LoopCompound™ · Build · Steer · Compound

Security & trust for agentic AI evaluators

In 2026 the bottleneck is agent governance — tool identity, memory tenancy, and request-level audit — not another model subscription. I/O Mesh keeps institutional context inside org → workspace → tenant boundaries with policy-gated MCP, TLS and encryption paths, and compliance readiness packs. SOC 2 and HIPAA are readiness programs here, not blanket certifications until your agreement says so.

Why agent security is the 2026 bottleneck

Enterprises treat AI agents as mission-critical, yet most identity stacks still assume human-only principals. OWASP’s LLM and Agentic Top 10 put prompt injection, memory poisoning, excessive agency, and tool misuse at the top of the risk list. I/O Mesh answers with a governed operational context plane — not another chat sandbox.

Non-human identity

Agents need scoped tools and department tenancy, not shared API keys.

Memory tenancy

Long-term recall is optional and department-bound — never a cross-firm vector dump.

Evidence over claims

SOC 2 / HIPAA readiness mappings and continuous gates — attestation only when your agreement says so.

Control layers on I/O Mesh

Product surfaces platform teams can staff and measure — mapped to LoopCompound™ Build (tools + gates), Steer (portal context + memory), and Compound (usage proof + private evals).

Tenancy & isolation

Agent context stays inside firm boundaries — org → workspace → tenant with dept.* subject namespaces, not a shared agent memory bucket.

  • Department-scoped publish enforces tenant isolation at ingress
  • Plan gates on memory, Kafka mappings, connectors, and MCP invoke
  • No cross-tenant shared memory indexes — Palace roots collocate with tenancy
  • Chaos isolation tests on cross-tenant publish/recall paths

Identity & access

Humans and support operators are first-class principals — sessions, SSO/SCIM path, and audited privilege elevation.

  • Portal sessions with HttpOnly / SameSite cookies (OIDC-ready)
  • SSO + SCIM provisioning with org/workspace hierarchy (Compliance add-on)
  • IdP group → dept.* subject scope sync for department ACL fidelity
  • Support impersonation requires privileged role; start/end audit pairs

Agentic TRiSM & MCP governance

Agents are non-human principals — tool access is policy-gated, rate-limited, and department-scoped, not free-form chat to production systems.

  • MCP tools scoped to department tenancy with policy preflight
  • Rego/OPA policy bundles and mesh policy preview before save
  • Rate limits + plan entitlements on tool invoke
  • Governance add-on: visual policy editor, field ABAC, federation audit exports

Encryption & data handling

Operational facts are token capital — protect them in transit, at rest, and under customer-controlled key policy when required.

  • TLS in transit for broker and control-plane APIs (min TLS 1.2+)
  • At-rest encryption for object storage sinks
  • AWS / GCP KMS envelope encryption path with enterprise BYOK policy
  • Connector webhook HMAC verification — failed verifies isolated, not silent

Audit, lineage & observability

Evaluators need request-level truth — who published, who invoked, what enriched, and what support did.

  • Impersonation start/end pairs exportable for GRC review
  • Publish lineage through enrich → memory advisories
  • Usage meters for publish, memory ingest, and MCP invoke (Compound loop proof)
  • Security headers on portal/admin surfaces; control-plane HSTS / nosniff middleware

Secure development & supply chain

Trust is a continuous gate, not a PDF — SAST, dependency, container, and optional DAST in the release path.

  • Go SAST + govulncheck + staticcheck on every security-scan gate
  • pnpm audit for portal/admin frontends; fail on high/critical
  • Container image Trivy + SBOM (syft) + Grype on foundation images
  • OWASP ZAP baseline available against broker/control-plane/portal origins

Buyer checklist map

How common 2026 agentic risk classes land on I/O Mesh controls — for security questionnaires, not as a certification claim.

Risk classI/O Mesh controlSurface
Prompt injection / tool hijackPolicy-gated MCP invoke + subject ACLs at ingressMCP tools · mesh policy preview
Memory poisoning / context bleedDepartment-scoped memory chambers; no cross-tenant indexesAgentic Memory Palace (optional add-on)
Excessive agencyPlan entitlements, rate limits, dry-run validation on automation pathsEntitlements · automation studio
Shadow tools / sprawlCataloged dept.* products + governed connectors with OAuth/HMACIntegrations · data products
Privileged support abuseRole-gated impersonation with paired audit eventsAdmin console audit
Vulnerable componentsgovulncheck, Trivy, SBOM/Grype, pnpm audit in release gatesCI security-scan

Compliance path

Readiness mappings and commercial packs for regulated evaluators. We do not claim SOC 2 Type II or a signed BAA on this page.

SOC 2 Type II path

Readiness mapping

AICPA Trust Services Criteria mapped to product controls (access, tenancy, monitoring, change gates). Control mapping is a readiness artifact — not an auditor report until Type II is issued under your commercial path.

HIPAA Security Rule mapping

Readiness mapping

Administrative and technical safeguard mapping for care-adjacent B2B workloads. BAA and production PHI handling remain agreement-bound — marketing packs do not replace a signed BAA.

Compliance add-on

Commercial add-on

SSO/SCIM, IdP scope sync, dedicated compliance reviewer path, and evidence-pack packaging for enterprise evaluators.

Governance add-on

Commercial add-on

Visual Rego policy editor, field-level ABAC federation grants, traffic analytics, and federation audit exports for regulated mesh operators.

Continuous security program

Engineering program

SAST/dependency/container gates on every security-scan, chaos isolation tests, optional ZAP DAST, and pentest sign-off or documented waiver before major releases.

Availability & status

A public status page ships with production GA so platform teams can subscribe to incidents and maintenance without a sales ticket. Until then, treat pre-launch workspaces as evaluation surfaces and use kickoff / notify channels for availability questions.

Get notified at launch →