
Govern an agentic workflow

When AI stops answering and starts acting (calling tools, moving data, making changes), design-time assessment is no longer enough. This guide puts an agentic workflow under enforced runtime governance.

You have, or are building, an agent that takes action: it calls tools and APIs, retrieves and writes data, or runs multi-step workflows, whether on Gamut Claw or your own framework.

The result is a registered, ATF-assessed agent whose every action is enforced by policy at runtime, with no credentials held by the agent and complete runtime evidence.

  1. Register the agent. Add it to the Agentic CISO agent register with a human owner and a security owner. An unregistered agent is blocked from acting at all.
  2. Set its autonomy. Assign an ATF level (Intern through Principal). Gateway enforces a different action boundary at each level, from read-only to strategic autonomy.
  3. Score its capability risk. Run an ACRS assessment to set how tightly to govern, and model the threats its capabilities introduce with MAESTRO.
  4. Authorise its tools. Grant tool permissions in Agentic CISO and confirm the matching governed connectors exist. An agent can use a tool only when both layers agree.
  5. Configure approval gates. Require human approval for sensitive or mutating actions (external calls, financial actions, code changes). Gateway enforces them on every request.
  6. Choose the runtime. Run it on Gamut Claw or, for an external framework, the BYO runtime. Either way the rule holds: think anywhere, act through Gateway. Credentials live on Gateway, never with the agent.
  7. Simulate, then watch. Run a Gateway simulation to see what Gateway would decide and close gaps before going live, then rely on the hash-chained runtime evidence and the audit log for ongoing oversight.
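The decision order these steps describe can be modelled in a few lines. This is an added sketch, not Gamut's code or API: every name, the sample register and tool sets, and the reading of the Intern level as read-only are constructed for illustration.

```python
import hashlib, json

# Constructed sample state; names and layout are hypothetical, not a product schema.
REGISTER = {
    "report-bot": {"owner": "a.lee", "security_owner": "s.kim", "atf": "Intern"},
    "ops-bot": {"owner": "a.lee", "security_owner": "s.kim", "atf": "Principal"},
}
READ_ONLY_LEVELS = {"Intern"}  # assumption: the lowest ATF level is read-only
TOOL_GRANTS = {"report-bot": {"crm.read"}, "ops-bot": {"crm.read", "payments.send", "repo.push"}}
CONNECTORS = {"crm.read", "payments.send"}  # governed connectors that exist
APPROVAL_GATES = {"payments.send", "repo.push"}  # sensitive or mutating tools

def decide(agent, tool, mutating, approved=False):
    """Return (decision, reason) for one requested action."""
    entry = REGISTER.get(agent)
    if not entry or not entry.get("owner") or not entry.get("security_owner"):
        return "deny", "agent not registered"
    if mutating and entry["atf"] in READ_ONLY_LEVELS:
        return "deny", "outside ATF action boundary"
    if tool not in TOOL_GRANTS.get(agent, set()) or tool not in CONNECTORS:
        return "deny", "tool not authorised in both layers"
    if tool in APPROVAL_GATES and not approved:
        return "pending_approval", "human approval required"
    return "allow", "policy satisfied"

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def simulate(requests):
    """Decide each request and record it in a hash-chained evidence list."""
    chain, prev = [], "0" * 64
    for req in requests:
        decision, reason = decide(**req)
        event = {**req, "decision": decision, "reason": reason}
        prev_hash, prev = prev, _digest(prev, event)
        chain.append({"prev": prev_hash, "event": event, "hash": prev})
    return chain

def verify(chain):
    """True only if every record still links to its predecessor."""
    prev = "0" * 64
    for rec in chain:
        if rec["prev"] != prev or _digest(prev, rec["event"]) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

Running `simulate` over the requests you expect the agent to make shows which step would block each one before go-live, and `verify` fails if any recorded decision is altered afterwards.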

Agentic CISO, Gateway, Claw, BYO runtime, ATF, ACRS and MAESTRO.