What is an Agentic Control Plane?

An Agentic Control Plane is a governance layer that sits between AI coding agents and their tools. It logs every tool call, enforces permissions and policies, and provides audit trails — giving teams visibility and control over what their AI agents are doing.

How does ACP work with Claude Code?

ACP installs a PreToolUse hook in Claude Code that fires before every tool call (Bash, Read, Write, Edit, WebFetch). The hook sends the tool name and input to ACP's governance API for policy evaluation and audit logging. Round-trip is approximately 200ms.

How do I install ACP?

Run one command: curl -sf https://agenticcontrolplane.com/install.sh | bash. This auto-detects Claude Code and OpenClaw, installs the appropriate hooks, and opens your browser to set up your workspace.

Install in your AI client. Keep everything else.

ACP sits between your AI client and the tools it calls. Install the hook (or point at our MCP endpoint) and every tool call gets identity, policy, and audit — without changing how your team works.

Building the agent yourself (CrewAI, LangGraph, Anthropic Agent SDK, OpenAI Agents SDK)? See Frameworks for guided starter code.

Clients

The AI tools your team already uses.

Step-by-step install guides for each AI client — with the caveats vendor docs leave out. Two install paths: a local hook (for coding agents) or an MCP server connection (for chat clients).

Zed (Parallel Agents)

LLM-provider proxy

ChatGPT Workspace Agents

Agents SDK · MCP

Google Agents CLI (ADK)

LiteLLM proxy · ADK callback

Using a client we don't list? If it speaks MCP (Windsurf, Continue, ChatGPT’s connectors) or the OpenAI chat-completions API, point it at ACP — same governance, no code change.

Identity Providers

Your IdP. Your users. Our governance.

ACP verifies JWTs against your IdP's JWKS endpoint on every call. Any OIDC-compliant provider works out of the box — your users stay in your directory.

Auth0 OIDC + JWKS

Okta OIDC + JWKS

Microsoft Entra ID OIDC + JWKS

Google Identity Google Workspace SSO

Firebase Auth Firebase tokens

Any OIDC provider Configurable issuer, audience, JWKS URI

How agent identity works →

What every integration gets

Regardless of which client you install — every agent action passes through the same governance pipeline.

Identity binding

JWT-verified user or agent on every call

Deny-by-default policy

Per-call authorization enforcement

PII detection

Scan and redact sensitive data

Audit logging

Identity-attributed trail on every action

Budget controls

Per-user and per-agent spend limits

Tenant isolation

Multi-tenant separation at every layer

Your clients. Our governance.

Free to start. Add governance to your existing AI client in minutes.

Get started free → For IT teams →