HiveKey

Product

OverviewScopeGuardLogEnforcementPlatform & gatewayIntegrations

Solutions

Security teamsPlatform engineeringCompliance & GRCPII & data protectionAI & ML teamsBy industryUse cases

Developers

DocsHow it worksAPI referenceMCP governanceMCP directory

Resources

BlogLearnGlossaryCompareComplianceTrust center

Company

AboutTeamContact
Pricing Book a demo
Enforcement

Decide and act on every action.

Most agent tools watch and log. HiveKey decides and acts — allow, block, or approve — on every tool and MCP call, in the path, before anything happens. These are the capabilities that put your policy to work.

Book a demo See Guard
How it works

One decision, in the path, on every call.

Every capability below is the same four beats — only the rule in the middle changes. The agent attempts an action, HiveKey evaluates it against your policy, enforces a verdict before anything reaches the tool, and writes it to one trail.

01

Intercept

Catch the action in the path — nothing reaches the tool yet.

02

Evaluate

Check scope, ceilings, and signals against your policy.

03

Enforce

Allow, block, or route to a human — per action, per role.

04

Log

Write the verdict to one trail, attributable to the owner.

in the path
mail_send → digest to customer allow
payments_pay $42 (under cap) allow
deploy → prod (review not approved) block
key_rotate prod (awaiting 2nd approver) approve
payments_pay $5,000 → new vendor block
allow

Allow

The call is in scope and under every limit. It runs — and is logged.

block

Block

It breaks a rule — out of scope, over a cap, or wrong order. It never reaches the tool.

approve

Approve

Risky but legitimate. It's held for a human to release before anything happens.

Core enforcement

The verdict on every call — allow, block, or approve — plus the scope and ceilings that decide it.

4 capabilities
Guard block

Real-time allow / block / approve

Every tool and MCP call gets a verdict before it runs.

on action → evaluate(scope, guard) → allow | block | approve
Learn more
Scope block

Least-privilege scoping

An agent gets exactly the tools its job needs — and not one more.

role: support-agent → scope [mail.send, crm.read]
Learn more
Guard allow

Spend caps & budget ceilings

A hard ceiling on what an agent can spend, per agent and per day.

payments_pay → sum(24h) + amount ≤ $100/day
Learn more
Guard block

Rate limits

Bound how fast and how often an agent can act.

tool.calls ≤ 20 / hour / agent
Learn more

Workflow control

Put a human in the loop where it matters: approvals, dual-control, and the right order of operations.

2 capabilities
Guard block

Sequencing rules

An agent can't call X until Y has happened first.

deploy(prod) requires approved(review)
Learn more
Guard approve

Dual-control / four-eyes

The highest-risk actions need a second, named human to sign off.

wire_transfer requires 2 named approvers
Learn more

Containment

When something looks wrong, shrink or cut an agent's reach in a single move — no redeploy.

2 capabilities
Guard block

Kill switch & circuit breaker

Cut an agent off in one click — or let it trip automatically on a breach.

breach detected → revoke(agent) + quarantine
Learn more
Guard approve

Quarantine & step-down

Step a breaching agent down to read-only instead of killing it outright.

trigger → role = read-only + flag(review)
Learn more

Data protection

Keep sensitive data from walking out through an agent's tools and integrations.

1 capability
Guard block

Secret & data egress controls

Keep secrets and sensitive data from leaving the boundary.

send.destination in allow_list AND no secret_pattern
Learn more

Operations

Tune and prove a policy against real traffic before you turn enforcement on.

1 capability
Log approve

Policy dry-run & simulation

See exactly what a policy would do against real traffic before it enforces.

mode: shadow → report would-be verdicts
Learn more

Detection signals

Feed detectors into the decision — anomalies and injection raise the bar; deterministic rules still decide.

2 capabilities
Guard approve

Behavioral anomaly detection

Turn an agent's drift from normal into a guard decision you can act on.

risk_signal(high) → require approval
Learn more
Guard block

Prompt-injection & jailbreak detection

Enforce on a trusted injection verdict, right at the tool boundary.

untrusted_context AND sensitive_call → deny | escalate
Learn more
One spine

Every capability rides Scope, Guard, and Log.

Enforcement isn't a separate product — it's what the spine does on each call. Scope sets what an agent could do, Guard decides this action in the path, Log makes it provable.

Scope

Grant each agent exactly the tools its job needs — and nothing it doesn't.

Explore Scope

Guard

Decide every action in the path — allow, block, or hold for approval.

Explore Guard

Log

Every action on one immutable, attributable trail you can replay.

Explore Log

Put every agent under one policy — and enforce it.

See HiveKey decide, enforce, and log every action your agents take, in the path.

Book your 30-min demo Talk to us