Scrutineer governs autonomous AI agents on Kubernetes: per-session policy, human approvals, and runtime evidence produced outside the agent’s trust domain. A compromised agent can’t bypass the rules or edit the record.

Not an agent framework. You bring your own agent image; Scrutineer wraps it in governance it can’t reach.

How it works

Each run is an AgentSession. The controller starts the agent pod, a per-session Envoy proxy, and a default-deny NetworkPolicy that makes the proxy the agent’s only way out — enforced in the kernel, outside the agent’s reach.

flowchart LR
  agent["agent pod<br/>unprivileged · credential-empty"]
  proxy["per-session Envoy proxy<br/>own pod · own identity"]
  up["allowed upstreams"]
  rep["evidence reporter"]
  drop["dropped in the kernel<br/>default-deny NetworkPolicy"]

  agent -->|governed traffic| proxy
  proxy --> up
  proxy -->|observed evidence| rep
  agent -.->|bypass attempt| drop

  classDef dead stroke:#e5534b,stroke-dasharray:4 3
  class drop dead

Every decision lands in the session’s status, labeled by source: observed (the proxy) or self-reported (the agent). Neither pretends to be the other.

Quick start

git clone https://github.com/grantbarry29/scrutineer.git
cd scrutineer
make quickstart   # kind cluster + verified enforcement (~5 min)
make demo         # a denial, a dead bypass, the evidence (~2 min)

Start here

Learn more