      db      \`7MM"""Mq.   .g8"""bgd     db      \`7MN.   \`7MF'\`7MM"""YMM
     ;MM:       MM   \`MM..dP'     \`M    ;MM:       MMN.    M    MM    \`7
    ,V^MM.      MM   ,M9 dM'       \`   ,V^MM.      M YMb   M    MM   d
   ,M  \`MM      MMmmdM9  MM           ,M  \`MM      M  \`MN. M    MMmmMM
   AbmmmqMA     MM  YM.  MM.          AbmmmqMA     M   \`MM.M    MM   Y  ,
  A'     VML    MM   \`Mb.\`Mb.     ,' A'     VML    M     YMM    MM     ,M
.AMA.   .AMMA..JMML. .JMM. \`"bmmmd'.AMA.   .AMMA..JML.    YM  .JMMmmmmMMM

trustidentitypermissions

Issue short-lived credentials. Enforce every tool call. Sign every decision.

Talk to founders

see how it works

1.0 · The shift

Agents aren't users. They aren't service accounts either.

They act on a person's behalf, choose their tools at runtime, and run for minutes — not days. Existing IAM was designed for neither shape.

USERS

Auth at the door. Sessions. Cookies.

What you've built for humans.

SERVICES

Static keys. Wide scopes. Long-lived.

What you've tolerated for machines.

AGENTS

Acting on a user's behalf. Calling tools. Making choices.

Neither of the above.

← arcane operates here

2.0 · The control planeSee architecture

A control plane for agent identity and permissions.

Every agent gets short-lived, task-bound credentials. Every tool call is evaluated against policy. Every decision is signed evidence — ready for audit.

Federates with your IdP — not a replacement
SDK or transparent proxy — your choice
Evidence exports built for audit, in the formats your reviewer accepts

3.0 · How it works

Three calls. Identity to enforcement.

Bind once at boot. Mint per task. Enforce on every call. The whole control plane fits behind three SDK methods.

Bind identity

Arcane composes the user from your IdP, the agent from your registry, and the workload from runtime attestation into a single signed principal.

arcane.tsSDK

// At agent boot
const principal = await arcane.bind({
  user: req.identity,           // verified IdP token
  agent: { id: "release-bot", version: "1.2" },
  workload: await runtime.attest(),
});
// → { principalId, boundAt, expiresAt }

Issue a task-bound grant

Each grant names the task, the resources it covers, and the actions allowed. Short TTLs replace standing access; nothing else carries.

arcane.tsSDK

// Per-task grant
const grant = await arcane.issue({
  principal,
  task: "rotate-staging-keys",
  resources: ["aws:iam:role/staging-*", "vault:kv/staging/*"],
  actions: ["iam:UpdateAccessKey", "kv:read"],
  ttl: "5m",
});
// → { token, exp, jti }

Enforce on every call

SDK at the call site, or transparent proxy in front of any service. Same policy, same signed evidence — evaluation happens inline, not out of band.

arcane.tsSDK

// Guarded call — policy evaluates before the SDK forwards
await arcane.guard(grant, () =>
  aws.iam.updateAccessKey({
    UserName: "ci-deploy",
    Status: "Inactive",
  }),
);
// decision: allow · signed · evidenceId=ev_3f9c…

6.0 · The console

Every decision, in plain view.

The same record that flows to your audit log shows up live — who, what, why, and which rule matched. Filter by agent, task, or outcome.

arcane / decisions

time

outcome

agent · task

resource

matched rule

14:02:11

allow

release-bot@v1.2 / deploy-staging

vault.kv/staging/*

rule.deploy.staging

whyrule.deploy.staging

release-bot is on staging allowlist for vault.kv/staging/*. Token TTL: 5m. Principal binding fresh.

14:02:09

deny

support-agent@v3.0 / lookup-customer

billing.customers.write

rule.support.read-only

whyrule.support.read-only

support-agent is bound to a read-only role. The call requested write on billing.customers — outside declared actions.

14:02:04

allow

support-agent@v3.0 / lookup-customer

billing.customers.read

rule.support.read-only

whyrule.support.read-only

Read on billing.customers is in support-agent's declared action set. Caller user verified at task start.

14:01:57

review

research-agent@v0.4 / fetch-document

drive.files.read

rule.research.pending

whyrule.research.pending

research-agent is in shadow mode. Decision logged; promotion of rule.research.* awaits operator review.

14:01:51

allow

release-bot@v1.2 / rotate-keys

aws.iam.rotate

rule.deploy.rotation

whyrule.deploy.rotation

Key rotation is a declared task action for release-bot@v1.2. Token is single-use; one rotation per grant.

14:01:42

deny

release-bot@v1.0 / deploy-prod

aws.ecs.deploy

rule.deploy.version-gate

whyrule.deploy.version-gate

release-bot@v1.0 is below the minimum approved version (v1.2). Version gate denies deploy-prod for older builds.

showing 6 of 1,284live

7.0 · The loop

Policy that tightens as the agent runs.

A posture agent watches traffic, drafts changes, and queues them for operator review. Nothing promotes without a human in the loop.

arcane / policy loop

01 · Observe

30d traffic + denials + drift

active

02 · Propose

Posture agent drafts change

03 · Review

Operator inspects + replays

04 · Promote

Active policy set updated

watching traffic

tool calls · 30d

18,432

denials · 30d

agents drifted

baseline → proposal → operator → activecontinuous

arcane / proposal · 1 of 3

proposed by posture agent

allow research-agent to read drive.files when delegated by an engineering-org user

reasoning

research-agent attempted drive.files.read 47 times in the last 30 days — all from engineering users. No matching rule. Promoting shadow → active would convert 47 reviews to allows.

impact if applied

+47 newly allowed362 unchanged

cedar

permit (
  principal in Group::"research-agent",
  action == Action::"read",
  resource in ResourceType::"drive.files"
) when {
  principal.delegated_by.org == "engineering"
};

posture agent · proposal queuepolicy stays in shadow until you promote

11. Get started

One conversation.
Your agents get an identity.

$book a briefing

or request access

A control plane for agent identity and permissions.

Bind identity

Issue a task-bound grant

Enforce on every call

allow research-agent to read drive.files when delegated by an engineering-org user

One conversation.Your agents get an identity.

One conversation.
Your agents get an identity.