Authorization for AI agents.
Beyond credentials.
Your existing identity stack answers "is this permitted?" When an AI agent gets prompt-injected, every layer says yes — because the credentials are valid. IntentGate adds the missing layer: capability tokens, policy, audit, and a human in the loop for the decisions that matter.
Runs in your environment
Agent traffic, audit data, policy decisions — all inside your cluster. No IntentGate B.V.-operated control plane between your agents and your tools.
Apache 2.0 gateway forever
The authorization control point is Apache 2.0. The Pro tier adds the enterprise operator console — SSO, SCIM, audit verify, JIT elevation. We commit to never moving control features behind a paywall.
Cryptographic audit chain
Every authorization decision is hashed into a per-tenant SHA-256 chain. One-click verification proves the log wasn't tampered with. Export as CSV or NDJSON for your auditor.
Direct mitigation for 14 of 20 risks
Maps to the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic AI Applications. Direct for 11 risks, partial for 4 more, honest about the 5 out of scope.
The four-control bypass
A prompt-injected agent attempts to read your customer database and email it externally. Every layer of your existing stack evaluates the call and approves it — because the credentials are valid.
| Control | Question it answers | Verdict |
|---|---|---|
| Identity (OIDC) | Is the user real? | PASS — Alice exists |
| IGA | Is the user entitled to financial data? | PASS — Entitled |
| PAM | Is the JIT credential valid for this tool? | PASS — Credential ok |
| ABAC / PBAC | Does policy permit this action on this resource? | PASS — In policy |
| IntentGate | Did the user actually request this specific action? | BLOCK — Never asked |
Four controls answer "is this permitted?" — all say yes. Only IntentGate asks "did the user ask?" That's the missing layer.
Six capabilities, all shipping today
Every feature below is in production code as of v0.5 — not on a roadmap, not behind a flag. Buyers can deploy and run them this week.
Four-check pipeline
Capability tokens, intent classification, Rego policy, budget ceilings. The agent's authorization runs every call through all four. Apache 2.0.
Tamper-evident audit
Per-tenant SHA-256 hash chain. Operator dashboard verifies in one click. Stream CSV / NDJSON export to your auditor. Pro dashboard
JIT admin elevation
No standing admin. Request elevation with a reason, get TOTP-gated approval from a different admin, role auto-expires. Pro
OIDC SSO + SCIM
Operators sign in via Okta, Entra, Auth0, Keycloak, Google. SCIM push handles off-boarding automatically. Pro
TOTP step-up
Destructive operations — policy rollback, clear active, high-risk approvals — gate behind a fresh TOTP code. Pro
Per-tenant notifications
Slack Block Kit, Teams Adaptive Card, PagerDuty Events v2 — fan out HMAC-signed gateway webhooks per tenant. Pro
Built to clear procurement
SOC 2, ISO 27001, GDPR Article 30, AI Act Article 12 — every audit framework asks the same question. "Show me the log, prove it wasn't tampered with." IntentGate hands the auditor a verified chain and a CSV. That conversation now takes minutes, not weeks.
For your security team
- Standing admin replaced by JIT elevation
  SOC 2 CC6.3 evidence — "prove no operator held admin without approval" — answers in one query.
- Step-up on every destructive operation
  Policy rollback, clear active, approve high-risk all require a fresh TOTP factor. Captured session cookies aren't enough.
- Cryptographic audit chain
  SHA-256 hash chain over canonical event JSON. Tamper detected in one click via the operator dashboard.
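How a SHA-256 hash chain over canonical event JSON makes an NDJSON audit export tamper-evident, as an added Python example that is not IntentGate's code. The record fields (`tenant`, `prev_hash`, `event`, `hash`), the canonicalization and the all-zero genesis value are assumptions, since the page does not specify the export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value of prev_hash for a tenant's first record

def canonical(event):
    # Assumed canonical form: sorted keys, no extra whitespace, UTF-8.
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def link_hash(prev_hash, event):
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(event)).hexdigest()

def build_chain(tenant, events):
    """Emit NDJSON lines for one tenant (stands in for an audit export)."""
    prev, lines = GENESIS, []
    for event in events:
        digest = link_hash(prev, event)
        lines.append(json.dumps({"tenant": tenant, "prev_hash": prev,
                                 "event": event, "hash": digest}))
        prev = digest
    return lines

def verify_ndjson(lines, expected_heads=None):
    """Return {tenant: first problem}; an empty dict means every chain is intact."""
    heads, counts, problems = {}, {}, {}
    for line in lines:
        rec = json.loads(line)
        tenant = rec["tenant"]
        if tenant in problems:
            continue
        n = counts.get(tenant, 0)
        if rec["prev_hash"] != heads.get(tenant, GENESIS):
            problems[tenant] = f"record {n}: prev_hash does not match preceding record"
        elif rec["hash"] != link_hash(rec["prev_hash"], rec["event"]):
            problems[tenant] = f"record {n}: event content does not match hash"
        heads[tenant], counts[tenant] = rec["hash"], n + 1
    # A truncated tail still verifies link by link; compare heads with anchored values.
    for tenant, head in (expected_heads or {}).items():
        if tenant not in problems and heads.get(tenant) != head:
            problems[tenant] = "chain head differs from anchored value"
    return problems

# Constructed sample events, not real gateway output.
SAMPLE = build_chain("acme", [
    {"decision": "allow", "tool": "crm.read"},
    {"decision": "block", "tool": "mail.send"},
    {"decision": "allow", "tool": "crm.export"},
])
```

A chain on its own proves only internal consistency: anyone able to rewrite every record can recompute it, which is why the verifier also accepts a head hash stored outside the log.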
For your platform team
- Two containers, one database
  Gateway, console. Postgres. Helm chart deploys both in one `helm install`. No SaaS dependencies.
- OIDC, SCIM, OCSF, SIEM — vendor-agnostic
  Wire Okta or Entra. Push SCIM. Stream audit to Splunk, Datadog, Sentinel side-by-side. Existing stack stays as is.
- Open source you can fork
  Apache 2.0 components remain Apache 2.0 in perpetuity. You're never locked into our cloud — there isn't one.
About IntentGate
IntentGate is the runtime authorization layer for AI agents. It evaluates an agent's proposed actions against policy at the moment of execution. In-scope actions pass. Out-of-scope actions refuse. Every decision is logged to a tamper-evident audit trail.
IntentGate is the eighth domain of AI security: agent runtime authorization. It is the control category that sits where identity, access control, DLP, CASB and EDR don't reach — the moment an already-authorized agent decides what to do with that authorization.
Founded November 2024 by Joe Cordoba. Based in IJsselstein, Utrecht, the Netherlands. Self-hosted, Apache 2.0 core, vendor-neutral.
Ready to evaluate?
A standard pilot is 4 weeks against your real OIDC IdP, your real Slack workspace, and your real audit volume — no synthetic demos.