HiveKey

Product

OverviewScopeGuardLogEnforcementPlatform & gatewayIntegrations

Solutions

Security teamsPlatform engineeringCompliance & GRCPII & data protectionAI & ML teamsBy industryUse cases

Developers

DocsHow it worksAPI referenceMCP governanceMCP directory

Resources

BlogLearnGlossaryCompareComplianceTrust center

Company

AboutTeamContact
Pricing Book a demo
Glossary Architecture

Agent control plane

The layer in the path of every agent action that decides, enforces, and records what each agent can do.

An agent control plane is the layer that sits between your AI agents and the tools, APIs, and secrets they act on. Every action an agent takes routes through it, which gives the plane three powers: it decides what each agent is allowed to do (scope), enforces your rules before the action runs (guard), and writes an immutable record of what happened (log).

The defining property is interposition — the agent cannot reach a resource without going through the plane. This is what separates a control plane from advisory controls like system prompts or code review. A prompt is a suggestion the model may ignore; the control plane is enforcement in the path that the model cannot route around.

Architecturally, the agent never holds raw upstream credentials. It authenticates to the control plane with its own identity, and the plane brokers the call to the real resource. That single move — credentials behind the plane, identity in front of it — is what makes scope, guard, log, and attribution possible at all.

A control plane is not a model, a framework, or an observability dashboard. It governs whatever agents you already run, and it acts in real time on what’s allowed — not just what already happened.

Related terms

MCP (Model Context Protocol)

An open standard for how agents discover and call tools — powerful, and easy to over-grant without governance.

PDP (Policy Decision Point)

The 'brain' that decides whether an agent action is allowed — evaluating the request against the agent's scope and guard rules and returning allow, deny, or needs-approval.

PEP (Policy Enforcement Point)

The component, in the path of every action, that enforces the policy decision — letting an action through, blocking it, or sending it for approval.

Attribution

Tracing every agent action back through the agent identity to the accountable human who owns it.

Put every agent your company runs under one policy.

Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.

Book your 30-min demo Talk to us