Does your AI have an HR system? Seven stages. One runtime. Every existing vendor covers one.
Every human organization has a seven-stage lifecycle for managing employees. You interview, onboard, watch during probation, evaluate performance, promote when trust is earned, discipline when behavior wavers, and offboard when the relationship ends. Aegis is building the same seven stages for AI agents as a single runtime. Each stage maps to a specific capability that composes into one enforcement layer.
purpose), Onboard (a scope limits the fields it can ever see), and Probation (each access is recorded to a local audit log, or to the aegis-core gateway in FULL mode). The later stages — continuous evaluation, dynamic promotion, automated discipline, provable offboarding — are the category roadmap, not claims about the current SDK. See Product and LITE / FULL modes for what is provable today.
The seven stages of hiring an AI agent
- Hire: identity + contract. Every agent enters with a declared identity, a stated purpose, and a formal registration with the control plane. No agent operates without a signed contract of what it is allowed to attempt. Anonymous agents, shadow agents, and agents whose purpose cannot be stated in one sentence do not exist here.
- Onboard: minimum tools, entry badge. On day one, an agent receives only the narrowest set of permissions it needs to begin its stated job. Not the permissions it might eventually need. The permissions required today, for the task in front of it. Nothing more. Expansion happens later, through earned trust, not through default access.
- Probation: narrow duties, close observation. During probation, every data access the agent makes is recorded. The observation is not a log you review quarterly. In the shipping SDK this is an append-only audit record — written locally in LITE mode, or to the aegis-core gateway in FULL mode, where it becomes a tamper-evident, server-verified chain (/audit/verify). New agents begin at zero trust. Trust is an outcome of behavior, not a starting condition.
- Evaluate: performance review, continuous. Evaluation is not an annual event. It is a continuously updated signal, recomputed on every action. Successful outcomes raise the agent's standing. Anomalous behavior lowers it. The signal is carried by the control plane, not by a human reviewer, and it is available to every policy decision the runtime makes downstream.
- Promote: permission expansion, earned. When an agent's evaluation signal crosses a threshold, new permissions become available. The promotion is not a manual ticket. It is a runtime decision, made by the control plane, based on demonstrated behavior over time. The new permissions are scoped, audited, and revocable. The agent does not keep them forever; it keeps them as long as it continues to earn them.
- Review & Discipline: suspension, demotion, added audit. When behavior wavers, the control plane reduces the agent's scope before any human notices. The reduction is immediate, automatic, and auditable. It may be a temporary restriction while additional audit runs, or a permanent demotion if the anomaly is severe. Nothing is decided later. The response happens in the same decision path as the original request.
- Offboard: badge revoked, residual risk cleared. When an agent leaves service, its access is revoked and the data it could reach is bounded by the same purpose-and-scope policy that governed it from day one. The goal is the provable disappearance of an agent's capability to act, and a clear record of what it touched while it served. Offboarding is a first-class lifecycle event, not a cleanup job. This stage is part of the category roadmap; the shipping SDK enforces the data boundary, not full secret lifecycle management.
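As an added illustration of the Onboard scope limit and the Probation audit chain described above (this is example code, not the Aegis SDK; the grant table, agent name, record and hash layout are all constructed assumptions):

```python
import hashlib
import json

# Added illustration, not the Aegis SDK: a purpose-scoped read that filters
# fields to the agent's grant and appends each access to a hash-chained,
# append-only audit log that a verifier can check for tampering.
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, agent, purpose, fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "agent": agent, "purpose": purpose,
                "fields": sorted(fields), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})


def verify_chain(entries):
    """Recompute every link; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev or _digest(body) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


# Hypothetical grant table: the only fields an agent may ever see for its purpose.
SCOPE = {"support-bot": {"purpose": "ticket-triage", "fields": {"ticket_id", "subject"}}}


def read_record(log, agent, record):
    """Return only in-scope fields and audit the access; unregistered agents are denied."""
    grant = SCOPE.get(agent)
    if grant is None:
        raise PermissionError(f"{agent} is not registered")
    visible = {k: v for k, v in record.items() if k in grant["fields"]}
    log.append(agent, grant["purpose"], visible.keys())
    return visible


RECORD = {"ticket_id": 42, "subject": "login failure", "ssn": "000-00-0000"}  # constructed
```

Editing any stored entry after the fact (for example adding "ssn" to a recorded field list) makes verify_chain report the index of the first entry whose hash no longer matches.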
Where existing vendors reach
The seven-stage lifecycle is not proprietary to Aegis as a concept. It is proprietary to Aegis as a complete implementation. Every existing vendor in the adjacent space covers exactly one stage, because their architecture is committed to a particular point in the lifecycle and cannot naturally extend to the others.
| Vendor | Covers |
|---|---|
| Okta | Stage 1 (Hire — identity) |
| Kong | Stage 2 (Onboard — tool routing) |
| Palo Alto Networks | Stage 6 partial (Discipline — anomaly detection) |
| CrowdStrike | Stage 6 partial (Discipline — endpoint scope) |
| Microsoft Purview | Stages 3 + 5 partial (classification, labeling) |
| HashiCorp Vault | Stage 2 partial (Onboard — secret delivery) |
| Aegis | Stages 1 through 7, as a single runtime |
Identity-first vendors (Okta)
Built around the premise that the atomic unit of security is the identity. Stage 1 is their home. Stages 2 through 7 require a different atomic unit (the action, the data, the behavior over time) that their sales motion and runtime do not represent. They can partner with an AI licensing authority, but they cannot become one without abandoning their existing position.
Gateway-first vendors (Kong, Vault)
Architected around request routing and secret delivery. Stage 2 is their home. They handle onboarding because onboarding is a routing problem. Probation, evaluation, and promotion are continuous behavioral problems, and gateways do not carry state across requests by design. Adding state would require a second product built on opposite principles.
Anomaly detection vendors (Palo Alto, CrowdStrike)
Designed to identify the bad actor after it has acted. Stage 6 is their home. Their pattern assumes a long-lived subject (a host, an endpoint, a user) that can be observed over time. When the subject is an ephemeral AI agent with a thousand concurrent instances, the assumption collapses. Their detection budget runs out before the behavior is classified.
Classification-first vendors (Microsoft Purview, Adobe)
Built on the premise that data exists to be classified and retained. Stages 3 and 5 (partial) are their home. Their business model depends on data persisting long enough to be catalogued and labeled. Aegis treats data cessation as a first-class state. These are not opposite product roadmaps. They are opposite business models.
Why only Aegis covers all seven
The seven stages look separable on paper. They are not separable in practice. An agent cannot be onboarded with minimum permissions if its identity was not formally declared at hire. It cannot be evaluated continuously if its probation audit trail is not reconstructible (tamper-evident in FULL mode, via the aegis-core gateway). It cannot be promoted dynamically if the control plane does not carry state from evaluation into authorization. It cannot be disciplined in the same decision path as the original request if discipline and request are handled by different runtimes. And it cannot be offboarded with provable disappearance if the data it touched was not wrapped in policy from the beginning.
Aegis is the only existing runtime that treats the seven stages as one lifecycle instead of seven products. The unit of enforcement is not the subject (who), because a subject with a thousand instances cannot be the unit. The unit of enforcement is the object (what data, under what purpose, carrying what policy). Every stage of the lifecycle reads from, writes to, and is bounded by the same object layer. That integration is the reason all seven stages are possible in a single runtime. It is also the reason competitors cannot reach stages two through seven without rebuilding their foundations.
We do not expect them to. We expect them to continue doing what they do well, and we expect the licensing authority for AI to be a new category that sits alongside them. Aegis is building that category.