
How does Enforgate address the OWASP Agentic AI Top 10?

The OWASP Top 10 for Agentic AI Systems (ASI01–ASI10) describes the highest-impact security risks in AI agent deployments. This page maps each risk to Enforgate's current coverage and roadmap.

Note: Numbering and exact wording of ASI labels may vary across secondary sources. Always verify against the official OWASP Top 10 for Agentic Applications publication at genai.owasp.org.

Legend: Covered / Partial / Roadmap. Status reflects coverage as of the current release.

ASI01 Agent Behavior Hijacking

Status: Partial

An agent's decision loop is turned against its owner; behavior drifts from its stated intent.

What Enforgate has today

  • Deny-by-default policy engine — unrecognised tool patterns are blocked, not allowed.
  • HITL approval gate — high-risk actions pause for a human before executing.
  • Immutable audit log with hash-chain tamper evidence so drift is detectable after the fact.
  • Loop detection — identical calls within a time window are blocked automatically.

On the roadmap

  • Behavioral baseline per agent (normal call patterns → deviation alerts).
  • Per-agent kill switch for instant freeze from the dashboard.
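An added illustration (not Enforgate's code) of the hash-chain tamper evidence described above, with tool-call arguments stored only as digests as the ASI06 section notes; the row layout and field names are assumptions:

```python
import hashlib
import json

def canonical(obj):
    """Deterministic JSON so the same record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def hash_args(args):
    """Tool-call arguments are stored only as a SHA-256 digest, never in plaintext."""
    return hashlib.sha256(canonical(args).encode()).hexdigest()

class AuditLog:
    """Append-only rows where each row commits to the previous row's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.rows = []

    def append(self, key_id, tool, args, verdict, ts):
        prev = self.rows[-1]["hash"] if self.rows else self.GENESIS
        row = {"seq": len(self.rows), "ts": ts, "key_id": key_id, "tool": tool,
               "args_sha256": hash_args(args), "verdict": verdict, "prev": prev}
        row["hash"] = hashlib.sha256(canonical(row).encode()).hexdigest()
        self.rows.append(row)
        return row["hash"]

    def verify(self):
        """Recompute every link; return (True, None) or (False, first_bad_index)."""
        prev = self.GENESIS
        for i, row in enumerate(self.rows):
            body = {k: v for k, v in row.items() if k != "hash"}
            if row["prev"] != prev or row["seq"] != i:
                return False, i          # row deleted, reordered or spliced in
            if hashlib.sha256(canonical(body).encode()).hexdigest() != row["hash"]:
                return False, i          # row contents edited after the fact
            prev = row["hash"]
        return True, None

def demo():
    """Constructed sample: three calls, then an after-the-fact edit of row 1."""
    log = AuditLog()
    log.append("key_1", "db.query", {"query": "SELECT 1"}, "allow", ts=1)
    log.append("key_1", "send_email", {"to": "bob@example.com"}, "hold", ts=2)
    log.append("key_1", "delete_file", {"path": "/tmp/report.txt"}, "block", ts=3)
    assert log.verify() == (True, None)
    log.rows[1]["verdict"] = "allow"     # tamper: flip a held call to allowed
    return log.verify()                  # -> (False, 1)
```

Truncating the tail of the chain is not detectable from the rows alone; anchor the latest hash somewhere the database writer cannot reach (a separate store or a periodic export) to close that gap.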

ASI02 Prompt Injection & Manipulation

Status: Roadmap

Malicious instructions hidden in data the agent processes — emails, documents, web content — redirect it into unintended actions.

What Enforgate has today

  • Policy conditions on tool-call arguments intercept injection at the point it becomes an action (not in text).
  • Argument-level deny rules can block calls whose arguments match injection patterns (regex conditions).

On the roadmap

  • Deterministic injection-pattern scanner on tool-call arguments at the gateway.
  • Taint-tracking on untrusted upstream responses before they reach subsequent tool calls.

ASI03 Tool Misuse & Exploitation

Status: Covered

An agent is tricked into using legitimate tools for malicious ends — reading files it shouldn't, sending emails it wasn't asked to.

What Enforgate has today

  • Glob/regex deny-by-default policy engine: any tool not explicitly allowed is blocked.
  • Argument-level policy conditions: allow db.query only when the query field matches SELECT, block DROP/DELETE.
  • Visual policy rule builder with color-coded verdict cards, move-up/down, and duplicate-rule controls.
  • HITL approval gate for high-sensitivity actions (send_email, delete_file, …).
  • MCP proxy namespaces upstream tools (upstream__tool) so a policy can target one upstream without affecting others.
  • Standing grants: permanent allow/deny that bypass the approval queue for known-safe or known-dangerous calls.
  • Dry-run simulation: replay the last 7 days of real traffic against a new policy before saving.

ASI04 Identity & Privilege Abuse

Status: Partial

Agent credentials are stolen or misused; privilege escalation; agent identity blurred with a human user.

What Enforgate has today

  • API keys stored as SHA-256 hashes — a database leak exposes nothing usable.
  • Short-lived scoped session tokens (bws_ prefix): agents exchange a long-lived key for a session token with a TTL (15 min – 24 h) and an optional tool-scope restriction.
  • Sessions are issuable from the dashboard — human issues a scoped token, hands it to the agent.
  • Secrets vault: org-managed credentials stored AES-256-GCM encrypted; agents reference them as {{secret:name}} — the plaintext is substituted at the gateway and never reaches the agent or the audit log.
  • Every audit row links to the session that made the call (per-conversation attribution).
  • API key expiry and revocation — immediate effect at the gateway.

On the roadmap

  • OAuth-on-behalf-of: agents act as the user who authorized them, not as a service account.
  • Key rotation UI with zero-downtime handover.

ASI05 Inadequate Guardrails & Sandboxing

Status: Partial

The agent acts without hard, deterministic boundaries. A 'no' that can be argued around is not a guardrail.

What Enforgate has today

  • Deny-by-default: no policy → every call is blocked. A malformed rule fails closed, not open.
  • Shadow mode: evaluate the policy and audit the verdict, but always forward the call — test guardrails risk-free before enabling them.
  • Enforcement mode per key: enforce / shadow / off, switchable from the dashboard.
  • Audit write failure → 500, no verdict returned — a call that can't be recorded can't proceed.

On the roadmap

  • Explicit guardrail-config UI distinguishing 'always allow', 'always block', and 'hold for human'.
  • Public conformance statement for SAFE-MCP and OWASP MCP Top 10.
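An added example (not Enforgate's code) of the policy semantics described in the ASI03 and ASI05 sections: glob tool patterns, regex conditions on arguments, first match wins, deny by default, a malformed rule failing closed, and shadow mode forwarding while still recording the verdict. The rule schema and field names are assumptions, as is the rule list itself:

```python
import fnmatch
import re

# Constructed rule set. Order matters: the DROP/DELETE block sits above the
# SELECT allow so "SELECT ...; DROP TABLE ..." is caught by the first rule.
RULES = [
    {"tool": "db.query", "verdict": "block", "when": {"query": r"(?i)\b(DROP|DELETE)\b"}},
    {"tool": "db.query", "verdict": "allow", "when": {"query": r"(?is)^\s*SELECT\b"}},
    {"tool": "crm__*", "verdict": "allow"},             # one namespaced upstream
    {"tool": "send_email", "verdict": "hold"},          # HITL approval gate
    {"tool": "fs.read", "verdict": "allow", "when": {"path": r"(unclosed"}},  # malformed
]

def match_rule(rule, tool, args):
    """True when the tool glob matches and every argument condition matches.
    A missing argument never satisfies a condition."""
    if not fnmatch.fnmatchcase(tool, rule["tool"]):
        return False
    for field, pattern in rule.get("when", {}).items():
        value = args.get(field)
        if value is None or re.search(pattern, str(value)) is None:
            return False
    return True

def evaluate(rules, tool, args):
    """Return (verdict, matched_rule). No match -> 'block' (deny by default).
    A rule that cannot be evaluated fails closed rather than being skipped."""
    for rule in rules:
        try:
            if match_rule(rule, tool, args):
                return rule["verdict"], rule
        except re.error as exc:
            return "block", {"error": f"malformed rule: {exc}"}
    return "block", None

def gateway(rules, tool, args, mode="enforce"):
    """Return (forwarded, verdict). In shadow (or off) mode the verdict is still
    produced for the audit row, but the call is always forwarded."""
    verdict, _ = evaluate(rules, tool, args)
    if mode in ("shadow", "off"):
        return True, verdict
    return verdict == "allow", verdict
```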

ASI06 Sensitive Information Disclosure

Status: Partial

The agent leaks confidential data — PII, secrets, internal data — in its tool-call outputs.

What Enforgate has today

  • Secrets vault prevents agents from ever seeing raw credentials (substituted at the gateway).
  • Tool-call arguments are hashed before audit logging — no PII reaches the database.
  • Response-side DLP: gateway scans every tool response for API keys (OpenAI/AWS/GitHub/Slack/Enforgate), credit cards, SSNs, and email addresses before the result reaches the agent. Configurable action per org: block (return error) or redact (inline replacement with [REDACTED:pattern]).

On the roadmap

  • Custom regex rules per org (bring your own PII patterns).
  • Per-upstream DLP override (e.g. disable email redaction for a CRM upstream).
  • DLP event feed — surface redaction events in the audit log.
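An added example (not Enforgate's code) of the response-side DLP step described above: scan a tool response for a set of patterns and apply the org-level action, block or redact with an inline [REDACTED:pattern] marker. The detector patterns are constructed approximations and a Luhn check is added on card candidates, which the page does not describe:

```python
import re

# Detector set for this illustration only. OpenAI and Enforgate key formats are
# deliberately left out; the remaining patterns are well-known public formats.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token":   re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token":    re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    "ssn":            re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email":          re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "credit_card":    re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(candidate):
    """Luhn checksum over the digits; cuts false positives on order/invoice ids."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return [(pattern_name, match)] for every finding in a tool response."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "credit_card" and not luhn_ok(m.group()):
                continue
            findings.append((name, m))
    return findings

def filter_response(text, action="redact"):
    """Apply the org-level action. Returns (outcome, text, pattern_names) where
    outcome is 'clean', 'blocked' (text is None) or 'redacted'."""
    findings = scan(text)
    names = sorted({n for n, _ in findings})
    if not findings:
        return "clean", text, []
    if action == "block":
        return "blocked", None, names
    out = text
    # Splice from the end so earlier offsets stay valid after each replacement.
    for name, m in sorted(findings, key=lambda f: f[1].start(), reverse=True):
        out = out[:m.start()] + f"[REDACTED:{name}]" + out[m.end():]
    return "redacted", out, names
```

The splice loop assumes findings do not overlap; if two patterns can match the same span, merge overlapping ranges first or the second replacement will corrupt the first.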

ASI07 Data Poisoning & Manipulation

Status: Partial

Corrupted or adversarially crafted data sources lead to flawed or malicious agent decisions.

What Enforgate has today

  • Upstream allowlists: only registered MCP servers can be connected; ad-hoc URLs are rejected.
  • MCP upstream configuration is org-scoped — an agent can't add its own upstreams.

On the roadmap

  • Response integrity checks on upstream results (signature verification where the upstream supports it).
  • Data lineage in the audit trail linking a tool output to the subsequent calls it triggered.

ASI08 Denial of Service & Resource Exhaustion

Status: Covered

A runaway or compromised agent loops endlessly or blows through compute and API budgets.

What Enforgate has today

  • Loop detection: identical tool calls within a configurable time window are blocked (org-level setting).
  • Daily budget cap: maximum allowed calls per key per UTC day; only forwarded calls count.
  • Usage tracking with per-key monthly counters and dashboard charts.
  • Plan-level soft limits with over-limit warnings (hard enforcement on the roadmap).
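An added example (not Enforgate's code) of the two ASI08 controls above working together: loop detection over a sliding time window, then a per-key daily cap counted in UTC days where only forwarded calls count. Window length, cap default and the fingerprinting of "identical" calls are assumptions:

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

class RateGuard:
    """Loop detection plus a per-key daily budget, evaluated in that order.
    A call blocked by either check is not forwarded and therefore does not
    count toward the budget (matching 'only forwarded calls count')."""

    def __init__(self, loop_window_s=10.0, daily_cap=1000):
        self.loop_window_s = loop_window_s      # org-level setting (assumed default)
        self.daily_cap = daily_cap              # per key per UTC day (assumed default)
        self.recent = defaultdict(deque)        # key_id -> deque[(ts, fingerprint)]
        self.forwarded = defaultdict(int)       # (key_id, utc_day) -> forwarded calls

    @staticmethod
    def fingerprint(tool, args):
        """Two calls are 'identical' when tool name and canonical args match."""
        blob = json.dumps({"tool": tool, "args": args}, sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()

    def check(self, key_id, tool, args, ts):
        """Return ('forward', None) or ('block', reason); ts is a unix timestamp."""
        fp = self.fingerprint(tool, args)
        window = self.recent[key_id]
        while window and ts - window[0][0] > self.loop_window_s:
            window.popleft()                    # expire calls outside the window
        if any(f == fp for _, f in window):
            return "block", "loop_detected"
        day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
        if self.forwarded[(key_id, day)] >= self.daily_cap:
            return "block", "daily_cap"
        window.append((ts, fp))
        self.forwarded[(key_id, day)] += 1
        return "forward", None
```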

ASI09 Insecure Supply Chain & Integration

Status: Roadmap

Vulnerable or malicious third-party tools and MCP servers are connected without verification.

What Enforgate has today

  • MCP upstreams are registered per key by a developer-role member — not by the agent itself.
  • Upstream names are namespace-checked (__-separator enforcement) to prevent tool-name collisions.

On the roadmap

  • Signed/verified MCP manifest registry: Ed25519 signing + pinned upstream versions.
  • Integration audit log (who added which upstream, when, from which IP).

ASI10 Over-reliance & Misplaced Trust

Status: Partial

Blind faith in agent output; no human oversight of high-stakes decisions.

What Enforgate has today

  • HITL approvals: high-risk calls pause for a human to approve or deny with full attribution.
  • Approvals inbox with live pending count, inline approve/deny, reversal window, and audit timeline.
  • Feed-level inline approve/deny so approvers don't leave the live feed.
  • On-call schedules route approval notifications to the right team based on day and time.
  • Approver groups: named sets of team members notified together.
  • Reversal: approved decisions can be undone within a configurable window.

On the roadmap

  • Decision explainability: why was this call allowed/blocked (matched rule, arg values, policy name).
  • 'Earned autonomy' gating: new agents start with tight constraints and loosen automatically as trust is established.

Coverage summary

Risk                                           Status
ASI01 Agent Behavior Hijacking                 Partial
ASI02 Prompt Injection & Manipulation          Roadmap
ASI03 Tool Misuse & Exploitation               Covered
ASI04 Identity & Privilege Abuse               Partial
ASI05 Inadequate Guardrails & Sandboxing       Partial
ASI06 Sensitive Information Disclosure         Partial
ASI07 Data Poisoning & Manipulation            Partial
ASI08 Denial of Service & Resource Exhaustion  Covered
ASI09 Insecure Supply Chain & Integration      Roadmap
ASI10 Over-reliance & Misplaced Trust          Partial

What "covered" means

Covered means Enforgate directly addresses the risk category with a shipped, testable control — not a checkbox or a marketing claim. Partial means the most common attack paths are mitigated but edge cases or advanced scenarios require roadmap work. Roadmap means a foundational control exists but the primary protection mechanism is still in development.

No tool eliminates all risk. Enforgate is the enforcement layer at the tool-call boundary — it complements (and doesn't replace) secure prompt design, model-level guardrails, and infrastructure isolation.
