AI Agent Assembly — Enterprise Documentation

Welcome to the AI Agent Assembly enterprise documentation site.

AI Agent Assembly is a governance-native runtime for AI agents. It enforces policy, tracks costs, and intercepts unsafe actions across your entire AI agent fleet — without changing your existing agent code.

Who this documentation is for

This site is for enterprise evaluators, security teams, and operators assessing AI Agent Assembly for production adoption.

If you are a developer looking to contribute or integrate at the code level, see the open-source documentation.

What you will find here

Section	Purpose
Security Model	STRIDE threat analysis, IronClaw five-layer defense, cryptographic primitives
Why AI Agent Assembly?	Feature comparison against Langfuse, Helicone, Opik, and Pillar Security
Open Core Boundary	What is Apache-2.0 licensed vs. proprietary; the open-core business model
Quick Start (SaaS)	Zero to governed agent in under 5 minutes using the SaaS platform
Cloud Deployment	Tenant provisioning, SSO, billing, and region selection
Policy Reference	Every YAML policy field documented with type, default, and examples

The three-layer interception model

AI Agent Assembly enforces governance through three independently deployable layers:

SDK layer (in-process) — language SDKs wrap your agent calls and enforce pre-execution allow/deny before any network egress occurs.
Sidecar proxy (aa-proxy) — intercepts outbound HTTPS via MitM with a per-host CA, catching anything the SDK misses without code changes.
eBPF sensor (aa-ebpf) — kernel-level hooks watching SSL libraries and process syscalls; catches bypass attempts at the OS level (Linux only).

All three layers report to the gateway, which evaluates policy and tracks per-team budgets.

Last reviewed: 2026-05-10 — AI Agent Assembly Team

Security Model

This page documents the security posture of AI Agent Assembly for enterprise security and compliance teams.

IronClaw Five-Layer Defense

AI Agent Assembly organizes its security controls into five named layers. Each layer is independently deployable and adds defense-in-depth:

Layer	Name	What it does
1	Boundary	Network perimeter: sidecar proxy (`aa-proxy`) enforces egress policy; eBPF sensor (`aa-ebpf`) catches kernel-level bypass attempts
2	Identity	Agent and user authentication: JWT-based agent identity issued by the gateway; operator authentication via SAML 2.0 / OIDC SSO
3	Policy	Runtime governance: YAML/JSON policy rules evaluated by the gateway policy engine before every agent action
4	Vault	Secret and credential management: AES-256-GCM encryption at rest for stored secrets; Ed25519-signed tokens for inter-component trust
5	Telemetry	Audit and observability: append-only event log for every agent action; Slack/webhook connectors for real-time alerting on policy violations

STRIDE Threat Model

The table below maps each STRIDE category to the five primary components of AI Agent Assembly and the mitigating controls in place.

Component	Spoofing	Tampering	Repudiation	Info Disclosure	Denial of Service	Elevation of Privilege
Language SDK	Ed25519-signed agent tokens prevent impersonation	SDK integrity verified by Cargo/npm/PyPI package hash	Every call logged with agent ID and timestamp	SDK communicates over mTLS; secrets never logged	Rate limiting enforced by gateway budget tracker	Policy engine enforces agent scope; no ambient privilege
Gateway (aa-gateway)	JWT validation on all gRPC connections	Input validation on all RPCs; schema-enforced policy rules	Append-only audit log with tamper-evident signatures	Internal-only gRPC endpoint; never exposed directly	Per-team budget caps block runaway agent spending	RBAC on all administrative API endpoints
Sidecar Proxy (aa-proxy)	Per-host CA pinning prevents MitM spoofing by agents	TLS termination with certificate validation on every upstream	All intercepted requests logged by proxy before forwarding	Proxy does not log request/response bodies by default	Connection pool limits per agent; circuit breaker on upstream failure	Proxy runs as unprivileged user; no write access to host filesystem
eBPF Sensor (aa-ebpf)	eBPF program loaded only by privileged system service	BPF verifier rejects unsafe programs at load time	Kernel event timestamps are monotonic; cannot be retroactively altered	eBPF only reads SSL buffers; no access to unrelated memory regions	eBPF programs have bounded execution; verifier enforces loop limits	Loaded via CAP_BPF only; capability is dropped after program load
REST API (aa-api)	SAML/OIDC token validation on every request	OpenAPI schema validation rejects malformed inputs	All mutating API calls logged with actor identity	HTTPS-only; HSTS enforced; no sensitive data in query strings	Rate limiting per IP and per tenant; DDoS mitigation via upstream load balancer	Tenant isolation enforced at API layer; cross-tenant access rejected

Traceability: Each STRIDE row maps to a specific IronClaw layer control. For configuration paths and runbook references, consult the security runbook in the agent-assembly repository.

Cryptographic Primitives

Primitive	Algorithm	Key length	Usage	Rotation cadence (NIST SP 800-57)
Agent signing key	Ed25519	256-bit	Signs agent identity tokens issued by the gateway	Every 90 days or on compromise
Vault encryption	AES-256-GCM	256-bit	Encrypts secrets and credentials at rest	Every 1 year or on compromise
Callback / webhook signature	HMAC-SHA256	256-bit	Signs outbound webhook payloads so receivers can verify authenticity	Every 90 days or on rotation of webhook secret
TLS (transport)	TLS 1.3	ECDHE-256	All inter-component and external communication	Certificate: every 90 days (auto-renewed)

All keys are generated using a CSPRNG. No MD5, SHA-1, or DES primitives are used anywhere in the stack.

Authentication Flow

SDK → Gateway (gRPC)

sequenceDiagram
  autonumber
  participant SDK as Language SDK
  participant GW as aa-gateway

  SDK->>GW: RegisterAgent(agent_id, public_key, metadata)
  GW-->>SDK: AgentToken (Ed25519-signed JWT, TTL=1h)
  Note over SDK,GW: All subsequent calls carry the AgentToken in gRPC metadata

  SDK->>GW: CheckPolicy(event) [+ AgentToken]
  GW->>GW: Verify Ed25519 signature, check TTL
  GW-->>SDK: PolicyDecision

Operator → Dashboard / CLI (SAML/OIDC)

sequenceDiagram
  autonumber
  participant Ops as Operator
  participant CLI as aasm CLI / Dashboard
  participant API as aa-api
  participant IdP as Enterprise IdP (SAML/OIDC)

  Ops->>CLI: aasm login --sso
  CLI->>IdP: Redirect to IdP with SAML AuthnRequest
  IdP-->>Ops: Login prompt (MFA enforced by IdP)
  Ops->>IdP: Credentials + MFA
  IdP-->>CLI: SAML Assertion / OIDC id_token
  CLI->>API: Exchange assertion for session token
  API-->>CLI: Signed session token (TTL=8h)
  CLI-->>Ops: Login successful

Secrets Management

Secrets (LLM API keys, webhook tokens) are stored encrypted with AES-256-GCM.
The encryption key is derived from a master secret held in the SaaS control plane's hardware security module (HSM).
Secrets are never written to disk in plaintext.
Secrets are never logged, even at DEBUG level.
Secret rotation is supported via the aasm secret rotate command, which re-encrypts in place without service restart.

Audit Log

Every agent action (policy check, event record, budget debit) produces an immutable log entry.
Log entries are signed with HMAC-SHA256 using a log-signing key.
Logs are append-only; no delete or update API exists.
Log retention: configurable per tenant (default: 90 days).
Logs are exportable in JSON or CEF format for SIEM integration.

Compliance Posture

Standard	Status
SOC 2 Type II	In preparation (target: Q3 2026)
ISO 27001	Roadmap (post-SOC 2)
GDPR	Architecture is GDPR-compatible; DPA available on request
CCPA	Covered under SaaS Data Processing Agreement

Why AI Agent Assembly? — competitive positioning and governance differentiation
Cloud Deployment — SSO configuration, SCIM provisioning
Open Core Boundary — which security features are OSS vs enterprise

Last reviewed: 2026-05-10 — AI Agent Assembly Team

Why AI Agent Assembly?

This page helps enterprise evaluators understand where AI Agent Assembly fits relative to other tools in the AI governance and observability space. All competitor data cited from vendor public documentation as of 2026-05-05.

Feature Matrix

Rows are capability axes. Columns: AI Agent Assembly (AAASM), Langfuse, Helicone, Opik, Pillar Security.

Legend: ✓ = full support · partial = limited / gated behind tier · ✗ = not available · n/a = not applicable to product category

Capability	AAASM	Langfuse	Helicone	Opik	Pillar Security
Observability
LLM call tracing (latency, tokens, cost)	✓	✓	✓	✓	partial
Multi-turn conversation tracing	✓	✓	partial	✓	✗
Agent lineage / parent-child spans	✓	✓	✗	partial	✗
SIEM export (JSON / CEF)	✓	✗	✗	✗	partial
Policy enforcement
Pre-execution allow / deny (runtime block)	✓	✗	✗	✗	partial
Policy-as-code (YAML / JSON versioned rules)	✓	✗	✗	✗	✗
Network-level interception (no code change)	✓ (aa-proxy)	✗	✗	✗	✗
Kernel-level bypass detection (eBPF)	✓	✗	✗	✗	✗
PII / secret detection at gateway	✓ (regex rules)	partial (post-hoc)	✗	partial (evaluators)	✓
Vault-backed secrets management
Secrets vault integration	✗	✗	✗	✗	✓
Secret scanning in prompts / outputs	partial (regex policy)	✗	✗	✗	✓
Multi-language SDK
Python SDK	✓	✓	✓	✓	✓
TypeScript SDK	✓	✓	✓	✓	partial
Go SDK	✓	✗	✗	✗	✗
BYO-LLM (provider agnostic)
Works with any LLM provider	✓	✓	✓	✓	✓
Open-source SDK core (Apache-2.0)	✓	✓ (MIT)	✗	✓ (Apache-2.0)	✗
Access control (RBAC)
Role-based access control	✓ (Owner/Admin/Developer/Viewer)	partial	partial	partial	✓
SAML 2.0 / OIDC SSO	✓	partial (Enterprise)	partial (Enterprise)	partial (Enterprise)	✓
SCIM user provisioning	✓	✗	✗	✗	partial
Approval workflows
Human-in-the-loop approval gates	partial (policy deny + alerting)	✗	✗	✗	✓
Automated approval routing	✗	✗	✗	✗	✓
Cost analytics
Per-team token / cost budgets (enforced)	✓	partial (tracking only)	✓ (tracking + alerts)	partial (tracking only)	✗
Budget enforcement (hard deny on exceed)	✓	✗	✗	✗	✗
Audit log immutability
Immutable audit log with tamper-evident signatures	✓ (HMAC-SHA256)	✗	✗	✗	partial
Audit log retention > 30 days	✓ (up to 1 year, Enterprise)	partial (30 days free)	partial	partial	✓
On-premises / self-hosted option
Self-hosted deployment	✗ (SaaS only)	✓	✗ (SaaS only)	✓	✓

Where We Currently Lag

These are capabilities competitors offer that AI Agent Assembly does not yet fully deliver. Linked roadmap tickets where one exists.

Vault-backed secrets management — Pillar Security provides first-class secrets vault integration with automatic secret rotation and injection. AAASM currently supports secret-pattern detection via regex policies but does not integrate with HashiCorp Vault or AWS Secrets Manager.
Automated human-in-the-loop approval workflows — Pillar Security provides structured approval routing with escalation chains. AAASM can deny and alert but does not yet route decisions to a named approver queue.
Self-hosted deployment — Langfuse, Opik, and Pillar Security all support self-hosted deployment. AAASM is SaaS-only in this release; self-hosted is out of scope for the current roadmap (see Open Core Boundary).
Evaluation frameworks and LLM-as-judge scoring — Langfuse and Opik provide built-in evaluation pipelines, dataset management, and automated LLM-as-judge scoring for output quality. AAASM's policy engine operates on patterns and metadata, not semantic quality.
Prompt management and versioning — Langfuse provides a managed prompt registry with version history and A/B comparison. AAASM does not include a prompt registry.

Where We Lead

These are capabilities where AI Agent Assembly provides uniquely strong or differentiated support.

Pre-execution runtime enforcement — AAASM is the only product in this comparison that makes binding allow/deny decisions before an agent action executes. All others are observability tools that record what happened after the fact.
Kernel-level bypass detection via eBPF — aa-ebpf intercepts TLS calls at the SSL library level using Linux uprobes, catching bypass attempts that SDK-only solutions cannot see. No competitor in this matrix offers kernel-level enforcement.
Network-layer interception without code changes — aa-proxy performs MitM HTTPS interception via a per-host CA. Governance can be applied to agents that do not use the SDK. No competitor supports sidecar-proxy-level enforcement.
Policy-as-code with GitOps workflow — AAASM policies are YAML/JSON documents that can be versioned, reviewed, and deployed via standard Git workflows. No competitor in this matrix offers a structured policy language; guardrails in other tools are typically configured through UI forms or proprietary DSLs.
Immutable tamper-evident audit log — AAASM's audit log entries are signed with HMAC-SHA256, making post-hoc alteration detectable. This is a compliance requirement in regulated industries (PCI-DSS, SOC 2 Type II) that no competitor in this matrix fully addresses.

Competitor Documentation References

Last validated: 2026-05-05 against vendor documentation as of that date.

Competitor	Documentation URL
Langfuse	https://langfuse.com/docs
Helicone	https://docs.helicone.ai
Opik	https://www.comet.com/docs/opik
Pillar Security	https://docs.pillar.security

Security Model — STRIDE threat model, IronClaw defense
Open Core Boundary — what is OSS vs enterprise
Quick Start (SaaS) — get started in minutes

Last reviewed: 2026-05-10 — AI Agent Assembly Team

Open Core Boundary

AI Agent Assembly follows an open-core model. The interception infrastructure, policy engine, SDK shims, and CLI are Apache-2.0 open source. Enterprise features — SSO, SCIM, advanced audit, multi-region data residency — are covered by the AAA-Commercial license and available on paid SaaS tiers.

Self-hosted deployment is not available. Regardless of license, AI Agent Assembly is a SaaS-only product. The Apache-2.0 crates are open source for inspection, contribution, and SDK integration — not for self-hosted deployment. There is no bring-your-own-infrastructure path. See Cloud Deployment and Quick Start (SaaS) for the available onboarding paths.

Why Open Core?

The interception and enforcement infrastructure that sits between AI agents and the outside world must be trustworthy, inspectable, and independently auditable. Keeping the core open source is not a marketing decision — it is a direct consequence of the product's security posture. An enterprise deploying AI agents cannot take our word for how the policy engine evaluates rules, how eBPF probes intercept system calls, or how the sidecar proxy terminates TLS. Open source means the enforcement path can be read, reviewed, and verified by a third party without involving us.

The boundary between what is open and what is commercial follows a single principle: enforcement is always open; operational convenience and enterprise compliance infrastructure are commercial. If a feature controls what agents can do, it belongs in the Apache-2.0 core. If a feature controls how operators manage, scale, or audit the system at enterprise grade — SSO federation, automated user lifecycle via SCIM, long-retention tamper-evident audit logs, multi-region data residency — it belongs in the commercial tier. This principle means that a motivated team can always fork, read, or contribute to every security control in the stack, regardless of their subscription status.

Open-sourcing the core also creates a community feedback loop that makes the enforcement logic stronger over time. Security researchers who find a gap in the policy engine, proxy TLS handling, or eBPF program can open an issue or send a pull request. The Apache-2.0 license was chosen specifically because it permits commercial integration without a copyleft obligation — SDK users can embed the shims in proprietary products without the license propagating to their codebase.

Finally, open core without self-hosting is a deliberate choice. We ship the crates as open source so teams can read, audit, and contribute — not so they can run their own private deployment. Operating a multi-tenant SaaS with the security and reliability commitments described in the Security Model requires infrastructure, on-call, and operational expertise that goes far beyond what a compiled binary provides. Keeping deployment SaaS-only lets us uphold the SLA and compliance posture without fragmenting the product across self-managed installs.

Feature Matrix

Feature	Apache-2.0 (OSS)	AAA-Commercial (Enterprise)
Core interception layers
Language SDK (Python, TypeScript, Go)	✅	✅
Sidecar proxy (`aa-proxy`)	✅	✅
eBPF sensor (`aa-ebpf`)	✅	✅
Gateway and policy
Agent registry	✅	✅
Policy engine (allow/deny/audit)	✅	✅
Per-team budget enforcement	✅	✅
Policy-as-code (YAML/JSON)	✅	✅
Authentication and access
API key authentication	✅	✅
SAML 2.0 / OIDC SSO	❌	✅
SCIM user provisioning	❌	✅
Role-based access control (RBAC)	Basic	Full (Owner/Admin/Developer/Viewer)
Audit and compliance
Basic audit log	✅	✅
Tamper-evident signed audit log	❌	✅
Audit log retention > 30 days	❌	✅ (configurable, up to 1 year)
SIEM export (JSON / CEF)	❌	✅
Deployment and SLA
SaaS — shared region	✅ (Free/Team tier)	✅
SaaS — dedicated region	❌	✅ (Enterprise tier)
Multi-region data residency	❌	✅
99.9% uptime SLA	❌	✅ (Enterprise tier)
Dedicated SRE contact	❌	✅ (Enterprise tier)
Support
Community forum	✅	✅
Business-hours support	❌	✅ (Team tier)
24/7 support	❌	✅ (Enterprise tier)

Crate Licensing

All Cargo crates in the agent-assembly workspace are Apache-2.0:

Crate	License	Notes
`aa-core`	Apache-2.0	Core domain types — always OSS
`aa-proto`	Apache-2.0	Protobuf definitions — always OSS
`aa-runtime`	Apache-2.0	Async runtime utilities — always OSS
`aa-gateway`	Apache-2.0	Gateway with policy engine — OSS core; enterprise features gated behind SaaS config
`aa-api`	Apache-2.0	REST API surface — OSS
`aa-proxy`	Apache-2.0	Sidecar proxy — always OSS
`aa-ebpf`	Apache-2.0	eBPF user-space loader — always OSS
`aa-ebpf-common`	Apache-2.0	eBPF shared types — always OSS
`aa-ffi-python`	Apache-2.0	Python SDK native shim — always OSS
`aa-ffi-node`	Apache-2.0	TypeScript SDK native binding — always OSS
`aa-ffi-go`	Apache-2.0	Go SDK CGo shim — always OSS
`aa-wasm`	Apache-2.0	WebAssembly build — always OSS
`aa-cli`	Apache-2.0	`aasm` operator CLI — always OSS
`conformance`	Apache-2.0	Conformance test suite — always OSS

Apache 2.0 key terms

The Apache License 2.0 grants users the right to use, reproduce, prepare derivative works, distribute, and sublicense the software with or without modification. It does not grant trademark rights, and it requires preservation of copyright notices and attribution in distributed works. See the full license text at https://www.apache.org/licenses/LICENSE-2.0.

Enterprise features (SSO, SCIM, tamper-evident audit, dedicated regions) are delivered via SaaS-side configuration — not via separate closed-source crates. The OSS codebase contains all interception and enforcement logic.

Contributing to the OSS Core

The Apache-2.0 crates welcome community contributions. See CONTRIBUTING.md in the agent-assembly repository for:

Branching and commit conventions
How to run the test suite (cargo nextest run --workspace)
The CLA requirement for non-trivial contributions
How to file issues and feature requests

Enterprise feature requests (SSO, SCIM, audit extensions) are tracked as AAASM JIRA tickets in the Enterprise component and delivered by the AI Agent Assembly team.

Security Model — cryptographic primitives and audit log details
Cloud Deployment — SSO, SCIM, SLA tier comparison
Why AI Agent Assembly? — open-source posture vs competitors

Last reviewed: 2026-05-10 · Legal approver: @legal-team

Quick Start (SaaS)

AI Agent Assembly is a SaaS-only product. Choose the tier that matches your team size and compliance requirements, then follow the path below to connect your first AI agent.

Self-hosted deployment is not available. There is no self-hosted, on-premises, or bring-your-own-infrastructure option. All governance, policy evaluation, and audit logging run in the AI Agent Assembly cloud. See Open Core Boundary for the licensing model.

LangChain: Zero-to-Governance in Under 5 Minutes

This end-to-end example takes a LangChain agent from zero to fully governed in under 5 minutes using any SaaS tier.

Prerequisites: Python 3.12+, an OpenAI API key, and a Pro (or higher) workspace.

Step 1 — Install packages

pip install agent-assembly langchain langchain-openai langchain-core

Step 2 — Set credentials

export AAA_WORKSPACE_ID="<your-workspace-id>"   # from Settings → Workspace
export AAA_API_KEY="<your-api-key>"             # from Settings → API Keys
export OPENAI_API_KEY="<your-openai-key>"

Step 3 — Instrument your LangChain agent

import os
from agent_assembly import AgentAssembly
from langchain_openai import ChatOpenAI
from langchain.agents import AgentExecutor, create_openai_tools_agent
from langchain_core.prompts import ChatPromptTemplate, MessagesPlaceholder
from langchain_core.tools import tool

aaa = AgentAssembly()

@tool
def summarise_text(text: str) -> str:
    """Return a one-sentence summary of the provided text."""
    return text[:200] + "..." if len(text) > 200 else text

@aaa.agent(name="langchain-research-agent")
def run_agent(question: str) -> str:
    llm = ChatOpenAI(model="gpt-4o", temperature=0)
    tools = [summarise_text]

    prompt = ChatPromptTemplate.from_messages([
        ("system", "You are a helpful research assistant."),
        ("human", "{input}"),
        MessagesPlaceholder(variable_name="agent_scratchpad"),
    ])

    agent = create_openai_tools_agent(llm, tools, prompt)
    executor = AgentExecutor(agent=agent, tools=tools, verbose=False)
    result = executor.invoke({"input": question})
    return result["output"]

if __name__ == "__main__":
    answer = run_agent("What is AI Agent Assembly and why does it matter for enterprise governance?")
    print(answer)

The @aaa.agent decorator registers langchain-research-agent with the gateway, wraps every invocation with pre-execution policy evaluation, and emits an audit event for every LangChain call — without modifying LangChain internals.

Step 4 — Activate a starter policy

In the console, open Policies → New Policy and apply the starter template (allow all, audit all). This takes under 30 seconds. Every subsequent call from langchain-research-agent is now governed, audited, and visible in the Audit Log panel.

What governance looks like at runtime

[AAASM] Agent registered: langchain-research-agent (workspace: ws-a1b2...)
[AAASM] Policy check: ALLOW  event=llm_call  agent=langchain-research-agent
[AAASM] Audit event written: id=evt_01j...  latency=2ms

Pro Tier

Signup: self-serve at https://app.agent-assembly.io/signup

Included features: up to 10 agents, basic policy engine (allow/deny/audit), 30-day audit log retention, community forum support.

Expected onboarding time: ~10 minutes from signup to first governed agent call.

Primary contact channel: self-serve; community forum at https://community.agent-assembly.io.

Navigate to https://app.agent-assembly.io/signup and create an account with your work email.
Verify your email address.
On the Workspace Setup page, enter a workspace name (e.g., acme-ai-ops) and select your primary region.
Copy your Workspace ID and generate an API Key under Settings → API Keys.
Install the SDK:

pip install agent-assembly          # Python
pnpm add @agent-assembly/sdk        # TypeScript
go get github.com/agent-assembly/go-sdk  # Go

Set credentials:

export AAA_WORKSPACE_ID="<your-workspace-id>"
export AAA_API_KEY="<your-api-key>"

Instrument your agent entry point:

from agent_assembly import AgentAssembly

aaa = AgentAssembly()

@aaa.agent(name="my-first-agent")
def run_agent(prompt: str) -> str:
    import openai
    client = openai.OpenAI()
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": prompt}],
    )
    return response.choices[0].message.content

Open Policies → New Policy in the console and activate a starter policy. Your agent is now governed.

Business Tier

Signup: self-serve at https://app.agent-assembly.io/signup — select Business during workspace setup.

Included features: up to 50 agents, full policy engine, SSO (SAML 2.0 / OIDC), 90-day audit log retention, SIEM export, business-hours support (24h response).

Expected onboarding time: ~30 minutes, including SSO connect.

Primary contact channel: support ticket via https://app.agent-assembly.io/support.

Sign up at https://app.agent-assembly.io/signup, select the Business tier.
On the Billing page, enter your credit card details (processed via Stripe).
Complete workspace setup (name, region) as in the Pro flow above.
Connect SSO: navigate to Settings → Authentication → SSO and follow the SAML 2.0 or OIDC setup steps. SSO is optional at the Business tier but recommended for teams.
Invite your team under Settings → Users — assign roles (Admin, Developer, Viewer).
Instrument agents and create policies as in the Pro flow.

Enterprise Tier

Signup: form-driven via https://app.agent-assembly.io/contact-sales.

Included features: unlimited agents, dedicated region (data residency), SCIM provisioning, tamper-evident audit log, audit log retention up to 1 year, 99.9% SLA, 24/7 support (4h response), dedicated SRE contact.

Expected onboarding time: 1–3 weeks, driven by procurement and security review.

Primary contact channel: your assigned Sales Engineer (SE).

Enterprise procurement timeline

Week	Activity
Week 1	Submit the `/contact-sales` form → initial SE call (30 min) → receive the Enterprise Order Form and DPA/BAA templates
Week 2	Legal review of DPA / BAA → IT security review → contract signature
Week 3	SE-led workspace provisioning → SSO + SCIM setup with your IdP team → pilot agent onboarding

Enterprise-specific steps

Submit the contact form at https://app.agent-assembly.io/contact-sales. Include estimated agent count, primary region preference, and compliance requirements (SOC 2, HIPAA, GDPR).
During the SE call, confirm your IdP (Okta, Azure AD, PingFederate, etc.) and data residency requirement.
After contract signature, the SE provisions your workspace in the selected dedicated region and sends your Workspace ID and initial API key.
Configure SSO (SAML or OIDC) per Cloud Deployment → SSO Configuration.
Configure SCIM provisioning per Cloud Deployment → SCIM User Provisioning for automated user lifecycle management.
Configure budgets per Cloud Deployment → Budget Configuration for per-team LLM spend caps.
Instrument agents and create policies as in the Pro flow.

Next Steps

Cloud Deployment — SSO/SCIM deep-dive, region selection, billing, SLA tiers
Policy Reference — full policy rule schema
Open Core Boundary — what's in the OSS core vs enterprise tier

Last reviewed: 2026-05-10 · AI Agent Assembly Team

Cloud Deployment

This page covers enterprise deployment configuration for the AI Agent Assembly SaaS platform: identity federation, user provisioning, regional data residency, and SLA commitments.

Self-hosted deployment is not available. AI Agent Assembly is a SaaS-only product. There is no self-hosted, on-premises, or bring-your-own-infrastructure option. All compute, storage, and governance logic runs in the AI Agent Assembly cloud.

SaaS Regions

AI Agent Assembly is available in the following regions. Data at rest and in transit stays within the selected region.

Region	Location	Data residency
`us-east-1`	Northern Virginia, USA	United States
`eu-west-1`	Dublin, Ireland	European Union
`ap-northeast-1`	Tokyo, Japan	Asia-Pacific

Select your primary region when creating a workspace (see Quick Start (SaaS)). Region selection is permanent — contact support to migrate.

Tenant Provisioning

A workspace is the top-level isolation boundary. All agents, policies, budgets, and users belong to a single workspace (tenant).

Tenant creation

Path	Who	How
Self-serve	Pro and Business	Sign up at `https://app.agent-assembly.io/signup`; workspace created immediately after email verification
SE-provisioned	Enterprise	Sales Engineer creates the workspace in the contracted dedicated region after contract signature

Tenant ID format

Tenant IDs (workspace IDs) follow the format ws-<uuid4> — for example, ws-a1b2c3d4-e5f6-7890-abcd-ef1234567890. The workspace ID is shown in Settings → Workspace and is required in all SDK configuration.

Default quotas per tier

Tier	Max agents	Max policies	Audit log retention
Free	3	5	7 days
Pro	10	20	30 days
Business	50	100	90 days
Enterprise	Unlimited	Unlimited	Up to 1 year (configurable)

Contact support to request a quota increase.

SSO Configuration

The following diagram shows the SSO authentication flow for a user's first login after SSO is configured.

sequenceDiagram
  autonumber
  participant User as User (Browser)
  participant AAA as AI Agent Assembly
  participant IdP as Identity Provider

  User->>AAA: Navigate to app.agent-assembly.io
  AAA-->>User: Redirect to IdP SSO URL
  User->>IdP: Authenticate (password / MFA)
  IdP-->>User: SAML assertion or OIDC id_token
  User->>AAA: POST assertion / code to ACS / callback URL
  AAA->>IdP: Verify assertion signature (SAML) or exchange code (OIDC)
  IdP-->>AAA: Validated identity claims (email, groups)
  AAA->>AAA: Map groups to AAASM roles (SCIM group-role mapping)
  AAA-->>User: Session cookie issued — workspace access granted

SAML 2.0

In the AI Agent Assembly console, navigate to Settings → Authentication → SSO.
Select SAML 2.0.
Copy the Assertion Consumer Service (ACS) URL and Entity ID shown in the console.
In your IdP (Okta, Azure AD, PingFederate, etc.), create a new SAML application:
- Set the Single Sign-On URL to the ACS URL.
- Set the Audience URI / SP Entity ID to the Entity ID.
- Map the following attributes:

SAML Attribute	Description
`email`	User's email address (required)
`firstName`	User's given name
`lastName`	User's family name
`groups`	Group memberships for role mapping (optional)

Download the IdP metadata XML from your IdP and upload it to the AI Agent Assembly console.
Click Test SSO to verify the configuration before enabling.
Enable Enforce SSO to prevent password-based login for your domain.

OIDC

In the AI Agent Assembly console, navigate to Settings → Authentication → SSO.
Select OpenID Connect (OIDC).
Register AI Agent Assembly as an OIDC client in your IdP:
- Set the Redirect URI to the value shown in the console.
- Request scopes: openid email profile groups.
Enter the following values from your IdP registration:
- Issuer URL (e.g., https://your-idp.example.com)
- Client ID
- Client Secret
Save the configuration and click Test OIDC Login.

SCIM User Provisioning

SCIM 2.0 enables automatic user and group provisioning from your IdP. When SCIM is configured, users are created, updated, and deprovisioned automatically as they are added to or removed from groups in your IdP.

Supported operations

SCIM operation	Supported
Create user	✅
Update user attributes	✅
Deactivate user	✅
Delete user	✅ (deactivates; audit log records are retained)
Create group	✅
Update group membership	✅
Delete group	✅

Configuration steps

In the console, navigate to Settings → Authentication → SCIM.
Click Generate SCIM Token. Copy the token — it is shown only once.
In your IdP, configure the SCIM provisioning connector:
- SCIM Endpoint URL: shown in the console (e.g., https://api.agentassembly.io/scim/v2)
- Authentication Method: Bearer Token
- Bearer Token: the token generated in step 2
Enable provisioning in your IdP and run a test synchronization.
Verify users appear under Settings → Users in the console.

Role-Based Access Control

Workspace members are assigned one of the following roles:

Role	Permissions
Owner	Full workspace administration: billing, SSO config, API keys, user management, all policy operations
Admin	Policy management, agent management, audit log access; cannot modify billing or SSO
Developer	Read agent topology and audit logs; manage own API keys; cannot create or modify policies
Viewer	Read-only access to agent topology, audit logs, and policy list

Roles are assigned in the console under Settings → Users, or automatically via SCIM group-to-role mapping.

SCIM Group → Role Mapping

Configure group-to-role mappings in Settings → Authentication → SCIM → Role Mapping:

IdP Group (example)	Mapped Role
`aaa-owners`	Owner
`aaa-admins`	Admin
`aaa-developers`	Developer
`aaa-viewers`	Viewer

Budget Configuration

Budgets cap per-team LLM spending. The gateway enforces the budget before allowing agent actions.

Configuring a budget

Navigate to Budgets → New Budget.
Set the following fields:

Field	Description
Team name	Name of the team (matches the `team` label on registered agents)
Token limit	Maximum tokens (input + output combined) per window
Cost limit	Maximum USD spend per window
Window	`hourly`, `daily`, `weekly`, or `monthly`
Action on exceeded	`deny` (block further calls) or `alert` (notify only)

Click Save Budget.

Budget enforcement behaviour

Budgets are evaluated after policy rules. A deny policy overrides a budget allow.
When a budget is exceeded and action is deny, agents receive a BudgetExceededError.
Budget state resets at the start of each window (midnight UTC for daily/weekly/monthly).
Budget alerts are delivered to the configured notification channel (Slack, webhook).

SLA Tiers

Tier	Availability SLA	Support response time	Notes
Free	Best effort	Community forum	For evaluation only
Team	99.5% monthly uptime	24h business hours	Up to 50 agents
Enterprise	99.9% monthly uptime	4h any time	Unlimited agents, dedicated SRE contact

SLA credits apply for downtime exceeding the SLA threshold. See the Terms of Service for the full credit schedule.

Billing Setup

Card-based billing (Pro and Business)

Pro and Business tiers are billed monthly via Stripe.

During workspace creation, enter your credit card on the Billing page.
Invoices are emailed to the workspace Owner's address on the first of each month.
Update your payment method any time under Settings → Billing → Payment Method.

Invoice-based billing (Enterprise)

Enterprise customers are billed via net-30 invoice.

The Sales Engineer adds your purchase order number to the workspace at contract signature.
Invoices are issued monthly to the billing contact specified in the Order Form.
Wire transfer and ACH are accepted; credit card is not required.

BAA and DPA (Enterprise)

HIPAA and GDPR compliance documents: Enterprise customers requiring a Business Associate Agreement (BAA) for HIPAA compliance or a Data Processing Agreement (DPA) for GDPR compliance should request these documents during the SE call. Both are countersigned by the AI Agent Assembly legal team before workspace provisioning.

Security Model — authentication flow diagrams, cryptographic primitives
Quick Start (SaaS) — initial workspace setup
Open Core Boundary — which features are on which tier

Last reviewed: 2026-05-10 · AI Agent Assembly Team

Policy Reference

Policies are YAML documents that control what AI agents are allowed, denied, or rate-limited to do. The gateway evaluates every policy before each agent action.

Document Formats

The gateway accepts two formats.

Envelope format (recommended)

Uses apiVersion / kind / metadata / spec wrapping — version-controlled and GitOps-friendly:

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: my-policy         # shown in console and audit log
  version: "1.0.0"        # your policy revision
  description: ...        # optional
spec:
  scope: team:platform
  network:
    allowlist:
      - api.openai.com
  budget:
    daily_limit_usd: 25.0

Flat format

Minimal format without the envelope wrapper — useful for quick testing:

version: "1.0"
scope: global
network:
  allowlist:
    - api.openai.com

Top-Level Fields

Field	Type	Required	Default	Description
`version`	string	No	—	Schema version tag (e.g., `"1.0"`). Informational; not validated.
`scope`	string	No	`global`	Hierarchical scope this policy applies to. See Scope.
`network`	object	No	—	Network egress policy. See network.
`schedule`	object	No	—	Active-hours restriction. See schedule.
`budget`	object	No	—	Per-day / per-month spend cap. See budget.
`data`	object	No	—	PII / credential pattern detection. See data.
`tools`	map	No	`{}`	Per-tool allow/deny/rate configuration. See tools.
`capabilities`	object	No	—	Capability allow/deny lists. See capabilities.
`approval_timeout_secs`	integer	No	`300`	Default seconds before an approval request expires. Must be > 0.
`approval`	object	No	—	Per-policy approval escalation overrides. See approval.

Scope

The scope field determines which agents a policy applies to. Policies cascade from broadest to narrowest — Global → Org → Team → Agent → Tool — with most-restrictive-wins merging.

Value	Example	Applies to
`global`	`scope: global`	Every agent in the workspace (default when absent)
`org:<id>`	`scope: org:acme`	Every agent inside the named organisation
`team:<id>`	`scope: team:platform`	Every agent that belongs to the named team
`agent:<uuid>`	`scope: agent:01234567-89ab-cdef-0123-456789abcdef`	A single specific agent (UUID format)
`tool:<name>`	`scope: tool:slack-mcp`	A specific MCP tool, across all agents otherwise admitted by higher scopes

tool:<name> sits at the most-restrictive end of the cascade. A tool-scoped policy can deny slack-mcp for every agent in team:platform even when team- and agent-level policies would otherwise allow it.

Validation: The agent: variant requires a valid hyphenated UUID. The identifier after : must not be empty. Unknown scope kinds (e.g., project:foo) are rejected with a validation error.

`network`

Controls outbound network connections the agent may initiate.

Field	Type	Required	Description
`network.allowlist`	list of strings	No	Domain glob patterns the agent may connect to. Empty string entries are rejected.

When network is present but allowlist is absent or empty, no outbound connections are permitted.

network:
  allowlist:
    - "api.openai.com"
    - "*.slack.com"
    - "internal-api.corp.example"

`schedule`

Restricts the time window during which the agent is permitted to run.

`schedule.active_hours`

Field	Type	Required	Format	Description
`schedule.active_hours.start`	string	Yes (if active_hours present)	`HH:MM` 24-hour	Window start time
`schedule.active_hours.end`	string	Yes (if active_hours present)	`HH:MM` 24-hour	Window end time; must be later than `start`
`schedule.active_hours.timezone`	string	Yes (if active_hours present)	IANA name	Timezone for window boundary (e.g., `"Asia/Taipei"`, `"UTC"`)

All three sub-fields are required when active_hours is present. start must be earlier than end.

schedule:
  active_hours:
    start: "09:00"
    end: "18:00"
    timezone: "America/New_York"

`budget`

Caps per-agent LLM spend. The gateway enforces the budget before allowing the agent action.

Field	Type	Required	Description
`budget.daily_limit_usd`	float	No	Maximum USD spend per calendar day. Must be > 0.
`budget.monthly_limit_usd`	float	No	Maximum USD spend per calendar month. Must be > 0 and ≥ `daily_limit_usd`.
`budget.timezone`	string	No	IANA timezone for the daily/monthly reset boundary. Defaults to UTC when absent.
`budget.action_on_exceed`	`"deny"` \| `"suspend"`	No	Action when budget is exceeded. `deny` (default): blocks individual requests but keeps the agent active. `suspend`: suspends the agent entirely until the budget resets.

budget:
  daily_limit_usd: 25.0
  monthly_limit_usd: 500.0
  timezone: "America/Los_Angeles"
  action_on_exceed: deny

`data`

Scans agent inputs and outputs for PII or credential patterns using regex.

Field	Type	Required	Description
`data.sensitive_patterns`	list of regex strings	No	RE2-compatible regex patterns. A match causes the agent action to be blocked. Invalid regex is rejected at validation time.

data:
  sensitive_patterns:
    - "sk-[a-zA-Z0-9]{48}"               # OpenAI API key
    - "\\b\\d{3}-\\d{2}-\\d{4}\\b"       # US SSN
    - "(?i)password\\s*[:=]\\s*\\S+"     # password assignment

`tools`

Per-tool configuration keyed by tool name. Each key in the tools map is a tool name string; the value is a tool policy object.

Field	Type	Required	Default	Description
`tools.<name>.allow`	boolean	No	`true`	Whether this tool is permitted. Set to `false` to block the tool entirely.
`tools.<name>.limit_per_hour`	integer	No	unlimited	Maximum calls to this tool per hour.
`tools.<name>.requires_approval_if`	string	No	—	CEL expression that triggers human-in-the-loop approval when true. Valid governance level values: `L0`, `L1`, `L2`, `L3`.

tools:
  bash:
    allow: true
    limit_per_hour: 10
    requires_approval_if: "governance_level >= L2"
  execute_shell:
    allow: false
  file_write:
    allow: true
    limit_per_hour: 5

requires_approval_if CEL expressions: The expression is evaluated against the tool call context. The identifier governance_level exposes the current agent's governance tier (L0–L3). Referencing an unknown level (e.g., L4) is a validation error.

`capabilities`

Broad capability allow/deny lists that apply across all tools and actions.

Field	Type	Required	Description
`capabilities.allow`	list of capability strings	No	Capabilities explicitly permitted.
`capabilities.deny`	list of capability strings	No	Capabilities explicitly denied. Deny takes precedence over allow.

Valid capability strings

String	Description
`file_read`	Read access to the filesystem
`file_write`	Write access to the filesystem
`network_outbound`	Outbound network connections
`network_inbound`	Inbound network connections
`terminal_exec`	Execute commands in a terminal/shell
`agent_spawn`	Spawn child agents
`mcp_tool:<name>`	Use a specific named MCP tool (e.g., `mcp_tool:bash`, `mcp_tool:git`)
`model:<name>`	Use a specific named AI model (e.g., `model:gpt-4o`)

Unknown capability strings are rejected with a validation error. The mcp_tool: and model: prefixes require a non-empty name after the colon.

capabilities:
  allow:
    - file_read
    - network_outbound
    - mcp_tool:git
    - mcp_tool:bash
  deny:
    - terminal_exec
    - file_write

`approval`

Per-policy escalation overrides. When absent, team-level routing defaults are used.

Field	Type	Required	Description
`approval.timeout_seconds`	integer	No	Override the escalation timeout (seconds) for approvals triggered by this policy's rules.
`approval.escalation_role`	string	No	Override the approver group or role name for this policy (e.g., `"org-admin"`, `"security-team"`).

approval:
  timeout_seconds: 600
  escalation_role: org-admin

The top-level approval_timeout_secs sets the default for the whole policy document; approval.timeout_seconds overrides it at the per-policy escalation level.

Validation Rules

The gateway validates every policy on upload. All errors are collected and returned together; the upload is rejected if any error is present.

Field	Rule
`network.allowlist[n]`	Entry must not be empty
`schedule.active_hours.start`	Required when `active_hours` is present; must be `HH:MM` 24-hour format
`schedule.active_hours.end`	Required when `active_hours` is present; must be `HH:MM` and later than `start`
`schedule.active_hours.timezone`	Required when `active_hours` is present; must be a valid IANA timezone name
`budget.daily_limit_usd`	Must be > 0 when present
`budget.monthly_limit_usd`	Must be > 0; must be ≥ `daily_limit_usd` when both are set
`budget.timezone`	Must be a valid IANA timezone name when present
`budget.action_on_exceed`	Must be `"deny"` or `"suspend"` when present
`data.sensitive_patterns[n]`	Must be a valid RE2 regex
`tools.<name>.requires_approval_if`	Must not be empty; must reference only `L0`–`L3` governance levels
`capabilities.allow[n]` / `capabilities.deny[n]`	Must be a known capability string
`approval_timeout_secs`	Must be > 0 when present
`scope`	Must be `global`, `org:<id>`, `team:<id>`, `agent:<uuid>`, or `tool:<name>`; identifier after `:` must not be empty; `agent:` value must be a valid UUID

Unknown keys at any level produce a warning (not an error) — the policy is accepted and the unknown key is ignored. This allows forward-compatible policy files.

Examples

Minimal — budget cap only

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: budget-only
  version: "1.0.0"
spec:
  budget:
    daily_limit_usd: 10.0
    action_on_exceed: deny

Network egress allowlist

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: allowlist-openai-slack
  version: "1.0.0"
spec:
  scope: team:platform
  network:
    allowlist:
      - "api.openai.com"
      - "*.slack.com"

Capability control

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: capability-example
  version: "1.0.0"
spec:
  scope: global
  capabilities:
    allow:
      - file_read
      - network_outbound
      - mcp_tool:git
      - mcp_tool:bash
    deny:
      - terminal_exec
      - file_write

Tool rate-limiting with approval gate

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: guarded-tools
  version: "1.0.0"
spec:
  tools:
    bash:
      allow: true
      limit_per_hour: 10
      requires_approval_if: "governance_level >= L2"
    execute_shell:
      allow: false

Business-hours schedule

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: business-hours-only
  version: "1.0.0"
spec:
  scope: team:ops
  schedule:
    active_hours:
      start: "09:00"
      end: "18:00"
      timezone: "America/New_York"

PII detection

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: no-pii-in-output
  version: "1.0.0"
spec:
  data:
    sensitive_patterns:
      - "sk-[a-zA-Z0-9]{48}"
      - "\\b\\d{3}-\\d{2}-\\d{4}\\b"

Full policy — all sections

apiVersion: agent-assembly/v1
kind: Policy
metadata:
  name: production-full
  version: "1.0.0"
  description: Full example combining all policy sections.
spec:
  scope: team:platform
  network:
    allowlist:
      - "api.openai.com"
      - "slack.com"
  schedule:
    active_hours:
      start: "09:00"
      end: "18:00"
      timezone: "Asia/Taipei"
  budget:
    daily_limit_usd: 25.0
    monthly_limit_usd: 500.0
    action_on_exceed: deny
  data:
    sensitive_patterns:
      - "sk-[a-zA-Z0-9]{48}"
  tools:
    bash:
      allow: true
      limit_per_hour: 10
    file_write:
      allow: false
  capabilities:
    allow:
      - file_read
      - network_outbound
    deny:
      - terminal_exec
  approval_timeout_secs: 300
  approval:
    escalation_role: org-admin

Security Model — IronClaw layers and policy engine position in the stack
Cloud Deployment — uploading and activating policies in the console
Quick Start (SaaS) — create and activate your first policy

Last reviewed: 2026-05-10 · AI Agent Assembly Team