Agentic Control Plane

The incidents you're one bad tool call away from

Nobody adopts a control plane in the abstract. You adopt it because an agent can refund the wrong 200 customers, delete the wrong table, or email the wrong person's data — and your hand-rolled checks won't hold when you're not watching. Here's the failure-mode-by-failure-mode version.

Six failure modes, one choke point

The refund fan-out

An agent misreads a policy and starts refunding customers — each one valid on its own, catastrophic in aggregate. Flat daily caps don't help; the agent cheerfully spends them to zero. ACP gates money tools on the outliers: unusual size asks a human, the Nth call in an hour trips, everything routine keeps flowing.

Stop your agent from making payments without approval →

The destructive write

rm -rf, DROP TABLE, repo.delete — the calls you can't undo. Prompt rules are advisory; the model ignores them under pressure or a poisoned tool response. ACP enforces deny-by-default on destructive operations at the call itself, outside the model, scoped by agent and by who it's acting for.

Stop your agent from deleting your database →

The wrong customer's data

An agent acting for user A pulls something only user B should ever see — because the backend saw a valid service token, not a person. ACP binds every call to the identity of the user the agent is acting for, scopes access to what they can touch, and redacts PII before it reaches the model.

The three-party identity gap →

The runaway bill

A loop that retries, re-plans, and re-reads until the invoice arrives. ACP meters every tool and model call, shows you which step is actually burning the money (it's usually one), and enforces hard budgets that warn the agent before cutting it off mid-task.

The loop tax: why agents are expensive →
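To make the metering and budget behaviour above concrete, here is an added example (not ACP's code, and not an ACP API) of a per-run budget meter: every call is charged in cents and attributed to its step, the agent gets one warning at a soft threshold, and the call that would cross the hard cap is refused rather than the run being killed after the fact. The step names, costs and thresholds are assumptions chosen for the illustration.

```python
"""Toy run budget meter: constructed illustration, not ACP code.

Meters every tool and model call in cents, attributes spend per step so the
one step burning the money stands out, warns the agent at a soft threshold
and refuses the call that would cross the hard cap. Step names and costs are
assumptions made for the example.
"""
from collections import defaultdict


class BudgetExceeded(Exception):
    """Raised for the call that would push the run past its hard cap."""


class RunBudget:
    def __init__(self, hard_cap_cents, warn_fraction=0.8):
        self.hard_cap = hard_cap_cents
        self.warn_at = int(hard_cap_cents * warn_fraction)
        self.spent = 0
        self.by_step = defaultdict(int)   # step name -> cents: the per-step attribution
        self.warned = False

    def charge(self, step, cost_cents):
        """Meter one call. Returns "ok" or "warn"; raises before the cap is crossed."""
        if self.spent + cost_cents > self.hard_cap:
            raise BudgetExceeded(
                f"{step!r} would take the run to {self.spent + cost_cents}c, cap {self.hard_cap}c"
            )
        self.spent += cost_cents
        self.by_step[step] += cost_cents
        if not self.warned and self.spent >= self.warn_at:
            self.warned = True            # one warning, surfaced to the agent, before the cut-off
            return "warn"
        return "ok"

    def hottest_step(self):
        """The step that is actually burning the money."""
        return max(self.by_step, key=self.by_step.get)


def run_demo():
    """A retry loop that re-reads the same document until the budget stops it."""
    budget = RunBudget(hard_cap_cents=100)          # $1.00 per run (assumed)
    budget.charge("plan", 10)                        # one planning model call, 10c (assumed)
    iterations = warned_at = 0
    try:
        while True:                                  # the runaway loop from the text
            iterations += 1
            if budget.charge("re_read_docs", 5) == "warn":   # 5c per re-read (assumed)
                warned_at = iterations
    except BudgetExceeded:
        pass
    return {
        "iterations": iterations - 1,      # completed re-reads before the cut-off
        "warned_at": warned_at,
        "hottest": budget.hottest_step(),
        "hottest_cents": budget.by_step[budget.hottest_step()],
        "spent": budget.spent,
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo the planning step costs a dime and every re-read a nickel, so the warning fires on the 14th re-read, the 19th is refused, and the per-step table points straight at `re_read_docs` as the step that spent 90 of the 100 cents.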

The talked-into-it agent

A poisoned web page or tool response instructs your agent to do something it shouldn't — and anything that lives in the prompt can be talked past. ACP's enforcement sits outside the model: whatever the agent was convinced of, the call still hits deterministic policy on the way through.

What's actually inside 7,522 agent skills →

“Prove what every agent did — and why it was allowed”

The question you can't answer when your logs say service_account: 200. ACP logs the decision, not just the action: who asked, which agent acted, which rule allowed it, what it touched, what it cost — per call, exportable.

What 210,000 governed tool calls look like →
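The refund fan-out, the destructive write, the wrong customer's data and the decision log above are all one evaluator sitting outside the model. As an added example (not ACP's code or API), the toy gate below puts those four behaviours in one place: destructive tools are denied by default, record access is checked against the user the agent is acting for, a refund tool trips on the Nth call in an hour and asks a human on an amount far above the recent median, and every decision is recorded with the rule that produced it. Tool names, rule names, thresholds and the sample call sequence are assumptions made for the illustration.

```python
"""Toy policy gate for agent tool calls: constructed illustration, not ACP code.

One evaluator outside the model that (a) denies destructive operations by
default, (b) scopes record access to the end user the agent is acting for,
(c) gates a money tool on outliers (unusual amount asks a human, the Nth
call in an hour trips) and (d) records the decision, not just the action.
Tool names, rule names and thresholds are assumptions made for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import median

DESTRUCTIVE_TOOLS = {"rm_rf", "drop_table", "repo_delete"}  # assumed tool names
MONEY_TOOLS = {"issue_refund"}
REFUND_CALLS_PER_HOUR = 5     # assumed: the 5th refund in an hour trips
REFUND_OUTLIER_FACTOR = 3.0   # assumed: > 3x the recent median asks a human
HOUR = 3600


@dataclass
class ToolCall:
    agent_id: str
    acting_for: str   # the person the agent acts on behalf of, not a service account
    tool: str
    args: dict
    ts: float         # epoch seconds


class PolicyGate:
    def __init__(self, owner_of):
        self.owner_of = owner_of            # record_id -> owning user (tenant lookup stand-in)
        self.refunds = defaultdict(deque)   # agent_id -> deque of (ts, amount) for allowed refunds
        self.log = []                       # one decision record per call, exportable

    def evaluate(self, call):
        outcome, rule = self._decide(call)
        # Log the decision: who asked, which agent, which rule, what it touched.
        self.log.append({
            "acting_for": call.acting_for, "agent": call.agent_id, "tool": call.tool,
            "touched": call.args.get("record_id"), "rule": rule, "outcome": outcome, "ts": call.ts,
        })
        return outcome, rule

    def _decide(self, call):
        # Deterministic rules run on every call, whatever the model was talked into.
        if call.tool in DESTRUCTIVE_TOOLS:
            return "deny", "destructive.deny_by_default"
        record = call.args.get("record_id")
        if record is not None and self.owner_of.get(record) != call.acting_for:
            return "deny", "identity.cross_user_access"
        if call.tool in MONEY_TOOLS:
            return self._gate_refund(call)
        return "allow", "default.allow"

    def _gate_refund(self, call):
        hist = self.refunds[call.agent_id]
        while hist and call.ts - hist[0][0] >= HOUR:   # drop refunds older than an hour
            hist.popleft()
        amount = float(call.args["amount"])
        if len(hist) >= REFUND_CALLS_PER_HOUR - 1:      # this would be the Nth call this hour
            return "needs_human", "money.rate_trip"
        if len(hist) >= 3 and amount > REFUND_OUTLIER_FACTOR * median(a for _, a in hist):
            return "needs_human", "money.amount_outlier"
        hist.append((call.ts, amount))                  # routine refunds keep flowing
        return "allow", "money.routine"


def run_demo():
    """Replay a constructed sequence of calls; return the (outcome, rule) trail and the log."""
    gate = PolicyGate(owner_of={"rec-1": "user-A", "rec-2": "user-B"})
    t0 = 1_700_000_000
    calls = [
        ToolCall("agent-1", "user-A", "drop_table", {"table": "orders"}, t0),
        ToolCall("agent-1", "user-A", "get_record", {"record_id": "rec-2"}, t0 + 1),
        ToolCall("agent-1", "user-A", "get_record", {"record_id": "rec-1"}, t0 + 2),
    ]
    # Routine refunds, one outlier, then the rate trip; the last call is an hour later.
    for i, amount in enumerate([20, 25, 30, 500, 22, 21]):
        calls.append(ToolCall("agent-1", "user-A", "issue_refund", {"amount": amount}, t0 + 10 + i))
    calls.append(ToolCall("agent-1", "user-A", "issue_refund", {"amount": 24}, t0 + 20 + HOUR))
    return [gate.evaluate(c) for c in calls], gate.log


if __name__ == "__main__":
    for outcome, rule in run_demo()[0]:
        print(f"{outcome:12} {rule}")
```

Two design points worth noting: held or denied refunds are not added to the sliding window, so a human who approves an outlier does not also eat into the agent's hourly allowance, and the ownership check fires before the tool-specific rules so a cross-user read is refused the same way whether it arrives through a read tool or a money tool.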

Same control plane, any industry

The failure modes above don't care what business you're in — only the data changes. A few concrete shapes:

Healthcare SaaS

Diagnostic assistants query patient records with the physician's identity verified on every call, access scoped by license type, PII redacted before the model, every query logged — the audit trail HIPAA asks for.

Fintech & lending

Credit queries scoped to each officer's assigned borrowers, SSNs masked before the model, per-officer rate limits on data pulls, identity on every row.

SaaS shipping AI features

Every tool call arrives with the customer's verified identity, tenant isolation enforced at the gateway, per-customer budgets that catch abuse — ship the AI integration without building the control layer first.

Internal copilots

SSO identity through every request, tool access scoped by role, per-user spend limits, every action attributed — the answer to “what did the copilot just do, and as whom?”

Put a control plane between your agents and the incident

Self-host with the MIT-licensed modules, or use ACP Cloud — one install, and your next agent run shows up governed in the console.