AGEI

Security

Enterprise-grade security for AI governance infrastructure

Security Controls Disclaimer

Security controls reduce risk and strengthen evidence integrity, but they do not eliminate all security, operational, or compliance risk. AGEI should be deployed as part of a broader governance, security, privacy, and compliance program.

Encrypted

Data at rest & in transit

Multi-Tenant

RLS isolation

Immutable

Tamper-evident logs

Monitored

Anomaly detection

Authentication & Authorization

Supabase Auth

Built on Supabase Auth with JWT tokens for session management. Supports email/password, magic links, and SSO.

Features:

Secure password hashing (bcrypt)
JWT token rotation
10-minute inactivity timeout
Email verification

Role-Based Access Control

Granular permissions system with 10 specialized reviewer roles and organization-level access control.

Reviewer Roles:

model_risk_reviewer

compliance_reviewer

data_privacy_officer

security_reviewer

legal_counsel

ethics_board

Data Security

Row-Level Security (RLS)

PostgreSQL RLS enforces multi-tenant isolation

Every table has RLS policies that enforce organization-level isolation. Users can only access data belonging to their organization.

CREATE POLICY "Users can only access their org data" ON receipts FOR SELECT USING (organization_id IN ( SELECT organization_id FROM principals WHERE id = auth.uid() ));

Coverage:

• All tables with organization_id have RLS policies
• Service role bypasses RLS for API operations
• Client-side queries enforce RLS automatically

Cryptographic Evidence

SHA-256 hashing for tamper detection

Content Hashing

• SHA-256 hash of all evidence payloads
• Hash stored with 'sha256:' prefix
• Verification on retrieval
• Detects any tampering

Digital Signatures

• Optional cryptographic signing
• Non-repudiation proof
• Vault objects require signatures
• Audit pack sealing

Encryption

Protection at rest and in transit

At Rest

• Supabase encrypts all database data
• AES-256 encryption
• Automated key rotation
• Secure backups

In Transit

• TLS 1.3 for all connections
• HTTPS enforced
• Certificate pinning available
• Secure WebSocket connections

Token Security

HITL approval token protection

HITL approval tokens are generated as 64-character hex strings (32 random bytes) and hashed before storage.

Generation

• Cryptographically random
• 32 bytes (256 bits)
• Hex encoded

Storage

• SHA-256 hashed
• Only hash stored
• Constant-time comparison

Expiration

• Time-based (SLA-driven)
• Limited use count (10)
• Auto-expiration job

Threat Protection

Agent Behavior Monitoring

Real-time anomaly detection for AI agents with statistical deviation analysis and automated threat response.

Detected Threats:

• Compromised credentials
• Privilege escalation attempts
• Volume-based attacks
• Off-hours suspicious activity
• Geographic anomalies

Automated Response

Critical threats trigger automatic defensive actions to contain damage before manual investigation.

Response Actions:

• Session termination
• API key suspension
• Access restriction
• Rate limiting
• Alert notification

Rate Limiting

API quota buckets prevent abuse and ensure fair resource allocation across organizations.

Starter

1K/hour

Professional

10K/hour

Enterprise

Custom

Audit Logging

Complete immutable audit trail of all system operations for forensic analysis and compliance.

Logged Events:

• API access attempts
• Policy evaluations
• HITL decisions
• Agent tool invocations
• Security alerts

Security Best Practices

For Administrators:

• Rotate API keys regularly
• Use service role key only server-side
• Review anomaly alerts daily
• Grant minimum necessary roles
• Enable MFA for admin accounts

For Developers:

• Never expose service role key client-side
• Validate all evidence payloads
• Use HTTPS for all API calls
• Implement retry with backoff
• Handle rate limits gracefully