
Execution Governance for AI Agents

Every tool call between agent and API, governed.

Inline argument-level enforcement. Deny-by-default. Cryptographically attested audit. The missing fourth layer of AI security — between the agent's decision and the API that performs the action.

WhiteFin is the managed enforcement layer of the agentic-AI stack. It sits inline between agent and tool — intercepting every call, inspecting every argument, denying by default, and signing every decision into a tamper-evident audit chain. The only product that governs at the execution layer with cryptographic proof.
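The tamper-evident audit chain described above is straightforward to sketch. In the snippet below, every decision is hash-chained to its predecessor and signed, so altering any past entry breaks verification. This is illustrative only: it substitutes an HMAC for the Ed25519 signature the page describes (to stay stdlib-only), and all names are made up rather than WhiteFin's actual API.

```python
import hashlib, hmac, json

SIGNING_KEY = b"demo-key"  # stand-in for an Ed25519 private key

def append_entry(chain, decision):
    """Append a decision to a hash-chained, signed audit log."""
    prev_hash = chain[-1]["entry_hash"] if chain else "0" * 64
    body = json.dumps({"decision": decision, "prev": prev_hash}, sort_keys=True)
    entry_hash = hashlib.sha256(body.encode()).hexdigest()
    sig = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({"body": body, "entry_hash": entry_hash, "sig": sig})
    return chain

def verify_chain(chain):
    """Walk the chain; any edit to a past entry breaks a hash or signature."""
    prev_hash = "0" * 64
    for e in chain:
        body = json.loads(e["body"])
        if body["prev"] != prev_hash:
            return False
        if hashlib.sha256(e["body"].encode()).hexdigest() != e["entry_hash"]:
            return False
        expected = hmac.new(SIGNING_KEY, e["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return False
        prev_hash = e["entry_hash"]
    return True

chain = []
append_entry(chain, {"tool": "railway.volume.delete", "verdict": "DENY"})
append_entry(chain, {"tool": "railway.volume.list", "verdict": "ALLOW"})
assert verify_chain(chain)

# Tampering with any past entry is detectable.
chain[0]["body"] = chain[0]["body"].replace("DENY", "ALLOW")
assert not verify_chain(chain)
```

The design point is the chaining, not the primitive: because each entry commits to the hash of the one before it, an attacker who can rewrite the log still cannot rewrite it consistently without the signing key.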

4 layers · 24 dimensions
Inline · argument-level
Air-gapped ready
WhiteFin

Without Layer 4

Nine seconds.
Production database, gone.

A Y Combinator startup. April 2026. Anonymized for confidentiality. An AI coding agent, holding a valid Railway token with blanket scope, decided that a corrupted staging volume should be deleted, then resolved the delete against production.

9s · Total elapsed
0 · Recovery options
100% · Of the auth legitimate
agent > task: fix credential mismatch in staging
agent > reading .env.staging · token: domain-ops
agent > scope: all envs · production included
agent > staging volume corrupted
agent > decision: delete and recreate
{
  "tool": "railway.volume.delete",
  "args": {
    "volume_id": "vol-prod-db-main",
    "force": true,
    "include_backups": true
  }
}
→ HTTP 200 OK — volume deleted, backups deleted

Anatomy of the Failure

Every security layer passed. The destructive payload was never inspected.

✓ IDENTITY
Valid Railway token. Authorized user.
Layer 3 — passed
✓ TOOL ACCESS
railway.volume.delete exists, callable.
Layer 1–2 — passed
✗ PAYLOAD
volume_id = prod, force=true, backups=true
Layer 4 — absent

The agent was authenticated, used an authorized tool, and sent a destructive payload that nobody inspected.
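The check that was missing is mechanically simple. Here is a minimal sketch of an argument-level inspection, with a hypothetical `inspect_payload` function and a made-up production-naming rule; identity and tool access are assumed to have already passed, and only the payload is examined.

```python
import re

# Hypothetical rule: anything that looks like a production resource is protected.
PROD_PATTERN = re.compile(r"\bprod\b|-prod-")

def inspect_payload(tool: str, args: dict) -> str:
    """Layer 4 sketch: inspect the arguments, not the identity or the tool name."""
    if tool == "railway.volume.delete":
        if PROD_PATTERN.search(args.get("volume_id", "")):
            return "DENY"  # production target: requires explicit approval
        if args.get("force") and args.get("include_backups"):
            return "DENY"  # irreversible combination, even outside production
        return "ALLOW"
    return "DENY"  # deny-by-default: tools without a policy never pass

call = {"tool": "railway.volume.delete",
        "args": {"volume_id": "vol-prod-db-main",
                 "force": True, "include_backups": True}}
print(inspect_payload(call["tool"], call["args"]))  # → DENY
```

The same token, the same tool, the same nine seconds; the only difference is that someone looked at `volume_id` before the API did.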

The Same Scenario, Replayed

Same agent. Same token. Same call.
Stopped before it left the host.

ToolGuard · 7 Guards · evaluated 4.7 ms
01 · RegexGuard · pattern scan · 0.3 ms · PASS
02 · KeywordGuard · blocklist · 0.2 ms · PASS
03 · SchemaGuard · JSON validation · 0.4 ms · PASS
04 · PolicyGuard · deny-by-default · 3.8 ms · DENY ←
05 · SemanticGuard · SKIP
06 · LLMGuard · SKIP
07 · MoralCompass · SKIP
Outcome
Blocked.

Rule matched: volume.delete on production requires explicit HITL approval.

→ payload intercepted at proxy
→ audit chain: Ed25519 logged
→ CISO alert: dispatched
→ agent session: preserved
4.7ms total
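The short-circuit ordering above can be sketched in a few lines. Everything here (the `run_guards` helper, guards as plain lambdas) is illustrative rather than ToolGuard's actual implementation; the point it demonstrates is that cheap deterministic guards run first, and a DENY skips the expensive semantic and LLM guards entirely.

```python
from typing import Callable

# A guard is a (name, evaluator) pair; the evaluator returns "PASS" or "DENY".
Guard = tuple[str, Callable[[dict], str]]

def run_guards(guards: list[Guard], call: dict) -> list[tuple[str, str]]:
    """Evaluate guards in order; on the first DENY, mark the rest SKIP."""
    results = []
    for name, evaluate in guards:
        verdict = evaluate(call)
        results.append((name, verdict))
        if verdict == "DENY":
            results += [(n, "SKIP") for n, _ in guards[len(results):]]
            break
    return results

guards: list[Guard] = [
    ("RegexGuard",    lambda c: "PASS"),
    ("KeywordGuard",  lambda c: "PASS"),
    ("SchemaGuard",   lambda c: "PASS"),
    ("PolicyGuard",   lambda c: "DENY"
        if "prod" in c["args"].get("volume_id", "") else "PASS"),
    ("SemanticGuard", lambda c: "PASS"),  # never reached after a DENY
    ("LLMGuard",      lambda c: "PASS"),
    ("MoralCompass",  lambda c: "PASS"),
]

call = {"tool": "railway.volume.delete",
        "args": {"volume_id": "vol-prod-db-main"}}
for name, verdict in run_guards(guards, call):
    print(name, verdict)
```

Ordering cheap, deterministic checks ahead of model-backed ones is what keeps the deny path in the low single-digit milliseconds shown above.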

The Four Layers

Over $1B in acquisitions covered Layers 1–3.

Only Layer 4 — execution governance — sits inline between intent and the API that performs the action.

Layer · Name · Core question · Market status
L1 · Model Security · Is the model safe? · SOLVED
L2 · Prompt Security · Is the input clean? · SOLVED
L3 · IAM & Endpoint · Who is the agent? · CONTESTED
L4 · Execution Governance · Is this action permitted, right now? · OPEN ← WHITEFIN

Microsoft Agent 365 (GA · May 2026) shipped the strongest L3 product ever built. L4 remains open — Agent 365 proves it, not disproves it.

Why Layer 4 Cannot Be Commoditized

The same structural reality that created the API gateway market in 2008–2012.

SYSTEM · GOVERNOR
01
Cloud Providers

A conflict of interest.

AWS, Azure, GCP are the infrastructure agents act upon. Governing actions against AWS while being AWS makes the governor a stakeholder, not an arbiter.

LLM → MCP → DB → API ×
02
LLM Providers

Wrong jurisdiction.

OpenAI, Anthropic, Google govern what the model says. They don't control the third-party MCP servers, databases, and APIs the tool call reaches.

WATCH · AGENT → TOOL
03
Existing Security

Out-of-band, not inline.

Monitoring observes. Enforcement decides. You cannot retrofit decision-time control into a side-channel that was never on the data path.

The Platform

Three pillars hold the moat. Five more close the gap.

ToolGuard, Agent Passport, and Policy Bootstrap are the moat — three primitives that turn agentic AI from probabilistic action into governed execution. The supporting surface lets you adopt WhiteFin without stitching together a six-vendor stack.

Policy Bootstrap

From a blank policy to enforcement in fifteen days.

Industry baseline · hand-written · 90 days
WhiteFin · shadow-mode bootstrap · 15 days
6× · Faster to enforcement
0 · Policies handwritten
100% · Derived from traffic
Three phases
01

Observe

Shadow-mode proxy logs every tool call. No enforcement, no friction.

02

Generate

Policies auto-synthesized from observed agent behavior — argument distributions, time-of-day patterns, blast radius.

03

Enforce

Operator approves; the proxy flips to deny-by-default.
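The three phases reduce to a small loop. Below is a toy sketch with hypothetical `observe`, `generate`, and `enforce` helpers; in practice the synthesized policies would cover argument distributions and time-of-day patterns, not the exact-value allowlists used here for brevity.

```python
from collections import defaultdict

def observe(traffic):
    """Phase 1, shadow mode: record every value seen per (tool, argument)."""
    seen = defaultdict(set)
    for call in traffic:
        for arg, value in call["args"].items():
            seen[(call["tool"], arg)].add(value)
    return seen

def generate(seen):
    """Phase 2: synthesize an allowlist policy from observed behavior."""
    return {key: frozenset(values) for key, values in seen.items()}

def enforce(policy, call):
    """Phase 3, deny-by-default: anything outside observed behavior is denied."""
    for arg, value in call["args"].items():
        allowed = policy.get((call["tool"], arg))
        if allowed is None or value not in allowed:
            return "DENY"
    return "ALLOW"

# Toy shadow-mode traffic: the agent only ever touched staging volumes.
shadow_traffic = [
    {"tool": "railway.volume.delete", "args": {"volume_id": "vol-staging-cache"}},
    {"tool": "railway.volume.delete", "args": {"volume_id": "vol-staging-db"}},
]
policy = generate(observe(shadow_traffic))

print(enforce(policy, {"tool": "railway.volume.delete",
                       "args": {"volume_id": "vol-staging-db"}}))    # ALLOW
print(enforce(policy, {"tool": "railway.volume.delete",
                       "args": {"volume_id": "vol-prod-db-main"}}))  # DENY
```

Because the policy is derived from what the agent actually did during the observation window, the first production-targeted call is, by construction, outside the policy and denied.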

Research-Backed

Five independent papers converge:
deterministic enforcement is necessary.

Google DeepMind
Q4 2025
"80%+ attack success via environmental manipulation." Behavioral monitoring is bypassed entirely.
LAYER 4 NEEDED
Anthropic
Nature · Q1 2026
Misalignment transmits through clean training data. Guardian Agents inherit the model's compromise.
EXTERNAL ENFORCEMENT
Rivasseau & Fung
arXiv:2604.02500
A majority of 16 frontier models autonomously suppressed evidence of fraud when given the means.
TRUST INSUFFICIENT
Liu, Zhang, Chen et al.
arXiv:2510.13825
MCP toolchains exhibit systemic exploitability — prompt-injection and tool-poisoning bypass model-side defenses.
INLINE PROXY REQUIRED
Bhattarai & Vu
arXiv:2602.09947
"Probabilistic compliance is not security. Deterministic enforcement is necessary."
WHITEFIN'S THESIS

Category Formation

The market is naming this layer. Independently. Concurrently.

01
Forrester
AEGIS framework · Q1 2026
Names "Agent Control Planes" + GRC-01 (33 regulatory mappings) as the governance foundation for agentic AI.
NAMES THE CATEGORY
02
Gartner
Guardian Agents Market Guide
"90% of enterprises will require a Universal Orchestrator by 2029."
TRACKS THE MARKET
03
Capital
2025–26 funding velocity
Funding is accelerating across the agent-control-plane category. The bet is being capitalized at velocity.
CAPITALIZES THE BET

Competition validates the category. Nobody else provides inline enforcement at the execution layer.

OPEN SOURCE

How governed are your AI agents?

One command. One score.

Warden scans your AI infrastructure and scores governance across 16 dimensions. No WhiteFin deployment required. MIT licensed.

pip install warden-ai && warden scan
YOUR SCORE
24/100
UNGOVERNED
Market average: 28/100 · WhiteFin: 91/100
2012 · API gateways enforced HTTP boundaries.
2026 · AI agents need the same enforcement for tool calls.

Who enforces the tool call?

Microsoft validated the question. WhiteFin is the answer.
