*Published: April 2026 | Tags: AI agent security, agent governance, MCP security, AI safety*
AI agents are shipping to production faster than anyone predicted. Claude can call APIs. GPT can execute code. Open-source agents are booking flights, deploying infrastructure, and moving money. But here is the question nobody is asking loudly enough: who is watching the agents?
The answer, for most teams, is nobody. And that is a ticking time bomb.
When you give an AI agent access to tools, you are handing it the keys to your infrastructure. Consider what a typical production agent can do:
Now imagine that agent hallucinates a tool call. Or an adversarial prompt injection tricks it into exfiltrating data. Or it simply burns through your budget because nobody set a limit.
These are not hypothetical scenarios. They are happening today in every organization that deploys agents without governance.
Credential leakage. Agents store API keys in plaintext config or environment variables. A single prompt injection can extract them. Once leaked, those keys grant full access to your Stripe account, your database, your cloud provider.
Runaway spend. An agent authorized to make purchases has no concept of "too much." Without budget enforcement, a coding agent can spin up 50 GPU instances. A marketing agent can blow through an ad budget in minutes.
Zero audit trail. When something goes wrong, you need to know exactly what the agent did, in what order, and why. Most agent frameworks log nothing. You are flying blind.
No human oversight. The entire value proposition of agents is autonomy. But autonomy without oversight is recklessness. Some actions — deleting production data, authorizing large payments, sending external communications — require a human in the loop.
What agents need is the same thing every other system with elevated privileges needs: identity, access control, secrets management, and audit logging. This is not a new concept. It is IAM and SIEM applied to AI.
The governance layer sits between your agent and its tools. Every tool call passes through it. Every action is authorized, logged, and optionally approved by a human before execution.
Here is what that looks like with Haldir:
from haldir import HaldirClient
h = HaldirClient(api_key="hld_xxx", base_url="https://haldir.xyz")
# Create a scoped session — the agent can only read and spend up to $50
session = h.create_session(
agent_id="order-processing-bot",
scopes=["read", "spend:50"],
ttl=3600 # Session expires in 1 hour
)
# Store secrets in an encrypted vault — agents never see raw keys
h.store_secret("stripe_key", "sk_live_xxx", scope_required="spend")
# When the agent needs the key, Haldir checks session scope first
key = h.get_secret("stripe_key", session_id=session["session_id"])
# Authorize a payment — Haldir enforces the $50 budget
h.authorize_payment(session["session_id"], amount=29.99)
# Every action is logged immutably
h.log_action(
session["session_id"],
tool="stripe",
action="charge",
cost_usd=29.99
)
# When the agent's job is done, revoke access
h.revoke_session(session["session_id"])
Compare this to the alternative: raw API keys in env vars, no spend limits, no logs, no session expiry. The difference is the difference between a production system and a liability.
Every agent session gets scoped permissions. An agent that needs to read data cannot write. An agent authorized for $50 in spend cannot authorize $500. Sessions have TTLs and can be revoked instantly.
curl -X POST https://haldir.xyz/v1/sessions \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{
"agent_id": "data-analyst",
"scopes": ["read"],
"ttl": 1800
}'
Credentials are AES-encrypted at rest. Agents request access through the Vault, which checks their session scope before decrypting. Payment authorization enforces per-session budgets. No more plaintext keys. No more runaway charges.
Every tool call, every secret access, every payment authorization is logged with timestamps, agent IDs, session IDs, and cost data. Anomaly detection flags unusual patterns — spend spikes, access to tools outside normal hours, repeated permission denials.
# Query the full audit trail for an agent curl "https://haldir.xyz/v1/audit?agent_id=order-processing-bot" \ -H "Authorization: Bearer hld_xxx"
This is not optional for regulated industries. Banks, healthcare companies, and government contractors cannot deploy agents without audit trails. SOC2 and ISO 27001 require it.
The Model Context Protocol (MCP) is becoming the standard interface for agent-tool communication. As MCP adoption accelerates, every agent session needs a governance checkpoint. Haldir is MCP-native — it works as both a standalone API and an MCP server that intercepts tool calls at the protocol level.
The window for building governance into your agent stack is now, before an incident forces you to bolt it on retroactively.
pip install haldir
Haldir is open-source, model-agnostic, and works with Claude, GPT, Gemini, LLaMA, or any agent framework. Free tier includes 1 agent and 1,000 actions per month.
Read the full docs at haldir.xyz/docs or check the source on GitHub.
---
*Haldir is the guardian layer for AI agents. Identity, secrets, audit, and human oversight in one platform. Start free at haldir.xyz.*
© 2026 Haldir · haldir.xyz