Setup for AI engineers

Surface: SDK (Python / Node / Go). Modes supported: Hosted, Hybrid, Local. Tiers: Free, Solo, Teams.

Who this is for

You build agents and AI features. You own the code, you call the models, and you want a programmatic guardrail on what your agent can do, without ripping apart your architecture.

What you typically want governed

  • Model allow-list. Only the models you have vetted and budgeted for can be called.
  • Tool access. The agent can search and read, but cannot execute code or delete things unless you say so.
  • Data boundaries. Reads from approved stores; no writes to internal collections.

Which surface to install

The SDK. You add one guard() call before each tool invocation. It works the same in a custom loop, LangChain, or any framework.

pip install controlzero

Starter policy

A model allow-list plus a read-only tool posture. Begin permissive (default_action: allow) while you confirm it matches your traffic, then flip to deny to enforce. Drop this in controlzero.yaml:

version: '1'
settings:
  # Start in observe; switch to "deny" once the audit log looks right.
  default_action: allow
  default_on_missing: deny
  default_on_tamper: warn
rules:
  - id: allow-vetted-models
    allow: 'llm:generate'
    reason: 'LLM generation is permitted (scope further with conditions per model).'
  - id: allow-tool-reads
    allow: 'data:read'
    reason: 'Agents may read from data sources.'
  - id: block-code-exec
    deny: 'tool:call'
    reason: 'No arbitrary code/tool execution from this agent.'

Wire it in with no architectural change:

from controlzero import Client

cz = Client(policy_file="./controlzero.yaml")

# Check before you call the model.
decision = cz.guard("llm", method="generate", context={"resource": "model/claude-sonnet-4-6"})
print(decision.decision) # "allow"

# Check before a tool runs.
decision = cz.guard("data", method="read", context={"resource": "vectorstore/public-docs"})
print(decision.decision) # "allow"

cz.close()

To pin specific models, add a deny catch-all and allow only what you vet -- see LLM model allow-list.
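The observe-then-enforce switch described above, shown on concrete actions. This is an added illustrative model and not the controlzero SDK or its evaluator: evaluate() and GuardedAgent are hypothetical stand-ins that assume one reading of the starter policy (a rule's allow/deny string is compared with "service:method", the first matching rule decides, and anything unmatched falls through to settings.default_action; the resource context and per-model conditions are not modelled). The tools and the in-memory store are constructed for the example. In real code the guard step is cz.guard().

```python
"""Illustrative model of the starter policy: observe mode vs enforce mode.

Added example; not the controlzero SDK. evaluate() is a hypothetical evaluator
that assumes: a rule's allow/deny target equals "service:method", the first
matching rule decides, unmatched actions fall through to default_action.
"""
from dataclasses import dataclass, field
from typing import Optional


def starter_policy(default_action: str) -> dict:
    """The controlzero.yaml starter policy transcribed as a dict (no YAML
    parser needed). Only default_action differs between observe and enforce."""
    return {
        "version": "1",
        "settings": {
            "default_action": default_action,   # "allow" = observe, "deny" = enforce
            "default_on_missing": "deny",
            "default_on_tamper": "warn",
        },
        "rules": [
            {"id": "allow-vetted-models", "allow": "llm:generate",
             "reason": "LLM generation is permitted (scope further with conditions per model)."},
            {"id": "allow-tool-reads", "allow": "data:read",
             "reason": "Agents may read from data sources."},
            {"id": "block-code-exec", "deny": "tool:call",
             "reason": "No arbitrary code/tool execution from this agent."},
        ],
    }


@dataclass
class Decision:
    decision: str            # "allow" or "deny"
    rule_id: Optional[str]   # matching rule id, or None when default_action applied
    reason: str


def evaluate(policy: dict, service: str, method: str) -> Decision:
    """Hypothetical evaluator (assumed semantics, see module docstring)."""
    action = f"{service}:{method}"
    for rule in policy["rules"]:
        if rule.get("allow") == action:
            return Decision("allow", rule["id"], rule["reason"])
        if rule.get("deny") == action:
            return Decision("deny", rule["id"], rule["reason"])
    default = policy["settings"]["default_action"]
    return Decision(default, None, f"no rule matched; default_action={default}")


@dataclass
class GuardedAgent:
    """Minimal agent loop: one guard check sits in front of every tool call,
    and every decision is appended to a local audit list."""
    policy: dict
    tools: dict                              # name -> (service, method, callable)
    audit: list = field(default_factory=list)

    def call_tool(self, name: str, *args):
        service, method, fn = self.tools[name]
        d = evaluate(self.policy, service, method)
        self.audit.append((f"{service}:{method}", d.decision, d.rule_id))
        if d.decision != "allow":
            return None          # refused: the tool never runs
        return fn(*args)


def run_demo(default_action: str) -> list:
    """Run the same three tool calls under a policy with the given
    default_action and return the audit trail. Tools and data are constructed."""
    store = {"public-docs": ["Guardrails sit before each tool call."]}
    tools = {
        "search_docs": ("data", "read",
                        lambda q: [s for s in store["public-docs"] if q in s]),
        "update_collection": ("data", "write",
                              lambda s: store["public-docs"].append(s)),
        "run_python": ("tool", "call",
                       lambda src: f"would execute {len(src)} bytes"),
    }
    agent = GuardedAgent(starter_policy(default_action), tools)
    agent.call_tool("search_docs", "tool")
    agent.call_tool("update_collection", "constructed new doc")   # unmatched by any rule
    agent.call_tool("run_python", "print('hi')")                  # explicitly denied
    return agent.audit


if __name__ == "__main__":
    for mode in ("allow", "deny"):
        print(f"default_action={mode}")
        for entry in run_demo(mode):
            print("  ", entry)
```

The unmatched data:write call is the one to watch: in observe mode it is allowed and merely logged, so the audit trail reveals traffic the rules do not yet cover; flipping default_action to deny turns that same entry into a refusal without touching any rule.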

What you'll see

  • Every guard() decision -- allow or deny -- in the Audit Log (hosted) or your local audit file (local mode), with the model or tool, the decision, and the reason.
  • Set CZ_DEBUG=1 to print each policy evaluation to stderr while you develop.

Next steps