Kevros — Agentic Identity Trust

Get currently active scheduled policies.

Add an agent to a group.

Add an agent to an organization.

Add a compliance timeline event.

Advance a playbook execution to the next step.

Advance a workflow to the next step.

Get all communications involving an agent.

Get per-agent compliance scorecard: decision rates, trust score, intent closure, delegation status, anomalies.

Report an agent heartbeat with optional metadata.

Get the behavioral profile for a governance agent. Shows action type distribution, payload field patterns, decision rates, temporal activity, and per-action conformance. Use for investigation, ML features, and audit context. Requires API key.

Get per-agent rate limit and quota analytics. Shows current usage (minute/hour/total), remaining quota, configured limits, and per-operation-type breakdown. Requires API key.

Compare governance metrics between two time periods.

Get overall governance analytics summary.

Get governance decision trend indicators.

Get recent anomaly alerts from the drift detector. Filters by agent_id and/or severity (low/medium/high/critical). Returns alerts with z-scores, baseline vs current rates, and messages. Requires API key.

Get the decision anomaly baseline for an agent. Shows historical decision distribution, current sliding window, and anomaly detection thresholds. Use before investigating drift alerts. Requires API key.

Apply an approved change request.

Approve a governance change request.

Approve an agent enrollment request.

Approve a deployment gate.

Link a software artifact to a governance decision for supply chain traceability.

Get the full provenance chain for a software artifact.

Assess risk for an agent action.

Create a hash-chained provenance record for an action you've taken. Each attestation extends the append-only evidence chain. The hash can be independently verified by any third party. Cost: $0.02 per call.

Compare original decision at epoch vs what current policy would decide.

Get comprehensive audit summary for certifier review — decisions, chain, agents, intents, anomalies, PQC, policies.

Execute up to 100 governance operations (verify, attest, bind) in a single call. Each operation is executed sequentially with full provenance recording. If stop_on_deny is true, processing halts on the first DENY decision. Returns per-operation results and a summary with integrity hash. Requires API key.

Declare an intent and cryptographically bind it to a command. Proves that the command was issued in service of the declared intent. Use governance_verify_outcome after execution to close the loop. Cost: $0.02 per call.

Get transfer history for a trust bridge.

Browse available policy templates in the marketplace.

Generate a certifier-grade compliance evidence bundle. Contains hash-chained provenance, intent bindings, PQC attestations, and verification instructions. Independently verifiable without Kevros access. Cost: $0.25 per call.

Look up a cached decision.

Get decision cache statistics.

Cancel a scheduled policy.

List all capability certifications in the registry.

Revoke a delegation and cascade to all sub-delegations.

Cast a vote on a pending consensus decision.

Certify an agent's capability.

Issue an evidence completeness certificate.

Check if an auditor has access to an agent's governance records.

Check another agent's trust score and provenance history. Returns chain_length, attestation_count, trust_score. Free, no API key needed.

Check whether a bound intent can be reversed. Analyzes intent type, execution status, child dependencies, and time elapsed to determine if rollback is possible and what constraints apply. Use for pre-abort safety checks, mission planning, and risk assessment. Requires API key.

Get classification statistics.

Identify clusters of frequently communicating agents.

Mark a workflow as completed.

Get control coverage for a compliance framework.

One-page CISO compliance dashboard with overall score, NIST coverage, and all governance metrics.

Get live compliance evidence for a specific governance operation with NIST control mapping.

Get NIST 800-53 Rev 5 compliance control mapping for governance operations.

Generate a certifier-ready compliance evidence package.

Compose multiple policies into a unified policy with conflict resolution.

End an A/B test and declare a winner.

Configure decision cache settings.

Configure reputation decay parameters.

Convert audit data to a specified format.

Analyze cross-agent behavioral correlations. Three modes: temporal (synchronized calls), payload (identical payloads), decision (correlated DENY/CLAMP patterns). Use for fraud investigation and botnet detection. Requires API key.

Simulate an action against multiple policies simultaneously. Multi-policy what-if analysis: 'What would happen under each policy?' Returns a decision matrix with consensus detection. Use for policy selection, impact analysis, and sensitivity testing. Requires API key.

Create a policy A/B test experiment.

Create a governance alert rule.

Create an integrity anchor point for the audit chain.

Create an archive summary of provenance records before a given time.

Create a formal compliance attestation.

Create a canary rollout for a candidate policy with shadow evaluation and divergence tracking.

Create a new governance change request requiring multi-reviewer approval.

Create an auto-escalation rule that triggers on anomaly alerts (auto-quarantine, notify, or both).

Create a temporary policy exception.

Create a deployment gate.

Create an agent group.

Create a service mesh routing rule.

Create an organization for multi-tenant governance.

Create an incident response playbook.

Create a policy override layered on organizational defaults.

Create a compliance questionnaire.

Create an isolation sandbox for an agent.

Schedule a policy for time-based activation.

Create a scoped access token with fine-grained permissions.

Create a point-in-time snapshot of all governance state (provenance, policies, delegations, agents, PQC).

Create a trust bridge between governance domains.

Create a consensus vote for a high-risk decision.

Register a webhook endpoint for governance event notifications. Supported events: governance.verify.allow, governance.verify.deny, governance.verify.clamp, governance.attest.recorded, governance.bind.created, governance.delegate.created, governance.delegate.revoked. The returned HMAC secret is shown ONCE — store it to verify payloads. Requires API key.

Create a multi-agent workflow.

Cross-reference evidence across multiple agents.

Get full decision record with structured violation breakdown.

Declare a dependency between two agents.

Declare a cross-organization trust federation.

Permanently decommission an agent.

Define a Service Level Objective for governance operations.

Grant scoped, time-limited capabilities to another agent. The delegatee receives an HMAC-signed delegation token that constrains which endpoints they can call and with what policy limits. Requires API key. Cost: $0.01.

Delegate a permission from one agent to another.

Delete an agent sandbox.

Get dependency tree for an agent.

Detect conflicts between multiple policies.

Download a generated export.

Download a compliance report.

Activate an emergency policy override.

Get audit trail for an emergency override.

Emergency key rotation — immediately invalidates old key.

Check if an action is permitted within a sandbox.

Escalate an SLA violation.

Manually evaluate an alert rule against current metrics.

Analyze event correlations across agents and time windows.

Get stored event patterns and anomalies.

Identify missing evidence in the provenance chain.

Execute an incident response playbook.

Execute a scheduled secret rotation.

List expired capability certifications.

List expired policy exceptions.

Find delegations expiring within the specified time window.

Explain multiple governance decisions in batch.

Explain why a governance decision was made.

Export full audit trail with integrity verification.

Export governance provenance as structured evidence for certifier audit. Supports CSV, SARIF, and Merkle tree formats. CSV for spreadsheet review, SARIF for SecOps tools (GitHub Advanced Security), Merkle tree for cryptographic subset verification. Filters by agent_id, record_type, epoch range, and time range. Requires API key.

Analyze blast radius if an agent fails.

Finalize a compliance report with cryptographic hash.

Get per-agent health status across the fleet.

Get aggregate fleet health metrics.

Generate a compliance report.

Get A/B test details and metrics.

Get all capabilities for an agent.

Get health status for an agent.

Get compliance attestation details.

Get the learned behavioral baseline for an agent.

Get capability scores for an agent.

Get data classification label details.

Get a previously composed policy.

Get enrollment details.

Get policy exception details.

Get deployment gate details.

Get agent group details.

Get mesh route details.

Get notification preferences for a user.

Get organization details.

Get permission delegation details.

Get playbook details.

Get protocol requirements for an agent.

Get questionnaire details.

Get compliance report details.

Get rotation schedule details.

Get sandbox details by ID.

Get simulation details by ID.

Get compliance timeline events with pagination.

Get trust bridge details.

Get workflow details by ID.

Grant an auditor access to an agent's governance records.

Check the governance gateway health status. Free.

Get agent health overview dashboard.

Get the overall governance health score (0-100). Combines chain integrity, decision quality, anomaly status, activity level, and PQC signing into a single grade (A-F). Includes component breakdown and recommendations. Requires API key.

Import and instantiate a policy template with optional overrides.

Check audit trail hash chain integrity.

Generate an integrity verification report.

Get current audit trail integrity status.

Walk up the intent hierarchy from a child to the root intent. Shows the full chain of delegation for auditing. Requires API key.

List all direct child intents of a parent intent. Enables auditing of multi-agent delegation hierarchies. Requires API key.

Get the lifecycle timeline for a bound intent. Shows current state (BOUND/AUTHORIZED/EXECUTING/COMPLETED/FAILED/TIMED_OUT), all transitions with timestamps and reasons, and terminal status. Requires API key.

Explicitly transition an intent to a new state. Valid transitions: BOUND→AUTHORIZED, AUTHORIZED→EXECUTING, EXECUTING→COMPLETED/FAILED, BOUND→FAILED. Requires API key.

Invalidate decision cache entries.

Get status of API key: age, rotation history, recommendations.

Apply a classification label to data.

Learn a behavioral baseline from an agent's recent decisions.

Link a system outcome to contributing governance decisions for root cause analysis.

List all A/B test experiments.

List registered identity keys for an agent.

List all registered agents with optional status filter.

List all alert rules.

List all integrity anchor points.

List all archived period summaries.

List compliance attestations.

List active audit consent grants for an agent.

List all trust bridges.

List all canary rollouts with live divergence statistics.

List all registered agent capability declarations.

List governance change requests with optional status filter.

List all data classification labels.

List credentials, optionally filtered by agent.

List active delegation tokens for an agent (as delegator or delegatee). Shows scope, expiry, and usage counts. Requires API key.

List all emergency overrides.

List all enrollment requests.

List all auto-escalation rules with fire counts.

List all policy exceptions.

List all export schedules.

List active trust federation declarations for an organization.

List supported compliance frameworks (NIST 800-53, CMMC L2, SOC 2).

List all deployment gates.

List all agent groups.

List all mesh routes.

List all members of an organization.

List all outcome-to-decision linkages.

List all permission delegations.

List all incident response playbooks.

List all active policy overrides.

List policy change proposals with optional status filter.

List all currently quarantined agents.

List all compliance questionnaires.

List all registered governance regions.

List remediation actions taken.

List all compliance reports.

List all secret rotation schedules.

List all agent sandboxes.

List all policy schedules.

List all available governance scopes.

List all policy simulations.

List SLA violations with optional filters.

List governance snapshots, newest first.

List webhook delivery history.

List webhook subscriptions registered by this operator. Shows subscription ID, URL, event types, active status, and delivery stats. Requires API key.

List all workflows.

Pull-based audit log streaming with checkpoint support. Poll with after_epoch for incremental sync.

List all client stream cursors (checkpoint positions).

Get service mesh topology overview.

Get operational metrics: decision distribution, throughput, chain integrity.

Get replay protection nonce tracking status.

Get notification delivery history.

Get recommended peers based on trust network analysis.

Get the full permission delegation chain for an agent.

Get the full policy chain for an agent: org → team → agent overrides.

Generate a policy coverage report from provenance records.

Compare two policy configurations and show differences.

Get the history of policy snapshots.

Replay historical verify decisions against a proposed policy to predict impact before deploying.

Create a named snapshot of a policy configuration.

Promote canary to production — activates candidate policy as new baseline.

Propose a policy change for multi-signature approval. Does NOT activate immediately.

List protocol violations.

Publish a reusable policy template to the marketplace.

Quarantine an agent — all future verify calls will return immediate DENY with provenance.

Query the provenance ledger with filtering and pagination.

Assign an RBAC role to an API key, controlling which endpoints it can access.

List all available RBAC role definitions (admin, operator, auditor, viewer).

Reactivate a suspended agent.

Reconstruct an incident timeline from governance provenance for root cause analysis.

Record a communication event between agents.