Authorize agent actions before they run. Prove the decision after.
This page is for security leaders reviewing AI agents, MCP tools, and workflows that are moving from read-only access into production actions.
Keel is the decision boundary for governed execution. Before an AI system calls a tool, spends budget, writes to a workflow, or asks for approval, Keel evaluates policy and records the decision as evidence that can be verified later.
The Security Question
The useful CISO question is not only "which agents exist?" but whether the company can answer, for each action:
- what was the agent allowed to do?
- which policy allowed, denied, throttled, or challenged it?
- who approved the risky path?
- can a third party verify the record without trusting a reconstructed log?
Where Keel Fits
| Security need | Keel control |
|---|---|
| Agent write access | Policy evaluates the action before execution. High-risk write paths can be denied, throttled, or challenged for approval. |
| MCP tool control | Registered upstream MCP servers and tool allowlists gate each governed `tools/call` before upstream dispatch. |
| Approval evidence | Challenged permits attach actor identity, authorization basis, rationale, policy snapshot, and request metadata to the same permit. |
| Audit proof | Governance events are hash-chained, compliance exports are signed, and verifier workflows can check evidence independently. |
| Spend exposure | Budget and cost-permit controls can block or constrain expensive execution before provider spend lands. |
The Read-Only To Write-Access Moment
Read-only agents are usually search, summarization, and retrieval. The security problem changes when an agent can mutate production state, move data, spend money, create tickets, merge code, or call tools with side effects.
- Low-risk read - allow with budget and rate limits.
- Routine write - allow only for scoped tools, tenants, and workloads.
- Irreversible or sensitive action - challenge for approval or deny by default.
What Keel Proves
Keel does not claim that every AI system is safe. It proves something narrower and more useful: for governed execution, the decision happened before the action, the policy and approval context were recorded, and the resulting evidence can be checked later.
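As an added illustration, not Keel's own code or API, the Python sketch below shows the shape of the controls described in the table above, the three risk tiers, and the claim in this section: a policy check that runs before the tool call, a decision record (the permit) hash-chained to its predecessor with the policy snapshot attached, and a signed export that a third party can re-verify without trusting the producer. The policy table, field names, rate limit, tenant names, and the HMAC used in place of a real signature are all assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical policy table (assumption of this example, not Keel's schema):
# tool -> risk tier and the tenants allowed to invoke it (the allowlist).
POLICY = {
    "search_docs":   {"tier": "read",         "tenants": {"acme", "globex"}},
    "create_ticket": {"tier": "write",        "tenants": {"acme"}},
    "issue_refund":  {"tier": "irreversible", "tenants": {"acme"}},
}
READ_RATE_LIMIT = 60  # calls per minute; illustrative number

# Hash of the policy in force, stored on every permit so a reviewer can tell
# which policy version produced the decision.
POLICY_SNAPSHOT = hashlib.sha256(
    json.dumps(POLICY, sort_keys=True, default=sorted).encode()
).hexdigest()

GENESIS = "0" * 64
EXPORT_KEY = b"demo-export-key"  # stand-in for a real signing key (assumption)


def evaluate(tool: str, tenant: str, calls_this_minute: int = 0,
             approver: Optional[str] = None) -> str:
    """Policy decision taken before execution: allow, throttle, challenge or deny."""
    rule = POLICY.get(tool)
    if rule is None or tenant not in rule["tenants"]:
        return "deny"  # unregistered tool, or tenant not on its allowlist
    if rule["tier"] == "read":
        return "throttle" if calls_this_minute > READ_RATE_LIMIT else "allow"
    if rule["tier"] == "write":
        return "allow"  # scoped to an allowlisted tool and tenant
    # Irreversible: run only when a named approver is attached to the permit.
    return "allow" if approver else "challenge"


def _event_hash(prev_hash: str, body: dict) -> str:
    """Hash of the canonical event body chained to the previous event's hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def govern(chain: list, tool: str, tenant: str, actor: str,
           calls_this_minute: int = 0, approver: Optional[str] = None) -> str:
    """Evaluate policy, then append the decision (the permit) to the hash chain."""
    decision = evaluate(tool, tenant, calls_this_minute, approver)
    body = {
        "seq": len(chain), "tool": tool, "tenant": tenant, "actor": actor,
        "approver": approver, "decision": decision,
        "policy_snapshot": POLICY_SNAPSHOT,
    }
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "body": body, "hash": _event_hash(prev, body)})
    return decision


def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited, dropped or reordered event breaks the chain."""
    prev = GENESIS
    for entry in chain:
        if entry["prev_hash"] != prev or _event_hash(prev, entry["body"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def sign_export(chain: list) -> dict:
    """Export the chain with a MAC over its head hash (HMAC stands in for a signature)."""
    head = chain[-1]["hash"] if chain else GENESIS
    tag = hmac.new(EXPORT_KEY, head.encode(), "sha256").hexdigest()
    return {"entries": chain, "head": head, "tag": tag}


def verify_export(export: dict, key: bytes = EXPORT_KEY) -> bool:
    """Independent check: tag matches the head, head matches the chain, chain is intact."""
    expected = hmac.new(key, export["head"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, export["tag"]):
        return False
    entries = export["entries"]
    head = entries[-1]["hash"] if entries else GENESIS
    return head == export["head"] and verify_chain(entries)


if __name__ == "__main__":
    chain = []
    for args in [("search_docs", "acme", "agent-1"),
                 ("create_ticket", "globex", "agent-1"),
                 ("issue_refund", "acme", "agent-1"),
                 ("issue_refund", "acme", "agent-1", 0, "alice")]:
        print(args[0], args[1], "->", govern(chain, *args))
    export = sign_export(chain)
    print("export verifies:", verify_export(export))
    chain[2]["body"]["decision"] = "allow"  # forge the challenged refund into an allow
    print("after tampering:", verify_export(export))
```

The point of the chain is that the verifier needs only the exported entries and the key that checks the tag; it does not need the producer's database or a reconstructed log. Rewriting one decision, deleting an event, or reordering two of them changes a hash that every later entry depends on, so the forgery is caught at the first broken link.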
What Keel is not
Not a router
Routers decide where to send a request. Keel decides whether the request should run at all.
Not observability
Observability explains what happened after execution. Keel controls what happens before.
Not a model firewall
Firewalls inspect inputs and outputs. Keel authorizes whether the action should execute at all.
Not an identity provider
Keel consumes identity, role, team, and service-principal signals. It does not replace Okta, Entra, SSO, or SCIM.
Not an MCP marketplace
Keel registers upstream MCP servers and governs tool calls. It does not host customer agents or certify third-party tools.
What To Review First
Start with one agent or workflow that wants write access and has a real consequence if it acts incorrectly. Good candidates are MCP tool calls, data export, payment or invoice workflows, production ticket mutation, and code or infrastructure changes.