A centralized runtime control plane for AI Agents that evaluates and governs inputs and outputs at every step of the agent workflow, supporting PII leak prevention, prompt injection defense, tool call governance, and unified security policy enforcement across multi-agent clusters.
Core Positioning
Agent Control does not participate in Agent business logic orchestration; it serves as a governance layer (Control Plane) independent of the Agent. It inserts interceptors at key nodes—input, LLM output, tool calls, and final actions—and performs real-time validation and intervention based on predefined policies.
Policy & Governance
- Centralized Control: Define a control rule once, apply it across all Agents; policy updates do not require redeploying Agent applications.
- Composable Condition Trees: Build complex composite validation conditions using `and`, `or`, `not` logical operators.
Runtime Interception & Decision
- Lifecycle Coverage: Real-time validation at `pre` (input) and `post` (output) stages via the `@control()` decorator.
- Multi-dimensional Decision Control: Four control actions: `allow`, `deny` (throws `ControlViolationError`), `steer` (guide/rewrite), `warn` (warn and pass).
Evaluation Engine
- Built-in Evaluators: Regex, List, JSON, SQL evaluators available out of the box.
- Pluggable Extensions: Support for custom evaluator integration.
- Third-party Guardrail Integration: Native support for Amazon Bedrock Guardrails, NVIDIA NeMo Guardrails, Galileo Luna-2, Azure AI Content Safety, Cisco AI Defense.
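
The condition trees, control actions and regex evaluator described above, as a stand-alone sketch. This is an added example, not Agent Control's code or policy schema: the dict-based policy format, the control names, the deny > steer > warn > allow precedence and the sample patterns are assumptions made for illustration.

```python
import re

# Hypothetical policy format for illustration; not Agent Control's schema.
SSN = r"\b\d{3}-\d{2}-\d{4}\b"
CARD = r"\b(?:\d[ -]?){15}\d\b"
CONTROLS = [
    {"name": "block-ssn", "stage": "post", "action": "deny",
     "when": {"and": [{"regex": SSN},
                      {"not": {"regex": r"\[synthetic\]"}}]}},
    {"name": "redact-card", "stage": "post", "action": "steer",
     "when": {"regex": CARD}, "redact": CARD},
    {"name": "flag-override", "stage": "pre", "action": "warn",
     "when": {"or": [{"regex": r"(?i)ignore (all )?previous instructions"},
                     {"regex": r"(?i)reveal .*system prompt"}]}},
]
PRECEDENCE = {"allow": 0, "warn": 1, "steer": 2, "deny": 3}


def matches(cond: dict, text: str) -> bool:
    """Recursively evaluate an and/or/not tree with regex leaves."""
    if len(cond) != 1:
        raise ValueError(f"condition must have exactly one operator: {cond!r}")
    (op, arg), = cond.items()
    if op == "and":
        return all(matches(c, text) for c in arg)
    if op == "or":
        return any(matches(c, text) for c in arg)
    if op == "not":
        return not matches(arg, text)
    if op == "regex":
        return re.search(arg, text) is not None
    raise ValueError(f"unknown operator {op!r}")  # fail closed on typos


def evaluate(stage: str, text: str, controls=CONTROLS):
    """Return (action, text, triggered control names) for one stage."""
    action, triggered = "allow", []
    for c in controls:
        if c["stage"] != stage or not matches(c["when"], text):
            continue
        triggered.append(c["name"])
        if c["action"] == "steer":  # rewrite instead of blocking
            text = re.sub(c["redact"], "[REDACTED]", text)
        if PRECEDENCE[c["action"]] > PRECEDENCE[action]:
            action = c["action"]
    return action, text, triggered
```

A misspelled operator raises instead of silently evaluating to "no match", so a broken policy cannot turn into an implicit `allow`.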
Execution & Performance
- Dual Execution Modes: `server` (remote server-side evaluation) and `local` (local client-side evaluation).
- Client-side Caching: Policy caching in local mode to reduce network overhead.
- High-performance Benchmarks: Single Control evaluation reaches 437 RPS (p50 36ms); 50 parallel Control evaluations reach 199 RPS (p50 63ms).
Observability
- Audit Logs: Complete recording of Agent workflow trajectories and Control trigger events.
- Custom Telemetry: Support for registering custom `ControlEventSink` to forward events to external logging or monitoring systems.
- Visual Dashboard: Built-in Web Dashboard providing Agent registration and Control visual management.
Architecture Overview
Core modules: Engine (evaluation engine), Evaluators (evaluator pool), Control Store (policy storage backed by PostgreSQL), Server (API/gRPC service), Telemetry (telemetry module), Models (data models), UI (console). Directory structure: engine/, evaluators/, server/, sdks/ (multi-language SDKs), models/, telemetry/, ui/, docs/, examples/.
Typical Use Cases
| Scenario | Description |
|---|---|
| PII Leak Prevention | Block SSNs, credit card numbers, and other sensitive info from Agent output via regex matching |
| Prompt Injection Defense | Detect and intercept malicious prompt injection |
| Tool Call Governance | Restrict Agent access to sensitive tools like databases and validate permissions |
| Content Safety Compliance | Integrate third-party content safety guardrails |
| Accuracy Validation | Check Agent output format and content accuracy |
| Multi-Agent Cluster Governance | Centrally update security policies without modifying Agent code |
Framework Compatibility
Out-of-the-box support for LangChain / LangGraph, CrewAI, Google ADK, AWS Strands, OpenAI Agents SDK, AutoGen, and more.
Quick Start
Prerequisites: Docker, Python 3.12+

```bash
# One-click launch (PostgreSQL + Agent Control Server + UI)
curl -L https://raw.githubusercontent.com/agentcontrol/agent-control/refs/heads/main/docker-compose.yml \
  | docker compose -f - up -d

uv venv && source .venv/bin/activate
uv pip install agent-control-sdk
```

```python
import agent_control
from agent_control import control, ControlViolationError

# Validate the input (pre) and output (post) of this function against the configured controls.
@control()
async def chat(message: str) -> str:
    # LLM is a placeholder for your own model client.
    return await LLM.ainvoke(message)

agent_control.init(agent_name="my_bot", agent_description="My Chatbot")
```
Unconfirmed Information
- Initial release date not explicitly stated in README or official site
- Enterprise/paid edition page not clearly found
- PyPI package version and TypeScript SDK npm package name need repository confirmation
- OIDC / SAML enterprise identity authentication support not mentioned in docs
- Native multi-tenancy isolation not explicitly stated in README