The Platform
Governance infrastructure for AI agents
Sielum gives you visibility into what agents do, control over what they are allowed to do, and the ability to intervene when behavior becomes risky — without blocking the teams building with AI.
Platform Capabilities
Everything you need to govern AI agents
See every AI agent on every machine
Sielum's lightweight endpoint agent scans running processes and config files to build a live inventory of all AI tools in your environment — without proxying traffic or touching file contents.
“From unknown shadow-AI to a live, auditable inventory”
Agent Inventory
Detects Claude Code, Cursor, Copilot, ChatGPT Desktop, Amazon Q, Windsurf, and Gemini CLI — automatically, across every enrolled endpoint.
MCP Server Inventory
Lists all configured MCP servers per endpoint: name, command, enabled/disabled state. Know exactly which extensions your agents have access to.
API Connection Tracking
Network-level monitoring of which external domains each agent contacts. No proxy, no MITM — tracking happens at the OS network layer.
Config Snapshots & History
Point-in-time snapshots of agent configuration files with full diff history. Reconstruct any past configuration state.
Define and enforce how agents operate
Set boundaries for which agents are allowed, which APIs they may contact, and which MCP servers are permitted — and enforce those boundaries at the network layer, not as suggestions.
“Policy-as-config — enforced, not just recommended”
Policy Engine
Four built-in policy types: unknown agent, unauthorized API domain, new MCP server, config violation. Alerts fire automatically when any policy is breached.
Config Guard
Push managed_settings.json to Claude Code endpoints fleet-wide — enforce allowed tools, disable specific MCP servers, and lock settings without touching developer machines manually.
Network-Layer Blocking
Firewall rules (iptables / pf / WFP) block unauthorized API domains at the OS level. There is no proxy and no MITM — blocking happens at the network layer.
Multi-Tenant Isolation
Row-Level Security ensures each team sees only its own agents and events. Tenant boundaries are enforced at the database layer, not the application layer.
Export audit evidence for every compliance framework
Sielum writes every policy event, enrollment, and config change to an immutable audit log. Export structured evidence for SOC 2, EU AI Act, and GDPR on demand — no manual data assembly.
“Audit-ready without audit prep”
Immutable Audit Log
Every policy event, enrollment, and configuration change is written to an append-only log. Tamper-evident, exportable as JSON/CSV, queryable by time range or endpoint.
Compliance PDF Reports
Pre-built report templates for SOC 2 and EU AI Act — generated from live audit data, ready for auditor review without manual compilation.
GDPR Art. 17 Controls
Process data deletion requests from the dashboard. Full endpoint data purge on demand — covering agent events, config snapshots, and enrollment records.
Structured Export
Export audit data as JSON or CSV for integration with your existing compliance tooling, ITSM systems, or external audit workflows.
Architecture
Self-hosted, secure by design
Sielum runs entirely in your infrastructure. No data leaves your environment. No SaaS dependency in the critical path.
Lightweight endpoint agent
A small Go binary deployed per host. Monitors AI tool processes at the OS level — no code changes required in agent applications. Direct process inspection, not a proxy.
Mutual TLS enrollment
Each agent authenticates via mTLS during enrollment. Device certificates are issued automatically — no shared secrets, no manual key distribution. Revocation is immediate.
Encrypted event stream
Events flow over gRPC with end-to-end encryption. The server receives structured event data and applies policy evaluations in real time — sub-100ms round trip.
Central control plane
The Sielum server aggregates events, evaluates policies, and stores audit logs. Self-hosted — your data never leaves your infrastructure.
Who Uses Sielum
Built for the teams responsible for AI
Enforce guardrails across every AI deployment
- Block agents from contacting unauthorized API domains at the network layer
- Alert on policy violations: unknown agents, new MCP servers, unauthorized APIs
- Maintain immutable audit trails for incident response
Operationalize AI agents at scale
- Deploy Config Guard policies to Claude Code endpoints fleet-wide
- Monitor which agents and MCP servers are active across all machines
- Manage enrollment, certificates, and policy assignments centrally
Make AI decisions explainable and auditable
- Export structured audit logs for SOC 2 and EU AI Act reviews
- Prove API domain restrictions were enforced at the network layer
- Process GDPR Art. 17 deletion requests from the dashboard
On our roadmap
What's coming next
These capabilities are in development and not yet available in the current release.
MCP Risk Scoring
Automatic Low / Medium / High / Critical risk rating for each MCP server based on its capabilities, permissions, and origin.
Anomaly Detection
Behavioral baselines per agent — statistical deviation from established patterns triggers alerts for unexpected tool access or off-hours activity.
SIEM Integration
Push policy events and audit log entries to Splunk HEC, Elastic, or any syslog-CEF receiver in real time.
AD / Entra / Okta SCIM
User attribution via directory sync — map endpoint agent events to display names and teams instead of machine hostnames.
Documentation
Technical Documentation
Full documentation is hosted in our Docusaurus portal — installation guides, API references, architecture diagrams, and operations runbooks.
Powered by Docusaurus 3 — full-text search, versioned docs, MDX support
Need implementation support?
Our team provides hands-on onboarding and PoC support.