WhiteFin is the execution layer of the AI agent stack — the layer that governs the gap between what the agent decides and what the tool actually runs. It sits inline between agent and tool, denies by default, and provides verifiable evidence that the action came from the agent's stated intent.

How is WhiteFin different from prompt filters or monitoring tools?

Prompt filters look at what the model says. Monitoring tools observe what already happened. WhiteFin sits on the data path between agent and tool, decides whether each call may run, and refuses calls that should not. Observation is useful but it is not enforcement — agents do not slow down for monitors that cannot say no.

What is Causal Provenance?

Causal Provenance is the verifiable evidence that an agent's action actually came from its stated intent. Cryptographically signed. Tamper-evident. Independently verifiable without trusting WhiteFin.

How long does it take to get to enforcement?

Fifteen days. Two weeks of shadow-mode observation, one day of policy review, one day to flip the switch. You do not author the policies; we generate them from what your agents actually do, and you approve them before anything goes live.

Can WhiteFin be deployed air-gapped?

Yes. Three deployment options: managed, self-hosted, and air-gapped. The enforcement guarantees are identical across all three; you pick by data-residency and audit posture.

Why Execution Governance

Knowing where your data lives
does not stop an agent from taking it.

The Visibility Layer

Where the data is.

Discover · Classify · Score · Alert

The Execution Layer

What the agent does with it.

Inspect · Govern · Refuse · Prove

The Problem With Visibility

Visibility vs. Enforcement.

The security industry spent the last three years solving a real problem: enterprises didn't know where their sensitive data was. What cloud bucket. What SaaS application. What database. What file.

That problem is largely solved. The platforms that solved it are impressive. They scan petabytes. They classify billions of records. They tell you exactly what you have and where it lives.

And then an AI agent — authorized, credentialed, and fully visible to every one of those platforms — takes that data somewhere it shouldn't.

And none of them stop it.

Because visibility is not enforcement.

What the Current Generation Does

What today's platforms do well — and what they don't.

Today's data security platforms are built around a powerful idea: if you can see everything, you can protect everything.

They discover your data. They classify it. They track who accessed it. They alert when something looks wrong. They integrate with your DLP tools to block suspicious transfers. They give you dashboards, scores, remediation workflows, and compliance reports.

This is genuinely useful. It answers the question: what do we have, and is it exposed?

It does not answer a different question: what is my AI agent doing with it right now?

The Question That Isn't Answered

Five things visibility platforms cannot do.

When an AI agent accesses a credentials file, reads customer records, queries a production database, or sends a message to another agent — the current generation of platforms observes that activity at the application layer or the network layer.

GAP 01

They cannot inspect the argument inside the tool call.

They see that an agent called a delete function. They do not see that the argument was volume_id=prod, force=true, include_backups=true. The difference between a safe delete and a catastrophic one is in the argument. The argument is invisible to them.

GAP 02

They cannot stop an action that produces no network traffic.

An agent that reads a credentials file and writes it to a local temporary directory has not made a network call. No DLP tool sees it. No access trail captures it. The data has moved — entirely inside the host — and every monitoring system in the environment recorded: nothing.

GAP 03

They cannot link what happened to why it happened.

A classification platform can tell you that sensitive data was accessed. It cannot tell you which agent reasoning step caused that access, whether the instruction that triggered it was legitimate or injected, or whether the action was within the agent's approved scope. It can show you the event. It cannot show you the cause.

GAP 04

They cannot enforce in real time before execution.

Alerting after an action completes is not enforcement. Remediating after data has moved is not prevention. The platforms that score risk and notify security teams are doing something valuable — but they are doing it after the decision has already been executed.

GAP 05

They cannot guard a probabilistic system with a probabilistic guard.

An LLM-based security tool shares the same failure mode as the agent it monitors — natural language reasoning. A sufficiently crafted input can manipulate both. Probabilistic guards on a probabilistic entity are not mathematically aligned with the security guarantee. Enforcement has to happen in a non-linguistic medium.

The Structural Reason

A scanning model cannot govern a runtime.

Data security platforms are built on a scanning model. They connect to your cloud APIs, your SaaS applications, your data stores — and they observe what is there. They are designed to answer questions about the state of your data at rest.

AI agents don't operate at rest. They operate in motion. They read, write, move, transform, and transmit — in milliseconds, across system boundaries, in sequences that no human is watching in real time.

Scanning Model

Data at rest.

Connect to stores. Observe state. Answer questions about what exists and where.

Runtime

Data in motion.

Sit inline on the path. Decide every action in milliseconds. Refuse before it runs.

A scanning model cannot govern a runtime. Observation cannot substitute for enforcement. A map of where your data lives cannot stop an agent from moving it.

The gap is not a product gap in the platforms that exist. It is a category gap. The category of real-time, inline enforcement at the moment of agent execution — before the action completes — does not exist in the platforms built around data visibility.

What Execution Governance Adds

Execution governance does not replace data visibility. It completes it.

Knowing where your sensitive data lives tells you what needs to be protected. Execution governance is the layer that actually protects it — at the moment an agent tries to act on it.

What data visibility answers

What execution governance answers

Where is our sensitive data?

What is our agent doing with it right now?

Who has access to it?

Is this specific action within the agent's approved scope?

Was it accessed?

Was the access legitimate — or injection-triggered?

What does our posture look like?

What happened, why, and can we prove it?

Are we compliant on paper?

Can we prove compliance with cryptographic evidence?

These are not competing answers. They are sequential ones. Visibility tells you what you have. Enforcement governs what happens to it.

The Specific Scenarios That Fall Through

Four ways the gap shows up in practice.

The authorized agent with destructive intent.

Your data platform knows the agent has access to the production database. It does not know that the specific tool call the agent is about to make will delete it — with force — including backups. That determination requires inspecting the argument at the moment of execution, before the call completes. No visibility platform does this.

The local exfiltration that leaves no network trace.

Your DLP sees network traffic. Your access trail sees API calls. Neither sees a file read followed by a local file write — two system calls, no network hop, data staged inside the host for later pickup. The exfiltration is complete before any monitoring system registers an anomaly.

The agent that was told to do something wrong.

An AI agent can be manipulated through its data inputs — a document it was asked to summarize, a tool result it received, an email it was processing. When that happens, the agent takes a real action with real credentials in a real system. The action looks authorized. The identity looks valid. The tool call looks legitimate. The data access trail shows a normal access event. Nothing in the visibility layer reveals that the instruction that caused it was injected.

The inter-agent instruction you didn't see.

In multi-agent environments, agents communicate with each other. A compromised agent can instruct a healthy one to take actions outside its approved scope — through an internal channel that produces no external network traffic and no application-layer event. The communication is invisible to every platform that monitors at the network or application layer.

What This Means If You Have a Data Visibility Platform

Your investment is not wasted. It is the input.

Your investment in data classification, access governance, and risk scoring is not wasted. It tells you what matters — which data stores require the tightest controls, which access patterns are anomalous, which compliance requirements apply.

Execution governance uses that knowledge. The data your visibility platform identified as sensitive is exactly the data that WhiteFin's enforcement policies protect at the moment of agent execution.

Your Visibility Platform

identifies what is sensitive

WhiteFin Enforcement

protects it at execution time

The two layers are not redundant. One tells you what to protect. The other actually protects it.

The Close

You can know where every sensitive record in your environment lives.

You can classify it, score it, monitor access to it, and generate compliance reports about it.

And an AI agent — authorized, credentialed, and fully visible to your entire security stack — can still take it somewhere it shouldn't.

Unless something governs the execution.

Talk to us →See it in your environment →

Knowing where your data livesdoes not stop an agent from taking it.