Eleven controls. Every deployment.
Keyra agents operate inside regulated environments. The trust model below is enforced on every customer tenant, every subscription, and every agent instance.
Every deployment runs inside a customer-specific tenant world. No agent ever crosses tenant boundaries.
From Ciright parent → Keyra catalog → subscription → tenant instance, every agent is fully traceable.
All operations are gated by roles. Operators, reviewers, sovereign admins, and tenant admins have distinct capability scopes.
Material actions require human-in-the-loop approval. Approval is recorded for every decision.
Append-only audit log on every action. Sovereign deployments include ministry-level audit packaging.
Permission templates are bound at deployment time. Agents cannot self-elevate.
Outbound API calls are scoped to required integrations. No external network access by default.
Knowledge packs are explicit, versioned, and revocable. Customer-private knowledge stays in the tenant world.
Each subscription carries a legal approval status that must be set to Approved before activation.
Each subscription carries a security approval status that must be set to Approved before activation.
Subscriptions are fully revocable. Revocation cascades to all tenant agent instance IDs.
Sovereign deployments
For ministry-level and country-resident deployments, Keyra operates under a dedicated sovereign control envelope: in-country infrastructure, sovereign-admin role, regulator-visible audit, and contract-grade billing.