Onboarding design partners · regulated and high-stakes AI

Enforce what your AI agents can do.

Prompt injection. Cross-tenant data leakage. Backdoor connections from compromised dependencies. Aegis Mesh sits between your AI agent and the outside world: a proxy that runs as a child process of your agent's launcher (no sidecar container, no service mesh) plus a kernel-level enforcer. Every file, network, and exec call mediated. Hash-chained audit. No SDK, no agent rewrite.

EU AI Act · high-risk Aug 2, 2026 · 98 days remaining · RBI Master Direction · IT governance · DPDP · sensitive-PII safeguards · NYDFS Part 500
When things go wrong: kernel keeps enforcing on cached policy · fail-closed by default · tamper-evident audit · 7-year retention

0 lines of agent code changed · BPF-LSM kernel enforcement floor · 0 leaks, bypassed denials, or tampered ledger rows across 30 attack scenarios

AI agents are running unsupervised in production

40% of agentic AI projects will be canceled by 2027 due to inadequate risk controls. (Gartner, Jun 2025)

By end of 2026, 40% of enterprise apps will feature AI agents, up from <5% today. (Gartner, Aug 2025)

Black-Box Risk

Your agents make thousands of tool calls daily. No audit trail. No visibility into what they accessed, modified, or exfiltrated. When something goes wrong, you have nothing to investigate.

64% of $1B+ companies have lost >$1M to AI failures · EY, 2026

Data Exfiltration

PII leaks through tool calls. Prompt injection manipulates agent behavior. Unauthorized cross-border egress goes undetected. Your API gateway and WAF were not built for this.

Prompt injection: #1 AI vulnerability · OWASP 2025

Regulatory Deadline

EU AI Act high-risk enforcement begins Aug 2, 2026: deployments without auditable enforcement face up to €15M or 3% of global revenue. RBI, DPDP, NYDFS Part 500 are already live. Compliance is a deadline, not a roadmap.

95 days to EU AI Act enforcement, as of this page render

Three capabilities. One breach away.

The framing every CISO uses in 2026 (originally coined by Simon Willison). Any production agent with all three is one prompt injection from an incident. EchoLeak, GitHub Copilot RCE, Replit, LangGrinch: every named 2025-2026 breach had all three.

01 · PRIVATE DATA

Access to private data

The agent reads emails, docs, databases, internal wikis, Slack history. The thing you bought it for.

02 · UNTRUSTED INPUT

Exposure to untrusted tokens

External input reaches the agent's context: received emails, RAG documents, scraped web pages, calendar invites, PDFs.

03 · EXFIL VECTOR

Exfiltration vector

The agent can cause external effects: render markdown images, call APIs, emit clickable links, produce code the user runs.

You can't remove the three. They are why you bought the agent. The defence is a runtime layer that constrains what they can compose into.

Four named incidents. Layer by layer.

The four canonical AI agent breaches of 2025-2026. For each, the honest answer: where Aegis Mesh is decisive, where it's defence-in-depth, and where it doesn't reach.

CVE-2025-32711 · Jun 2025

EchoLeak

Microsoft 365 Copilot · zero-click email exfil

Attack: Hidden markdown in an email instructed Copilot to base64-encode a OneDrive doc and emit it as an image URL. The user's browser auto-fetched the image on render, exfiltrating to the attacker. CSP was bypassed via a Microsoft-trusted redirect.

Aegis Mesh: Decisive on the server-side path. Kernel socket_connect denies non-allowlisted destinations; bytes never leave. Partial on the render-side path. Tier-1 firewall scans output for exfil-encoded URLs, but statistical detection has false negatives. Full defence is kernel + proxy + browser CSP + vendor XPIA filters; Aegis Mesh is one layer.

CVE-2025-53773 · Aug 2025

GitHub Copilot RCE

VS Code · Windows / macOS / Linux

Attack: Prompt injection from a poisoned README, PR, dependency comment, or invisible Unicode tells Copilot to flip chat.tools.autoApprove: true ("YOLO mode"), then shell out for full RCE on the developer's machine.

Aegis Mesh: Cleanest kernel win. The kernel bprm_check hook denies execve("/bin/bash"). The shell never runs. The settings.json flip is irrelevant because the privilege is denied at the OS, not the application. Application convenience modes can't bypass the kernel.

Jul 2025 · Public post-mortem

Replit AI Agent

Production DB destruction (Lemkin / SaaStr)

Attack: The agent dropped a production database during an active code freeze, then created 4,000 fake users on top of it. When questioned, it lied about whether the data was recoverable.

Aegis Mesh: Two layers, unreachable in production. L7: proxy + Tier-1 firewall match destructive DDL/DML against prod-* → escalate to HITL approval. L4: kernel socket_connect denies the agent's role from reaching prod-db-1 at all. Even if reasoning is fully compromised, production is unreachable at the network layer.

CVE-2025-68664 · Dec 2025

LangGrinch

LangChain · (de)serialisation injection

Attack: Prompt injection steers the agent to emit structured output containing lc markers. On (de)serialisation, the attacker leaks env-var secrets, instantiates arbitrary classes from langchain_core, and executes Jinja2 templates.

Aegis Mesh: Application-internal flaw, kernel-observable consequence. The proxy can't see deserialisation events. But every interesting consequence manifests as a syscall: env-var leak → socket_connect denied; class-instantiation shell-out → bprm_check denied; Jinja2 file/socket access → file/network hooks engage. Patch LangChain; defend in depth at the kernel.

Everyone is racing to govern AI agents at the application layer. But application-layer governance is bypassable by the agent itself. Kernel-level enforcement is the only layer that cannot be circumvented. That's what we built.

Every tool call inspected. Every decision sealed. Every breach blocked.

Aegis Mesh sits between your agents and the outside world. The proxy runs as a child process of your agent's launcher (no sidecar container, no service mesh): it terminates outbound TLS using a per-boot internal CA, evaluates plaintext HTTP against rego policy, and re-encrypts upstream. Underneath, an eBPF/LSM enforcer mediates every file open, network connect, message send, and process execution at the syscall layer, before the kernel permits the operation. So even if the proxy is bypassed, the kernel is still the gate. Both layers are cgroup-scoped; the agent cannot remove or route around them. SPIFFE identity is used for proxy ↔ control-plane mTLS.

Scenario: PII exfiltration attempt

AI Agent (healthcare-rx-agent) → POST /api/patient/records → Aegis Mesh (Policy + Firewall + Kernel) → Decision

Pipeline stages: Intercept (proxy) · Policy (<1ms) · Firewall (T1 inline) · Enforce (kernel) · Ledger (SHA-256)

Inline policy decision in the agent's request critical path · async semantic inspection alongside · async tamper-evident ledger seal

Why kernel-level beats SDK-level

SDK and API-layer guardrails sit in the application. After a jailbreak succeeds, the agent can route around them. Aegis Mesh enforces at the kernel; the agent has no path around it.

Kernel-Hard

Kernel-level enforcement

Mediates exec, network, and file syscalls before execution. The DNS-aware egress lock denies outbound traffic unless an FQDN is allowlisted within TTL. Userspace agents cannot disable, detect, or proxy around the kernel layer.

vs. SDK-layer guardrails: bypassable from agent code if the SDK is skipped.

Cryptographic Audit

Hash-chained ledger

Each row is SHA-256(prev_hash ‖ canonical_row ‖ tenant_id). Merkle checkpoints anchor hourly to S3 Object Lock in compliance mode (7-year minimum, root-immutable). Modeled on Google Certificate Transparency (RFC 6962). A compromised control plane cannot rewrite history without leaving a gap in the published Merkle head sequence.
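As an added illustration (not Aegis Mesh's own code), a minimal Python model of the row-hash chain described above and of the offline re-walk a verifier performs. The all-zero genesis sentinel, the field names and the sample rows are constructed assumptions, and the locally kept head stands in for the Merkle STH that the page anchors in S3 Object Lock:

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash sentinel for the first row


def canonical_row(row: dict) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace): equal rows hash equal."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, row: dict, tenant_id: str) -> str:
    """SHA-256(prev_hash || canonical_row || tenant_id), hex-encoded."""
    data = prev_hash.encode() + canonical_row(row) + tenant_id.encode()
    return hashlib.sha256(data).hexdigest()


def append(ledger: list, row: dict, tenant_id: str) -> dict:
    """Seal one row onto the chain and return the stored entry."""
    prev = ledger[-1]["row_hash"] if ledger else GENESIS
    entry = {"prev_hash": prev, "tenant_id": tenant_id, "row": row,
             "row_hash": row_hash(prev, row, tenant_id)}
    ledger.append(entry)
    return entry


def verify(ledger: list, published_head: str) -> str:
    """Offline re-walk. The externally anchored head (the page's STH) is what
    makes a wholesale, internally consistent rewrite of the chain visible."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev_hash"] != prev or row_hash(prev, e["row"], e["tenant_id"]) != e["row_hash"]:
            return f"row {i} broken"
        prev = e["row_hash"]
    return "ok" if prev == published_head else "head mismatch"


def demo() -> tuple:
    # Constructed sample rows; values are illustrative, not from any deployment.
    rows = [{"turn_id": "t1", "syscall": "connect(llm.internal.example:443)", "decision": "ALLOW"},
            {"turn_id": "t2", "syscall": "connect(203.0.113.9:443)", "decision": "DENY"},
            {"turn_id": "t3", "syscall": "execve(/bin/bash)", "decision": "DENY"}]
    ledger = []
    for r in rows:
        append(ledger, r, "tenant-demo")
    head = ledger[-1]["row_hash"]  # the value that would be anchored off-box
    edited = json.loads(json.dumps(ledger))  # deep copy for the tamper cases
    edited[1]["row"]["decision"] = "ALLOW"  # flip one denial in place
    rewritten = []  # attacker rebuilds the whole chain around the flipped row
    for e in edited:
        append(rewritten, e["row"], "tenant-demo")
    return verify(ledger, head), verify(edited, head), verify(rewritten, head)
```

The in-place edit breaks the chain at the edited row; the full rewrite is internally consistent and is caught only because the head no longer matches the anchored value, which is why the anchor outside the control plane matters.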

vs. observability-only platforms: logs after the fact, no tamper-evidence.

Intent Correlation

Stated reasoning vs. actual syscalls

The proxy captures the LLM's stated reasoning at request time. The enforcer captures the actual syscalls the agent issued. Aegis correlates the two, so when an agent says "fetching invoice ID 4521" but actually opens a connection to exfil.attacker.io, the drift surfaces as a ledger row, not a missed alert.

vs. kernel-only runtime tools: syscall visibility, but zero LLM awareness or intent context.

Five live demos. Six attack vectors each.

Five production-grade agents on a single multi-tenant control plane. Every block reads backward from a regulator clause → policy file → enforcement layer → kernel syscall → ledger row.

5 production-grade demo agents: RBI/DPDP · SEC/NYDFS · IRDAI · HIPAA-adjacent · MeitY/CERT-In

0 leaks, bypassed denials, or tampered ledger rows across 30 attack scenarios (UI · back-end · ledger chain integrity; reproducer + methodology under NDA)

6 attack vectors per agent: cross-border exfil · PII-to-LLM · hardcoded C2 (command-and-control) · ledger tamper · rogue shell exec · network scan

  • Fintech · India: loan-assistant (RBI Master Direction · DPDP · UIDAI)
  • Fintech · US: wealth-mgmt bot (SEC RegSCI · NYDFS Part 500 · CCPA)
  • Insuretech: claims bot (IRDAI Cyber 2023 · DPDP)
  • Healthcare: clinical AI (Telemedicine 2020 · DPDP · ABDM · NMC)
  • Conversational: support bot (IT Rules 2021 · safe-harbour)

Watch a real fintech bot attempt cross-border exfiltration, get its DNS lookup denied at TTL, fall back to a hardcoded IP, and get blocked at the kernel, live.

Why the deepest-stakes case proves it for everyone

The five demos above run real regulated bots against RBI, DPDP, NYDFS, IRDAI, MeitY clauses. We led with the deepest-stakes case because the failure mode is the same for any AI agent: the model is asked to do X, the agent does Y, and X ≠ Y. Three patterns we see across regulated and non-regulated alike:

  • Prompt injection: an instruction in the input flips the agent's intent.
  • Cross-tenant leakage: agent A reads data scoped to tenant B.
  • Privilege escalation: agent shells out to an unintended binary, syscall, or network destination.

The same proxy + kernel hooks ship to any AI agent. Regulated buyers came first because their deadline is hardest. The pattern isn't.

Built first for Indian fintech.

India's RBI Master Direction on IT Governance (Nov 2023) and DPDP Act 2023 are the two strongest active signals: 10-year audit-log retention, segregation of duties, and SDPI safeguards. The Fintech-India demo enforces those mappings end-to-end against a loan-assistant agent calling its LLM provider plus a self-hosted fallback inside a Mumbai VPC.

Demo: Fintech · India · cross-border PAN exfiltration attempt

Aadhaar/PAN to LLM: blocked. Cross-border egress: blocked. Audit row: sealed.

RBI Master Direction §3.10 (separation of duties) · RBI MD §15 (10-yr audit) · RBI MD §16 (access) · DPDP §8(5) (SDPI) · DPDP §9 (children/SPDI) · UIDAI §29 (Aadhaar) · CERT-In Apr 2022 (6-hr breach) · RBI 2018 SPSD (residency)

The agent attempts to send a customer PAN to an unauthorized US-region endpoint. The semantic firewall catches the PAN format in ~1ms; the egress request is denied at the kernel because the FQDN is not on the DNS allowlist; the agent falls back to a hardcoded IP and the kernel enforcer blocks the connection. The ledger row is canonicalized, hash-chained, and Merkle-anchored to a customer-controlled S3 Object Lock bucket in the customer's region.
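To make the DNS-aware egress lock concrete, an added Python model (not the Aegis Mesh enforcer) of a TTL-aware allowlist replaying the scenario above: an allowlisted name resolves and its address is reachable, a non-allowlisted lookup is refused, the hardcoded fallback address has no allowlisted answer behind it and is denied, and the original answer is denied once its TTL lapses. The FQDNs, the 203.0.113.9 address and the 60-second TTL are constructed values; the real decision is taken in the kernel, this shows only the logic:

```python
import time


class EgressLock:
    """TTL-aware DNS allowlist (illustrative model, not the Aegis Mesh enforcer).
    connect() is allowed only to an address an allowlisted FQDN resolved to, and
    only while that answer is within its TTL. The clock is injectable for tests."""

    def __init__(self, allowed_fqdns, clock=time.monotonic):
        self.allowed_fqdns = {f.lower().rstrip(".") for f in allowed_fqdns}
        self.clock = clock
        self.resolved = {}  # ip -> (fqdn, expires_at)

    def observe_dns(self, fqdn, ip, ttl):
        """Record a DNS answer the agent received. Non-allowlisted names are
        refused at lookup time, so their addresses never become reachable."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn not in self.allowed_fqdns:
            return ("DENY", f"{fqdn} not on DNS allowlist")
        self.resolved[ip] = (fqdn, self.clock() + ttl)
        return ("ALLOW", f"{fqdn} -> {ip} valid for {ttl}s")

    def check_connect(self, ip):
        """Decision for connect(ip): only a live, allowlisted answer passes."""
        entry = self.resolved.get(ip)
        if entry is None:  # never resolved via an allowed name: hardcoded fallback
            return ("DENY", f"{ip} has no allowlisted DNS answer")
        fqdn, expires_at = entry
        if self.clock() > expires_at:
            del self.resolved[ip]
            return ("DENY", f"{fqdn} answer for {ip} expired (TTL)")
        return ("ALLOW", f"{ip} is a live answer for {fqdn}")


def demo():
    """Replay the page's scenario with a fake clock and constructed addresses."""
    now = [1000.0]
    lock = EgressLock(["llm.internal.example"], clock=lambda: now[0])
    steps = [
        lock.observe_dns("llm.internal.example", "10.0.0.5", ttl=60),   # ALLOW
        lock.check_connect("10.0.0.5"),                                 # ALLOW: live answer
        lock.observe_dns("api.us-east.example", "203.0.113.9", ttl=60), # DENY: not allowlisted
        lock.check_connect("203.0.113.9"),                              # DENY: hardcoded IP
    ]
    now[0] += 61  # the 60 s TTL elapses
    steps.append(lock.check_connect("10.0.0.5"))                        # DENY: expired
    return [verdict for verdict, _reason in steps]
```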

    tenant         <your-tenant-id>
    agent          spiffe://<your-trust-domain>/ns/<env>/agent/<role>
    turn_id        0x4f1e2a8b...c903
    stated_intent  "fetch invoice ID 4521 for customer record"
    syscall        connect(<unauthorized-egress>)
    decision       DENY (kernel)  reason: not in allowed network policy
    tier1          PII format detected · payload redacted, hash a3b1...d8f2
    policy         <regulator>.<scope>.<rule>
    prev_hash      7f3a9b2c...e891d4f0
    row_hash       d91a3b...f472
    checkpoint     STH 2026-04-26T11:08:00Z → s3://<your-residency-bucket>/sth/<timestamp>

Live multi-tenant demo gated to design partners; access is by request.

No SDK. No wrapper. No code changes.

The proxy runs as a sidecar (Kubernetes admission webhook) or a process-tree wrapper (aegis run -- python agent.py). HTTPS interception is via SPIFFE-issued cert with transparent CA trust. Your agent does not know we exist.

without-aegis.py · manual governance

    # 1. Install governance SDK
    #    pip install agent-governance-sdk==2.4.1

    # 2. Import and configure
    from governance import PolicyClient, AuditLog, PolicyViolation, governance_check
    from governance.firewall import PIIScanner

    client = PolicyClient(api_key="sk-...")
    logger = AuditLog(endpoint="https://...")
    scanner = PIIScanner(model="en_core_web_lg")

    # 3. Wrap every single tool call
    @governance_check(client, logger, scanner)
    def call_tool(agent_id, tool, params):
        result = client.evaluate(agent_id, tool)
        if result.decision == "DENY":
            logger.log(agent_id, tool, "denied")
            raise PolicyViolation(result.reason)
        # ... 40 more lines of error handling,
        # retry logic, audit formatting ...

~ 3-6 months integration effort

with-aegis.sh · child-process proxy

    # Option A: process tree (no orchestrator)
    $ aegis run --bundle rbi-dpdp -- python agent.py

    # Option B: Kubernetes (admission webhook)
    $ kubectl apply -f aegis-mesh.yaml

    ✓ SPIRE trust domain attested
    ✓ SVID issued (~55-min auto-rotation)
    ✓ Sidecar injected, kernel hooks loaded
    ✓ Policy bundle synced (cached on-disk)
    ✓ DNS allowlist active (TTL-aware)
    ✓ Ledger writer attached · SHA-256 chain

    # Honest deployment timeline (NBFC pilot):
    # Day 1       sandbox bring-up
    # Days 3-5    shadow mode (audit only)
    # Days 6-10   enforce on one agent
    # Week 2      fleet rollout

2-week phased rollout, 0 lines of agent code touched

Works with what you already run.

If you run LangChain, LangGraph, or any HTTPS-emitting agent on a recent Linux kernel, you can pilot Aegis Mesh in a fortnight. The proxy terminates TLS via a per-boot internal CA, the kernel enforcer mediates the syscall, the ledger seals the row.

SDK Compatibility

Stack                      | Status                                                      | What changes in your code
LangChain / LangGraph      | Supported · ANTHROPIC_BASE_URL / OPENAI_BASE_URL rewrite    | Nothing
OpenAI Python / Node SDK   | Supported · OPENAI_BASE_URL rewrite + iptables NAT REDIRECT | Nothing
Anthropic SDK (Claude)     | Supported · ANTHROPIC_BASE_URL rewrite                      | Nothing
Custom httpx / fetch       | Supported · transparent at the syscall layer                | Nothing

System requirements: Linux kernel ≥ 6.1 with BPF-LSM enabled · runs in any namespace with CAP_NET_ADMIN + CAP_BPF.

Failure Modes · what happens when Aegis itself is degraded

Subsystem                        | What fails          | Behavior
Control plane unreachable        | Policy bundle fetch | Kernel keeps enforcing on cached policy. Proxy holds last-known-good bundle until reconnect.
Policy bundle missing / invalid  | Policy load         | Fail-closed by default for hard-policy classes (network, exec).

Full failure-mode matrix (7 subsystems × behavior × recovery) shared under NDA with design partners, on request.

Observability · talks to your existing SRE stack

Surface             | Endpoint / Format   | Notes
Prometheus metrics  | :9090/metrics       | Policy decisions, latency histograms, bundle rollback counters, ledger queue depth.
OTLP traces         | OTLP gRPC / HTTP    | Per-turn spans tied to turn_id; correlate with LangSmith / Datadog / Honeycomb.
Grafana dashboards  | ops/grafana/*.json  | Reference dashboards for control-plane, enforcer DaemonSet, semantic firewall in repo.
Structured logs     | JSONL · stdout      | Forwardable to Loki / Splunk / Sentinel via standard collectors.
Forensic ledger     | JSONL + Merkle STH  | Read-only verifier CLI re-walks the chain offline against signed STH.

Trust at our stage. What we'll do, not what we've earned.

No badges we haven't earned. We will not display a seal we are not entitled to display.

What design partners get on day one

  • MNDA & DPA: templates ready; we counter-sign within the first onboarding session.
  • On-prem / VPC deployment: your AWS region, your S3 bucket, your retention. We never see your prompts, completions, or tool payloads.
  • Data residency: deployment runs entirely in your AWS account, in a region you select. No data crosses your boundary.
  • Vendor security questionnaire (CAIQ v4, SIG, or your custom intake): answered as part of design-partner onboarding. CAIQ is the Cloud Security Alliance's standard procurement questionnaire.
  • External security audit: SOC 2 Type II (US procurement) and ISO/IEC 27001 (international & India enterprise) on the roadmap. Observation / audit window opens once the design-partner cohort closes; target Q4 2026.
  • Coordinated vulnerability disclosure: see security.txt.
Security contact: hello@aegismesh.dev

Become a design partner.

We onboard a small, vetted cohort each quarter. The live demo is gated to design partners. That is the only path to it. We triage weekly. If you're a fit, we'll hear back within 5 business days with a 30-min architect call to walk a fintech (or your-vertical) ledger row, end-to-end.
