
toani Control
Enterprise-grade AI Agent secure execution infrastructure. Hardware + policy dual boundaries control what Agents are allowed to do.
What is toani Control?
toani Control is an enterprise-grade secure execution infrastructure that defines and enforces what AI Agents are allowed to do. Through a three-plane architecture — Credential, Policy, and Execution — Control ensures every Agent action passes authorization checks, risk assessment, and configurable human-in-the-loop approval before touching any external system.
Built on dual TEE hardware (Intel SGX for key management + AMD SEV-SNP for connector sandboxing), Control provides hardware-enforced policy boundaries that cannot be bypassed by application code, Agent behavior, or even platform operators. Every execution produces a cryptographically verifiable receipt and immutable audit trail.
Three-plane architecture

Credential Plane
Who owns which credentials

Policy Plane
Authorization rules & risk tiering

Execution Plane
Hardware-isolated operations
Dual TEE hardware
Key features
Three-Plane Architecture
Credential / Policy / Execution strictly separated. No single layer can bypass authority alone.
Dual-TEE Model
Intel SGX handles key derivation and Action Token issuance; connector workloads run on AMD SEV-SNP + gVisor.
Policy Engine
Manage policies by tenant, namespace, Agent, action whitelist, quota, time window, etc. Supports versioning and admin signatures.
Risk Tiering & HITL
Tier 0/1/2 risk levels: auto-approval, soft approval (push notification), hard approval (PIN / biometric).
Connector Sandbox
Supports direct API, OAuth, browser automation, form submission, webhooks, and other connectors. Egress is restricted to a whitelist inside the gVisor sandbox.
Immutable Audit
Audit events are written to immudb. Compliance proof packages can be exported. Credential plaintext and sensitive parameters are not logged.
How it works
Credential Plane
Who owns which credentials. Managed via HashiCorp Vault + TEE layer integration.
Policy Plane
Under what conditions, which actions are allowed. API Gateway, Policy Engine, Risk Scoring & HITL.
Execution Plane
Code that actually interacts with external systems. Only touches plaintext within hardware isolation boundaries.
Enterprise App / Agent
Policy Plane
- API Gateway
- Policy Engine
- Risk Scoring & HITL
Execution Plane
- SGX: Key Derivation, Decrypt
- SEV-SNP + gVisor: Connectors
Execution Receipt → Agent
Agent Sends Request
An enterprise app or AI Agent sends an action request to the toani Control API. The request includes intent, target service, and credential references.
Policy Evaluation
The Policy Plane checks the action whitelist, quota limits, time windows, and risk tier. Tier 0 auto-approves; Tier 1/2 triggers push notification or biometric HITL.
Secure Execution
The SGX enclave derives keys and decrypts credentials. An Action Token is issued via PASETO. The connector sandbox (SEV-SNP + gVisor) executes the actual API call or browser automation.
Result & Audit
Execution receipt is returned to the Agent. Every step is cryptographically logged to immudb with hash chain verification. Credential plaintext is wiped from memory.
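The policy evaluation step described above, sketched as an added example (not toani Control's code or API): a deny-by-default check of action whitelist, time window and quota, followed by the Tier 0/1/2 mapping. The `Policy` fields, action names and decision strings are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Hypothetical policy model; field names are assumptions, not toani Control's schema.
@dataclass
class Policy:
    allowed_actions: dict[str, int]   # action name -> risk tier (0, 1 or 2)
    daily_quota: int                  # max approved requests per agent per day
    window: tuple[time, time]         # permitted time-of-day window (start, end)
    used: dict[str, int] = field(default_factory=dict)  # agent id -> count today

# Tier 0: auto-approval, Tier 1: soft approval (push), Tier 2: hard approval (PIN / biometric).
TIER_DECISION = {0: "auto_approve", 1: "soft_approval", 2: "hard_approval"}

def in_window(window, now):
    start, end = window
    t = now.time()
    # A window such as 22:00-06:00 wraps past midnight.
    return start <= t < end if start <= end else (t >= start or t < end)

def evaluate(policy, agent_id, action, now):
    """Return (decision, reason). Checks are deny-by-default and ordered so
    that a denied request never consumes quota."""
    tier = policy.allowed_actions.get(action)
    if tier is None:
        return "deny", "action not on whitelist"
    if tier not in TIER_DECISION:
        return "deny", "unknown risk tier"
    if not in_window(policy.window, now):
        return "deny", "outside time window"
    if policy.used.get(agent_id, 0) >= policy.daily_quota:
        return "deny", "quota exhausted"
    policy.used[agent_id] = policy.used.get(agent_id, 0) + 1
    return TIER_DECISION[tier], f"tier {tier}"

# Constructed sample policy for a brokerage-style agent.
SAMPLE = Policy(
    allowed_actions={"positions.read": 0, "order.place": 2},
    daily_quota=2,
    window=(time(9, 0), time(17, 0)),
)

if __name__ == "__main__":
    noon = datetime(2024, 1, 2, 12, 0)
    for act in ("positions.read", "order.place", "account.close", "positions.read"):
        print(act, evaluate(SAMPLE, "agent-1", act, noon))
```

In this sketch a Tier 1 or Tier 2 result only says which approval is required; the approval itself would still have to succeed before any Action Token is issued.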
Dual TEE hardware
Key Manager / Token Signer
Intel SGX — key derivation, decryption, PASETO Action Token issuance
Connector Sandbox
AMD SEV-SNP + gVisor — execute API calls, browser automation with strict policy constraints
Connector sandbox constraints
Key benefits
Plaintext only exists briefly in Execution Plane TEE
Decryption is completed in SGX, and short-term credentials are injected into connectors via RA-TLS. Memory is cleaned via memzero after execution.
Policies cannot be bypassed by Agent or end user
The Agent calls the Control API, not downstream systems directly. The Execution Plane only trusts Action Tokens issued by the Policy Plane Enclave.
Every execution has verifiable audit trail
Audit logs use immudb + hash chain + Merkle structure. Exportable, independently verifiable compliance proof packages for security and audit teams.
Use cases

Wealth & Brokerage Operations
Execute read-only position queries or limited trades under quota and policy control. Risk tiering determines auto-approval, push notification, or biometric confirmation.

Enterprise SaaS / DevOps
CTO configures SaaS credentials and access policies. DevOps Agent executes daily operations through policy-constrained API calls. Execution Plane produces auditable receipts for every change.

Government & Tax Automation
Execute scripted operations on government portals via browser automation within whitelist domains and strict policy boundaries.
Interested in early access?
Control is coming soon. Contact us for preview access.
