SharkRouter is the deterministic data plane for agentic AI. It sits between AI agents and tool execution, providing a 14-step governance pipeline that includes ToolGuard (function-call firewall), Agent Passport (cryptographic identity), Dry-Run Preview (impact preview before execution), Output Assurance (post-execution verification), Kill Switch (immediate halt), and an immutable WORM audit chain.

How is SharkRouter different from prompt filters or monitoring tools?

SharkRouter is not a prompt filter, not an output scanner, and not a monitoring tool. It is a stateful gateway that intercepts every function call an AI agent makes and enforces deterministic business rules before execution. Prompt filters (Pangea, Lakera) only inspect input. Out-of-band monitors (Zenity, Protect AI) observe but cannot enforce. JIT access tools (Oasis Security) manage permissions but do not audit execution. SharkRouter is the only product that intercepts, governs, and audits at the function-call layer with cryptographic proof.

Is SharkRouter OpenAI-compatible?

Yes. SharkRouter is a drop-in replacement for the OpenAI API. Change your base_url to https://api.sharkrouter.ai/v1 and your existing code works unchanged. One line. Full governance. Zero lock-in.

ToolGuard is the function-call firewall at the heart of SharkRouter. It is a deny-by-default policy engine that evaluates every tool call through a 7-guard chain (Regex, Keyword, Schema, Policy, Semantic, LLM, MoralCompass) cost-ordered so the first block wins. Typical added latency is under 150ms. ToolGuard enforces business rules at the execution layer — the only layer where AI agents actually do something.

What is Agent Passport?

Agent Passport assigns cryptographic identity (ECDSA-signed) to every AI agent in your environment. Each passport carries a scoped tool universe, a 9-state lifecycle FSM, and delegation chains with scope narrowing. Trust stages progress STRANGER → KNOWN → TRUSTED → EXTENSION based on observed behavior.

What is Dry-Run Preview?

Dry-Run Preview shows the impact of a destructive tool call before it executes — affected rows, blast radius, estimated cost. Zero of 19 competitors in our State of AI Governance benchmark offer this capability. It is what enables CISOs to approve agentic AI for production systems.

Can SharkRouter be deployed air-gapped?

Yes. SharkRouter offers three deployment tiers: Cloud Gateway (5 minutes), Private VPC (1 day), and Air-Gapped On-Premise (1 week). The air-gapped tier uses offline licensing and runs with zero outbound connectivity — designed for banking, defense, and government environments that cannot use cloud AI services.

What compliance frameworks does SharkRouter support?

SharkRouter is designed compliant by architecture: SOC 2, GDPR, HIPAA, ISO 27001, BOI 364, and EU AI Act Article 14 (human oversight of high-risk AI). The WORM audit chain provides cryptographic chain-of-custody that satisfies banking and regulated-industry audit requirements.

Warden is SharkRouter's open-source governance scanner. Run it against any AI framework or environment and it produces a 17-dimension governance score out of 100. Across 19 AI frameworks and competing gateways, the market average is 28/100. SharkRouter scores 91/100. Warden is free, runs in 60 seconds, and is the first tool a CISO uses in our evaluation funnel.

Crypto Shredding: The Nuclear Option for AI Data Sovereignty

There's a problem that most AI governance vendors quietly ignore: deletion is harder than it looks.

When a user requests erasure under GDPR Article 17, your instinct is to delete their database record. But their data exists in other places: request logs, semantic cache entries, audit trails, vector embeddings, conversation histories. Some of these locations are append-only by design. You can't easily "delete" from an immutable audit log.

Crypto shredding is the solution. And it's more elegant than it sounds.

What Is Crypto Shredding?

Crypto shredding (also called cryptographic erasure) is a data deletion technique where, instead of deleting the data itself, you delete the encryption key used to protect it. Without the key, the ciphertext is computationally indistinguishable from random noise. The data is effectively destroyed even though the bytes remain on disk.

The core insight: encryption transforms a deletion problem into a key management problem.

Instead of "find and delete every copy of Alice's data across all systems," you simply destroy Alice's encryption key. Every piece of data encrypted under that key — regardless of where it lives — becomes permanently inaccessible.

This works because:

Modern encryption (AES-256-GCM) is computationally secure: recovering plaintext without the key requires more energy than the sun will produce in its lifetime
Key deletion is atomic: you destroy one key, not thousands of records
Immutable systems remain intact: the ciphertext stays in your audit log, preserving sequence integrity, but no one can read it

How SharkRouter Implements Per-Tenant Crypto Shredding

SharkRouter uses a hierarchical key architecture with three levels:

Level 1: Master Key (KMS)

The root key lives in your KMS backend — local, AWS KMS, or HashiCorp Vault. This key never leaves the KMS; all cryptographic operations happen inside the KMS boundary.

Level 2: Tenant Data Keys (TDK)

Each tenant (organization) gets a unique data key, encrypted under the master key. TDKs are stored in the database as ciphertext. To use a TDK, SharkRouter decrypts it in memory using the master key for the duration of the operation, then discards it.

Level 3: User Encryption Keys (UEK)

Each user gets their own encryption key, derived from the TDK using HKDF with a user-specific salt. This is the key that encrypts the user's actual data: conversation history, memories, PII detections, audit events.

```
Master Key (KMS)
└── Tenant Data Key (encrypted with Master Key)
└── User Encryption Key (derived via HKDF)
└── User Data (encrypted with UEK)
```

The Shredding Operation

When a GDPR erasure request arrives for user Alice:

```python
async def shred_user_data(tenant_id: str, user_id: str):
# 1. Revoke the user's encryption key
await kms.revoke_user_key(tenant_id, user_id)

# 2. Delete the key derivation salt (makes UEK unrecoverable)
await db.execute(
    "DELETE FROM user_key_salts WHERE user_id = $1",
    user_id
)

# 3. Log the shredding event (this log entry itself is
#    encrypted under the TENANT key, not the user key)
await audit.log_shredding_event(tenant_id, user_id)

# 4. Optionally: overwrite ciphertext with zeros for belt-and-suspenders
if config.overwrite_on_shred:
    await db.execute(
        "UPDATE user_data SET payload = '' WHERE user_id = $1",
        user_id
    )

```

After step 2, Alice's UEK cannot be reconstructed. All her encrypted data — regardless of where it lives in the system — is permanently inaccessible.

What Gets Protected by Per-User Encryption

In SharkRouter, user-scoped encryption covers:

Conversation histories — Each message stored encrypted under the UEK
Universal Memory entries — User-specific facts and preferences
PII detection results — The actual detected PII values (though category labels are stored unencrypted for analytics)
Semantic cache entries — User-personalized cache responses
Request/response logs — The content of AI interactions

Metadata required for system operation (timestamps, sequence numbers, tenant IDs) is stored unencrypted but contains no user content.

GDPR Right-to-Be-Forgotten: How Crypto Shredding Satisfies It

The GDPR right to erasure (Article 17) requires that personal data be erased "without undue delay." Courts and data protection authorities have clarified that this means the data must be practically inaccessible, not just deleted from the primary database.

Crypto shredding satisfies this requirement because:

Completeness: All copies of the data — logs, caches, backups, replicas — are covered. You don't need to know where every copy lives.
Verifiability: You can prove to regulators that you deleted the key, and therefore prove the data is inaccessible. Key deletion is auditable in a way that distributed data deletion is not.
Immutability preservation: Your audit log remains intact (critical for financial regulators), but the content of shredded entries becomes unreadable.
Backup coverage: Even encrypted backups taken before the erasure request become useless for accessing that user's data. You don't need to identify and purge individual user records from backup tapes.

The KMS Backend Options

Local KMS — SharkRouter generates and stores keys in an encrypted key store on your infrastructure. Shredding is immediate: delete the key entry, done. No external dependencies.

AWS KMS — User keys are stored as AWS KMS key aliases. Shredding schedules key deletion (AWS enforces a 7-30 day waiting period before physical deletion). For immediate revocation, SharkRouter disables the key, making it immediately unusable, while the scheduled deletion completes.

HashiCorp Vault (Transit Secrets Engine) — Vault's transit engine handles all cryptographic operations. Key deletion in Vault is immediate and permanent. SharkRouter uses Vault's key versioning to support rotation while maintaining read access to older data during migration periods.

Beyond GDPR: Other Use Cases for Crypto Shredding

Employee offboarding: When an employee leaves, shred their key. Their AI interaction history becomes inaccessible without deleting audit evidence of their activity.

Tenant offboarding: When an enterprise customer churns, shred the tenant data key. All their data across all users becomes simultaneously inaccessible. One operation, complete data separation.

Regulatory hold expiry: Some data must be retained for 7 years (financial records) but should be inaccessible afterward. Crypto shredding lets you satisfy both requirements: keep the ciphertext for the retention period, shred the key when retention expires.

Breach containment: If a subset of user keys is compromised, shredding them limits the blast radius without requiring a full system migration.

The Limits of Crypto Shredding

Crypto shredding is not magic. It has limits worth understanding:

Key escrow: If copies of the key exist outside your KMS (in memory dumps, log files, crash reports), shredding the KMS record may not destroy all copies. SharkRouter's design ensures keys are never logged or persisted outside the KMS.
Quantum future: AES-256 is considered quantum-resistant for practical purposes, but organizations with very long data retention horizons should monitor post-quantum cryptography standards.
Analytics on encrypted data: Once data is shredded, you lose the ability to query it even for legitimate purposes. Plan your data architecture to separate analytics-relevant metadata (stored unencrypted) from personal content (encrypted).

Conclusion

Crypto shredding reframes data governance as a key management problem — and key management is a solved problem with well-understood tooling. For AI systems that inevitably scatter user data across logs, caches, and audit trails, it's the only practical path to complete and verifiable erasure.

SharkRouter makes crypto shredding a first-class feature: every user's data is encrypted under their own key from the moment it enters the system, and deletion is a single API call.

Questions about our key management architecture? Read the KMS documentation or contact our security team.

Crypto Shredding: The Nuclear Option for AI Data Sovereignty

Crypto Shredding: The Nuclear Option for AI Data Sovereignty

What Is Crypto Shredding?

How SharkRouter Implements Per-Tenant Crypto Shredding

Level 1: Master Key (KMS)

Level 2: Tenant Data Keys (TDK)

Level 3: User Encryption Keys (UEK)

The Shredding Operation

What Gets Protected by Per-User Encryption

GDPR Right-to-Be-Forgotten: How Crypto Shredding Satisfies It

The KMS Backend Options

Beyond GDPR: Other Use Cases for Crypto Shredding

The Limits of Crypto Shredding

Conclusion

Gilad Gabay