Built like the systems it serves
Investment platforms are engineered for auditability and failure isolation. The agent layer on top of them is built the same way — control plane and execution plane, ports and adapters, tenancy in the database.
The big picture
From catalog to trace
Declared in Git, gated by evals, executed under policy, observed end to end.
Control plane
Decides what may run. Nothing undeclared is callable, injectable or provisionable.
Catalog (Git)
agents · tools · skills · environments · eval datasets — all via PR review
Eval gate (CI)
baseline scores re-checked on every change — advisory in Beta, blocking at GA
Tool policies
allow / ask / deny declared per tool in each descriptor
Console
API-first UI — every action shows its curl equivalent
Execution plane
Product surfaces
Agents invoked from the screens teams already use — the app decides what and when.
Runner
auth · tenant resolution (RLS) · rate limits · descriptor resolution · prompt compilation · schema validation · run lifecycle (SSE, cancel)
Harness — the agentic loop
swappable by configuration · never imported by product code
Tool servers (MCP)
Every run emits
Two planes
Governance that does not rely on good behavior
Control plane
ShippedThe catalog (Git), the console, policies, RBAC and audit. This is where agents are declared, reviewed, gated by evals and authorized — nothing reaches production except through it.
Execution plane
ShippedThe runner executes one run at a time: it loads the pinned descriptor version, mounts only the declared MCP tools, enforces ceilings and policies, and emits the trace.
Harness, swappable
Pydantic AI todayAgent execution sits behind a harness port — Pydantic AI today, with a Claude Agent SDK adapter designed in. The platform's governance does not depend on any single agent framework.
Ports and adapters, enforced
ShippedDomain logic depends on ports; adapters implement them — and an import linter fails the build on violations. The architecture is tested, not aspirational.
Tenancy & deployment
Isolation enforced below the application
Isolation in the database
ShippedRow-level security enforces tenant boundaries in the data layer itself — application bugs cannot read across tenants, because the database refuses to.
Scoped credentials
ShippedTool credentials live in per-tenant vaults and are injected per run with the narrowest possible scope. Agents never hold standing secrets.
Workspaces within organizations
GA Q3 2026Organization → workspace → agent: the full hierarchy with delegated administration arrives with the multi-tenant GA.
Kubernetes & sovereign topologies
GA Q3 2026The EU SaaS runs today; the Kubernetes packaging behind hybrid, on-prem and sovereign deployments is in integration for GA.
FAQ
Frequently asked questions
Why separate the control plane from the execution plane?
Because governance must not depend on runtime good behavior. Declaration, review, gating and authorization happen in the control plane; the execution plane can only run what the control plane has pinned and permitted. The separation is what makes 'no agent without a descriptor' enforceable.
Is the platform tied to one agent framework?
No. Execution sits behind a harness port; Pydantic AI is the adapter in production today and a Claude Agent SDK adapter is designed into the same port. Catalog, policies, audit and tenancy live outside the harness, so the framework can evolve without re-platforming.
How is multi-tenancy actually enforced?
At three layers: row-level security in the database (the hard boundary), per-tenant credential vaults with per-run scoped injection, and per-tenant rate limits. Workspace hierarchy and delegated administration complete the model at GA.
What runs where in the SaaS topology?
The current SaaS runs in the EU (Frankfurt region) with the trace store and database under the same residency. Hybrid and on-prem topologies at GA move the execution plane — and optionally the trace store — inside your boundary while the catalog discipline stays identical.
How do new agents reach production?
Through Git: a descriptor change opens a pull request, evaluation baselines run as checks, reviewers approve, and the merged SHA becomes the pinned, auditable version the runner executes. Rollback is a revert.
Keep exploring
More of the platform
- Platform overviewThe governed agentic platform, end to end.
- Agents & catalogDeclared, versioned agents — descriptors, skills, modes.
- Governance & evalsPR review, eval baselines, allow/ask/deny policies.
- Security & trustIdentity, tenant isolation, vaults, append-only audit.
- DeploymentEU SaaS today; hybrid, on-prem and sovereign at GA.
- Integrations & MCPMCP tools, NeoXam products, open standards, models.
- Observability & costOpenTelemetry traces, budgets, cost per run and tenant.
General availability comes in Q3 2026. The Early Adopter Program is open now.
A limited cohort, a one-year platform trial and three workshop streams — Business ROI, Compliance, Operational fit. Bring one workflow; leave with a governed agent and the evidence to certify it.