PolicyStrata

PolicyStrata Agent Assurance

Release gates for enterprise AI agents.

Verify live context and governed-data policies before agent releases reach production. DocPull checks sources; PolicyStrata checks invariants; the control plane stores evidence.

pip install docpull policystrata
project sync
$ agent-assurance runner init support-bi-copilot
$ docpull sync --source customer-support-docs
$ policystrata scan --suite customer-data-access
$ agent-assurance evidence upload
project: saas-bi-agent
context checked: 2 findings
policy blocker: tenant_scope_required
wrote evidence-pack.demo.json
release blocked before production

Control plane for agent releases

Agent Assurance is the commercial system of record around OSS evidence engines, self-hosted runners, release blockers, and audit state.

Ship control

Release gates

Every run lands against a project and release candidate with an explicit pass, fail, blocked, or needs-review state.

  • Track projects, release candidates, runner executions, and current blockers
  • Separate context findings from policy findings without hiding either signal
  • Keep a reviewable history of what changed before an agent shipped

Audit state

Evidence packs

Runners upload normalized metadata, findings, hashes, artifact references, and reviewer decisions.

  • Summarize DocPull and PolicyStrata outputs for security review
  • Store artifact references and checksums instead of raw customer data by default
  • Create compact release narratives for engineering, security, and compliance

Local execution

Self-hosted runners

Customer-sensitive source data, traces, policies, and schemas stay inside the customer environment.

  • Run DocPull and PolicyStrata in CI, developer machines, or customer VPCs
  • Upload evidence through scoped runner tokens
  • Fail CI when configured gates should block release

B2B base

Tenant-aware SaaS

Better Auth organizations, Neon Postgres, and tenant policies make the control plane behave like enterprise software from day one.

  • Organization-scoped projects, runs, findings, evidence packs, and runner tokens
  • Application queries filter by organization and database policies enforce tenant context
  • Separate runtime, auth, and migration connection profiles

DocPull

Source risk

DocPull remains the open-source engine for context freshness, source diffs, citation gaps, and reproducible packs.

  • Freshness and source-diff checks for docs, schemas, runbooks, and APIs
  • Citation and evidence-missing findings normalized into assurance runs
  • Local-first execution with hashes and artifact references for the control plane

PolicyStrata

Policy risk

PolicyStrata remains the open-source engine for tenancy, PII, SQL, RLS, and governance invariants.

  • Find tenant-scope, data-access, and release-policy drift across agent layers
  • Produce minimized witnesses and affected-surface metadata
  • Feed high-severity blockers into release decisions

Product boundary

Engines create evidence. Agent Assurance controls release state.

runner -> evidence -> review -> release decision

Clear product boundaries

The open-source engines stay useful on their own. The paid product is the enterprise system of record around release evidence and review.

Product boundary between DocPull, PolicyStrata, and Agent Assurance.
SurfaceOwnsEmits / StoresDoes Not Own
DocPullContext/source evidenceFreshness, source diffs, citation gaps, fetch failures, hashes, pack refsOrganizations, releases, reviewers, billing, or dashboards
PolicyStrataPolicy and data-access evidenceTenant-scope failures, SQL/RLS drift, PII signals, witnesses, invariant refsHosted approval workflow or enterprise account state
Agent AssuranceRelease control planeProjects, runs, findings, evidence packs, release blockers, approvals, audit stateCrawling, source locking, policy scanning, or witness minimization internals

FAQ

Questions teams ask before using Agent Assurance as an AI release gate.