The incidents you're one bad tool call away from
Nobody adopts a control plane in the abstract. You adopt it because an agent can refund the wrong 200 customers, delete the wrong table, or email the wrong person's data — and your hand-rolled checks won't hold when you're not watching. Here's the failure-mode-by-failure-mode version.
Six failure modes, one choke point
The refund fan-out
An agent misreads a policy and starts refunding customers — each one valid on its own, catastrophic in aggregate. Flat daily caps don't help; the agent cheerfully spends them to zero. ACP gates money tools on the outliers: unusual size asks a human, the Nth call in an hour trips, everything routine keeps flowing.
Stop your agent from making payments without approval →
The destructive write
rm -rf, DROP TABLE, repo.delete — the calls you can't undo. Prompt rules are advisory; the model ignores them under pressure or after a poisoned tool response. ACP enforces deny-by-default on destructive operations at the call itself, outside the model, scoped by agent and by who it's acting for.
The wrong customer's data
An agent acting for user A pulls something only user B should ever see — because the backend saw a valid service token, not a person. ACP binds every call to the identity of the user the agent is acting for, scopes access to what they can touch, and redacts PII before it reaches the model.
The three-party identity gap →
The runaway bill
A loop that retries, re-plans, and re-reads until the invoice arrives. ACP meters every tool and model call, shows you which step is actually burning the money (it's usually one), and enforces hard budgets that warn the agent before cutting it off mid-task.
The loop tax: why agents are expensive →
The talked-into-it agent
A poisoned web page or tool response instructs your agent to do something it shouldn't — and anything that lives in the prompt can be talked past. ACP's enforcement sits outside the model: whatever the agent was convinced of, the call still hits deterministic policy on the way through.
What's actually inside 7,522 agent skills →
“Prove what every agent did — and why it was allowed”
The question you can't answer when your logs say service_account: 200. ACP logs the decision, not just the action: who asked, which agent acted, which rule allowed it, what it touched, what it cost — per call, exportable.
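The refund fan-out and destructive-write gates described above, with a decision record per call, sketched as an added example. This is not ACP's code or API: the `ToolGate` class, the tool names, the median-based outlier test and the thresholds are all assumptions made for illustration.

```python
import statistics
from collections import defaultdict, deque

# Hypothetical tool names and thresholds, chosen for illustration only.
DESTRUCTIVE = {"db.drop_table", "repo.delete", "shell.rm_rf"}
MONEY = {"payments.refund"}

class ToolGate:
    """Deterministic checks applied to each tool call, outside the model."""
    def __init__(self, max_calls_per_hour=20, outlier_factor=3.0, grants=()):
        self.max_calls = max_calls_per_hour
        self.factor = outlier_factor
        self.grants = set(grants)            # explicit (agent, user, tool) allows
        self.calls = defaultdict(deque)      # (agent, tool) -> call timestamps
        self.amounts = defaultdict(list)     # tool -> amounts allowed so far
        self.audit = []                      # one decision record per call

    def decide(self, agent, user, tool, now, amount=None):
        decision, rule = self._evaluate(agent, user, tool, now, amount)
        self.audit.append(dict(ts=now, agent=agent, on_behalf_of=user, tool=tool,
                               amount=amount, decision=decision, rule=rule))
        return decision

    def _evaluate(self, agent, user, tool, now, amount):
        if tool in DESTRUCTIVE:              # deny unless this exact scope is granted
            ok = (agent, user, tool) in self.grants
            return ("allow", "destructive-grant") if ok else ("deny", "destructive-default-deny")
        if tool not in MONEY:
            return "allow", "ungated-tool"
        window = self.calls[(agent, tool)]
        while window and now - window[0] >= 3600:   # drop calls older than an hour
            window.popleft()
        if len(window) >= self.max_calls:           # the Nth call in the hour trips
            return "deny", "hourly-call-limit"
        window.append(now)
        history = self.amounts[tool]
        if len(history) >= 5 and amount > self.factor * statistics.median(history):
            return "require_approval", "amount-outlier"   # unusual size asks a human
        history.append(amount)                      # outliers never shift the baseline
        return "allow", "routine"

def demo():
    """Constructed call sequence: routine refunds, one outlier, then a burst."""
    gate = ToolGate(max_calls_per_hour=8)
    amounts = [20.0] * 6 + [500.0, 20.0, 20.0]
    out = [gate.decide("support-bot", "alice", "payments.refund", t, a)
           for t, a in enumerate(amounts)]
    out.append(gate.decide("support-bot", "alice", "db.drop_table", 10))
    return out, gate.audit
```

Calling `demo()` returns the decision for each constructed call plus the audit records, which name the rule behind every allow, deny and approval request.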
Poke a governed stack yourself
Three live demos — real multi-system agents with ACP in the call path. Watch identity, policy, and metering apply to every call.
ERP, suppliers, and warehouse — unified through AI
Production planners cross-reference supplier delays with buffer stock and production schedules in seconds. Plant managers simulate schedule changes and see revenue impact instantly.
CRM, compliance, and ops — unified through AI
Sales leaders respond to RFQs in 20 minutes instead of 11 days. VPs get real-time account risk assessments that cross-reference incidents with CRM data and revenue impact.
Dispatch, carriers, and terminals — unified through AI
Ops managers see detention fees, HOS violations, and vessel diversions across truck, ocean, and rail in one view. Dispatchers get driver availability and appointment math instantly.
Same control plane, any industry
The failure modes above don't care what business you're in — only the data changes. A few concrete shapes:
Healthcare SaaS
Diagnostic assistants query patient records with the physician's identity verified on every call, access scoped by license type, PII redacted before the model, every query logged — the audit trail HIPAA asks for.
Fintech & lending
Credit queries scoped to each officer's assigned borrowers, SSNs masked before the model, per-officer rate limits on data pulls, identity on every row.
SaaS shipping AI features
Every tool call arrives with the customer's verified identity, tenant isolation enforced at the gateway, per-customer budgets that catch abuse — ship the AI integration without building the control layer first.
Internal copilots
SSO identity through every request, tool access scoped by role, per-user spend limits, every action attributed — the answer to “what did the copilot just do, and as whom?”
Put a control plane between your agents and the incident
Self-host with the MIT-licensed modules, or use ACP Cloud — one install, and your next agent run shows up governed in the console.