Governance Plane · v0.1.0

Agent Sentinel

The control plane that gates every AI agent tool call, signs the audit trail, and meters per-business-unit spend. Built on Gemini 2.5 Flash + Pro with Cached Content over full policy documents. No chunking. No vector DB. Tamper-evident without a blockchain.

Live dashboard ↗ Gateway · real Gemini ↗ GitHub · MIT ↗ A2A agent card ↗

TRANSFORMING ENTERPRISE THROUGH AI · LABLAB.AI · MAY 2026 · TRACK 2 (GOOGLE AI STUDIO) + TRACK 1 (AGENT SECURITY)

01 · The problem

What it does

Drop Sentinel in front of any MCP-speaking or A2A-speaking agent. Every action — every email, every database read, every refund, every agent-to-agent delegation — passes through a four-stage gate and is recorded as a hash-chained, HMAC-signed receipt that cites the exact policy version used.

Compliance officer

"Who approved this action, and against which policy?"

Cited evidence in ~4 seconds instead of a 3-day audit pull.

CISO

"How do I stop my agent from doing the wrong thing?"

Drift detector + Pro reasoning block injections before execution.

CFO

"What does our agent fleet cost each business unit?"

Per-call cost ledger, base vs. Gemini split, BU-attributed.

02 · How it works

Architecture

Four gates in series. Each one cheaper than the next. ~33% of calls finish at the static engine. ~62% need Gemini Flash. ~5% escalate to Pro. Every decision is signed and chained.

Static engine — < 5 ms

Regex denylists, role ACL, refund cap, plaintext PII.

Drift detector — ~0 ms

Injection markers in arguments, tool-vs-declared-goal mismatch, fresh external recipients.

Flash gate — ~1.5 s p50

Gemini 2.5 Flash with response_schema and thinking_budget=0. Returns a typed allow/deny/rewrite decision.

Pro reasoner — 3–5 s

Gemini 2.5 Pro with cached_content over the full policy book (1M context). Cites the exact policy version. No chunking. No vector DB. ~75% token-cost savings on stable bundles via Cached Content.

∞

Audit ledger · cost meter · alerts · anchors

Postgres-backed hash-chained ledger, HMAC signatures via rotatable KMS keys, Slack/Teams webhooks on deny+rewrite, Merkle batches anchorable to OpenTimestamps or Circle Arc state channels, per-BU cost rollup for CFO chargeback.

Adapters

Google ADK, Anthropic Agent SDK, OpenAI tool-calling, CrewAI, generic MCP. Three-line wrap of an existing agent.

Stack

FastAPI · Postgres · Gemini 2.5 Flash + Pro · Files API · Cached Content · A2A · MCP · Next.js dashboard.

03 · What we measured

Results

Two evaluations matter for a governance plane: did it make the right decision, and is the audit trail trustworthy. We ran both.

Decision accuracy · 155 labeled scenarios

Real Gemini 2.5 Flash + Pro · ~$0.18 spent on the live API

Category	Cases	Correct	Δ
Happy path	42	42 / 42 (100.0%)	+0.0
Policy violation (PII / vendor / refund cap)	38	37 / 38 (97.4%)	−2.6
Indirect prompt injection	22	22 / 22 (100.0%)	+0.0
Tool-vs-goal drift	14	13 / 14 (92.9%)	−7.1
Static-engine edge cases	25	25 / 25 (100.0%)	+0.0
A2A delegation	14	11 / 14 (78.6%)	−21.4
Total	155	150 / 155 (96.8%)	—

Ledger integrity · production gateway + load test

sentinel ledger verify · re-derive HMAC, walk prev_hash → self_hash

Run	Receipts	Chains	Throughput	Result
Local load (laptop Postgres)	5,000	3	806 req/s	INTEGRITY: PASS
Live Railway gateway	703	3	~3 req/s	INTEGRITY: PASS
Tamper test (1 byte mutated)	1	1	—	BROKEN — exit 1

96.8%

Real Gemini eval

Pytests passing

5,000

Receipts · zero forks

~70%

Gross margin · modeled

04 · Run it yourself

Try it

Live dashboard

Live timeline · receipts · BU cost rollup · red-team console · policy library.

agent-sentinel-weld.vercel.app →

Live gateway

Real Gemini 2.5 Flash + Pro. Per-IP rate-limited (30/min, 500/day) so the public URL stays safe.

agent-sentinel.up.railway.app →

GitHub · MIT

Clone, run, audit. 88 pytests passing. Full architecture in README + CLAUDE.md.

github.com/SankarSubbayya/agent_sentinel →

Developer overview

HTTP API, adapter quickstart, curl examples for the five live endpoints.

/developer →

Local · 60 seconds

# clone, install, run
git clone https://github.com/SankarSubbayya/agent_sentinel
cd agent_sentinel
cp .env.example .env                  # GEMINI_API_KEY optional
uv sync && uv run sentinel init-db
uv run sentinel serve --port 8088     # gateway

# dashboard, in another shell
cd dashboard && npm i && PORT=3030 npm run dev

# walk the demo + verify
uv run sentinel demo run              # 6 beats
uv run sentinel ledger verify         INTEGRITY: PASS

05 · The cardinal rule

It enforces policy. It doesn't write it.

Sentinel is a governance plane — it gates, signs, and meters. It does not decide whether your policies are correct, complete, or current.

That responsibility stays with your compliance team. A production deployment must configure its own KMS, rotate its own signing keys, run its own red-team exercises against its own injection corpus, and treat the policy catalog as living code. The receipt chain proves what was decided; the policy library determines whether the decision was right. Don't conflate them.