Non-human identity
Agents need scoped tools and department tenancy, not shared API keys.
LoopCompound™ · Build · Steer · Compound
In 2026 the bottleneck is agent governance — tool identity, memory tenancy, and request-level audit — not another model subscription. I/O Mesh keeps institutional context inside org → workspace → tenant boundaries with policy-gated MCP, TLS and encryption paths, and compliance readiness packs. SOC 2 and HIPAA are readiness programs here, not blanket certifications until your agreement says so.
Enterprises treat AI agents as mission-critical, yet most identity stacks still assume human-only principals. OWASP’s LLM and Agentic Top 10 put prompt injection, memory poisoning, excessive agency, and tool misuse at the top of the risk list. I/O Mesh answers with a governed operational context plane — not another chat sandbox.
Agents need scoped tools and department tenancy, not shared API keys.
Long-term recall is optional and department-bound — never a cross-firm vector dump.
SOC 2 / HIPAA readiness mappings and continuous gates — attestation only when your agreement says so.
Product surfaces platform teams can staff and measure — mapped to LoopCompound™ Build (tools + gates), Steer (portal context + memory), and Compound (usage proof + private evals).
Agent context stays inside firm boundaries — org → workspace → tenant with dept.* subject namespaces, not a shared agent memory bucket.
Humans and support operators are first-class principals — sessions, SSO/SCIM path, and audited privilege elevation.
Agents are non-human principals — tool access is policy-gated, rate-limited, and department-scoped, not free-form chat to production systems.
Operational facts are token capital — protect them in transit, at rest, and under customer-controlled key policy when required.
Evaluators need request-level truth — who published, who invoked, what enriched, and what support did.
Trust is a continuous gate, not a PDF — SAST, dependency, container, and optional DAST in the release path.
How common 2026 agentic risk classes land on I/O Mesh controls — for security questionnaires, not as a certification claim.
| Risk class | I/O Mesh control | Surface |
|---|---|---|
| Prompt injection / tool hijack | Policy-gated MCP invoke + subject ACLs at ingress | MCP tools · mesh policy preview |
| Memory poisoning / context bleed | Department-scoped memory chambers; no cross-tenant indexes | Agentic Memory Palace (optional add-on) |
| Excessive agency | Plan entitlements, rate limits, dry-run validation on automation paths | Entitlements · automation studio |
| Shadow tools / sprawl | Cataloged dept.* products + governed connectors with OAuth/HMAC | Integrations · data products |
| Privileged support abuse | Role-gated impersonation with paired audit events | Admin console audit |
| Vulnerable components | govulncheck, Trivy, SBOM/Grype, pnpm audit in release gates | CI security-scan |
Readiness mappings and commercial packs for regulated evaluators. We do not claim SOC 2 Type II or a signed BAA on this page.
AICPA Trust Services Criteria mapped to product controls (access, tenancy, monitoring, change gates). Control mapping is a readiness artifact — not an auditor report until Type II is issued under your commercial path.
Administrative and technical safeguard mapping for care-adjacent B2B workloads. BAA and production PHI handling remain agreement-bound — marketing packs do not replace a signed BAA.
SSO/SCIM, IdP scope sync, dedicated compliance reviewer path, and evidence-pack packaging for enterprise evaluators.
Visual Rego policy editor, field-level ABAC federation grants, traffic analytics, and federation audit exports for regulated mesh operators.
SAST/dependency/container gates on every security-scan, chaos isolation tests, optional ZAP DAST, and pentest sign-off or documented waiver before major releases.
A public status page ships with production GA so platform teams can subscribe to incidents and maintenance without a sales ticket. Until then, treat pre-launch workspaces as evaluation surfaces and use kickoff / notify channels for availability questions.