Companies built systems to manage employees — identity, permissions, accountability, audit trails. Enterprises will require the same governance for AI agents. WorkingAgents is the infrastructure that makes autonomous agents trustworthy enough to run real parts of a business.
The Problem
AI agents are powerful. Ungoverned agents are dangerous.
Your agents can read databases, call APIs, send emails, and make decisions that affect real customers. Without governance, every agent is an insider threat:
- Credential sprawl — five agents connecting to ten tools means fifty sets of credentials scattered across environments. One leaked key exposes everything.
- Invisible actions — an agent deletes a production record, sends confidential pricing to a customer, or leaks PII. Without audit trails, nobody knows until the damage is done.
- Unbounded access — most frameworks give every agent access to every tool. A sales assistant reaches engineering databases. A support agent discovers it can modify billing records. Not malicious — just ungoverned.
A tool waits for instructions. An agent makes decisions. The governance model that worked for tools doesn’t work for agents.
Three Gateways, One Control Plane
WorkingAgents puts a governance layer between your agents and everything they touch.
AI Gateway
Unified proxy to 250+ LLMs. One API, automatic failover, smart routing by cost or latency. Simple queries go to cheaper models. Complex reasoning goes to capable ones. You control the routing, not the agent.
AI Agent Gateway
Control plane for agentic workflows. Multi-step execution with retries, timeouts, and fallbacks. Works with any agent framework via HTTPS and Secure WebSocket (WSS) APIs. When an agent gets stuck in a retry loop, the gateway catches it before it burns through thousands in API calls overnight.
MCP Gateway
Enterprise hub for Model Context Protocol. Centralized tool registry, per-user token management, permission boundaries, and guardrails on every tool call. Every agent gets exactly the access it needs and nothing more.
Access Control: Keycards, Not Master Keys
Virtual MCP Servers define permission boundaries per team, per role, per use case:
Sales Team Server
✓ CRM read/write
✓ Document generation
✓ Knowledge search
× Database admin
× Deployments
Engineering Server
✓ GitHub / CI-CD
✓ Issue tracker
✓ Deployments
× CRM data
× Financial recordsFour-layer authentication: gateway, team, service, and custom. Capability-based access control with encrypted permission keys. Per-user, per-service, per-endpoint rate limits. A single token replaces scattered credentials.
A sales agent sees CRM tools. An engineering agent sees deployment tools. Neither sees the other’s data. Agents inherit the user’s permissions — one identity, one set of rules, full accountability.
Guardrails: Three Checkpoints on Every Action
Automated safety checks before, during, and after every tool call.
Pre-execution — validate inputs before any tool runs. Block SQL injection, path traversal, prompt injection, and malformed requests before they reach your systems.
Real-time — monitor execution and require human approval for high-risk operations. “The agent wants to delete a production table — approve or deny?”
Post-execution — inspect outputs before they reach the agent. Redact PII, mask credentials, filter confidential data. Sensitive information never leaves your perimeter.
| Guardrail | What It Stops |
|---|---|
| Prompt injection prevention | “Ignore all previous instructions” and similar attacks |
| PII detection & redaction | 20+ categories: SSNs, credit cards, emails, phones, addresses |
| Content safety | Hate speech, self-harm, violence with configurable thresholds |
| Topic filtering | Block specific domains: medical advice, legal counsel, financial tips |
| Custom rules | Your own policies, your own logic, enforced at the gateway |
Access Control Administration — Role management, permission grants (with optional TTL for temporary access), user permission views, audit trail queries, and system health stats.
Observability: See Everything, Miss Nothing
Every agent action, tool call, model request, and guardrail evaluation is logged:
{
"agent": "sales-assistant",
"user": "[email protected]",
"tool": "crm.search_contacts",
"args": { "query": "Acme Corp" },
"guardrails": {
"pii_check": "passed",
"injection_check": "passed"
},
"latency_ms": 42,
"cost_usd": 0.0018
}- Token-level cost attribution by user, team, and model
- Request-level inspection with full prompt and response
- P99/P90/P50 latency tracking per endpoint
- Structured logging and request tracing for distributed debugging
Security: Your Data Never Leaves
WorkingAgents deploys inside your VPC, your data center, or your air-gapped network. The platform orchestrates workloads without extracting data.
Agent Request
→ WorkingAgents Gateway (your VPC)
→ Auth check
→ Guardrail scan
→ PII redaction
→ Tool execution (your infra)
→ Audit log (your storage)Zero data egress. Full audit trail. Self-hosted or cloud — your choice.
Technical Foundation
Built on OTP — the same platform that powers WhatsApp, Discord, and financial trading systems. This matters:
- Fault tolerance — OTP supervision trees automatically restart failed processes. A crashed task manager doesn’t take down the CRM or monitoring system. Each subsystem is independently resilient.
- Concurrency — lightweight processes handle thousands of simultaneous agent connections without thread contention. Every user gets isolated state.
- Hot code reloading — deploy updates without restarting the system or disconnecting active agents.
- Per-user isolation — each user gets their own permission set, their own process tree. One user’s agent cannot access another user’s data at the process level, not just the application level.
Protocol support:
- MCP (Model Context Protocol) — 86+ tools exposed as a governed MCP server. Any MCP-compatible client (Claude, Cursor, custom agents) connects with a single token.
- A2A (Agent-to-Agent Protocol) — Google’s protocol for cross-platform agent skill discovery and collaboration.
- WebSocket — real-time bidirectional communication for browser-based interfaces and live agent interaction.
- REST API — standard HTTP endpoints for integration with any system.
Who It’s For
Medium-size enterprises deploying AI agents who need governance before something goes wrong — not after.
Consulting firms and system integrators who help companies adopt AI. WorkingAgents is the governance infrastructure you deploy at every client.
Regulated industries (healthcare, finance, legal) where every AI decision must be auditable, permissioned, and compliant.
Companies using multiple AI frameworks (LangChain, CrewAI, OpenAI Agents SDK, custom) who need a unified governance layer that works across all of them.
The Goal
The autonomous AI agent market is estimated at $8.5 billion in 2026, potentially $35-45 billion by 2030. 75% of companies may invest in agentic AI by end of 2026. 40% of enterprise applications will feature task-specific AI agents by 2026, up from less than 5% in 2025.
The question is no longer whether to adopt AI agents. It’s whether you govern them before something goes wrong — or after.
WorkingAgents exists at the convergence point: the governance layer that becomes indistinguishable from the agent infrastructure itself. We’re building the system that makes AI agents accountable — so enterprises can deploy them with confidence, not anxiety.
Every action has a paper trail. Every agent has defined permissions. Every decision is auditable. Compliance and speed are no longer in conflict.
WorkingAgents: AI agents are powerful. Make sure they answer to you.
James Aspinwall is the founder of WorkingAgents, an AI governance platform specializing in agent access control, security, and integration services for enterprises deploying AI at scale.