Nothing leaves the perimeter, every operation is on one record, and even maintenance is evidence — by construction.
You're accountable for agents you didn't build and can't fully see. Hosted AI vendors are data egress you can't sign off; a self-hosted stack stitched from a dozen projects hands you a dozen identity models and audit trails to correlate by hand — plus hand-run maintenance that never appears in the evidence at all. Visca makes the answers structural: every agent is a named principal, every access is a scoped credential, and every operation — maintenance included — passes through one governed gateway onto one tamper-evident ledger. Most of what you'd write as policy is a property of the stack.
Why the data can't leave
Production agents hold broad, long-lived credentials. Your policy says least-privilege; the infrastructure offers all-or-nothing.
Answering an incident or an examiner means correlating framework traces, tool logs, identity events, and model-provider logs by hand. The answer takes hours; the question is urgent.
SSH sessions, console clicks, tribal knowledge — how the stack is kept alive never shows up in the evidence. You find out what was changed, and by whom, during the incident it caused.
One stack, not a stitched one
Least-privilege starts with knowing who's acting. Every agent is a named principal with a verifiable identity, by construction — 'who is this agent' has one answer.
Long-lived credentials disappear. Every access is scoped, time-bound, consented where required, and audited — least-privilege as the only available mode.
Models, prompts, and data execute inside your walls. The egress finding never opens, and there's no vendor chain to review one contract at a time.
Every operation is a principal acting within a scope through one governed gateway — append-only, chained, exportable to your SIEM and GRC tooling. The control isn't asserted; it's recorded.
Patches, rotations, and recoveries are performed by the stack's own operators as principals in scopes — signed, on the same ledger you read. Humans keep three jobs: declare intent, sign approvals, hold the kill-switch.
What you get
In practice
An application team wants to ship an agent with production access. The review is short: the agent is a named principal, its access is scoped and time-bound, every action lands tamper-evidently on one ledger — and the stack underneath is maintained by operators whose every patch and rotation is on the same record. The controls aren't promises in a doc; they're properties of the runtime, with evidence.
The Autonomy Stack for regulated industries
Identity, credentials, runtime, and audit — shipped as part of your product, run inside your customer's walls, operated by agents under the same ledger as everything else. Nothing leaves the perimeter. Nothing is off the record.