Announcing Guard0: Accountability for AI Agents

Today, we are opening Guard0 in early access. Guard0 gives a company one place to see every AI agent running inside it, prove what each one did, and name who answers for it. We built it because the teams adopting agents fastest are the ones losing track of them fastest, and the tools they reach for were built for people.

What we keep hearing

For the last few months, we have been in rooms with the people responsible for AI governance and security at large banks, pharmaceutical companies, and public technology firms. The same picture keeps showing up.

A year ago, most agents advised. Now they act. They read records, call tools, move money, open tickets, and change production systems. The head of audit and risk governance at one large technology company put the gap plainly: knowing that "agent-1234 authenticated as the finance bot" tells you who is acting. It does not tell you what the agent did, whether the action was within policy, or who is accountable when it turns out to be wrong. Identity gets you the first thirty percent. The rest is behavior and accountability.

The second thing we hear is that no one can see what they already have. At one major bank, adding a single new tool can take several loops of governance review, and yet teams of five and six thousand engineers are spinning up their own agents on the side, and those stay untracked. As one security lead told us, everybody starts with ten or twenty AI applications, and it does not take long to get to ten thousand. The agents that were set up for a project and quietly left running are exactly the ones nobody can account for.

And the failures are not hypothetical. A "summarize this ticket" agent that emailed a customer on its own, because a field inside the ticket told it to. Agents holding read access to a customer PII database they never needed, or full admin on a storage bucket they never should have touched. Prompt injection from untrusted content steering an agent to write sensitive data to a place an attacker controls. None of this is exotic. It is the everyday shape of authority without accountability.

The gap

This is the gap we built Guard0 to close. For the first time, authority and accountability have come apart. We want the agents in your business to be as accountable as the people who run it: one place to see what your agents are, know what they did, and know who stands behind them. We do not think the answer is to slow agents down. Accountability is what lets you trust them with more.

We do it in three layers.

See what you have

Guard0 finds the agents, models, tools, and permissions running across your company by integrating with your code, cloud, and agent platforms, and by watching the actual calls to model providers, MCP servers, and tool endpoints. It does not wait for an agent to register, because agents rarely do. The shadow surface is large: Copilot extensions, custom GPTs living in Slack and Teams, agentic scripts inside IDEs, third-party SaaS assistants. In most environments, Guard0 surfaces around 95 percent of agents within twenty minutes of connecting, including the ones built by individual developers that never reached any registry. What lands on your desk is a live inventory of every agent, its owner, the model behind it, and what it can actually reach.

And reach is the word that matters. Issued permissions are theoretical. Guard0 maps the realized blast radius: the data each agent has actually touched over a rolling window, classified by sensitivity, read separated from write. That is the difference between a list of API tokens to chase down and an inventory that a governance team can sign off on.

Prove what they did

Knowing an agent exists is not the same as knowing what it did. Picture a simple case. An agent reviews a customer account, checks the refund policy, decides the customer qualifies, and calls the payment system. A week later, someone asks why.

Identity can tell you the agent signed in. An audit log can tell you the payment went out. Neither can reconstruct the run: what data the agent read, which tools it called, what policy allowed the action, and what evidence stood behind the decision. That context is live only while the agent is acting. By the time you investigate, the run is over.

So Guard0 records the decision trail as it happens: what the agent touched, what data moved, which tools it called, and what stood behind each decision that mattered. The result is a record you can search, review, hand to an auditor, and stand behind. When a regulator, a customer, or your own board asks what an agent did and why, you produce the answer instead of reconstructing it.

Put a name behind each one

A record explains the past. It does nothing about the present. Every person your company trusts with real authority has a defined scope and someone who answers for them. Your agents should have the same. So Guard0 gives every agent an owner who knows why it exists, a boundary that defines where it can act, and a way to step in when it approaches that line.

Underneath, Guard0 builds a behavioral baseline for each agent and flags the decisions that fall outside it, the kind of drift that turns a "summarize this ticket" agent into one that emails customers. You can require human approval for the classes of action that carry real blast radius: financial moves, customer-facing communications, production changes, mass data reads. No one has to approve every step, and the agent keeps working. The policies reflect each agent's job and the risk appetite of the team that owns it, they are version-controlled, and when your risk team revises a control it propagates without anyone re-instrumenting. Think of it the way your teams think about policy-as-code. No agent in your company should hold real authority with no name attached to it.

What teams are building on it

The reason this matters is the work people are handing to agents. One global pharmaceutical company is building agents to run parts of its clinical trials, where nearly every action touches regulated data, and a record you can stand behind is not a nice-to-have. A major bank is trying to give thousands of engineering teams room to build their own agents without losing the ability to account for any of them. Security teams are building their own views and red-team agents directly on top of the Guard0 graph, asking it for a specific governance report each morning in plain language instead of standing up another pipeline.

The pattern is the same everywhere: the more authority a team is willing to give an agent, the more it needs to be able to answer for it. In pre-production testing across these environments, Guard0's coverage of the ways an agent can be made to misbehave runs upward of 90 percent, because the attacks are generated from the agent's own business context rather than a generic checklist.

Why now

A year ago, most agents advised. Now they act, and the authority is arriving faster than the oversight around it. The rules are starting to move, but you do not want to be assembling answers about your agents for the first time when an auditor or an incident forces the question. Accountability is far easier to establish now than to reconstruct later. The teams that get the most out of agents will be the ones that can hand them real authority and still answer for everything they do.

Early access

Guard0 is in early access for governance, risk, and security teams running agents in production, or about to. We onboard teams directly, one at a time, and the platform can run fully on-premises and air-gapped where governance requires it. The record of what your agents did stays open, portable, and under your control, independent of whichever models and frameworks you run today or switch to next, because the company holding an agent to account should not be the same one that built it.

If you are responsible for proving your company can account for its agents, we would like to talk. Request early access at guard0.ai. Tell us what your agents are doing, and we will show you what accountability for them looks like.

Authority and accountability, back together.