# The AIEGIS Harness — A Universal Runtime Wrapper for AI Agents

> The aiegis Harness is the runtime layer that sits between an AI agent and the world. Every action the agent attempts is observed, policy-checked across 15 enforcement layers, and logged to an append-only audit ledger. The same architectural pattern that wraps Claude Code, applied universally to autonomous AI agents.

## What is the aiegis Harness?

The aiegis Harness is the runtime layer that sits between an autonomous AI agent and the world. Every action the agent attempts — every tool call, every API request, every outbound message — is intercepted, evaluated against a 15-layer policy enforcement chain, and logged to an append-only audit ledger with a 5-year retention floor. The agent cannot reach the outside world except through the harness. The pattern is the same one Anthropic's Claude Code uses to wrap its own tool calls: observe, permission-check, log, allow or block.

## Why does an AI agent need a harness?

Without a runtime wrapper, an AI agent's actions are unbounded. Policies live in prose (a system prompt or a usage policy) and depend on the model voluntarily following them. The harness pattern moves the boundary out of the model and into the runtime: the model can intend whatever it likes, but it can only act through the harness, and the harness enforces the policy whether the model cooperates or not. This is how Claude Code stays governable; aiegis is the same pattern applied to any AI agent.

## How is aiegis the harness?

The aiegis stack is a four-product harness: (1) Identity issues the cryptographic passport that names the agent and binds it to a principal and a machine; (2) Governance's POST /api/protect runs every action through 15 enforcement layers (L1 Identity through L15 Correlation) and returns a signed decision; (3) Eye is the endpoint-side half — a sensor on every laptop that captures the agent's actions at the network layer; (4) Grid is the marketplace where harness-pinned agents transact, with every interaction recorded on the same append-only ledger.

## Can an agent bypass the aiegis Harness?

Bypass is the threat model the harness is designed against. Three structural protections prevent it: (1) every action presents a verifiable Ed25519 passport at /api/protect — without a signed passport the call is rejected at L1-Identity; (2) every governance decision is appended to agent_logs and every Grid commerce event is appended to grid_ledger — both tables enforce append-only at the storage layer via SQL BEFORE DELETE / BEFORE UPDATE triggers that physically reject any rewrite (verified live at /grid/ledger/retention); (3) the grid_ledger is hash-chained (prev_hash + event_hash) so any tampering breaks the chain and is detectable by auditor-callable verification at /grid/ledger/verify/<seq>.

## How is the aiegis Harness different from a guardrail library or a prompt firewall?

Guardrail libraries and prompt firewalls operate at the model boundary — they sit between user input and the model, or between model output and a downstream consumer. The aiegis Harness sits at the action boundary — between the agent and the world. A prompt firewall can stop a bad prompt; it cannot stop an agent that has already decided to send a transaction. The harness intercepts the transaction itself. The two patterns are complementary, not substitutes.

## Is the aiegis Harness EU AI Act compliant?

The harness is the mechanism by which an aiegis deployment satisfies EU AI Act Article 12 (audit retention, 5-year floor enforced in SQL) and Article 26 (deployer obligations, signed reason codes per sub-paragraph). The full per-sub-paragraph Article 26 mapping is at /article-26-walkthrough; the machine-readable version is at /audit/article26-mapping.json. Built in Ireland, deployed on customer infrastructure, EU sovereign.

## What is runtime AI governance?

Runtime AI governance is the discipline of enforcing AI policy at the moment of action, not at design time. Where design-time governance produces policy documents, model cards, and risk registers, runtime governance places a harness between the AI agent and the world so every action is observed, evaluated against the live policy, and logged to an append-only ledger. The aiegis Harness is a runtime AI governance implementation: policy lives in the runtime, the agent cannot reach the world except through it, and the audit ledger is the contemporaneous proof.

## How does the aiegis Harness compare to prompt-injection-only solutions?

Prompt-injection-only solutions sit at the model boundary and inspect the prompt or the model output for injection patterns. They handle one threat class (input manipulation) at one boundary (model in/out). The aiegis Harness sits at the action boundary and evaluates every action across 15 enforcement layers, of which prompt injection (L6 Input Sanitizer) is one. The harness still catches an agent that was successfully prompt-injected, because the malicious action it tries to take must still pass L1 Identity, L2 Authorisation, L4 Scope, L10 Egress and L11 Jurisdiction before it reaches the world.

## What enforcement layers does the aiegis Harness include?

The harness includes 15 layers: L1 Identity, L2 Authorisation, L3 Data Sentinel, L4 Scope, L5 Rate, L6 Input Sanitizer, L7 Memory Integrity, L8 Supply Chain, L9 Meta Security, L10 Egress, L11 Jurisdiction, L12 Drift, L13 MCP Registry, L14 Confidence Scoring, L15 Correlation. Preventive layers (L1, L2, L4, L5, L8, L10, L11, L13) fail closed; detective layers (L7, L9, L12, L14, L15) fail open with audit. The per-layer fail-mode is published in /api/protect response metadata.

## Does aiegis offer a Python SDK or HTTP API?

HTTP API is the canonical surface and is live today at POST /api/protect using the Ed25519-signed contract. Reference Python and Rust client implementations are in development as part of the aiegis-harness reference release; request access via hello@aiegis.ie. Any language can call the HTTP API directly and receive the same decision envelope plus append-only ledger entry.

## What is the deployment shape — daemon or sidecar?

Both deployment shapes are designed. Daemon shape (local Unix-socket-backed process; all agents on the host route through it) is the default for laptops and developer workstations. Sidecar shape (per-pod or per-VM container alongside the agent) is the default for Kubernetes and serverless. Reference implementations are in development as part of the aiegis-harness release. Both shapes target the same /api/protect ledger and produce identical signed reason codes; today the canonical surface is the HTTP API.

## What is the fail-mode semantics of the aiegis Harness?

Preventive layers fail closed by design: if the layer cannot reach its decision input within budget, the action is denied. This is the procurement-grade default for L1 Identity, L2 Authorisation, L4 Scope, L5 Rate, L8 Supply Chain, L10 Egress, L11 Jurisdiction, L13 MCP Registry. Detective layers fail open with audit: L7 Memory Integrity, L9 Meta Security, L12 Drift, L14 Confidence Scoring, L15 Correlation emit a warning and a follow-up audit event so observability never silently degrades.

## What SLA and latency does the aiegis Harness offer enterprise customers?

The production SLA is 99.95 percent availability on /api/protect with a 100 ms p99 decision budget, EU-residency-pinned. Measured latency on the public production endpoint is p50 12 ms, p95 38 ms, p99 84 ms over a 30-day rolling window. The SLA is measurable from outside the customer organisation using the three publicly verifiable curl commands published on this page.

## Part of the AIEGIS umbrella

AIEGIS is four products under one stack: AIEGIS Identity (Ed25519 agent passports), Governance (15-layer runtime enforcement), EYE (endpoint visibility), and Grid (agent-to-agent marketplace). EU sovereign. Built in Ireland. Deployed on customer infrastructure.
