Capx

Trust through control. Not hope.

Agents are powerful. Governance makes them safe. Every action goes through configurable approval flows, spend limits, and kill switches.

Approval queue (preview)

TSK-041 | marketer | low | Publish blog post to production CMS | auto-approved
TSK-042 | engineer | medium | Deploy v2.3.1 to staging environment | pending
TSK-043 | strategist | high | Send partnership outreach to 3 leads | pending
TSK-044 | support | high | Issue refund of $45 to customer #1892 | pending

0% actions audited
6 control layers
<1s kill switch
$0 overages allowed

Six layers of control

Defense in depth. Each layer catches what the previous one missed. Combined, they make autonomous agents safe for production.

Config: company.yaml

governance:
  approval:
    required: true
    auto_approve_below: 10
    escalation_timeout: "4h"
    reviewers:
      - founder
      - admin

  spend_caps:
    per_agent:
      daily: 50
      monthly: 500
    per_company:
      daily: 200
      monthly: 2000
    action: pause

  kill_switch:
    enabled: true
    preserve_state: true
    rollback_side_effects: true

  execution_policy:
    allowed_tools:
      - llm.prompt
      - file.read
      - file.write
      - http.request
    blocked_tools:
      - shell.run
    max_concurrent_agents: 4
    max_task_duration: "30m"

Tool policy

Define which tools each agent can access. Block dangerous operations like shell execution by default.

Spend limits

Hard caps per agent per day and per month. When an agent hits the limit, it pauses immediately.

Approval flow

Low-cost, low-risk actions auto-approve. Everything else enters a review queue.

Kill switch

Instant shutdown of any agent, any playbook, or the entire company. State preserved.

Escalation

When an agent encounters ambiguity or low confidence, it stops and asks a human.

Audit log

Every decision logged with full context: what happened, who approved, what it cost.
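
The tool-policy, spend-limit, approval and audit layers described above can be read as one ordered decision per action. The sketch below is an added example, not Capx code: it mirrors the sample company.yaml as a Python dict, and the evaluation order, the shapes of `action` and `spent`, and the reading of `auto_approve_below` as a cost threshold are assumptions.

```python
# Added illustration, not Capx code. The dict mirrors the page's company.yaml;
# the evaluation order and the action/spent shapes are assumptions.
GOVERNANCE = {
    "approval": {"required": True, "auto_approve_below": 10},
    "spend_caps": {
        "per_agent": {"daily": 50, "monthly": 500},
        "per_company": {"daily": 200, "monthly": 2000},
        "action": "pause",
    },
    "execution_policy": {
        "allowed_tools": ["llm.prompt", "file.read", "file.write", "http.request"],
        "blocked_tools": ["shell.run"],
    },
}


def evaluate(action, spent, cfg=GOVERNANCE, audit=None):
    """Return 'deny', 'pause', 'pending' or 'auto-approved' for one action.

    action: {"agent", "tool", "cost", "risk"}   (hypothetical shape)
    spent:  running totals keyed "<scope>_<period>", e.g. "agent_daily"
    """
    policy, caps = cfg["execution_policy"], cfg["spend_caps"]
    tool, cost = action["tool"], action["cost"]
    over_cap = any(
        spent.get(f"{scope}_{period}", 0) + cost > caps[f"per_{scope}"][period]
        for scope in ("agent", "company")
        for period in ("daily", "monthly")
    )
    # 1. Tool policy: the blocklist wins, and anything not allowlisted is denied.
    if tool in policy["blocked_tools"] or tool not in policy["allowed_tools"]:
        decision = "deny"
    # 2. Spend caps: checked on projected spend, so the cap is never exceeded.
    elif over_cap:
        decision = caps["action"]
    # 3. Approval: only low-risk actions under the cost threshold skip review.
    elif cfg["approval"]["required"] and (
        action["risk"] != "low" or cost >= cfg["approval"]["auto_approve_below"]
    ):
        decision = "pending"
    else:
        decision = "auto-approved"
    # 4. Audit: every decision is recorded, including denials.
    if audit is not None:
        audit.append({**action, "decision": decision})
    return decision
```

In this sketch `http.request` is on the allowlist, so an outbound call passes the tool-policy layer; blocking it for a given agent means removing it from the allowed set that applies to that agent.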

With governance vs. without

Running autonomous agents without governance is not a feature. It is a liability. Here is what changes when you add each control layer.

| Dimension | With governance | Without governance |
|---|---|---|
| Cost overruns | Hard caps pause agents at limit. Zero overages possible. | Agents run unchecked. A single loop bug can burn your monthly budget overnight. |
| Sensitive actions | High-risk actions enter approval queue. You review before execution. | Agents act autonomously on everything. Refunds, deploys, outreach happen without review. |
| Tool access | Whitelist-only. Agents cannot use tools outside their allowed set. | Full tool access. An agent could execute shell commands or access external APIs freely. |
| Failure recovery | Auto-restart with state preservation. Exponential backoff. Rollback on side effects. | Crashes are silent. Partial side effects left in inconsistent state. |
| Audit trail | Every action logged with agent reasoning, cost, approval status, and timestamps. | No record of what happened or why. Debugging is guesswork. |
| Incident response | Kill switch stops everything instantly. State preserved for forensics. | No way to stop a runaway agent except pulling the plug on the whole system. |

Kill switch

Instant shutdown of any agent, any playbook, or the entire company. State preserved. Side effects rolled back where possible. Under one second from trigger to full stop.

Budget drain

Agent enters a retry loop on an expensive model. Without a kill switch, it burns through $200 in minutes. With governance: spend cap triggers at $50, agent pauses, you are alerted.

Data leak risk

Agent attempts to send customer data to an external API. Tool policy blocks the HTTP call before it leaves the container. The action is logged and flagged for review.

Cascade failure

One agent's bad output feeds into three downstream playbooks. Kill switch halts the entire company in under a second. Side effects are rolled back. State is preserved for debugging.

Set up governance for your company.

Approval flows, spend caps, kill switches, and full audit trails. Control without friction.