
The execution layer of the AI agent stack

Your AI agents are authorized. Governed. And still doing things you haven't approved.

Every security investment you've made protects the decision your agents make. Not the action they take. The agent decides to call a tool. The tool decides what to do. Between those two — every authorization in your stack stops at the boundary.

WhiteFin governs the gap.

Inline · argument-level · Deny-by-default · Air-gapped ready

The 7-Layer AI Security Stack

Seven layers. Two planes. One bridge between them.

Above the bridge — language and logic. Where the agent reasons, plans, and selects tools.

Below the bridge — OS and hardware. Where the action actually executes.

The gap between the two is where most attacks succeed. L4 is that bridge.

▲ Semantic Control Plane · language & logic ▲

L7 · Application / Prompt: DLP · Fine-tuning · System Prompts. "Is the model safe?" (Prompt safety vendors)
L6 · Reasoning / Agent SDK: AutoGPT · LangChain · CrewAI. "What is the agent planning to do?" (Agent observability vendors)
L5 · Orchestration / Tool-Calling: MCP · RAG · SaaS · Agent Identity. "Who is the agent?" (Identity & access vendors)

━━━━ Process Boundary · THE BRIDGE ━━━━

L4 · Deterministic Execution Governance: Kernel Enforcement · eBPF Hooks · Causal Provenance. "What is the agent ACTUALLY doing — right now?" (WHITEFIN)

▼ Execution Infrastructure · OS & hardware ▼

L3 · Kernel: System-Level Hardening · SYSCALL. "Is this process authorized by OS rules?" (Kernel security vendors)
L2 · Virtualization / Container: CNAPP · Cloud Native Security. "Is the container environment secure?" (CNAPP vendors)
L1 · Physical / Infrastructure: CPU · GPU · Cloud Compute. "Is the hardware and cloud foundation trusted?" (Cloud / hardware vendors)

L4 — the Bridge — is where WhiteFin lives. The full methodology is at /methodology.

The Connection

For the first time, every action an agent takes ties back to the prompt that caused it.

Most security tools see the system action. Some see the tool call. None connect both back to the reasoning that caused them — and none do it with cryptographic proof. We do.

01 · Prompt arrives
Instruction enters the agent — including the source: legitimate channel or injected data.

02 · Agent reasons
The agent decides what to do. The choice is recorded as the reasoning step.

03 · Tool call issued
Name, arguments, target — exactly as the agent constructed them.

04 · System action executed
What actually happened at the host: a file written, a connection opened, a process spawned.

05 · Chain signed
All four prior links bound into one tamper-evident record. Independently verifiable.

What this means

When something goes wrong, you don't reconstruct from logs.
You produce a signed chain — and the signature does the persuading.

Causal Provenance →
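The five-link chain described above, as an added illustration; this is not WhiteFin's code and the page does not state which primitives it uses. The example assumes a hash chain (each link's SHA-256 commits to the previous link's hash) and stands in an HMAC-SHA256 over the chain head for the signature, because the standard library has no asymmetric signer; a real deployment would use an asymmetric key held in a KMS/HSM so that a third party can verify without the secret. The signing key, record fields and the sample incident (a read-only support assistant issuing a delete) are constructed.

```python
import copy
import hashlib
import hmac
import json
import os
from typing import Any

# Constructed signing key; a real deployment holds the key in a KMS/HSM and uses
# an asymmetric signature so verifiers never need the secret.
SIGNING_KEY = os.environ.get("PROVENANCE_KEY", "demo-key-not-for-production").encode()
GENESIS = "0" * 64


def _canonical(record: dict[str, Any]) -> bytes:
    # Deterministic encoding: every verifier must hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link_hash(prev_hash: str, record: dict[str, Any]) -> str:
    # Each link commits to its predecessor, so editing an earlier link changes every later hash.
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


def build_chain(prompt, reasoning, tool_call, system_action, key=SIGNING_KEY):
    """Bind the four links (steps 01-04) into one signed record (step 05)."""
    records = [
        {"step": "prompt", **prompt},
        {"step": "reasoning", **reasoning},
        {"step": "tool_call", **tool_call},
        {"step": "system_action", **system_action},
    ]
    links, prev = [], GENESIS
    for record in records:
        digest = _link_hash(prev, record)
        links.append({"record": record, "prev": prev, "hash": digest})
        prev = digest
    signature = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"links": links, "head": prev, "signature": signature}


def verify_chain(chain, key=SIGNING_KEY) -> bool:
    """Recompute every link hash and check the signature over the head; False on any edit."""
    prev = GENESIS
    for link in chain["links"]:
        if link["prev"] != prev or _link_hash(prev, link["record"]) != link["hash"]:
            return False
        prev = link["hash"]
    if prev != chain["head"]:
        return False
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, chain["signature"])


def tampered(chain, step_index, field, value):
    """Return a copy with one field of one link edited (simulates after-the-fact log editing)."""
    forged = copy.deepcopy(chain)
    forged["links"][step_index]["record"][field] = value
    return forged


# Constructed sample: the CISO scenario on this page, a support assistant issuing a delete.
SAMPLE_CHAIN = build_chain(
    prompt={"source": "injected:ticket_body", "text": "Clean up the customers table."},
    reasoning={"decision": "call db.execute to remove stale rows"},
    tool_call={"name": "db.execute", "args": {"sql": "DELETE FROM customers"}, "target": "prod-db"},
    system_action={"kind": "net.connect", "dest": "prod-db:5432", "pid": 4242},
)

if __name__ == "__main__":
    print("genuine chain verifies:", verify_chain(SAMPLE_CHAIN))
    forged = tampered(SAMPLE_CHAIN, 0, "source", "user:slack")
    print("chain with rewritten prompt source verifies:", verify_chain(forged))
```

The point of the `prev` field in every link is that the prompt source cannot be quietly rewritten after the fact: changing link 0 invalidates the hashes of links 1 through 3 and the signature over the head, so a reviewer recomputing the chain sees the edit without needing the original logs.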

Three Things You Have Not Yet Approved

The same gap. Three stakeholders. Three different bills when it pays out.

CISO

The agent had the credential. It used it.

A support assistant with read access to the customer database issued a delete on the production table. The token was valid. The role was assigned. The action was permitted by every layer of authorization you own. The model decided. The tool executed. Nothing in between asked whether this specific argument, against this specific resource, should run.

Where WhiteFin enforces →
CIO

A subprocess call became an exfil channel.

Your code assistant runs in a sandbox. The sandbox can shell out. Shell-out is the integration. One indirect prompt later, the agent's next tool call piped a credential file into a request to an attacker-controlled domain — all inside a fully approved session. The decision was the model's. The action was the runtime's. No human approved the gap between them.

How Policy Bootstrap learns first →
CEO

One compromised agent moved your other agents.

Inter-agent injection is not a future threat. A vendor agent your team integrated last quarter started returning instructions in its responses. Your internal agents read those responses as input. They acted. The board does not care which agent was breached — they care that the action was taken with your company's name on it. Liability moves at execution speed.

How provenance proves intent →

Policy Bootstrap

From a blank policy to live enforcement — in fifteen days.

One-line integration. Three deployment options — managed, self-hosted, or air-gapped. You do not write the policies yourself; we generate them from what your agents actually do, and you approve them before anything goes live.

Time to enforcement: industry baseline (hand-written) 90 days · WhiteFin (shadow-mode bootstrap) 15 days
Policies handwritten: 0
Derived from traffic: 100%
Three phases

01 · Days 1–14 · Observe
WhiteFin sits inline in shadow mode. Every tool call is recorded. Nothing is blocked. Your agents run normally; you collect ground truth about what they actually do.

02 · Day 15 · Review
A proposed policy set is generated from observed behavior. Your team reviews it. You see, in plain English, what each rule allows and what it would have blocked.

03 · Day 16 · Enforce
You flip the switch. Deny-by-default goes live. Approved tool calls pass; everything else stops or routes to human approval — no surprises, because you saw the rules before they shipped.
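The three phases above, observe, review and enforce, as an added worked example; this is not WhiteFin's policy generator and the page does not describe its rule format. The example assumes a minimal per-tool policy that generalizes observed arguments (SQL verb and table, file path prefix, HTTP host), renders each rule in plain English for the review step, and then enforces deny-by-default at the argument level: an unknown tool is denied outright, a known tool with an argument outside the observed envelope is routed to human review. The shadow-mode log and the tool names are constructed.

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed shadow-mode log: tool calls recorded over the 14-day observe window.
OBSERVED = [
    {"tool": "db.query", "args": {"statement": "SELECT * FROM tickets WHERE id = 1"}},
    {"tool": "db.query", "args": {"statement": "SELECT email FROM customers WHERE id = 7"}},
    {"tool": "fs.write", "args": {"path": "/workspace/agent/notes/1.md"}},
    {"tool": "fs.write", "args": {"path": "/workspace/agent/drafts/reply.md"}},
    {"tool": "http.get", "args": {"url": "https://api.example.internal/v1/status"}},
]

# Minimal SQL classifier: leading verb plus the first table after FROM/INTO/TABLE.
SQL_RE = re.compile(r"^\s*(\w+)\b.*?\b(?:FROM|INTO|TABLE)\s+([\w.]+)", re.I | re.S)


@dataclass(frozen=True)
class Rule:
    tool: str
    kind: str              # "sql" | "path" | "url"
    allowed: frozenset     # (verb, table) pairs, one path prefix, or hostnames


def _fingerprint(tool, args):
    """Reduce a call's arguments to the single feature a rule constrains; None = unclassifiable."""
    if tool.startswith("db."):
        m = SQL_RE.match(args.get("statement", ""))
        return "sql", ((m.group(1).upper(), m.group(2).lower()) if m else None)
    if tool.startswith("fs."):
        # Normalize before any prefix check so "../" cannot escape the allowed directory.
        return "path", os.path.normpath(args.get("path", ""))
    if tool.startswith("http."):
        return "url", urlparse(args.get("url", "")).hostname
    return "opaque", None


def derive_policy(observed):
    """Phase 01 -> 02: generalize observed calls into one allow rule per tool."""
    kinds, features = {}, defaultdict(set)
    for call in observed:
        kind, feat = _fingerprint(call["tool"], call["args"])
        if feat is None:
            continue   # unclassifiable traffic never silently becomes an allow rule
        kinds[call["tool"]] = kind
        features[call["tool"]].add(feat)
    policy = {}
    for tool, feats in features.items():
        if kinds[tool] == "path":
            # Generalize to the directory shared by every observed write.
            paths = sorted(feats)
            prefix = os.path.dirname(paths[0]) if len(paths) == 1 else os.path.commonpath(paths)
            policy[tool] = Rule(tool, "path", frozenset({prefix}))
        else:
            policy[tool] = Rule(tool, kinds[tool], frozenset(feats))
    return policy


def explain(policy):
    """Phase 02: the plain-English view a reviewer approves before enforcement."""
    lines = []
    for rule in policy.values():
        if rule.kind == "sql":
            verbs = sorted({v for v, _ in rule.allowed})
            tables = sorted({t for _, t in rule.allowed})
            lines.append(f"{rule.tool} may run {', '.join(verbs)} on tables: {', '.join(tables)}")
        elif rule.kind == "path":
            lines.append(f"{rule.tool} may touch files under {next(iter(rule.allowed))}")
        else:
            lines.append(f"{rule.tool} may contact hosts: {', '.join(sorted(rule.allowed))}")
    return lines


def decide(policy, tool, args):
    """Phase 03: deny-by-default, argument-level. Returns (decision, reason)."""
    rule = policy.get(tool)
    if rule is None:
        return "deny", f"no approved rule for tool {tool}"
    kind, feat = _fingerprint(tool, args)
    if feat is None:
        return "review", "argument could not be classified"
    if kind == "path":
        (prefix,) = rule.allowed
        ok = feat == prefix or feat.startswith(prefix + os.sep)
    else:
        ok = feat in rule.allowed
    return ("allow", "within observed envelope") if ok else ("review", f"{feat} not in approved set")


if __name__ == "__main__":
    policy = derive_policy(OBSERVED)
    print("\n".join(explain(policy)))
    print(decide(policy, "db.query", {"statement": "DELETE FROM customers"}))
```

The path rule is where the argument-level check earns its keep: `/workspace/agent/../../etc/hosts` is normalized to `/etc/hosts` before the prefix comparison, so a traversal inside an otherwise approved tool call is routed to review rather than passed on the strength of its first few characters.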

Your agents are running through it right now. The only question is whether someone is watching.

The execution layer is open.

Tell us what you're running and what you're worried about. We'll show you what's actually happening between your agents and your tools.
