Arcane

four primitives. one control plane.

What Arcane is made of, how it compares to what you have today, and why security teams use it to enable more, not block more.

4.0 · Primitives

Four primitives. One control plane.

Each composes with the others. Together they replace the IAM, secrets-vault, and audit duct-tape that agents currently run on.

01 · Identity

Composite identity

User, agent, and workload composed into a single signed principal. Attribution is a query, not a forensics project.

02 · Policy

Contextual policy

Drafted from observation, not imagined from roles. Arcane reads what your agent declares and does — then proposes baseline rules before its first production call.

03 · Governance

Policy that learns from traffic

Arcane proposes tighter rules from observed behavior; you promote when ready. Drift becomes a review item, not a paging event.

04 · Audit

Evidence-grade audit

Every allow, deny, and review signed and chained. Not a log dump — a structured chain of custody, exportable in the formats your auditor expects.

5.0 · Real examples

Where service-account auth breaks for agents.

Three failure modes you've already seen — and what happens with Arcane in the loop.

WITHOUT ARCANE · service account
Agent leaks a credential
Static key with broad scope. Rotation requires a deploy. Blast radius = every system the key touches.
Agent makes an unexpected call
No per-call enforcement. Allowed by default. You find out from the audit log — after the fact.
Auditor asks who did what
Service-account-X did everything. Attribution to a specific user or task is reconstructed from logs.

WITH ARCANE · composite identity
Agent leaks a credential
Credentials are task-bound with a short TTL — minutes, not days. The leaked credential expires before anyone notices.
Agent makes an unexpected call
Policy evaluates the call at the boundary. Out-of-scope tools are denied. Decision is signed and surfaced.
Auditor asks who did what
Each request carries user · agent · workload · task. Attribution is a query, not a forensics project.

8.0 · The frame

Enable more agents on real data. Without expanding your blast radius.

The longer an agent runs, the tighter Arcane's understanding of what it should do. Security teams gain confidence to enable more — not block more.

Approval lanes — explicit
Escalations become review points instead of hidden side-effects inside an agent run.
Static keys — gone
Short-lived, task-bound tokens replace standing credentials. The blast radius shrinks with the TTL.
Policy — proposed, you approve
Arcane drafts. A human acks, edits, or rejects. Security keeps the pen.

Inline · Per-call evaluation
Signed · Every decision
Task-bound · Every token
None · Standing credentials