Skip to content
Gamut AI Gamut AI Docs

Gamut Gateway

Gamut Gateway is the policy decision and enforcement engine of the agentic stack. It is the ATF runtime: every agent action passes through Gateway, which evaluates it against the full governance context, decides, performs the call only if permitted, and records the decision either way.

What Gateway does

Section titled “What Gateway does”

Gateway sits between agents and the models, tools and data they want to use. Nothing reaches a tool directly. For each requested action it assembles the governance context, agent register, tool permissions, approval gates, data flows, incident playbooks, red-team tests, linked risks and findings, and runs a sequence of controls before allowing anything.

The decision model

Section titled “The decision model”

Gateway resolves every request to one of four runtime decisions:

DecisionMeaning
allowAll controls passed. The action proceeds, and is logged.
require_approvalA high-impact action with control gaps. A named human must approve first.
degradeThe action proceeds in a reduced, safer form.
blockThe action is refused.

For high-risk or external actions that pass, the decision becomes allow and log with mandatory detailed audit logging. Where critical control failures coincide with an open critical finding, the decision escalates to block and open incident.

The controls Gateway evaluates

Section titled “The controls Gateway evaluates”

For each action, Gateway runs an ordered series of checks. Any of the first two short-circuit to an immediate block:

  1. Agent registration. An unregistered agent is blocked at critical severity. No exceptions.
  2. Lifecycle status. A suspended agent is blocked until formally reactivated.
  3. Human owner is assigned.
  4. Security owner is assigned.
  5. ATF maturity level is assigned, and the action sits within that level’s boundary (see below).
  6. Tool permission. The tool is registered for this agent in Agentic CISO, with audit logging enabled, and human approval required if it is a critical-risk tool.
  7. Approval gate. External, financial or code-modification actions are covered by an active approval gate that matches the action type, tool, target system, data class and environment.
  8. Data movement. Customer or regulated data (PII, confidential, restricted) has a documented data-flow record.
  9. Incident playbooks. High-risk agents have playbooks for prompt injection, unauthorised external action and rogue-agent scenarios.
  10. Linked risks and findings. Open risks or findings tied to the agent are surfaced; open critical findings can escalate the decision.
  11. Red-team validation. High-risk or external actions have at least one passed red-team test on record.

Each check contributes to a decision path and, on failure, a rule trigger, so every decision is fully explainable: which controls passed, which failed, what evidence is missing, and exactly what would change the decision.

ATF-level action boundaries

Section titled “ATF-level action boundaries”

Gateway enforces the agent’s ATF level as a hard ceiling on autonomy:

  • L1 Intern may only read, observe and report. Writes and external actions are blocked.
  • L2 Junior may take routine actions; every external or financial action requires an approval gate.
  • L3 Senior operates within guardrails; financial and high-risk external actions require approval.
  • L4 Principal has strategic autonomy; critical or top-secret data access still requires documented approval.

Why enforcement lives in one place

Section titled “Why enforcement lives in one place”

Concentrating enforcement in Gateway is what makes the zero-trust model work:

  • Credentials stay on Gateway. Model provider keys and connector credentials live only on the Gateway side, never with the agent. A compromised agent cannot leak keys it never held.
  • Policy is consistent. Every action is judged by the same engine, so governance does not depend on each agent behaving well.
  • Evidence is complete. Because every action flows through one point, the runtime evidence fed back to Agentic CISO is comprehensive.

Signed, short-lived authorisation

Section titled “Signed, short-lived authorisation”

Gateway does not just return a verdict, it issues signed, time-bounded authorisation. An allow decision is accompanied by an HMAC-signed decision token, scoped to the agent, tenant and a short expiry (around five minutes), and verified before execution. Service-to-service calls between Gamut, Gateway and Claw are themselves signed and nonce-protected against replay. Only an allow decision can authorise execution; nothing else carries a valid token.

Connectors and approval gates

Section titled “Connectors and approval gates”

Tools are exposed to agents as governed connectors registered in Gateway, model gateways, retrieval, HTTP and webhook adapters, ticketing, notification, storage, CRM and more, each with its own action type, risk tier, payload limits and response handling. See the connector catalog. Sensitive or mutating actions can require explicit human approval; those approval gates are defined as governance in Agentic CISO and enforced here.

Fail-closed by default

Section titled “Fail-closed by default”

If Gateway cannot reach a dependency, cannot verify a signature, or encounters an error mid decision, it fails closed: the action does not proceed. Safety never depends on a call succeeding.

Next

Section titled “Next”
  • Connector catalog: the governed tools Gateway can expose.
  • Gamut Claw: the execution layer that calls through Gateway.
  • Agentic CISO: where the policy Gateway enforces is defined.
  • ATF: the framework Gateway is the runtime for.