Durable agent governance for the enterprise

Agent governance. Remarkably simple.

Declare your org. Bind your roles. Ship governed agents. Powerloom is the control plane IT teams use to run Claude agents at scale — with the access model and audit trail you already expect.

Request access →See how it works
Deployed on AWS Hash-chained audit Multi-runtime Community edition coming
Policy decisions · allow · deny · inherited
support-triagerun-as · kaipg-writerrun-as · servicerepo-analyzerrun-as · janefiles-supportpg-analyticsslack-opsgmail-sendPOWERLOOM · POLICY PLANErbac.checkokou.bindingsokdeny.mergeokpolicy.evalokDECISIONS files.read slack.post gmail.sendfiles.read
The governance gap

Your agents have permissions. Do they have governance?

Every Claude agent your teams ship is another identity with tools, credentials, and access to something it shouldn't outlive. Most orgs don't track them. Most can't revoke them. None can prove what they did.

Ad-hoc
Credentials in code.

API keys pasted into config files. Tokens shared over Slack. No revocation path when someone leaves.

Opaque
No audit trail.

Agents call tools. Tools hit systems. Nothing is reproducible, attributable, or reviewable after the fact.

Sprawl
No org model.

One person ships a pilot. Three teams ship copies. The compliance review is the week before the audit.

How it works

Three concepts. Every auth decision in your agent fleet.

If you've used Active Directory, you already know the model. OUs, security groups, role bindings, deny precedence — applied to agents, their tools, and their runtime.

Step 01

Model your org

Nest OUs the way engineering already does — by team, environment, or tenant. Agents, MCP deployments, and human members live inside an OU and inherit its policy.

▸ acme
▸ engineering
▾ platform · 2 agents · 2 MCPs
• pg-writer (service)
• repo-analyzer (user)
▸ support
▸ accounting
Step 02

Bind roles, merge denies

Grant AgentAuthor to eng-leads. Deny invocations outside business hours. Stacked bindings resolve with AD semantics — deny always wins, inheritance flows down.

allow
eng-leads
OUAdmin
allow
usr.raj
AgentAuthor
deny
contractors
inherited · acme
AgentAuthor
allow
svc.pg-writer
DeploymentOperator
Step 03

Run, and see every call

Agents call MCP tools through the Powerloom runtime. Every request is checked against the merged policy, logged with a decision, and streamed to the session console in real time.

14:22:07session.startpg-writer · usr.raj
14:22:08tool.callsql.explain
14:22:08policy.check✓ allow · rbac
14:22:09tool.resultrows=84 · 612ms
14:22:11tool.callsql.migrate
14:22:11policy.check✗ deny · out-of-hours
14:22:11session.idle_endreason=policy
Platform

A control plane for agent fleets.

The patterns you already know — organizational units, role bindings, audit trails — applied to the agents your teams are shipping.

Organizational units

Nest agents, groups, and MCP deployments under OUs that mirror your org chart. Policy inherits down. Admin delegates cleanly. Scoping is a structural property, not a code convention.

OUsinheritancedelegation

RBAC with deny precedence

Built-in roles (OrgAdmin, AgentAuthor, DeploymentOperator) plus custom roles scoped to an OU or the whole org. Deny wins. Merges are deterministic.

built-in + customdeny-mergedeterministic

Approval gates

Freeze high-risk tool calls behind a human reviewer. The agent waits. The request, the reviewer, and the decision are all rows in the audit trail.

requestreviewrecorded

Append-only audit

Every agent turn, tool call, policy decision, and approval lands in a hash-chained log. Replay any session. Export to Splunk, Datadog, or S3. Redact at read time.

hash-chainedreplayableSIEM-ready
Read the full technology brief →
Orchestration

Multi-agent workflows. Declarative.

Define DAG-based workflows in YAML — trigger, agent, condition, approval, subflow. The scheduler advances each step, the reconciler keeps state, the audit trail records every decision.

  • 6 node types — trigger, agent, condition, approval, subflow, transform
  • Version-locked runs — workflow definitions are immutable once pinned. Mutations create a new version.
  • Subflow nesting — a workflow step can start a child workflow. The parent waits, the scheduler advances both.
  • Approval gates — freeze a step behind human review. The agent waits. The decision is audited.
run_4f8a · deploy-and-verify · running
triggerpr.merged done
agentpg-writer done
conditionmigration? done
true
approvaldba-review running
false
agentdeploy-bot pending
outputnotify-slack pending
Coordination

Project threads. Agent dispatch.

Track work as threads — the same model as issues, but native to the agent fleet. Assign to humans, pluck for agents, dispatch via coordinator. Every status change in the event stream.

acme/platform · 3 open · 1 in progress
#14criticalFix auth token expiryin_progressplucked: pg-writer
#13highAdd rate limiting to /invokeopen
#12mediumUpdate onboarding flow copyopenusr.sarah
#11lowRefactor credential store testsopen
#10mediumMigrate session table indexesdone2h ago

Pluck mechanics

Agents claim threads from the backlog. Conflict guards prevent double-assignment. Status transitions are automatic.

Coordinator dispatch

The coordinator evaluates open threads, matches to agents by capability, and executes the plan. Dry-run available.

Vector search

Threads are auto-embedded on creation. Find duplicates and related work via cosine similarity. No config required.

SSE event stream

Subscribe to project events in real time. Thread changes, replies, pluck events — all streamed to the board.

Security

Security by absence. Trust is the product.

Every agent action is authenticated, authorized, and logged. Every policy decision is reproducible. The dangerous capabilities were never built.

Access
AD-native RBAC

OUs, security groups, role bindings, deny precedence. OIDC sign-in via Google, Microsoft, or GitHub.

Audit
Hash-chained

Append-only. Cryptographically linked. Replayable. Exportable to Splunk, Datadog, or S3.

Encryption
Envelope-encrypted

Per-tenant KMS keys. Secrets never land in plain text. Zero-backdoor by design.

Posture
In progress

SOC 2 audit initiated. HIPAA and ISO 27001 on the roadmap. Details on the security page.

Read the full security brief →
Intelligence

Agents that remember. Governed.

Session context persists across turns. Retrieval pulls relevant memories at invoke time. Consolidation compresses working memory into durable knowledge. The coordinator grades quality. All audited.

memory pipeline · pg-writer · 142 memories
Session12 events → 3 chunks
Consolidatemerge overlaps, compress
Hebbian+2 edges, decay 4
Retrievetop-5 by relevance
Gradecoordinator: thumbs_up
Retrieved at invoke:
"pg-analytics prefers EXPLAIN before any DDL. Last migration on 2026-04-18 added idx_sessions_agent_id."
"The acme/platform OU denies sql.migrate outside business hours (binding: out-of-hours-deny)."
  • Retrieval at invoke— relevant memories are injected into the agent's context window before the first turn. No manual prompt engineering.
  • Hebbian consolidation — memories that fire together strengthen. Co-retrieval patterns form edges. Low-use memories decay. The graph self-organizes.
  • Coordinator grading — the coordinator reviews session outputs, grades quality, and feeds structured feedback into the memory loop.
  • Drift detection — injection screening, quarantine, and admin approval for memories that look anomalous.
Read the memory deep-dive →
The reveal

All that governance. One conversation.

Ask in English. The meta-agent drafts the manifest, shows you the diff, applies with your approval. Sixty seconds from ask to ship. Every decision in the audit trail.

Alfred
youSpin up a support-ticket classifier for the customer-ops OU. Read from Zendesk. Flag anything billing-related for human review.
claudeDrafted agent.yml and a new role binding. Two changes:
+ agent            ticket-classifier          (ou=customer-ops, model=claude-sonnet-4-6)
+ approval-policy  billing-review             (gate: tag=billing)
+ mcp-binding      zendesk-read              (scope=customer-ops)
claudeApply now? y
claude✓ Applied in 1.2s. Run apl_7c3e91. Agent is live.
Infra-as-code

Declarative, reviewable, diff-able.

Every OU, binding, agent, workflow, and MCP deployment is a YAML manifest. Apply with the CLI, review in PR, roll back on drift.

  • weave apply — plan, diff, rollout
  • Policy simulator runs in CI on every PR
  • Git-native: the manifest is the source of truth
  • Drift detection alerts when the live state diverges
$ powerloom apply -f acme/
// planning changes against ou=acme …

+ ou               acme/engineering/platform
+ role-binding     eng-leads → OUAdmin        (scope=platform)
~ role-binding     contractors ✗ AgentAuthor  (effect: allow → deny)
+ agent            pg-writer                  (model=claude-sonnet-4-6)
+ mcp-deployment   pg-analytics               (template=postgres v3)

// 5 changes · 0 warnings. apply? [y/N] y
 applied in 1.4s · run apl_9f2ac4
Start governing

Govern your fleet.

Invite-only beta. Request access and we'll get you running.

Request access →Read the brief