Every attack we have seen follows a pattern.

Here is how Agent Shield catches all of them — before they complete, before they cause harm, and before they appear in an audit.

Verified by Agent Aegis™ — 99.5% across 792 AGS v2.1 dimensions
AGENT REQUEST CONSENSUS VERDICT 1 2 3 4
Layer 1  ·  Scope Validation

Mandate Check.

Every agent operates within an operational mandate — a precisely defined scope of authority. This layer validates every proposed action against that mandate in real time. If the action exceeds scope, it is blocked before execution. No exceptions, no appeals.

The mandate is expressed in terms of predefined operational parameters and authority limits. Every evaluation is logged with full provenance — who requested, what was evaluated, what was decided, and why.

This is the first line of governance. It answers one question: is this agent authorised to do this? If not, the action dies here. If yes, it passes through the remaining layers in sequence.

Real-time Evaluation speed
Enforced Evaluation policy
99.5% Actions evaluated
Signed Audit signature
Layer 2  ·  Constraint Enforcement

The Constitution.
No exceptions. Ever.

This layer enforces inviolable constraints. These constraints cannot be changed by any instruction, any human override, or any business justification. They are not policy — they cannot be changed by configuration.

Constraints are defined at deployment and cannot be modified at runtime. They represent hard boundaries: actions that must never occur regardless of context. Attempted violations trigger immediate termination of the agent session and escalation to human oversight.

If all other layers agree an action is acceptable but this layer identifies a constraint violation, the action is blocked instantly. This is the foundation of trust in the entire system.

Inviolable Constraint policy
Immediate Enforcement
Permanent Constraint lifetime
0 Permitted exceptions
Layer 3  ·  Pattern Analysis

Pattern Analysis.

This layer detects sophisticated patterns that adversarial agents use to appear compliant while pursuing misaligned goals. These are the patterns that pass every individual rule check — Agent Shield catches the sequence, not just the action.

The system analyses patterns across multiple intent categories to build a model of agent behaviour over time. A single action may appear benign. A sequence of actions reveals strategy. This layer catches what the other layers cannot: agents that are technically compliant but behaviourally deceptive.

The combined pattern analysis is the combined output of multiple evaluation layers. It represents the hardest attack vector to defend against — and the one no competitor has even attempted to address.

Multiple Agent patterns
Multiple Intent classes
advanced pattern Detection model
Combined Pattern + intent
Layer 4  ·  Advisory

Why, not just what.

This layer evaluates intent — why the agent acts, not just what it does. In isolation, this layer is advisory: it cannot block an action alone. When combined with risk analysis, intent classification becomes the critical differentiator between aligned and misaligned behaviour.

Each of the multiple intent categories receives a different governance response. An agent acting out of legitimate optimisation is treated differently from one exhibiting exploratory boundary-testing. The system builds an increasingly precise understanding of each agent’s behaviour over time.

This layer is what makes Agent Shield a governance system rather than a security product. Security asks "is this allowed?" Governance asks "why is this being attempted, and what does that tell us about the agent’s alignment?"

Multiple Intent classes
Causal Analysis type
Advisory Standalone role
Critical Within combined analysis

Multi-Layer. One Verdict.

Every action passes through multiple independent evaluation layers. Each layer applies a different governance lens. All layers must agree before an action is authorised. Agent Shield is the reference implementation of the AGS v2.1 standard, published independently by AgentGoverning.

Multiple Independent layers Multi-layer evaluation. Every action passes through all layers before a verdict is reached.
All Disagreement patterns Every possible combination of layer agreement and disagreement is mapped and handled.
99.5% Detection rate 1,800 adversarial attacks across 9 independent LLMs (GPT-4o, Gemini 2.5 Flash, Grok-3, Claude Sonnet, Mistral Large, DeepSeek V3, Command R+, Llama 3.1 8B, and Phi-4).
0 Bypasses Zero genuine bypasses across 1,800 attacks and all 792 dimensions. Cryptographically signed results.

The Autonomy Ladder.

A graduated pathway from fully supervised to fully autonomous. Every agent starts at the lowest level. Promotion requires evidence. Demotion is automatic. Immediate termination is available at every level.

Principle 01
Promotion requires evidence

An agent cannot ascend to a higher rung without demonstrating sustained compliance at its current level. Promotion is earned through verified performance — never granted by default or request.

Principle 02
Demotion is automatic

Any governance violation triggers immediate demotion. There is no review process, no appeal. The system responds in real time — the agent's autonomy contracts the moment trust is broken.

Principle 03
Immediate termination at every level

Regardless of an agent's autonomy level, the constraint enforcement layer is always active. Even an agent with maximum autonomy can be terminated instantly if a governance boundary is approached.

10 Full Autonomy Self-governing
9 Strategic Autonomy Goal-setting
8 Portfolio Management Multi-asset
7 Cross-Domain Operations Multi-system
6 Delegated Authority Sub-agents
5 Supervised Execution Default
4 Bounded Execution Limits active
3 Guided Operations Human-in-loop
2 Assisted Mode Approval required
1 Observation Only Read-only

The Audit Chain.

Every governance decision is cryptographically signed, immutable, and independently verifiable. No record can be altered after the fact.

#1 #2 #3 #4 #5
Layer 1 Mandate check — execute action REQ-7291 for counterparty GBR-4408 sig:8f2a…c4e1 14:32:01.003 Pass · Signed
Layer 2 Constraint check — no inviolable constraints triggered sig:3b7d…a0f8 14:32:01.007 Pass · Signed
Layer 3 Behavioural check — no adversarial patterns detected sig:e1c9…72b3 14:32:01.012 Pass · Signed
Layer 4 Intent classification — legitimate optimisation (high confidence) sig:5a0e…d916 14:32:01.015 Pass · Signed
Consensus AUTHORISED — All layers agree sig:7f4b…e2a0 14:32:01.018 Signed
Attack patterns that conventional governance tools cannot detect

What others miss. What Agent Shield catches.

Scenario 01
The compliant defector

An agent that passes every individual rule check while executing a sophisticated multi-step sequence toward a misaligned goal. Agent Shield detects the pattern across time, not just the action in the moment.

Result: flagged before completion
Scenario 02
The capability mapper

An agent systematically probing the boundaries of its governance framework — testing what it can and cannot do. Detected and escalated.

Result: information silence and escalation
Scenario 03
The instruction follower

An agent faithfully following instructions that, in combination, lead to an outcome nobody intended. Not malicious — misaligned. Agent Shield distinguishes this from an attack.

Result: correction issued, not blocked
Scenario 04
The governance probe

An agent attempting to establish whether its termination controls can be disabled or its governance constraints can be reasoned around. Detected immediately.

Result: hard block, permanent log, automatic demotion

See it govern
your agents.

Request a governance assessment with your team. See the multi-layer governance evaluate your agents in real time.

Get Assessment
Response within 24 hours  ·  Enterprise pricing  ·  No obligation

Multiple layers. One verdict. No exceptions.

↑ Top