Before (the problem)
AI environments proliferate fast: agents, skills, hooks, integrations, scheduled
tasks — each one a surface that can act. Observability tells you what an agent did.
It cannot tell you whether the agent was ever authorized to do it. With no
inventory and no approved baseline, drift is invisible and an audit has nothing to
stand on.
What we built
A configuration-management platform for AI agents, applying KRI/KPI analytics to
governance:
- Inventory of every governable surface — agents, skills, hooks, integrations,
scheduled tasks
- Baseline diff — the live environment compared against an approved baseline
- Drift reports when the live state diverges from what was authorized
- Audit-ready attestations an auditor accepts
How it works
- The environment is scanned and every governable item inventoried.
- An approved baseline records the authorized state (model, tool inventory, KRI
thresholds).
- The live environment is diffed against the baseline.
- Divergence emits a drift report; the chain produces an audit-ready attestation.
Outcomes
- Every governable surface inventoried and diff-able against an approved baseline
- Four mandatory artifacts per governed agent: BASELINE, KRI_THRESHOLDS, ROLLBACK,
CHANGE_LOG
- Rollback rehearsed on a non-production replica and passing before promotion
- Caught real, unanticipated drift on its first rehearsal — not a synthetic test
Stack & role
Node.js · Configuration Management discipline · KRI/KPI framework. Built & operated
in-house.
Timeline
Phase 1 implemented and observed in-house (three internal pilots). Live.
What it proves
This answers the question observability cannot: was this agent ever authorized to
do what it did — with evidence an auditor accepts. It is the firm’s most ownable
intellectual asset, built on configuration management for AI agents (CM-AI).