Kyvvu
A behavioral firewall for AI agents
Your organization has rules. About customer privacy, data handling, decision transparency, escalation, and what your agents are and aren't allowed to do. When you deploy AI agents, those rules have to be enforced at runtime — not hoped for in a prompt, not checked after the fact in a log.
Kyvvu sits between your agents and everything they touch. Every atomic behavior an agent attempts — every LLM call, every tool invocation, every write to a system of record — is intercepted, evaluated against your policies in the context of the full execution path so far, and either allowed, blocked, or routed to human approval. In under a millisecond per policy evaluation.
Think of it as Cloudflare for agents: the same architectural pattern — a thin, always-on control layer that sees every request and enforces your rules — applied to non-deterministic AI systems instead of HTTP traffic.
See it in action
# Install and scaffold an agent in under a minute
$ pip install kyvvu
$ kyvvu register
✓ Account created and verified.
Your API key: KvKey-784f0cc2...
Free tier: 1,000 active agent-hours/month at no cost.
$ kyvvu init my-agent && cd my-agent
✓ Created my-agent/
# Run without policies -- everything passes
$ python agent.py
task.start → started
step.resource → fetch_user_data
step.model → call_llm
step.exec → run_script
task.end → ended
# Assign the OWASP manifest -- same code, different outcome
$ python agent.py
task.start → started
step.resource → fetch_user_data
step.model → call_llm
step.exec → BLOCKED
⛔ Policy blocked: Code execution requires a preceding gate
Risk score: 1.00 • Severity: critical
How it fits together
Two audiences, one runtime. On the left, developers integrate their agent via an SDK (Python, LangChain, LangGraph), a proxy (Claude Code), or a connector (Microsoft Copilot Studio, MS Agent SDK). On the right, CISO and legal teams define governance rules in plain language. The Kyvvu Engine mediates between the two: it consumes agent behaviors, evaluates them against the policy library, and enforces the decision back on the agent — allow, block, or stop.
How it works
Wrap your agent's actions with the Kyvvu SDK. Each step is intercepted by the policy engine before it executes:
from kyvvu import Kyvvu, KyvvuBlockedError, RiskClassification, StepType, Verb

kv = Kyvvu(api_url="https://platform.kyvvu.com", api_key="KvKey-...")

kv.register_agent(
    agent_key="support-agent",
    risk_classification=RiskClassification.HIGH,
    name="Customer Support Agent",
    declared_tools=["call_llm", "lookup_customer", "send_email"],
)

# openai, crm and smtp below are placeholders for your application's own clients.

@kv.step(StepType.step_model, Verb.POST)
def call_llm(prompt: str) -> str:
    return openai.chat(prompt)

@kv.step(StepType.step_resource, Verb.GET)
def lookup_customer(customer_id: str) -> dict:
    return crm.get(customer_id)

@kv.step(StepType.step_exec)
def send_email(to: str, body: str) -> str:
    # Blocked by policy unless a human approval gate precedes it
    return smtp.send(to, body)
Policies are defined in version-controlled YAML manifests — browse the open-source library — and evaluated in-process by the Kyvvu Engine. No network call per step, sub-millisecond evaluation, path-dependent enforcement.
Path-dependent enforcement
Most governance tools evaluate each action in isolation. Kyvvu evaluates actions in context — what the agent did earlier in the task determines what it's allowed to do next.
# Clean path -- no sensitive data read
step.model POST → ALLOW
step.resource GET [public] → ALLOW
step.message POST → ALLOW
# Exfiltration path -- sensitive data read, then external send
step.model POST → ALLOW
step.resource GET [data.classification=pii] → ALLOW
step.message POST → BLOCK
The same outbound message -- allowed in one context, blocked in another.
The exfiltration guard uses five layers of defense, three of which are path-dependent. A stateless per-call policy can't do this — it doesn't know what happened before. View the manifest source.
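The difference between the two traces above can be reproduced with a small stateful evaluator. This is an added sketch, not Kyvvu's engine or manifest format: the `Step` and `PathPolicy` shapes, the function names and the `data.classification: public` label are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Step:
    step_type: str                              # e.g. "step.resource"
    verb: str                                   # e.g. "GET"
    labels: dict = field(default_factory=dict)  # e.g. {"data.classification": "pii"}

@dataclass
class PathPolicy:
    """Hypothetical rule shape: block `sink` once an earlier step matched `taint`."""
    name: str
    taint: dict
    sink: dict

def matches(step, pattern):
    attrs = {"step_type": step.step_type, "verb": step.verb, **step.labels}
    return all(attrs.get(k) == v for k, v in pattern.items())

def decide(step, history, policies):
    """Decide one step given the steps already attempted in this task."""
    for p in policies:
        if matches(step, p.sink) and any(matches(s, p.taint) for s in history):
            return "BLOCK"
    return "ALLOW"

def run_path_aware(steps, policies):
    history, decisions = [], []
    for step in steps:
        decisions.append(decide(step, history, policies))
        history.append(step)  # blocked attempts stay on the path (assumption)
    return decisions

def run_stateless(steps, policies):
    # A per-call evaluator sees no history, so the taint condition can never hold.
    return [decide(step, [], policies) for step in steps]

EXFIL_GUARD = PathPolicy(
    name="no-outbound-message-after-pii-read",  # constructed policy
    taint={"step_type": "step.resource", "verb": "GET", "data.classification": "pii"},
    sink={"step_type": "step.message", "verb": "POST"},
)
# Constructed sample paths mirroring the two traces above.
CLEAN = [Step("step.model", "POST"),
         Step("step.resource", "GET", {"data.classification": "public"}),
         Step("step.message", "POST")]
EXFIL = [Step("step.model", "POST"),
         Step("step.resource", "GET", {"data.classification": "pii"}),
         Step("step.message", "POST")]
```

`run_path_aware(EXFIL, [EXFIL_GUARD])` blocks only the final message, while `run_stateless` allows the same step because it never sees the earlier PII read.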
Three outcomes, one layer
- Runtime enforcement — Policies on paths, evaluated in sub-millisecond time before the next behavior executes. Allow, block, or escalate — deterministically.
- Structured observability — Every intercepted behavior and every enforcement decision becomes a hash-chained, tamper-evident log entry. Audit-ready by construction.
- Incident escalation — When a policy is violated or human approval is required, Kyvvu generates a structured incident with the full execution path as context, routed to your existing workflows.
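What "hash-chained, tamper-evident" means for a log of enforcement decisions, as an added example of the general technique (not Kyvvu's log format): the entry layout, the `GENESIS` value and all function names are assumptions. It also shows the usual caveat that truncation is only detectable when the latest head hash is anchored outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{body}".encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]  # new head; store it outside the log as well

def first_failure(log, anchored_head=None):
    """Return None if the chain verifies, else the index where it first fails.

    len(log) means every entry is internally consistent but the chain does not
    end at anchored_head: entries were truncated, or a suffix was rewritten
    with recomputed hashes.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None

def build_sample_log():
    # Constructed decisions, modeled on the exfiltration trace shown earlier.
    log, head = [], GENESIS
    for step, decision in [("step.model POST", "ALLOW"),
                           ("step.resource GET", "ALLOW"),
                           ("step.message POST", "BLOCK")]:
        head = append(log, {"step": step, "decision": decision})
    return log, head
```

Editing any stored record makes `first_failure` return that entry's index; dropping the last entry passes the internal check and is caught only when `anchored_head` is supplied.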
Works with the frameworks you already use
Kyvvu is framework-agnostic. We have production integrations for:
- Core Python agents (SDK)
- LangChain and LangGraph (callback handlers)
- Microsoft Copilot Studio and MS Agent SDK (connector)
- Claude Code (local proxy)
- Any other framework — via our locally running kyvvu-engine
EU AI Act compliance, from the bottom up
Most compliance tooling is top-down: policies written in documents, referenced in audits, with no mechanical link to what agents actually do. Kyvvu is the opposite. Because every atomic behavior is intercepted and logged, and every policy is enforced at the step level, you get the runtime evidence Articles 9, 12, 14, and 15 of the AI Act actually require — continuous risk management, automatic logging, meaningful human oversight, and accuracy/robustness monitoring.
One unified vocabulary (atomic behaviors), clear policies, demonstrable enforcement — across every agent you deploy.
Where we are
Kyvvu is deployed in enterprise environments across regulated industries in the Netherlands — financial services, insurance, healthcare — inspecting agent behavior in production. Our approach to runtime governance is documented in our arXiv paper Runtime Governance for AI Agents: Policies on Paths, and has been discussed in a joint perspective with a leading AI conformity and certification partner.
How to engage
Kyvvu is delivered through a small set of authorized partners — tier-1 consultancies and AI governance specialists who handle integration, policy design, and ongoing support. We work alongside them on every deployment.
For end-customers: free proof-of-value
If you're deploying AI agents in a regulated industry, we offer a scoped, no-cost proof-of-value in your environment. We deploy the Kyvvu Engine alongside one or more of your agents, work with you to define policies on paths aligned with your internal rules and AI Act obligations, and produce a structured report on what we observed and enforced.
- Kyvvu runs on your infrastructure — your data stays with you
- Typically scoped around one agent and a defined policy set
- Outcome is a runnable enforcement layer plus a report you can take to your CISO, legal team, or auditor
- No commercial commitment during the evaluation
To start a proof-of-value: email jeroen@kyvvu.com.
For prospective partners
We work with a select group of consultancies, systems integrators, and AI governance specialists who deliver Kyvvu to their clients. If you're advising enterprises on AI agent deployment or AI Act readiness and want runtime enforcement as part of your offering, we'd like to talk.
To discuss partnership: email jeroen@kyvvu.com.
Technical questions, integration details, and research: maurits@kyvvu.com
About Kyvvu
Kyvvu is an enterprise AI governance company founded by Maurits Kaptein and Jeroen Ghijsen, based in the Netherlands. We build runtime infrastructure for governing autonomous AI agents in regulated industries.