Skip to main content

What is Control Zero?

Control Zero is the governance layer for AI agents. You define what your agents are allowed to do. We enforce it at runtime, audit every decision, and stay out of the way the rest of the time. Works with any LLM provider, any agent framework, and any of the surfaces your agents touch.

Hello World

A real, runnable Python "hello world." No signup. No API key. No network.

pip install controlzero
# hello_controlzero.py
from controlzero import Client

# Define what your agent is allowed to do.
# Read operations: allowed. Write operations: blocked.
# Note: `database:query` and `database:execute` are legacy action names
# that remain supported. The canonical names are `database:read` and
# `database:write`; both forms match the same calls.
cz = Client(policy={
    "rules": [
        {"allow": "database:query",   "reason": "Reads are fine"},
        {"deny":  "database:execute", "reason": "No writes from this agent"},
    ]
})

# Your agent tries to read; allowed.
result = cz.guard("database", method="query", args={"sql": "SELECT id FROM orders"})
print(result.decision)   # "allow"

# Your agent tries to write; blocked before it ever runs.
result = cz.guard("database", method="execute", args={"sql": "DROP TABLE orders"})
print(result.decision)   # "deny"
print(result.reason)     # "No writes from this agent"

Run it:

$ python hello_controlzero.py
allow
deny
No writes from this agent

That's the whole loop. You wrote a policy, you called guard() before each tool call, and the SDK decided allow or deny. The denied call never happened. You wrote no enforcement code, no auth check, no allowlist logic.

Legacy and canonical action names both work

Both legacy (database:query, database:execute, database:delete) and canonical (database:read, database:write, database:admin) action names match the same calls. Use canonical names for new policies; existing rules with the legacy names continue to work without changes. See Policies for the full mapping.

The next step is moving the policy out of your code into the Control Zero dashboard so you can change it without redeploying. See Quickstart for the 5-minute version with the dashboard.

The problem it solves: AI agents call tools, run code, hit APIs, and access services through MCP. As they get more autonomous, you need guardrails that work the same way across every provider and framework. Control Zero gives you one place to define those guardrails and one consistent enforcement layer that runs at every surface.

Why Control Zero

  • Gateway proxy: A transparent drop-in proxy that governs LLM traffic with zero code changes. Change your base URL and you are done.
  • Local enforcement: Every action is evaluated against your policies without a per-call network round-trip.
  • Tool call interception: Every tool_use (Anthropic) and function_call (OpenAI) is evaluated against your policies. Denied calls are replaced inline before reaching your agent.
  • PII detection and masking: Detect, mask, or block personally identifiable information in prompts before they reach the LLM provider.
  • Model blocking: Deny requests to unauthorized models at the gateway level.
  • Cost caps: Reject requests when estimated token cost exceeds your budget.
  • Secret injection: Store LLM provider keys in an encrypted vault. The SDK and gateway inject them at runtime.
  • Tamper detection: Policy bundles are encrypted at rest and cryptographically signed. Tampering triggers fail-closed mode.
  • Fail-closed mode: When policies are unavailable, expired, or tampered with, all traffic is blocked. No silent failures.
  • Multi-provider support: Anthropic, OpenAI, Ollama, DeepSeek, MoonshotAI, HuggingFace TGI, LangChain, CrewAI, and more.
  • Official SDKs: Python, Go, and Node.js. Install and wrap your AI client in two lines of code.
  • MCP server: Manage governance directly from AI coding clients like Claude Code, Cursor, and Windsurf.
  • CLI scanner: Scan your codebase for ungoverned AI tool calls with npx @controlzero/scanner. Produces a governance grade (A through F).
  • MCP-native: First-class governance for MCP tool calls across any MCP-compatible client.
  • Complete audit trails: Every decision (allow or deny) is logged with action, resource, result, timestamp, and agent identity.
  • Free tier: 10,000 governed actions per month at no cost. No credit card required.

The Key Idea: Policies Live in the Dashboard, Not in Your Code

This is the core design principle:

  • Policies are defined in the Control Zero dashboard (or via the API). They describe what actions are allowed or denied.
  • Your code calls tools through the SDK client. No references to specific policies, no action names hardcoded in your application.
  • The SDK handles enforcement automatically. Every guard() invocation is evaluated against the locally cached policy bundle.

You can change policies at any time in the dashboard without touching your code. New policies take effect within 60 seconds (or immediately with a manual refresh).

What Gets Enforced

Every call made through guard() is checked against your active policies. The policy action is derived from the tool name and method you pass:

guard() argumentsPolicy action checked
guard("github", method="list_issues", ...)github:list_issues
guard("database", method="query", ...)database:query (canonical class: database:read)
guard("filesystem", method="write_file", ...)filesystem:write_file
guard("slack", method="post_message", ...)slack:post_message

You define policies using these tool:method action strings in the dashboard. The SDK evaluates them locally from a cached policy bundle, so each guard() call doesn't make a network request.

Architecture

The flow:

  1. You define policies in the dashboard.
  2. The server compiles them into an encrypted, signed bundle.
  3. The SDK downloads the bundle once at startup, caches it locally.
  4. Every wrapped API call is checked against the locally cached policy. No network round-trip per call.
  5. Every decision (allow or deny) is logged for audit.

Enforcement Flow

When your agent calls guard(), Control Zero checks the call against your policy and either allows it (your tool runs) or denies it (your tool never executes, and a PolicyDeniedError is raised).

Key Capabilities

  • Gateway proxy: Transparent drop-in proxy for LLM traffic. Zero code changes required. Supports Anthropic, OpenAI, Ollama, DeepSeek, MoonshotAI, and HuggingFace TGI.
  • Local policy evaluation: Policies are evaluated locally with no per-call network round-trip.
  • Tool call interception: Every tool_use and function_call is evaluated and denied calls are replaced inline, in both streaming and non-streaming responses.
  • Pre-flight request guard: Model blocking, cost caps, and PII detection/masking before requests reach the LLM provider.
  • Fail-closed mode: Blocks all traffic when policies are unavailable, expired, or tampered with. No silent failures.
  • Tamper-proof bundles: Policy bundles are encrypted at rest and cryptographically signed.
  • Offline enforcement: After the initial bundle download, SDK enforcement runs locally with no further network calls per request.
  • Secrets vault: Store LLM provider keys in an encrypted vault. Injected at runtime by the SDK and gateway.
  • Audit trail: Every decision is logged with action, resource, result, timestamp, token usage, and agent identity.
  • Multi-provider: Anthropic, OpenAI, Ollama, DeepSeek, MoonshotAI, HuggingFace TGI, LangChain, CrewAI, and more.
  • Multi-language SDKs: Official SDKs for Python, Go, and Node.js.
  • MCP server: Manage governance directly from AI coding clients like Claude Code, Cursor, and Windsurf.
  • MCP tool control: Restrict which MCP servers and tools an agent can invoke.
  • CLI scanner: Scan your projects for governance gaps with npx @controlzero/scanner.
  • Notification channels: Get alerts via Telegram, Slack, Email, Discord, or webhooks.

Control Zero for Shadow AI

Not every AI risk comes from your own agents. Control Zero for Shadow AI discovers unauthorized AI tools, exposed credentials, and hidden model traffic across your infrastructure. Deploy the Scout agent with a single command and get full visibility into what AI is running in your environment. See the Shadow AI Scout guide for installation and configuration.

Next Steps

The free tier includes 10,000 governed actions per month. No credit card required.

  • Quick Start: Get up and running in 5 minutes (gateway or SDK).
  • Shadow AI Scout: Discover unauthorized AI usage across your fleet.
  • Gateway Proxy: Deploy the transparent proxy for zero-code governance.
  • Policies: Learn how to construct policies in the dashboard.
  • Pricing: Free, Solo, and Teams plans.
  • MCP Server: Manage governance from AI coding clients.
  • CLI Scanner: Scan projects for governance gaps.
  • Integrations: OpenAI, Anthropic, Ollama, DeepSeek, LangChain, and more.
  • Blueprint Library: Implementation patterns for Enterprise SRE, HR, and Finance.
  • Guides: Build real applications with automatic policy enforcement.