Live agent control plane · methodology v0.1.0

Estoppl Demo Deployer

A demo deployer simulating support + treasury agents at a hypothetical consumer lending fintech.

Where you put a kill switch in front of an autonomous agent before it does something irreversible.

A runtime control plane in the agent's tool-call path — guardrails that reduce blast radius on irreversible actions, kill switch for runaways, human review for the ambiguous ones, and a tamper-evident record of every decision.

Live capture: a support agent attempts a Stripe charge through MCP. Policy routes the call to human review, the on-call human gets an email with one-click approve/deny, and the action holds until they click.

Where Estoppl sits in your agent's path
Your agent
Autonomous LLM / MCP client
Estoppl proxy
Runtime control plane
Your tools
Stripe, DB, APIs, MCP servers
What the proxy does in-line
  • Policy guardrails on every tool call before it leaves your perimeter
  • Kill switch — remote policy update propagates to all proxies in ≤5s
  • HITL routing for irreversible actions; held until a human approves
  • Tamper-evident audit log — hash-chained, Ed25519-signed

Sub-millisecond hot path. Single Rust binary; deploys as sidecar, gateway, or stdio proxy in front of your existing tool servers. Configurable field redaction keeps secrets out of the audit log.

Catastrophes prevented · last 30 days
4of 22 actions

Irreversible agent actions this proxy intercepted before they executed. Without a control plane in the agent's path, each one would have happened — blast radius unbounded.

1
Blocked outright
Stopped at the policy boundary. Never executed.
3
Routed to human review
Held until a human approved or denied them.

What the agent attempted (and what got stopped)

Each row is an action the agent attempted, the policy rule that fired, and what the proxy did about it. BLOCKED actions never executed (blast radius zero); HUMAN-REVIEW actions held at the policy boundary until an on-call human approved or denied.

WhenAgentToolDecisionRule
just nowtreasury-agent-v2transfer_fundsHuman reviewmoney_movement
2h agosupport-agent-v1issue_refundHuman reviewamount_above_threshold
10h agotreasury-agent-v2transfer_fundsHuman reviewmoney_movement
16h agosupport-agent-v1issue_refundBlockedamount_above_threshold
Showing 4 of 4 intercepted actions in the last 30 days. The other 18 actions were auto-allowed by policy.

Tool surface

Every tool this agent has called in the last 30 days and how each call was decided. Useful for scope review.

search_kb
6 calls
6 allowed
issue_refund
3 calls
1 allowed 1 reviewed 1 blocked
transfer_funds
3 calls
1 allowed 2 reviewed
lookup_customer
3 calls
3 allowed
send_email
3 calls
3 allowed
test_tool
2 calls
2 allowed
Runtime posture score
917
/1000
Low risk
Reissued hourly · valid until Jun 2, 2026, 10:58 PM UTC

22 actions in the last 30 days — 18 auto-allowed, 3 routed to human review, 1 blocked at the policy boundary.

Three pillars

Each subscore is computed live from the event chain. See the formulas →

Governance discipline

95/100

Are high-risk actions being routed to humans at the right rate — neither rubber-stamped nor over-escalated?

events total
22
hitl rate
13.6%
Framework references
  • NYDFS 23 NYCRR 500.13 (audit trail of cybersecurity events)
  • FINRA 4511 (books and records)
  • AIUC-1 §3 Accountability
  • AARM v1.0 §2.3 (HITL governance)

Scope adherence

90/100

How often does the agent try things outside its approved scope of authority?

block rate
4.5%
blocked count
1
Framework references
  • NYDFS 23 NYCRR 500.11 (third-party service provider security policy)
  • FINRA 3110 (supervision of automated systems)
  • AIUC-1 §2 Safety (scope-of-authority controls)
  • AARM v1.0 §3.1 (policy enforcement at the agent boundary)

Anomaly load

90/100

Rate of unusual or out-of-pattern tool calls relative to this agent's baseline.

events total
22
unique agents
4
unique tools
8
Framework references
  • NYDFS 23 NYCRR 500.14 (monitoring and detection)
  • AIUC-1 §5 Reliability (anomaly detection)
  • AARM v1.0 §4 (runtime telemetry)

Verify this certificate yourself

Don't trust the page — verify the signature. The cert is signed with Estoppl's Ed25519 key, published at /.well-known/jwks.json. Click the button below to verify locally in your browser (no install, no Estoppl server in the loop), or download the signed JSON and use the CLI verifier offline:

estoppl verify-certificate cert.json
Hash chain: 22 events · sequence 11 · last event hash b3ae66d505d2db95
Score methodology·Full evidence pack (JSON)
Deployer ID
1c6a30f5-586b-4b67-96a1-a71728243f7e
Certificate ID
estoppl_cert_v1_1c6a30f5-586b-4b67-96a1-a71728243f7e_20260602215813
Public Key ID
estoppl_signing_2026q2_v1
Issued
Jun 2, 2026, 9:58 PM UTC
Methodology
v0.1.0
AARM Version
v1.0
AARM Conformance
aligned_extended_review_pending
Signature
Pl0OKG9HxQMySkqk…6nmJAg==
Authorization scope
Policy ID
policy_v3_support_agent
Max Action Value
$5,000
Policy Hash
sha256:8f4a2b7c91e3d40fc4ee9e8d3b2c1a5e6f7012a3b4c5d6e7f8091a2b3c4d5e6f
Policy URL
https://api.estoppl.ai/v1/policy/sha256:8f4a2b7c91e3d40fc4ee9e8d3b2c1a5e6f7012a3b4c5d6e7f8091a2b3c4d5e6f
Scope Summary
Customer support · payments ≤ $5,000 · refunds ≤ $500 · no PII export
Allowed Tool Namespaces (3)
stripe.charges.* · stripe.refunds.create · internal.crm.read.*
Denied Tool Namespaces (2)
stripe.transfers.* · internal.crm.write.*
Valid Until
2026-06-02T22:58:13Z
Chain integrity
Event Count
22
Sequence Range
11
First Event Hash
b2c3ac1216cc0f471ee86f2f1133366cc845c2021b5be18e3fcdf2411d8ff5c4
Last Event Hash
b3ae66d505d2db953d1216adf4a617db62c3ebd24722658163404ad55071cd48

Want a runtime control plane in front of your agents?

Limited to a few fintech design partners this quarter. Founder-direct, kill-switch authority + guardrail rules tailored to your agents, ground-floor terms — no CSMs, no SDR funnels.

Become a design partner — 15 min with the founderView on GitHub →

— Tina Ho, founder · ex-Netflix, ex-Amazon · LinkedIn ↗

Different perspective on the same data

Same certificate and evidence chain — three lenses on the same substrate.

Audit-ready evidence

For compliance / GRC / audit teams

Framework-mapped audit trail for compliance + GRC. NYDFS, FINRA, AIUC-1.

Cross-company trust substrate

For Heads of AI / security architects thinking at infrastructure layer

Cryptographic primitives for the agentic commerce protocol — signed chains, JWKS verification, cross-boundary trust.

Issued and signed by Estoppl. Each certificate is valid for one hour and continuously reissued.