RBAC & ACL
Role-based scopes and per-resource ACL layers define exactly who can invoke which agent or MCP tool. Deny always wins. Policy is defined in the registry and enforced at the gateway in real time.
Jarvis enforces identity-based access control, data privacy rules, and registry validation at every invocation - then makes the entire agent execution chain visible through OTEL-native observability and real-time flow tracing.
Six enforcement layers that together ensure no agent invocation happens outside defined identity boundaries, validated registrations, and a complete observable record.
Role-based scopes and per-resource ACL layers define exactly who can invoke which agent or MCP tool. Deny always wins. Policy is defined in the registry and enforced at the gateway in real time.
PII detection, field-level masking, and data residency constraints are applied before payloads reach any agent or tool. Sensitive data never leaves its permitted boundary unredacted.
Every agent and MCP server must pass the registry's publish gate - security scan, capability validation, and policy compliance - before the gateway will route any invocation to it.
Protocol-aware OpenTelemetry spans capture every tool call and agent invocation with latency, token usage, and identity context. Export to any OTLP backend.
Client credentials stay encrypted at rest. Access tokens are acquired and refreshed automatically so agents authenticate to downstream services without handling credentials directly.
Standard OpenID Connect integration with Okta, Microsoft EntraID, Auth0, Keycloak, Amazon Cognito, and any OIDC-compliant auth server.
From the moment an identity presents a token to the moment a tool returns a result, every step is governed, validated, and observable.
// submitted card - pre-validation
{
"name": "diagnosis-agent",
"version": "2.3.1",
"owner": "marcus.t@co",
"auth": null
}// registry-enriched card
{
"name": "diagnosis-agent",
"auth": "oauth2-client-credentials",
"namespace": "sre",
"status": "pending-scan"
}// egress request - injected by gateway GET /api/resource HTTP/1.1 Authorization: Bearer eyJhbGciOiJSUzI1... X-Jarvis-Agent: diagnosis-agent/2.3.1 // client_secret never leaves the platform
GET /.well-known/openid-configuration -> issuer, token_endpoint, jwks_uri audience: agentcore.amazonaws.com audience: api.azureml.ms "groups": ["sre-team"] -> role: sre-engineer
OIDC-based federation with AWS AgentCore and Azure AI Foundry lets agents in those environments authenticate through Jarvis using standard OpenID Connect, inheriting the same RBAC, ACL, and audit trail as natively registered agents. Learn more about AgentCore federation
See how Jarvis Governed AI brings identity enforcement, data privacy, registry validation, and full observability to every agent and tool invocation in your enterprise.