Kite Logik · Governance middleware

Govern what your agents actually do.

Other tools test prompts. Other tools validate outputs. Kite Logik governs the agent itself: its tool access, its delegations, its resource budgets. Enforced by infrastructure. Not by the model.

Get StartedView on GitHub
pip install kitelogik
640 tests passing· 11 framework adapters· <8ms gate latency
kitelogik · policy gate · live
$ gate eval approve_refund --amount=75.00 --role=support_agent
evaluating · financial.rego · security.rego
✓ ALLOW · 7ms · approve_refund_under_100
$ gate eval bulk_delete_records --table=orders --count=50000
✕ BLOCK · 5ms · destructive_bulk_operation
625
Tests passing
11
Framework adapters
<8ms
Gate latency (warm)
100%
Deny-by-default
Built for teams deploying agents in
Financial Services
Healthcare
Legal & Compliance
Insurance
Platform Engineering
Security Teams
The problem

The prompt layer is the wrong place
to enforce rules.

Every AI safety tool in this space operates at the wrong layer. Prompts can be overridden, confused, and manipulated. Infrastructure cannot.

Prompt-level enforcement
The industry default
Rules are instructions, not locks
"Do not approve refunds over $500" is advice. The model can be talked out of it.
Prompt injection bypasses everything
Malicious content in a tool response can override your safety instructions wholesale.
No audit trail an auditor can trust
"The model said it followed the rules" is not a compliance artefact.
Non-deterministic by design
Safety properties degrade with every model update. You have no control.
Infrastructure-level enforcement
Kite Logik
Rules are evaluated by a policy engine
OPA evaluates every action before it runs. The model never gets a vote on the outcome.
Injection-resistant by architecture
Tool outputs are sanitised before reaching agent context. Enforcement is out-of-band.
Every action logged, every decision traceable
Immutable audit log with OpenTelemetry tracing. SQL triggers prevent tampering.
Deterministic and model-agnostic
Policy outcome is identical regardless of which model or framework runs the agent.
Architecture

Three interlocking enforcement layers.

Each layer has a distinct role. Together they make it structurally impossible for an agent to violate policy, regardless of what it's told.

Agent
governance event
every action
Tether
OPA / Rego
ALLOW
Execute
tool runs
ESCALATE
Anchor
human review
Layer 01
Tether
Policy Gate · OPA / Rego
Every governance event is evaluated against your Rego policies before execution. ALLOW, escalate to HITL, or BLOCK, decided in under 8ms. Write policies in YAML or Rego.
Layer 02
Anchor
HITL Queue · Credentials · Audit
High-stakes actions escalate to a human reviewer. Session-scoped credentials enforce least privilege. Every decision is logged in an immutable, tamper-proof audit trail.
Layer 03
Sandbox
Container Isolation · Enterprise
Runtime isolation for agent sessions with no network egress by default, resource limits enforced at the container and VM layer. Available in Kite Logik Enterprise.
Beyond tool calls

Govern the entire agent lifecycle.

Not just tool calls. Agent spawn, delegation, plans, resource budgets, and data access. All policy-controlled through the same pipeline.

Tool Calls
event: tool_call
Every tool invocation is evaluated before execution. Block writes outside /tmp. Require scope for financial operations.
"Block file writes outside /tmp"
Agent Spawn
event: agent.spawn
Control which agents can be created and with what capabilities. Enforce delegation depth limits.
"Max delegation depth is 2"
Delegation
event: agent.delegate
Agent-to-agent task handoff with scope narrowing. Child scopes must be a subset of parent.
"Child scopes ⊆ parent scopes"
Plans
event: agent.plan
Evaluate a proposed action sequence before any step runs. Deny plans that contain blocked tools or exceed limits.
"Deny plans with > 20 steps"
Resource Budgets
event: agent.resource
Enforce token spend, API call limits, and compute time per session. Stop runaway agents.
"Deny if session budget exhausted"
Data Access
event: data.classify
Classification-based flow control. Confidential data stays in the primary session. External tiers get sanitized.
"PII stays in primary session"
Integrate in 3 lines

Add governance to any agent.
Any framework.

One decorator. One policy file. Full governance pipeline: policy evaluation, credential check, audit log, OpenTelemetry trace.

agent.py
from kitelogik import governed, PolicyGate, OPAClient, SessionContext

gate = PolicyGate(opa_client=OPAClient())
ctx  = SessionContext(
    session_id="s1",
    user_role="support",
    session_scopes=["read_customer", "approve_refund"],
)

@governed(gate=gate, context=ctx)
async def approve_refund(customer_id: str, amount: float) -> str:
    return payment_api.refund(customer_id, amount)

# approve_refund("cust_123", 50)   -> OPA allows, runs
# approve_refund("cust_123", 5000)  -> OPA denies, raises GovernanceError
policies/policy.yaml
version: 1
rules:
  - name: block_high_refunds
    when:
      action: approve_refund
      args.amount: { gt: 1000 }
    then: deny
    reason: "Refunds over $1000 require escalation"

Works with any framework

OpenAI, LangChain, CrewAI, Google ADK, Pydantic AI, LlamaIndex, and 5 more. Same governance pipeline across all of them.

YAML or Rego, your choice

Write policies in YAML and compile to Rego with kitelogik compile. Or write Rego directly for full OPA power.

Sub-10ms gate latency

Policy evaluation adds <8ms per tool call against a local OPA. Ships with an OPA HTTP client; experimental in-process Rego via RegorusClient.

Deny-by-default, fail-closed

Every policy starts with default allow := false. If OPA is unreachable, the gate returns BLOCK. Never an accidental allow.

Framework adapters

One governance pipeline.
Every major framework.

Drop governance into your existing agent with a single import. All adapters share the same policy engine, audit log, and credential lifecycle.

OpenAI
LangChain
LangGraph
CrewAI
OpenAI Agents SDK
Google ADK
Pydantic AI
LlamaIndex
Semantic Kernel
Haystack
Dify
Enforcement model

Five risk tiers. One policy engine.

Every action is classified at evaluation time. The tier determines the default enforcement outcome. You can override any default in Rego.

TierNameExamplesDefault outcome
01INFORMATIONALRead customer record, list transactions Auto-allow
02OPERATIONALUpdate record, send notification Allow with scope
03TRANSACTIONAL_HIGHApprove refund > $1000, wire transfer HITL escalation
04DESTRUCTIVEDelete records, bulk operations HITL or block
05SECURITY_CRITICALShell exec, credentials, file system Hard block
Comparison

Every competitor enforces at the wrong layer.

Guardrails AI, NeMo Guardrails, AWS Bedrock all operate on LLM inputs and outputs. None of them intercept the agent's actions.

ToolEnforcement layerTool-call governancePolicy-as-CodeHITLAudit trail
Kite LogikAgent actions✓ Yes✓ OPA / Rego✓ Async✓ Immutable
Guardrails AILLM output
NeMo GuardrailsLLM I/O~ Colang
AWS Bedrock GuardrailsInference~ Limited
LangSmithObservability✓ Tracing
Lakera GuardPrompt / response~ Limited
Learn more

Compare, dig deeper, decide.

Side-by-side comparisons against the tools you're probably evaluating, plus the concepts behind why action-layer governance matters.

Compared to other tools
Comparison
Kite Logik vs Guardrails AI
Action governance for tool calls vs output validation for LLM responses.
Read
Comparison
Kite Logik vs NeMo Guardrails
OPA/Rego policy on agent actions vs Colang dialogue rails on LLM I/O.
Read
Comparison
Kite Logik vs LLM Guard
Deterministic action policy vs heuristic prompt and response scanning.
Read
Concepts
Guide
Governance for AI agents
The four governance layers — prompt, output filter, action policy, network egress — and how to compose them in production.
Read
Examples
Rego policies + Python snippets
Working code for tool-call policy, delegation limits, MCP allowlists, HITL approval, and budgets.
Read
Concept
Policy-as-code for AI agents
Why prompts are the wrong layer for agent safety, and what OPA/Rego changes.
Read
Concept
Governance for MCP tool calls
MCP standardises tool discovery, not policy. Closing the gap with Rego.
Read
Get started

First governance decision
in under 30 seconds.

No account. No API key. No dashboard required.

1

Install

pip install kitelogik

2

Start the policy engine

docker compose up -d opa

3

Scaffold a governed agent

kitelogik init my-agent
Creates a policy.yaml, compiles to Rego, generates agent.py

4

See it work

cd my-agent && python agent.py
Watch ALLOW / BLOCK decisions in real time

getting started
$ pip install kitelogik
Successfully installed kitelogik-0.1.0
$ kitelogik init my-agent
Created policies/policy.yaml
Compiled to policies/policy.rego
Generated agent.py
$ cd my-agent && python agent.py
│ evaluating · policy.rego
✓ ALLOW read_customer · 6ms
✓ ALLOW approve_refund($50) · 7ms
✕ BLOCK approve_refund($5000) · 5ms
✕ BLOCK read_file(/etc/passwd) · 4ms
Open Source · Apache 2.0

For developers & startups

The full governance pipeline. Policy engine, HITL queue, credential broker, audit trail, 11 framework adapters, and a CLI.

OPA/Rego + YAML policy compiler
Session-scoped credentials with delegation
Immutable audit trail (SQL trigger-enforced)
OpenTelemetry tracing
640 tests passing, Apache-2.0
View on GitHub
Enterprise

For teams governing agent fleets

Everything in open source, plus centralized enforcement, SSO, fleet management, compliance exports, and dedicated support.

Governance Gateway (centralized HTTP API)
Real-time dashboard + HITL approval UI
SSO / RBAC (SAML, OIDC)
PostgreSQL backends (HA)
SOC 2, HIPAA, FedRAMP compliance exports
Join the list. No spam, unsubscribe anytime.
"A prompt-based guardrail is a suggestion.
Kite Logik is a lock."
Prompts inform. Infrastructure enforces.