Agentic CISO
Agentic CISO is the governance home for agentic AI inside Gamut AI. It is the system of record: it owns the truth about which agents exist, what they are allowed to do, who is accountable for them, and what they have actually done. Gateway enforces that truth at runtime, and Claw (or a BYO runtime) executes the work. Nothing an agent does at runtime is valid unless it traces back to a record held here.
The separation of duties
- Agentic CISO = governance system of record (this page)
- Gamut Gateway = runtime policy decision and enforcement
- Gamut Claw = secure execution layer
Agentic CISO never executes agent work and never holds provider credentials. Its job is to define and hold the governance state that Gateway reads on every single agent action. This is what keeps Gamut a trust plane rather than just another agent orchestrator.
What Agentic CISO holds
Governing an agent across its lifecycle takes more than an inventory entry. Agentic CISO brings together a connected set of records, each one a control surface that Gateway can enforce against:
| Record | What it governs |
|---|---|
| Agent register | The inventory of agents, their owners, purpose, ATF level, risk tier and lifecycle status. |
| Org nodes & identity profiles | Where an agent sits in the organisation and the identity it acts under. |
| Access matrix | Which systems and data domains an agent is positioned to reach. |
| Tool permissions | The business authorisation binding an agent to the specific tools it may use. |
| Data flows | What classified data an agent may process, and how it must be handled. |
| Approval gates | The human approval required before sensitive or mutating actions run. |
| ATF assessments | The trust and autonomy assessment for each agent. |
| Incident playbooks | The pre-agreed response for prompt injection, rogue-agent and unauthorised-action events. |
| Red-team tests | Adversarial test scenarios and their results, evidence that the agent was challenged. |
| Gateway simulations | Recorded “what would Gateway decide” runs against a policy snapshot. |
| Memory & checkpoints | Governed agent memory and resumable state, kept inside the trust boundary. |
| Trajectory events | The stream of what agents actually did at runtime, fed back from Gateway. |
Every one of these is workspace-scoped and access-controlled. Reading them requires the `AGENT_READ` permission; registering an agent or creating governance records requires `AGENT_REGISTER`; running a Gateway simulation requires `GATEWAY_SIMULATE`. See users & roles.
The agent register
The agent register is the precondition for everything else. No unregistered agent may take any autonomous action. Gateway blocks it outright with a critical severity. A register entry carries, at minimum:
- A human owner and a security owner, both named. Gateway fails the action if either is missing.
- An ATF current level (L1 Intern through L4 Principal), which sets the agent’s autonomy boundary.
- A risk tier (low through critical) and capability flags such as can spend money and can access customer data, which raise the bar on what controls Gateway demands.
- A lifecycle status. A `suspended` agent is blocked from all actions until it is reactivated through formal change control.
Whether an agent runs on Claw or an external runtime, it is registered here first. Registration is what makes a runtime identity issuable at all.
The two layers of tool authorisation
Agentic CISO and Gateway divide tool authorisation cleanly, and an agent may use a tool only when both layers agree:
- Tool permissions in Agentic CISO are the business authorisation layer: a deliberate decision that this agent may use this tool, with an approved capability scope, an audit-logging requirement, and an approval requirement for critical-risk tools.
- Connector registration in Gateway is the technical capability layer: the governed adapter that actually performs the call, holding the credential and the endpoint policy.
If a tool is permitted here but no connector exists, the action cannot run. If a connector exists but the tool is not permitted here, Gateway blocks it. Capability and authorisation are deliberately kept on different sides of the boundary.
How ATF level bounds autonomy
The ATF level on the register entry is not a label, it is an enforced ceiling. Gateway applies a different action boundary at each level:
| Level | Boundary enforced at runtime |
|---|---|
| L1 Intern | Read, observe and report only. Any write or external action is blocked. |
| L2 Junior | Routine actions allowed; every external or financial action requires an approval gate. |
| L3 Senior | Operates within guardrails; financial and high-risk external actions require approval. |
| L4 Principal | Strategic autonomy; critical or top-secret data access still requires documented approval. |
Raising an agent’s autonomy is therefore a governed decision made here, with immediate runtime consequences. See ATF for the full level model and promotion gates.
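The register preconditions, the two-layer tool check and the ATF ceiling described above, modelled as one decision function. This is an added illustration, not Gamut's code or API: the field names, decision labels, reason strings and the order of the checks are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Agent:                       # hypothetical register entry
    human_owner: Optional[str]
    security_owner: Optional[str]
    atf_level: int                 # 1 = L1 Intern ... 4 = L4 Principal
    status: str = "active"
    permitted_tools: set = field(default_factory=set)  # business authorisation

@dataclass
class Action:                      # hypothetical action request
    tool: str
    write: bool = False
    external: bool = False
    financial: bool = False
    high_risk: bool = False
    restricted_data: bool = False  # critical or top-secret data access

def atf_boundary(level: int, a: Action) -> str:
    """Per-level ceiling from the table above (one reading of each row)."""
    if level == 1:   # read, observe and report only
        return "block" if (a.write or a.external or a.financial) else "allow"
    if level == 2:   # every external or financial action needs an approval gate
        return "needs_approval" if (a.external or a.financial) else "allow"
    if level == 3:   # financial, or external and high-risk
        return "needs_approval" if (a.financial or (a.external and a.high_risk)) else "allow"
    if level == 4:   # only restricted data access still needs approval
        return "needs_approval" if a.restricted_data else "allow"
    return "block"   # unknown level: fail closed

def decide(register: dict, connectors: set, name: str, a: Action):
    """Return (decision, reason); every precondition fails closed."""
    agent = register.get(name)
    if agent is None:
        return "block", "unregistered agent (critical)"
    if not agent.human_owner or not agent.security_owner:
        return "block", "missing named owner"
    if agent.status == "suspended":
        return "block", "agent suspended"
    if a.tool not in agent.permitted_tools:
        return "block", "tool not permitted (business layer)"
    if a.tool not in connectors:
        return "block", "no connector registered (technical layer)"
    return atf_boundary(agent.atf_level, a), f"ATF L{agent.atf_level} boundary"

# Constructed sample data, not real Gamut records
REGISTER = {"invoice-bot": Agent("fin.lead", "sec.lead", 2, permitted_tools={"erp"})}
CONNECTORS = {"erp", "crm"}
```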
Runtime evidence and accountability
Because every agent action flows through Gateway, Agentic CISO receives a continuous stream of trajectory events: what was requested, which controls passed or failed, what Gateway decided, and what happened. Combined with the journal that Claw keeps for each task, this turns agent activity from an opaque black box into the same reviewable, auditable evidence and findings model the rest of Gamut uses. Open risks or findings linked to an agent are surfaced back into the Gateway decision, so an agent with unresolved critical findings cannot quietly keep operating.
Simulating before you authorise
Before an agent goes live, you can run a Gateway simulation from Agentic CISO. Choose an agent (or a transient template agent), a tool, an action type, a data classification, a target system and an environment. Gateway returns the full decision it would make: the controls passed, the controls failed, the missing evidence, and the decision path. The result is evaluated against a frozen policy snapshot with a 90-day validity and explicit retest triggers. This lets you close control gaps before any real action is ever attempted.
- Gamut Gateway: how the records here are enforced on every action.
- Gamut Claw: the secure execution layer governed agents run on.
- ATF: the trust and autonomy model Agentic CISO assesses against.
- ACRS: scoring agent capability risk to set how tightly to govern.