Platform

An enclave for your agents. A harness around every turn.

Tovel gives each workload an isolated, hardened workspace, connected to your own application, governed by six layers, observable end to end.

The lifecycle

From shadow agents to a governed fleet.

Tovel takes an agent estate from unknown to accountable: find what is already running, stand up hardened replacements, bind them to policy, and keep them in line while they operate.

01

Discover

Surface every agent and MCP already running, including the shadow ones nobody registered.

02

Provision

Replace them with hardened agents and MCP servers from a vetted catalog, each in its own enclave.

03

Govern

Bind each enclave to a policy and the framework packs it has to answer to.

04

Operate

Watch them live, trip breakers on drift or spend, and re-score posture continuously.

01 · Discover

You cannot govern what you cannot see.

Tovel scans your repositories, cloud accounts and CI/CD for anything acting like an agent: scheduled scripts, MCP servers, copilots and autonomous jobs. Each one is inventoried with its identity, its reach and whoever owns it.

The estate you did not know about surfaces first — shadow agents with no owner, no policy and standing credentials — because that is where the risk concentrates.

Discovered in your-org (scanning):
payments-bot · owner platform-team · Governed
support-copilot · owner cx-eng · Governed
finance-scraper · no owner · standing creds · Shadow
deploy-agent · no policy · prod access · Shadow

Catalog (hardened, vetted):
Code-review agent · role-scoped · least-privilege · Hardened
Security agent · SAST · secrets · IaC · Hardened
GitHub MCP · scoped tokens · read-gated · Vetted
AWS MCP · tier-bound · region-locked · Vetted

02 · Provision

Stand up hardened agents and MCPs from a catalog.

Instead of ungoverned scripts, deploy from a catalog of hardened agent and MCP templates — each pre-scoped to least privilege, bound to a trust tier, and dropped into its own enclave with a cryptographic identity and a named owner.

Connectors — repositories, cloud accounts, CI/CD and knowledge bases — attach through the same vetted catalog, so nothing joins an enclave without review.

The enclave

An isolated workspace, wired to your stack.

An enclave is where a small team of role-scoped agents operates on one of your applications (its repository, cloud account, CI/CD and MCP tools) under a single governance policy. Nothing crosses the boundary that the policy has not allowed.

Every agent carries a cryptographic identity, a trust tier and a named human owner. The enclave is the unit you assess, score and export.

Enclave · juice-shop · live
Agent fleet: orchestrator, security, code-review, verifier
Connected: repo, AWS (prod), CI/CD, MCP ×3, KB

The harness · six layers

What every turn passes through.

The same six layers apply to every agent, on every turn, from the orchestration loop down to an independent verifier.

01 · Agent loop
A bounded plan-act-observe loop. The agent declares a plan, and every step is checked against it: the basis for plan-divergence detection.
Plan declared · Step-bounded

02 · Model
Calls run only against an allow-list of foundation models on AWS Bedrock in Sydney. No data leaves the AU region for inference; model choice is tier-scoped.
Bedrock · Sydney · Allow-listed

03 · Role-scoped tools
Each tool is classified by its data, content and communications reach. The Rule-of-Two gate stops any action from holding all three at once without a human.
Rule-of-Two · Least-privilege

04 · Context
Retrieval, memory and caching are provenance-tracked. Memory writes carry content-hash preconditions and recall carries its source, so context cannot be silently poisoned.
Provenance · KB + memory

05 · Guardrails
Content, safety and policy guardrails run on every turn, aligned to the framework packs you have enabled. High-consequence actions escalate to a human.
Policy-aligned · HITL escalation

06 · Independent verification
A separate Verifier reviews the trajectory against the declared plan and policy before output is released. Its verdict is sealed into the evidence locker.
Independent · Sealed verdict
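The Rule-of-Two gate from layer 03, as an added illustration that is not Tovel's code: each tool is tagged with the reach it grants (data, content, communications), reach accumulates over the tool calls of one turn, and the call that would make the turn hold all three is escalated to a human rather than executed. The tool catalog and its classifications are constructed sample values.

```python
"""Rule-of-Two gate for role-scoped tools (added illustration, not Tovel's code)."""

DATA, CONTENT, COMMS = "data", "content", "communications"
ALL_THREE = frozenset({DATA, CONTENT, COMMS})

# Hypothetical catalog (constructed): tool name -> reach classification.
TOOL_REACH = {
    "read_customer_records": frozenset({DATA}),   # touches private data
    "fetch_web_page": frozenset({CONTENT}),       # ingests untrusted content
    "github_read_issue": frozenset({CONTENT}),
    "summarise_text": frozenset(),                # pure compute, no reach
    "send_email": frozenset({COMMS}),             # communicates outside the enclave
    "post_slack_message": frozenset({COMMS}),
}


class TurnGate:
    """Gates each tool call of a single turn against the Rule of Two."""

    def __init__(self, human_approved=False):
        self.reach = set()              # reach the turn already holds
        self.human_approved = human_approved
        self.escalated = []             # calls held back for a human

    def check(self, tool):
        """Return 'allow' or 'escalate'; only allowed calls widen the turn's reach."""
        if tool not in TOOL_REACH:
            raise KeyError(f"tool not in catalog: {tool}")
        proposed = self.reach | TOOL_REACH[tool]
        if proposed == ALL_THREE and not self.human_approved:
            self.escalated.append(tool)
            return "escalate"
        self.reach = proposed
        return "allow"


def run_turn(tools, human_approved=False):
    """Gate a whole turn in call order; returns one decision per call."""
    gate = TurnGate(human_approved)
    return [gate.check(t) for t in tools]
```

A turn that reads customer records, fetches a web page and then tries to send email is the classic case: the third call is the one that completes the set, so that is the one held for a human.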
Runtime governance

Intervene while it runs, not in the post-incident review.

Every agent is observed live. Plan divergence is flagged, spend and behaviour thresholds trip breakers, and any agent can be paused or stopped through a deliberate confirmation step. When a breaker fires, the agent pauses itself and the event is sealed.

billing-agent · paused · breaker tripped
Breaker: Budget · $1,000 / $1,000

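The spend breaker described above, as an added illustration that is not Tovel's code: a meter accumulates spend per agent, the breaker trips when cumulative spend reaches the budget, the agent marks itself paused, and the event is appended to a hash-chained log standing in for the evidence locker. Agent name, budget and charges are constructed sample values.

```python
"""Spend breaker with a sealed, hash-chained event record (added illustration)."""
import hashlib
import json


class SpendBreaker:
    def __init__(self, agent, budget_cents):
        self.agent = agent
        self.budget = budget_cents
        self.spent = 0
        self.state = "running"
        self.events = []                 # append-only, hash-chained
        self._prev_hash = "0" * 64       # genesis link

    def _seal(self, event):
        """Chain the event to the previous record so later edits are detectable."""
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._prev_hash + body).encode()).hexdigest()
        self.events.append({"event": event, "prev": self._prev_hash, "hash": digest})
        self._prev_hash = digest
        return digest

    def record(self, cost_cents):
        """Charge one model or tool call; returns the agent state afterwards."""
        if self.state != "running":
            return self.state            # a paused agent spends nothing further
        self.spent += cost_cents
        if self.spent >= self.budget:    # threshold reached: agent pauses itself
            self.state = "paused"
            self._seal({"agent": self.agent, "breaker": "budget",
                        "spent": self.spent, "budget": self.budget})
        return self.state


def verify_chain(events):
    """Recompute every link; False if any record was altered or reordered."""
    prev = "0" * 64
    for rec in events:
        body = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True
```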
Composition & posture

Know what is inside, and how sound it is.

AI-system bill of materials (AIBOM)

A signed bill of materials for every enclave, with runtime attribution: what actually ran, and under whose authority.

Models · MCP · tools · connectors · sub-agents · KBs (34)
Attributed vs implicit authority (runtime)
Signed export for audit (signed)

Security posture pipeline

The application inside each enclave is scanned continuously and prioritised by exploitability, not raw CVE counts.

OSV · SAST · IaC · secrets · container (5 scanners)
Prioritised by KEV & EPSS (reachability)
Findings flow into the evidence locker (sealed)

Put an enclave around your riskiest agent first.

In the demo, we deploy one on your own architecture and walk the harness end to end.