
From One Line of Code to Full AI Agent Governance in Two Weeks

Gilad Gabay · April 12, 2026 · 8 min read

Enterprise AI governance doesn't require writing thousands of rules manually. Shadow Mode observes your agents for 7 days and auto-generates a deny-by-default policy draft; ENFORCE mode activates on Day 15 via canary deployment. The onboarding objection — "we can't write all those rules" — is solved.


The most common objection CISOs raise about inline AI agent governance is not about security, latency, or architecture. It's about onboarding.

"We have 50 AI agents talking to 200 internal APIs. You want us to write allow-rules for every combination? That's thousands of rules. My team doesn't have the capacity. We'll be writing YAML for six months."

This objection is valid. And it's the reason most governance deployments stall before they start.

Policy Bootstrap eliminates it.

The Onboarding Problem

Traditional security policy deployment follows a familiar pattern: security teams manually define rules, test them in staging, deploy to production, and iterate when something breaks. This works when the number of entities is small and their behavior is predictable.

AI agent environments are neither. A single enterprise may run dozens of agents across engineering, finance, HR, customer support, and operations. Each agent uses a different combination of tools — database queries, email, file access, API calls, fund transfers, permission management. Each tool has parameters that vary by context. The combinatorial space is enormous.

Writing policies manually means a security team must understand every agent's purpose, every tool it uses, every argument pattern it employs, and every edge case in its workflow. For 50 agents with 200 APIs, this is months of work — during which agents run ungoverned.

The alternative is what most organizations do today: deploy agents without governance and hope nothing goes wrong.

How Policy Bootstrap Works

Policy Bootstrap inverts the process. Instead of writing rules from scratch, the security team deploys the gateway in observation mode and lets the system learn normal behavior before generating rules.

Day 0. The developer changes one line of code — the base_url parameter in the OpenAI SDK client. All agent traffic now routes through the gateway. The gateway activates in Shadow Mode: it sees every tool call, logs everything, and blocks nothing. Zero impact on operations. Agents continue working exactly as before.
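The Day 0 change can be sketched as follows. This is a minimal illustration, not the product's actual setup: the gateway URL is hypothetical, and the helper function exists only to show that the `base_url` swap is the whole change.

```python
# Before (direct):  client = OpenAI(api_key=key)                        # api.openai.com
# After (governed): client = OpenAI(api_key=key, base_url=GATEWAY_BASE_URL)

GATEWAY_BASE_URL = "https://gateway.example.internal/v1"  # hypothetical gateway endpoint

def client_kwargs(api_key: str) -> dict:
    """Build kwargs for OpenAI(...); swapping in base_url is the entire Day 0 change."""
    return {"api_key": api_key, "base_url": GATEWAY_BASE_URL}
```

Every request the SDK makes now passes through the gateway, which observes and forwards it unchanged while in Shadow Mode.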

During Shadow Mode, the system builds three datasets simultaneously. The Tool Registry auto-populates with every tool name, schema, risk classification, and call frequency observed. Agent behavioral profiles accumulate via EWMA (Exponentially Weighted Moving Average) baselines across five dimensions: request volume, operating hours, tool mix, risk profile, and data sensitivity. The WORM audit chain records every tool call with cryptographic hash chaining — creating immutable compliance evidence from day one.
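An EWMA baseline update is a one-line recurrence per dimension: new = α·observation + (1−α)·old. The sketch below assumes a dictionary of per-dimension values; the dimension names and smoothing factor are illustrative, not the product's actual parameters.

```python
def ewma_update(baseline: dict, observation: dict, alpha: float = 0.1) -> dict:
    """One EWMA step per behavioral dimension: new = alpha*obs + (1-alpha)*old.
    Dimensions absent from the baseline are seeded with the first observation."""
    return {dim: alpha * observation[dim] + (1 - alpha) * baseline.get(dim, observation[dim])
            for dim in observation}

# Illustrative dimensions; a spike in volume moves the baseline only fractionally.
baseline = {"request_volume": 100.0, "risk_score": 0.2}
updated = ewma_update(baseline, {"request_volume": 140.0, "risk_score": 0.2}, alpha=0.25)
# request_volume: 0.25*140 + 0.75*100 = 110.0
```

A small α makes the baseline stable against one-off spikes while still tracking genuine drift over days, which is what makes week-long observation windows meaningful.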

Day 7. Policy Bootstrap runs automatically. It reads the full week of observations from the audit chain, groups them by agent, tool, and argument pattern, and generates a deny-by-default YAML policy draft.
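The grouping step can be sketched as below. This is an assumed simplification of the actual generator: it groups observations by (agent, tool), constrains each argument to the values actually seen, and leaves everything unobserved denied by default.

```python
from collections import defaultdict

def bootstrap_rules(observations: list) -> list:
    """Group audit-chain records by (agent, tool) and emit one allow rule each,
    constraining arguments to observed values; anything not listed stays denied."""
    grouped = defaultdict(list)
    for obs in observations:  # obs: {"agent": ..., "tool": ..., "args": {...}}
        grouped[(obs["agent"], obs["tool"])].append(obs["args"])

    rules = []
    for (agent, tool), arg_sets in grouped.items():
        constraints = defaultdict(set)
        for args in arg_sets:
            for key, value in args.items():
                constraints[key].add(value)
        rules.append({"agent": agent, "tool": tool, "effect": "allow",
                      "args": {k: sorted(v) for k, v in constraints.items()}})
    return rules
```

A real generator would also collapse value sets into ranges, score confidence by observation volume, and flag risky combinations, but the core shape — observed behavior in, allow rules out — is this.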

A typical output for a mid-size enterprise:

  • 23 agents discovered and mapped
  • 47 tools with parameter constraints
  • 312 rules generated
  • 89% confidence score (based on observation volume)
  • 5 patterns flagged for human review
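A generated draft might look something like the YAML below. This is a hypothetical shape — field names, structure, and values are illustrative, not the product's actual schema:

```yaml
# Illustrative deny-by-default draft; schema and field names are assumptions
version: 1
default: deny
metadata:
  confidence: 0.89
  observation_window_days: 7
rules:
  - agent: finance-bot
    tool: transfer_funds
    effect: allow
    constraints:
      amount: { max: 50000 }        # threshold flagged for human review
  - agent: hr-bot
    tool: send_email
    effect: allow
    constraints:
      recipient_domain: ["corp.example.com"]
flags:
  - pattern: "read_file + send_email (hr-bot)"
    reason: possible-exfiltration
    action: human_review
```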

The flagged patterns are the critical output. These are combinations the system identifies as potentially risky — not necessarily malicious, but requiring a human decision:

Exfiltration pattern. "Agent hr-bot uses read_file and send_email together. This could be a legitimate reporting workflow or a data exfiltration path. Verify."

High-value transactions. "Agent finance-bot executed fund transfers exceeding $50,000 on three occasions. Set an approval threshold?"

Unknown agent. "An unidentified agent with no passport made 847 tool calls over seven days. No identity, no owner, no declared purpose. Authorize or block?"

Broad scope. "Agent ops-bot uses 31 different tools. This scope is unusually wide. Consider splitting into narrower agents with fewer permissions."

Cross-environment access. "Agent dev-bot accesses the production database. Restrict to staging?"

Day 8. The security team reviews the draft in the portal. They don't write rules — they review, adjust, and approve rules the system generated. For the five flagged patterns, they make explicit decisions: accept, modify, or block. They activate WARN mode.

Days 8-14. WARN mode flags violations but doesn't block them. The security team sees exactly what would be blocked under the proposed policy. They tune thresholds where the system is too aggressive or too permissive. This is calibration, not construction.

Day 15. ENFORCE mode activates through mandatory canary deployment. The new policy deploys to a single gateway node (10% of traffic) for 15 minutes. If the block rate spikes above twice the simulation prediction, the policy auto-rolls back. If the canary passes, rolling deployment promotes the policy to all nodes.
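The canary's rollback trigger reduces to a single comparison. A minimal sketch, assuming the rollback factor of 2× stated above; the function name and signature are illustrative:

```python
def canary_verdict(observed_block_rate: float, predicted_block_rate: float,
                   rollback_factor: float = 2.0) -> str:
    """Promote the policy if the canary's block rate stays at or under
    rollback_factor x the simulation prediction; otherwise auto-roll back."""
    if observed_block_rate > rollback_factor * predicted_block_rate:
        return "rollback"
    return "promote"
```

The key design choice is that the threshold is relative to the simulation's prediction, not an absolute rate, so a policy expected to block a lot of traffic isn't falsely rolled back.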

Full governance. Deny-by-default. Two weeks from a single line of code change.

Continuous Learning: Handling Seasonality

A seven-day observation window doesn't capture everything. End-of-month financial reconciliation, quarterly reporting, annual compliance audits — these legitimate workflows may not appear in the baseline.

When an agent governed under an ENFORCE policy attempts a tool call that wasn't observed during the baseline period, the system doesn't blindly block it. For known agents (those with valid passports and clean behavioral history), the system generates a Policy Update Suggestion:

"Agent finance-bot attempted close_fiscal_period (first seen). This tool was not observed during the 7-day baseline. Action: Approve and add to policy / Block / Extend Shadow Mode for this agent."

The security team decides. The system doesn't auto-allow unknown behavior — that would defeat deny-by-default. But it distinguishes between a known, trusted agent encountering a seasonal workflow and an unknown agent attempting an unauthorized action.
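The triage logic just described can be sketched as follows. The passport and history fields are illustrative stand-ins for the product's actual agent identity model:

```python
def handle_unseen_tool(agent: dict, tool: str) -> dict:
    """Deny-by-default triage for a tool call absent from the baseline:
    known agents with clean history get a Policy Update Suggestion for human
    review; everything else is simply blocked."""
    if agent.get("has_passport") and agent.get("clean_history"):
        return {
            "decision": "block_pending_review",
            "suggestion": (f"Agent {agent['name']} attempted {tool} (first seen). "
                           "Approve and add to policy / Block / Extend Shadow Mode."),
        }
    return {"decision": "block"}
```

In both branches the call is not allowed through; the difference is whether a human is asked to extend the policy or the event is treated as a plain violation.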

Shadow Mode continues running in the background even after ENFORCE activates. It observes new patterns, detects behavioral drift, and surfaces suggestions. Governance is not a one-time configuration — it is a continuous process.

What This Replaces

Without Policy Bootstrap, the enterprise AI governance journey looks like this:

Months 1-3: Security team manually catalogs all agents and tools.
Months 4-6: Security team writes YAML policies by hand, testing each rule individually.
Months 7-8: Policies deployed with immediate false positives, breaking agent workflows.
Months 9-12: Iterative debugging and tuning.
Month 13: Governance nominally active but fragile, with frequent exceptions.

With Policy Bootstrap:

Day 0: One line of code.
Day 7: Automatic policy generation.
Day 15: Full enforcement via canary deployment.
Ongoing: Continuous learning and seasonal adaptation.

The difference is not incremental. It is the difference between governance that ships and governance that stalls in committee.

The Policy Canary: Why Safe Deployment Matters

A misconfigured policy rule deployed to all gateway nodes simultaneously can disable every AI agent in the organization. This is the logical equivalent of a firewall rule that blocks all traffic — except worse, because it affects background business processes that humans may not notice for hours.

Policy canary deployment prevents this. Every policy change — whether from Policy Bootstrap, manual editing, or automated suggestion — follows the same three-step process:

First, Policy Simulation replays the last 24 hours of audit data through the proposed policy. The security team sees exactly what would change: how many calls would be blocked, how many would be allowed, and what the estimated false positive rate is. If the simulation predicts more than 10% false positives, the deployment is refused.
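The refusal gate is a simple ratio check. A sketch under an assumption the article doesn't spell out: that calls blocked during replay which don't match a known-bad pattern are counted as estimated false positives. Names and signature are illustrative:

```python
def simulation_gate(replayed_calls: int, would_block: int, known_bad: int,
                    max_fp_rate: float = 0.10) -> bool:
    """Return True if the proposed policy may proceed to canary deployment.
    Estimated false positives = blocked calls minus those matching known-bad
    patterns; deployment is refused above the 10% threshold."""
    false_positives = would_block - known_bad
    return (false_positives / replayed_calls) <= max_fp_rate
```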

Second, the policy deploys to a single canary node. For 15 minutes, 10% of traffic runs under the new policy while 90% continues under the current policy. The system monitors the block rate in real time. If it spikes above twice the predicted rate, auto-rollback activates.

Third, only after the canary passes does rolling deployment promote the policy to all nodes.

For VPC and air-gapped deployment tiers, canary deployment is mandatory. It cannot be bypassed. This is a hard constraint, not a recommendation. A single misconfigured rule should never take down an entire organization's AI operations.

Integration with Enterprise Security

Policy Bootstrap generates YAML, but governance doesn't live in isolation. Every observation, flag, and policy decision integrates with existing enterprise security infrastructure:

SIEM integration (Splunk, Datadog, Syslog, Microsoft Sentinel) exports every policy decision in real time. The security operations center sees AI governance events alongside traditional security events in a single pane.

Compliance evidence starts accumulating from Day 0. Shadow Mode observations are written to the WORM audit chain with cryptographic hash chaining. When an EU AI Act auditor asks for evidence of AI oversight, the organization has immutable records dating back to the first day of deployment.
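Cryptographic hash chaining of this kind is simple to sketch: each entry commits to the previous entry's hash, so altering any record invalidates every subsequent link. The record structure below is illustrative, not the product's actual audit format:

```python
import hashlib
import json

def append_record(chain: list, record: dict) -> dict:
    """Append-only hash chaining: each entry's hash covers the previous hash
    plus a canonical serialization of the record."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    body = json.dumps(record, sort_keys=True)
    entry = {"record": record, "prev": prev_hash,
             "hash": hashlib.sha256((prev_hash + body).encode()).hexdigest()}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recompute every link; any tampered record breaks verification."""
    prev = "0" * 64
    for entry in chain:
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

Combined with write-once storage, this is what lets an auditor confirm that the evidence trail was not edited after the fact.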

Agent discovery feeds into the existing identity management lifecycle. Unknown agents flagged during Policy Bootstrap are escalated to the IAM team for identity assignment, owner linkage, and passport issuance.

The Bottom Line

The governance objection — "we can't write all those rules" — is solved. The security team reviews and approves. They don't write from scratch.

One line of code. Two weeks. Full governance. No manual rule writing.


Deploy SharkRouter in Shadow Mode today. Policy Bootstrap generates your governance baseline automatically.

Read the full platform overview for architecture details and deployment models.

#policy-bootstrap #shadow-mode #onboarding #canary-deployment #worm-audit #enterprise

Gilad Gabay

Co-Founder & Chief Architect
