What is ARX?
ARX is a governance layer for AI agents operating in enterprise security environments. It sits between autonomous agents and the security tools they interact with, intercepting every action, evaluating it against policy, and producing an immutable audit trail. ARX does not replace existing agents or tools. It wraps them, adding the control plane that enterprises require before granting AI systems access to production infrastructure.
The Problem
AI agents are being deployed to automate security operations: triaging detections, enriching incidents, isolating compromised hosts, creating tickets. These agents interact with tools that carry significant blast radius -- CrowdStrike can contain endpoints, Okta can disable users, Palo Alto can modify firewall rules. Without governance, an agent misconfiguration or prompt injection can escalate into a production incident.
Compliance frameworks (SOC 2, ISO 27001, FedRAMP) require documented access controls, audit trails, and human oversight for privileged operations. Most AI agent frameworks provide none of these.
How ARX Works
ARX implements an intercept-evaluate-log pattern. Every operation an agent attempts -- reading detections from CrowdStrike, creating a Jira ticket, running a Splunk query -- passes through ARX before reaching the target tool.
The execution flow for every agent action:
- Intercept. The agent calls an operation through the ARX SDK or API. ARX captures the full request context: which agent, which connector, which operation, what parameters, and the session history.
- Evaluate. The policy engine assesses the operation against the organization's rule set. It computes a risk score based on the operation type (read vs. write vs. destructive), the connector's sensitivity, the agent's permission bindings, and behavioral drift from its declared intent manifest. The engine returns one of three verdicts: PERMIT, ESCALATE, or DENY.
- Log. Regardless of the verdict, ARX writes an immutable audit event containing the agent identity, the operation attempted, the policy verdict, the risk score, and the matched policy rule. For permitted operations, the result payload is also recorded.
For ESCALATE verdicts, ARX routes an approval request to a human reviewer via Slack, Microsoft Teams, or webhook. The operation blocks until a reviewer approves or denies it. For DENY verdicts, the operation is rejected and the agent receives a PermissionDeniedError.
Wrapping Agents Without Code Changes
ARX uses connectors to abstract security tool APIs. Instead of calling CrowdStrike directly, an agent calls arx.crowdstrike().execute("detections:read", params). The ARX SDK routes this through the governance layer, which handles credential retrieval, policy evaluation, and audit logging before executing the operation against the CrowdStrike Falcon API.
Agents do not need to store or manage credentials. ARX injects credentials from its secrets vault at execution time. The agent code never sees API keys, OAuth tokens, or client secrets.
Who ARX Is For
- CISOs and security leadership who need visibility and control over what AI agents are doing across their security tooling.
- Security engineers building or deploying AI agents who need a governed execution environment rather than building audit and policy infrastructure from scratch.
- Compliance teams who need to demonstrate that AI-driven security operations meet SOC 2, ISO 27001, and regulatory requirements.
- Platform teams managing multi-tenant environments where different teams deploy agents with different permission levels.
Key Capabilities
Agent Registry
A centralized inventory of all AI agents operating in the environment. Each agent has a declared identity, an owner, a set of permission bindings, and an intent manifest describing its expected behavior. The CISO dashboard provides real-time visibility into agent activity, risk posture, and policy compliance.
Immutable Audit Trail
Every agent action produces an append-only, tamper-proof audit record. Records include the agent identity, connector, operation, parameters, policy verdict, risk score, execution result, and timestamp. Audit data can be exported to external SIEMs (Splunk HEC, Microsoft Sentinel, syslog, webhooks) for correlation with existing security monitoring.
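One way an append-only record can be made tamper-evident is a hash chain, shown here as an added Python example (not ARX's own storage code; the page does not state how ARX implements immutability, so the scheme, field names and sample events are assumptions):

```python
import hashlib
import json

# Hypothetical hash-chained audit log, added to illustrate the append-only,
# tamper-evident property described above. Each record stores the hash of its
# predecessor, so altering or removing any earlier event breaks the chain.
# This is not ARX's storage format; the scheme and field names are assumptions.
GENESIS_HASH = "0" * 64

def _digest(body: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) for determinism."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """Append an audit event linked to the previous record's hash; returns the record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    record = dict(body, hash=_digest(body))
    chain.append(record)
    return record

def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record.get("seq") != i or record.get("prev_hash") != prev_hash \
                or _digest(body) != record.get("hash"):
            return False, i
        prev_hash = record["hash"]
    return True, None

def demo() -> tuple:
    """Build a two-event chain, then tamper with a recorded verdict."""
    chain = []
    # Constructed sample events using the fields the audit record is said to carry.
    append_event(chain, {"agent": "triage-bot", "connector": "crowdstrike",
                         "operation": "detections:read", "verdict": "PERMIT",
                         "risk_score": 30, "rule": "permit-low-risk"})
    append_event(chain, {"agent": "triage-bot", "connector": "crowdstrike",
                         "operation": "hosts:contain", "verdict": "ESCALATE",
                         "risk_score": 100, "rule": "escalate-high-risk"})
    before = verify_chain(chain)
    chain[1]["event"]["verdict"] = "PERMIT"   # after-the-fact edit of a stored record
    return before, verify_chain(chain)
```

A real deployment would additionally anchor the chain head somewhere the writer cannot modify (an external SIEM export, as the page mentions, or a signed checkpoint), since a writer who controls the whole store can re-hash the entire chain.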
Policy Engine and Guardrails
Organizations define policy rules that govern agent behavior. Rules match on connector, operation, risk level, agent identity, time-of-day, or custom attributes. Each rule specifies a verdict: PERMIT, ESCALATE, or DENY. The engine evaluates rules in priority order and returns the first match, with a configurable default verdict.
Approval Gates
Operations that receive an ESCALATE verdict require explicit human approval before execution. ARX sends structured approval requests to Slack channels or Microsoft Teams, including the agent name, operation details, risk score, and one-click approve/deny buttons. Approval decisions are recorded in the audit trail.
Compliance Packages
ARX generates compliance documentation from platform data: Vendor Security Questionnaire (VSQ) responses, Data Flow Diagrams (DFDs), sub-processor lists, and SOC 2 control mappings. These packages are derived from actual system configuration and agent behavior, not manually authored.
Behavioral Drift Detection
Each agent declares an intent manifest specifying the connectors and operations it is expected to use. ARX continuously compares actual agent behavior against declared intent. When an agent attempts an operation outside its manifest, ARX flags the deviation as behavioral drift, which can trigger ESCALATE or DENY verdicts.
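The evaluate step described under How ARX Works, the priority-ordered first-match rules of the Policy Engine, and the manifest comparison above, modelled together in one added Python example (not ARX's engine; the weights, rule fields, manifest layout and sample agent are assumptions):

```python
from dataclasses import dataclass, field
# Hypothetical model of the evaluate step (example code, not ARX's engine):
# risk = operation class + connector sensitivity + drift penalty, then rules
# are checked in priority order with first-match semantics and a default verdict.
# Weights, rule fields and the manifest layout are assumptions.
OP_CLASS_RISK = {"read": 10, "write": 40, "destructive": 70}
CONNECTOR_SENSITIVITY = {"jira": 0, "splunk": 5, "crowdstrike": 20, "okta": 25}
DRIFT_PENALTY = 30

class PermissionDeniedError(Exception):
    """Raised to the agent when the verdict is DENY."""

@dataclass
class Rule:
    name: str
    verdict: str            # PERMIT, ESCALATE or DENY
    priority: int           # lower numbers are evaluated first
    connector: str = None   # None matches any connector
    operation: str = None   # None matches any operation
    min_risk: int = 0       # applies only at or above this risk score

@dataclass
class Agent:
    name: str
    manifest: dict = field(default_factory=dict)  # connector -> expected operations

def classify(operation: str) -> str:
    """Map an "object:action" operation name to read, write or destructive."""
    action = operation.split(":", 1)[-1]
    if action in ("read", "list", "search", "query"):
        return "read"
    return "destructive" if action in ("contain", "disable", "delete", "block") else "write"

def risk_score(agent: Agent, connector: str, operation: str) -> tuple:
    """Return (score capped at 100, drifted); drifted means outside the manifest."""
    drifted = operation not in agent.manifest.get(connector, ())
    score = OP_CLASS_RISK[classify(operation)] + CONNECTOR_SENSITIVITY.get(connector, 10)
    return min(100, score + (DRIFT_PENALTY if drifted else 0)), drifted

def evaluate(agent: Agent, connector: str, operation: str, rules: list, default: str = "DENY") -> dict:
    """First matching rule in priority order wins; otherwise the default verdict applies."""
    score, drifted = risk_score(agent, connector, operation)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.connector in (None, connector) and rule.operation in (None, operation) and score >= rule.min_risk:
            return {"verdict": rule.verdict, "risk_score": score, "drift": drifted, "rule": rule.name}
    return {"verdict": default, "risk_score": score, "drift": drifted, "rule": None}

def enforce(decision: dict) -> dict:
    """What the calling agent sees: a DENY verdict surfaces as PermissionDeniedError."""
    if decision["verdict"] == "DENY":
        raise PermissionDeniedError(f"rule={decision['rule']} risk={decision['risk_score']}")
    return decision
```

Note that a drifted destructive call is pushed over the ESCALATE threshold even when the same operation from a manifest-declared agent would not be, which is the effect the drift mechanism is meant to have.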
Secrets Vault
ARX stores connector credentials (API keys, OAuth client secrets, service account tokens) in an encrypted vault. Credentials are injected at operation execution time and are never exposed to agent code. The vault supports eight credential provider backends, including HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault.
Connectors
ARX ships with 101 pre-built connectors covering 2,519 governed operations across endpoint security (CrowdStrike, SentinelOne, Carbon Black), SIEM (Splunk, Microsoft Sentinel, Elastic), identity (Okta, Entra ID, Duo), cloud security (Wiz, Prisma Cloud, AWS Security Hub), ticketing (Jira, ServiceNow), and more. Each connector maps operations to specific API endpoints with pre-assigned risk classifications.
Deployment
ARX runs on Aptible with deployment options on AWS and Microsoft Azure. The data layer uses Supabase (PostgreSQL) for transactional data and audit storage, with optional customer-managed encryption keys (AWS KMS, Azure Key Vault, GCP KMS). Authentication integrates with existing identity providers via SAML 2.0 and OIDC, with SCIM 2.0 provisioning for user and group lifecycle management.