OTel semantic conventions for governed agent runtime, with dual attribution and privacy-preserving content references built in.
  • MCP gateway plugin interface: The egress enforcement contract.
  • Policy format & templates: Starter examples for runtime policy. Validated compliance mappings live in the commercial evidence layer.
  • Local runtime harness: For development and evaluation.

The open-source surface is the contract layer — schemas, adapters, gateway interfaces, policy formats. The runtime itself (including the controlled execution envelope) is the commercial product. This split is what allows the contracts to be audited, forked, and standardised without putting the runtime's security envelope into community hands.

cogward Enterprise

Commercial layer

What you license. What justifies the contract and the support SLA.

  • Enterprise registry: Multi-tenant management with RBAC and audit.
  • Policy management console: Versioning, approval workflow, policy lifecycle.
  • Evidence store & GRC export: ServiceNow, Archer, Vanta, Hyperproof.
  • Tier B/C deployment: On-premise and air-gapped operational tooling, including signed-media intelligence delivery.
  • Estate intelligence: Drift detection, fleet patterns, goal achievement, pre-trained behavioural model updates.
  • Evaluation gate, context governance, skills registry, lineage: Phased — see roadmap.
  • Certification & support SLAs: Direct work with your auditors.
  • The plane itself: Including the controlled execution layer.

The agent manifest schema and audit event format are published as open specifications — not just open-source code. The near-term value is developer trust and procurement auditability: regulated buyers can inspect what they are committing to. The long-term direction is CNCF-style standardisation once real operational adoption exists. Adoption first, standardisation second.

Phase 1

One success condition for Phase 1.

One regulated ISV design partner running production agents through cogward, pen test survived, compliance evidence cited. A regulated enterprise can also qualify, but the target wedge is ISVs.

  1. Phase 1 Design partners

    Minimum Enforceable Control Envelope

    Phase 1A: Registry, sandboxed runtime, machine identity, MCP/tool gateway, lifecycle controls, audit log, OTel export, one framework adapter, Tier A BYOC/VPC deployment.

    Phase 1B: More harness adapters, stronger sandboxing, resource controls, pen-test package, audit export package, compliance evidence templates.

    Success milestone: one regulated ISV design partner running production agents through cogward, pen test survived, compliance evidence cited.

  2. Phase 2 Next

    Production Governance

    Pillar 4 (Audit-Grade Evidence) to full: DORA / SOC 2 certification, GRC integrations, first compliance certification workstream. Pillar 5 (Estate Intelligence) foundational: task status, cost and latency baselines, goal achievement tracking. Evaluation gate. Context governance. Skills registry. Policy hierarchy with HITL approval workflows. Tier B deployment.

  3. Phase 3 Later

    Intelligence & Evidence Maturity

    Pillar 5 to full: behavioural drift detection, fleet patterns, air-gapped intelligence distribution. Pillar 4 extended: forensic-grade replay, data lineage, sector compliance packs (HIPAA, MiFID II, EU AI Act Article 13). Pillar 1 extended: Tier C deployment. Additional framework adapters.

  4. Phase 4 Vision

    System of Record

    Full estate lifecycle history. Managed service offering (only after self-hosted credibility is established). Governed self-improvement infrastructure. Long-running agent infrastructure. Standards contribution for the manifest schema and audit event format.

Become a design partner

One regulated ISV running production agents through cogward. That is the Phase 1 milestone.

The design-partner motion can start in weeks. Production rollout depends on security and architecture validation. We are looking for regulated ISVs with agent features in backlog that are hitting the governance wall — and enterprises that have tried to build their own governed runtime and understand exactly what it requires.

Phase 1A deployable today: agent registry, machine identity, dual attribution, MCP/tool gateway, sandboxed runtime, lifecycle controls, audit log, OTel export, one framework adapter, Tier A BYOC deployment. Phase 1B adds harness adapters, stronger sandboxing, pen-test package, compliance evidence templates.
