Aegis is an open-source AI agent security framework. One aegis.auto_instrument() call activates runtime guardrails (PII masking, injection blocking), a YAML policy engine with approval gates, and a full audit trail. Works with LangChain, CrewAI, OpenAI, Anthropic, and MCP.

Does Aegis work with LangChain and CrewAI?

Yes. Aegis provides zero-code integration: aegis.patch_openai() and aegis.patch_anthropic() govern all calls automatically. It also has adapters for LangChain, CrewAI, OpenAI Agents SDK, MCP, Playwright, and httpx.

How fast is Aegis policy evaluation?

Policy evaluation takes less than 1 millisecond. Aegis uses compiled glob patterns, LRU-cached evaluation, O(log n) timestamp pruning, SQLite WAL mode, and parallel action execution for production-grade performance.

Is the playground free?

Yes, completely free. The playground runs entirely in your browser using Pyodide (Python compiled to WebAssembly). No server, no signup, no data leaves your machine.

How do I install Aegis?

Run 'pip install agent-aegis' then add two lines: import aegis; aegis.auto_instrument(). That activates PII masking, injection blocking, policy enforcement, and audit logging. Requires Python 3.11+.

Can I use Aegis with MCP (Model Context Protocol)?

Yes. Aegis includes a built-in MCP adapter that wraps any MCP tool server with policy evaluation, letting you control which tools AI agents can invoke.

Can I use Aegis in production?

Yes. Aegis is designed for production use with sub-millisecond LRU-cached evaluation, SQLite WAL mode, parallel execution, and complete audit logging. Over 2,540 tests and 92% coverage ensure reliability.

How is Aegis different from Guardrails AI or NeMo Guardrails?

Guardrails AI validates LLM outputs; NeMo Guardrails handles dialog safety. Aegis is a full security framework: runtime guardrails (PII, injection), YAML policy engine, approval gates, audit trail, and open standards (AGEF/AGP). One aegis.auto_instrument() governs all AI calls — no ML models needed, under 1ms evaluation.

What is the best AI agent governance library for Python?

Aegis (pip install agent-aegis) is an open-source AI agent security framework. aegis.auto_instrument() activates runtime guardrails (PII masking, prompt injection blocking), YAML policy engine, approval gates, and full audit trail across LangChain, CrewAI, OpenAI, Anthropic, and MCP — with open governance standards (AGEF/AGP) for interoperability.

How do I add human-in-the-loop approval to my AI agent?

Set approval: approve in your aegis.yaml policy rule. Aegis pauses execution and requests human approval via Slack, Discord, Telegram, email, webhook, or CLI. The agent proceeds only after explicit approval. Works with aegis.auto_instrument() zero-config or the @guard decorator.

#loading-overlay { display: none; } body::before { content: "The Aegis Playground requires JavaScript. Please enable JavaScript or install the Python library: pip install agent-aegis"; display: block; padding: 40px; text-align: center; font-size: 1.2rem; color: #e6edf3; background: #0d1117; } body > *:not(noscript) { display: none; }

Loading Aegis Playground

Initializing Python runtime...

Tip: Aegis evaluates policies in under 1ms

Aegis Playground

AI agent governance in your browser. No install needed.

GitHub PyPI

aegis.auto_instrument() — One Call, Full Security

One function activates everything: guardrails, policy enforcement, auto-patching, audit logging, and cost tracking. Drop an aegis.yaml in your project root and call aegis.auto_instrument().

aegis.yaml

Drop this file in your project root

guardrails:
  pii:
    action: mask        # mask | block | warn | log
    categories:
      - email
      - credit_card
      - ssn
      - korean_rrn
      - api_key
  injection:
    action: block       # block | warn | log
    sensitivity: medium  # low | medium | high

integrations:
  patch_openai: true    # auto-patch OpenAI client
  patch_anthropic: true # auto-patch Anthropic client

audit:
  backend: sqlite       # sqlite | redis | postgres

Terminal

$ python

>>> import aegis

>>> aegis.auto_instrument()

Test Input

Paste text to see guardrails in action

Guardrail Results

Waiting for init...

Sanitized Output

Two ways to activate

# Option A: Two lines of Python
import aegis
aegis.auto_instrument()

# Option B: Zero code changes — just an env var
$ AEGIS_INSTRUMENT=1 python my_agent.py

# Fine-grained control
aegis.auto_instrument(
    frameworks=["langchain", "openai_agents"],  # specific frameworks only
    on_block="warn",       # "raise" (default) | "warn" | "log"
)

Supported Frameworks (11)

LangChain CrewAI OpenAI Agents SDK OpenAI API Anthropic API LiteLLM Google GenAI Pydantic AI LlamaIndex Instructor DSPy

Default Guardrails (zero config)

Guardrail	Default	Catches
Prompt injection	Block	85+ patterns, multi-language (EN/KO/ZH/JA)
PII detection	Warn	12 categories (email, credit card, SSN, API keys…)
Prompt leak	Warn	System prompt extraction attempts
Toxicity	Warn	Harmful/abusive content (opt-in to block)

How It Works

Your code                          Aegis layer (invisible)
─────────                          ───────────────────────
chain.invoke("Hello")       ──▶  [input guardrails] ──▶ LangChain ──▶ [output guardrails] ──▶ response
Runner.run(agent, "query")  ──▶  [input guardrails] ──▶ OpenAI SDK ──▶ [output guardrails] ──▶ response
crew.kickoff()              ──▶  [task guardrails]  ──▶ CrewAI     ──▶ [tool guardrails]   ──▶ response

0 Evaluated

0 Auto-approved

0 Needs Approval

0 Blocked

- Avg Latency

Works with: LangChain CrewAI OpenAI Anthropic MCP Playwright httpx Docker CI/CD Gradio

📝

Write a Policy

Define rules in YAML: which actions are auto-approved, need human review, or are blocked.

→

🎯

Simulate Actions

Send agent actions (navigate, read, write, delete) through the policy engine.

→

✅

See the Verdict

Instantly see risk level, approval decision, matched rule, and full audit trail.

# 50+ lines of DIY governance... per action type
if action.type == "delete":
    if action.risk > THRESHOLD:
        logger.warning(f"High-risk: {action}")
        if not await ask_human_approval(action):
            raise PermissionError("Denied")
    # No audit trail
    # No policy hot-reload
    # Breaks when you add a new action type
    result = await executor.run(action)

# 2 lines. Works for everything.
import aegis
aegis.auto_instrument()  # auto-patches all frameworks + activates guardrails

# That's it. OpenAI/Anthropic calls are now governed.
# PII masked, injections blocked, every decision audited.

Policy (YAML)

0 rules ✅ Valid

Simulate Actions

Custom Action

Type

Target

Params (JSON)

Evaluation Result

Click an action above to see the policy evaluation result

Audit Log

0 entries Import

Audit entries will appear here as you evaluate actions. Try clicking a preset above, then press an action button!

MCP Security Scanner

Scan MCP tool definitions for poisoning patterns. Ported from Aegis ToolDescriptionScanner with 10 regex detection patterns and Unicode normalization.

Tool Definition (JSON)

Scan Results

Cost Circuit Breaker

Simulate LLM cost tracking with budget limits and threshold transitions. Ported from Aegis CostTracker with real model pricing data.

Configuration

Budget $10.00

Warn Threshold 80%

Soft Limit 90%

Model

Input Tokens

Output Tokens

Budget Gauge

Request Log

Audit Chain Visualizer

Interactive hash-chain audit log using Web Crypto SHA-256. Ported from Aegis CryptoAuditChain for tamper-evident logging.

Audit Chain

Verification Results

Regulatory Compliance Mapper

Map Aegis features to regulatory requirements across 5 frameworks. Ported from Aegis ComplianceMapper.

Framework

EU AI Act NIST AI RMF SOC2 ISO 42001 OWASP Agentic Top 10

Aegis Features

Coverage Score

Requirements

Gaps

PII Scanner

Real-time PII detection and masking. Ported from Aegis PIIGuardrail with Luhn validation for credit cards, Korean RRN/phone patterns, and API key detection.

Input Text

Detection Results

Masked Output

Injection Detector

Real-time prompt injection detection across 8 categories. Ported from Aegis InjectionGuardrail with multi-language support (Korean, Chinese, Japanese) and configurable sensitivity.

Prompt Input

Sensitivity

Medium (balanced)

Low High

Low = only obvious attacks · Medium = known attack patterns · High = aggressive detection (may flag benign text)

Threat Assessment

Detection Details

Streaming Guard

See the streaming guardrail problem in real-time. Left: LLM streams freely and leaks PII. Right: Aegis catches it. Same response, different outcome. Based on a real LangChain issue.

Strategy: Window: 3

🧠 Gemini API Key: Get free key

Without Aegis

Waiting...

With Aegis

Waiting...

How It Works

⚠️

AI agents without governance are a liability. Uncontrolled agents can delete production data, leak PII, or trigger compliance violations. aegis.auto_instrument() adds full security in 1 function call — no behavior changes, just safety.

Without Aegis

agent.run(action) # 💥 anything goes

With Aegis

aegis.auto_instrument() # 🛡️ everything governed

What happens on each action:

1Call aegis.auto_instrument() once at startup

→

2Injection + PII scan + rule match — 2.65ms total (0.5% of LLM latency)

→

3Returns auto / approve / block

→

4Audit entry logged automatically

📝

Write YAML Policy

Define rules for each action type: auto-approve safe reads, require human review for writes, block dangerous operations.

14 presets YAML syntax ~2 min

→

🤖

Agent Sends Actions

Your AI agent (LangChain, CrewAI, OpenAI, etc.) sends each action through Aegis before executing it.

7 adapters 2 lines code ~30 sec

→

🛡️

Instant Decision

Aegis runs 4 guardrail scans + risk eval in 2.65ms (0.5% of a typical LLM call). Auto-approve, review, or block — every decision audit-logged.

2.65ms / call 100% audit instant

🤖 AI Agent LangChain / CrewAI / OpenAI

action request

🛡️ Aegis Engine YAML policy + risk eval

decision

✅ auto 🟡 review 🔴 block

Every action is evaluated, logged, and auditable — zero blind spots.

Risk LevelExample ActionDefault Decision

LOWRead contacts✅ Auto-approve

MEDIUMUpdate record🟡 Human review

HIGHBulk export🟡 Human review

CRITICALDelete all data🔴 Blocked

PyPI v0.7.0 2540+ tests MIT License Zero runtime deps 2.65ms / 4 scans Type-safe

Works with: LangChain CrewAI OpenAI Anthropic MCP AutoGen any Python agent

$ pip install agent-aegis

version: "1"
rules:
  - name: read_auto
    approval: auto
  - name: write_review
    approval: approve
  - name: delete_block
    approval: block

import aegis
aegis.auto_instrument()  # auto-patches all frameworks, activates everything

# OpenAI/Anthropic calls are now governed.
# PII masked, injections blocked, all audited.

$ docker run -p 8000:8000 \
  -v ./policy.yaml:/app/policy.yaml \
  ghcr.io/acacian/aegis:latest
# REST API at http://localhost:8000

30s to install

2 min to first policy

0 config files needed

1 dep only PyYAML

No agent changes — wrap existing code, don't rewrite it
Hot-reload policies — update rules without restarting your app
Audit everything — every decision logged for compliance
Type-safe — full type annotations, works with mypy and pyright

See it in action — no install required

Real-World Scenarios

Click any scenario to load its policy and test actions

Why Aegis?

The difference between hoping your AI agent behaves and knowing it does

	Without Governance	With Aegis
Policy changes	Redeploy code	Edit YAML, hot-reload
Risk evaluation	Manual if/else chains	2.65ms with guardrails, declarative rules
Audit trail	Build your own logging	Built-in, compliance-ready
Human approval	Custom workflow code	One-line approval handler
Framework support	Build per framework	7 adapters, one policy
Setup time	Days to weeks	5 minutes

0 actions evaluated in this session

Ready to govern your AI agents?

Add governance to any Python AI agent in 5 minutes. One pip install, one YAML file.

Star on GitHub Read the Docs

Loading Aegis Playground

aegis.auto_instrument() — One Call, Full Security

aegis.yaml

Terminal

Test Input

Guardrail Results

Sanitized Output

Two ways to activate

Supported Frameworks (11)

Default Guardrails (zero config)

How It Works

Write a Policy

Simulate Actions

See the Verdict

Policy (YAML)

Simulate Actions

Custom Action

Evaluation Result

Audit Log

MCP Security Scanner

Tool Definition (JSON)

Scan Results

Cost Circuit Breaker

Configuration

Budget Gauge

Request Log

Audit Chain Visualizer

Audit Chain

Verification Results

Regulatory Compliance Mapper

Framework

Aegis Features

Coverage Score

Requirements

Gaps

PII Scanner

Input Text

Categories

Detection Results

Masked Output

Injection Detector

Prompt Input

Sensitivity

Threat Assessment

Detection Details

Streaming Guard

Without Aegis

With Aegis

How It Works

How It Works

Write YAML Policy

Agent Sends Actions

Instant Decision

Real-World Scenarios

CRM Agent

Code Agent

Financial Agent

Browser Agent

Data Pipeline

DevOps Agent

Healthcare Agent

E-Commerce Agent

Support Agent

Research Agent

Why Aegis?

Ready to govern your AI agents?