The AI Era · Shift Left AI Governance

AI Governance at
Developer Speed.

Write AI policy in plain English.
Enforce it before the AI acts.

Install Design partner
$ pip install iris-security-sdk iris-security-cli && iris quickstart
# Optional: Claude integration via MCP
pip install "iris-security-sdk[mcp]"
14
Compliance frameworks
<5ms
Cedar evaluation
Apache 2.0
Open source
# iris policy compile --agent loan-processor
# Compiling policy-intent.md → Cedar...

permit(
  principal == iris::Agent::"loan-processor",
  action == iris::Action::"call",
  resource == iris::API::"credit-bureau-api"
) when {
  context.region in ["us-east-1"] &&
  context.user_consent_logged == true
};

✓ Policy compiled. Enforcing at runtime.
The problem

AI agents are deployed.
Governance is not.

Teams are shipping agents that call APIs, access customer data, and make decisions in employment, housing, credit, healthcare, and insurance — without knowing what systems they have running, what those agents are allowed to do, or how to prove they exercised reasonable care when a regulator asks.

Colorado AI Act — updated May 2026

The law changed. The old June 30 deadline no longer applies — the new effective date is January 1, 2027. Requirements were narrowed, but the obligations did not disappear. You still must tell people when AI makes decisions about them. Consumers still have the right to appeal. Violations carry civil penalties up to $20,000 each. The safe harbor still exists — but only for organizations that can demonstrate reasonable care. Six more months is not permission to wait. It is time to build real controls.

June 12, 2026 — Fable 5 and Mythos 5 suspended

On June 12, Anthropic received a US government export-control directive at 5:21pm ET and had to disable Fable 5 and Mythos 5 for all customers — with no advance notice. If your agent hardcodes a model string, your production system breaks when the provider or government acts. IRIS treats models as governed resources: declare allowed tiers in your passport, define fallback chains in the registry, and flip a directive kill switch in Git — your agent routes to an approved baseline on the next call, no redeploy. Read Anthropic's statement ↗

Where most teams are today

Ungoverned agents, no audit trail

Developers ship agents fast. Security and compliance find out later — if at all. When the law asks what your agent did, you have screenshots and spreadsheets, not enforceable policy.

  • No inventory of AI systems making consequential decisions
  • Model hardcoded in source — breaks when providers suspend access
  • No policy enforced before the agent acts
  • Nothing version-controlled that an auditor can verify
What IRIS gives you

Policy as Code — govern before execution

Register every agent. Write what it is allowed to do in plain English. IRIS compiles to Cedar and enforces policy on every LLM call — with an evidence trail your compliance team can actually use.

  • Agent inventory via AgentPassport — your first compliance step
  • Model registry + directive kill switches with auto-fallback
  • Plain English policy compiled to formally verified Cedar
  • Runtime enforcement before every call — fail closed in production
How it works

Declare. Compile. Enforce. HITL. Witness.

IRIS is what comes after Terraform — runtime governance, not deployment management. Each command describes what IRIS does right now.

01

iris declare

Declare what the agent is allowed to do. Creates the AgentPassport — owner, team, compliance scope, data classification.

02

iris compile

Write policy-intent.md in plain English. IRIS compiles to Cedar — formally verified policy in Git.

03

iris enforce

Verify runtime enforcement is active — Cedar evaluated on every call, not just at deploy time.

04

iris hitl

Human-in-the-loop approval for high-risk actions — queue, review, approve or reject before execution proceeds.

05

iris witness

Live attested feed of every policy decision — who acted, what was permitted, evidence logged.

06

iris certify

Prove compliance readiness to Colorado AI Act, HIPAA, SOC 2, AIUC-1, ISO 42001, or any bundled framework.

07

iris sentinel

Continuous monitoring — drift, score degradation, cost anomalies, and ungoverned agents.

Ask Claude to govern your agents
IRIS connects to Claude Desktop and Cursor via MCP. Ask Claude "which regulations apply to my agent?" and Claude scans your codebase, checks your compliance, and shows you exactly what to do — no CLI required.
pip install iris-security-mcp
Integrations

Govern everywhere
your agents run.

GH

GitHub App

Install IRIS Governance from the GitHub Marketplace. Every PR automatically scanned. Critical findings block merge. No CLI required.

MCP

Claude & Cursor

Connect via MCP. Ask Claude in plain English: "scan my codebase for ungoverned agents" or "which regulations apply to my hiring AI?"

CI

GitHub Actions

Use the reusable iris-governance.yml workflow when you prefer CI over the GitHub App.

Policy as Code

Write policy in plain English.
Enforce it everywhere.

01
Discover — find what's running ungoverned
iris scan --discover surfaces LLM clients and agent patterns in your codebase that lack a passport or policy. See what actually runs before you govern it.
02
Inventory — register agents in your fleet
iris register creates an AgentPassport — owner, team, compliance scope, allowed models. The inventory regulators ask for. Not a deployment manifest — a record of what runs.
03
Define & guard — policy enforced at runtime
Write policy-intent.md, run iris policy compile, then guard every call with IrisAnthropic or @agent.guard(). Cedar evaluates before execution — not after.
governance/agents/loan-processor/policy-intent.md
# Source of truth — plain English policy intent

This agent processes loan applications.
It may call the credit bureau API in US regions only.
User consent must be logged before any loan decision.
It must never call any API not listed here.

# Compile to Cedar:
# iris policy compile --agent loan-processor
governance/agents/loan-processor/policy.cedar — compiled by IRIS
# Generated by IRIS from plain English intent
# iris policy compile --agent loan-processor

permit(
  principal == iris::Agent::"loan-processor",
  action == iris::Action::"call",
  resource == iris::API::"credit-bureau-api"
) when {
  context.region in ["us-east-1", "us-west-2"] &&
  context.user_consent_logged == true
};

forbid(
  principal == iris::Agent::"loan-processor",
  action, resource
) unless {
  resource in [
    iris::API::"credit-bureau-api",
    iris::API::"anthropic-api"
  ]
};

# Committed to Git. Reviewed. Auditable. Enforced.
Formally verified · Evaluates in <5ms · Human readable Cedar by AWS ↗
Trust model

Policy in Git.
Enforcement in code.
Trust verified.

SLSA Level 3 provenance on every release
Every IRIS release is built by GitHub Actions and attested with SLSA Level 3 provenance via Sigstore. The attestation is recorded in the public Rekor transparency log. Run pip audit signatures after installing IRIS to verify the package was built from the exact commit you see on GitHub. Zero trust required.
Policy in Git — not in our cloud
Your policies live in your repository. IRIS never holds your policy data, agent configs, or prompts. The SDK runs fully local with zero network required for enforcement.
Open source — verify the engine yourself
The Cedar evaluation engine, policy compiler, and CLI are all open source under Apache 2.0. Read the code. Run the tests. Audit the compliance bundles.
Human in the loop — when it matters
When a governed agent attempts a high-risk action, IRIS pauses the call and notifies your team via Slack, email, or PagerDuty. One click to approve or reject. The agent waits. The full decision — who approved, when, and why — is recorded in the Evidence Vault with a tamper-evident approval token.
AIUC-1 evidence export + ISO 42001 mapping
AIUC-1 evidence export (B006-format) and ISO 42001 coverage mapping — derived from AIUC-1's published crosswalk, not independent interpretation. Export auditor-ready JSON keyed by AIUC-1 sub-control IDs (B006.1, B006.2, B006.3). All exports query the same ControlMapping index in the Evidence Vault.
Evidence Vault — append-only system of record
Every policy evaluation, HITL decision, and CI/CD run is an immutable, HMAC-signed, hash-chained event. One write path, many read paths — tamper-evidence by architecture. Query any control (CO-004, AIUC-B006, HIPAA-001) from a single store. Record pipeline evidence with iris evidence record-cicd.
# Verify the package signature
$ pip install iris-security-sdk
$ pip audit signatures
iris-security-sdk-0.1.8-py3-none-any.whl
✓ Signed by GitHub Actions (OIDC)
✓ SLSA Level 3 provenance verified
✓ Commit: a3f8c2d · Workflow: publish.yml

# Verify policy enforcement locally
$ iris compliance check --framework colorado-ai-act
✓ Agent: loan-processor — PASS
✓ All 6 Colorado AI Act rules satisfied
Verify it yourself
# Verify SLSA Level 3 provenance
# Links the package to the exact commit and
# workflow run that built it via Sigstore
pip install iris-security-sdk
pip audit signatures
# Or verify the full provenance chain:
slsa-verifier verify-artifact \
  iris_security_sdk-*.whl \
  --provenance-path *.intoto.jsonl \
  --source-uri github.com/gimartinb/iris-sdk
PASSED: SLSA Level 3
Verified: commit · workflow · build inputs · Sigstore
View workflow runs ↗ Rekor transparency log ↗
FAQ

Common questions.

Is IRIS like Terraform for AI agents?
No. Terraform governs what gets deployed — infrastructure, configs, resources standing up in an environment. IRIS governs what runs after deploy: which APIs an agent calls, which models it uses, whether each LLM request passes policy. Think of IRIS as what comes after Terraform — the runtime governance layer. iris scan discovers what's running, iris register inventories your fleet, and @agent.guard() enforces policy on every call.
Does IRIS require cloud infrastructure?
No. IRIS runs fully local. Cedar policy evaluation happens in-process with zero network required. You can govern agents on your laptop, in CI, or in production without any IRIS-hosted service.
What is Cedar and why does IRIS use it?
Cedar is a formally verified policy language from AWS, designed for authorization at scale. It evaluates in microseconds, is human-readable, and has mathematical proofs of correctness. IRIS compiles your plain English intent to Cedar so you never write policy syntax yourself.
How is IRIS different from LLM output monitoring tools?
Monitoring tools scan outputs after the fact. IRIS governs the full agent lifecycle — declaring what is allowed before execution, blocking violations at runtime, and maintaining an auditable policy history in Git. Detection tells you what happened. Governance determines what is allowed to happen.
How does Policy as Code help with a regulatory audit?
Policy as Code means your AI governance is version-controlled, reviewable, and auditable in the same way your infrastructure code is. When a regulator asks what your agent is allowed to do, you show them the Cedar policy in Git — a document with a reviewer, a timestamp, and a commit hash. Not a screenshot. Not a PDF someone generated. The actual policy that is actually enforced at runtime on every call.

IRIS also generates the evidence package: the audit trail, impact assessments, compliance check results, and certification readiness score. The auditor reviews it and signs off. We are honest about what IRIS handles and what your team handles.
What happens when a provider or government suspends a model my agent uses?
It already happened. On June 12, 2026, Anthropic disabled Fable 5 and Mythos 5 for all users after a US government export-control directive — received at 5:21pm with no advance warning. Agents with hardcoded model strings broke. IRIS governs models separately from APIs: define tiers and fallback chains in governance/models/registry.yaml, suspend models via directive kill switches in governance/directives/active.yaml, and IrisAnthropic auto-routes to your approved baseline on the next call. The event is logged to the Evidence Vault.
Did the Colorado AI Act change? What do I need to do now?
Yes. Governor Polis signed a replacement law on May 14, 2026. The effective date moved to January 1, 2027, and some requirements were scaled back — but notice, transparency, consumer appeal rights, and the reasonable-care safe harbor remain. Start by inventorying every AI system that touches employment, housing, credit, healthcare, or insurance decisions. IRIS gives you that inventory (AgentPassport), enforced policy (Cedar), and the evidence package auditors expect — locally, with no cloud required.
Do you cover AI in hiring and recruiting?
Yes. IRIS covers NYC Local Law 144 (the most actively enforced AI hiring law in the US), the Illinois AI Video Interview Act, and the employment-domain provisions of CCPA/CPRA ADMT and the EU AI Act. These are available in IRIS Pro. The free tier shows you the rules and your top gaps — Pro unlocks the full evidence package and certification report that an auditor or the NYC DCWP will ask for.
Does IRIS work inside Claude?
Yes. Install iris-security-mcp or pip install "iris-security-sdk[mcp]" and connect IRIS to Claude Desktop. Ask Claude in plain English: "scan my codebase for ungoverned agents" or "which regulations apply to my hiring AI?" Claude uses IRIS tools to answer with real data from your actual codebase.
Can we install IRIS from GitHub Marketplace?
Yes. Install the IRIS Governance GitHub App and every PR in your organization is automatically scanned for ungoverned AI agents. Critical findings block the merge. The developer gets a comment with the exact one-line fix. No CLI required.
Can we have different compliance requirements per environment?
Yes. IRIS uses a dynamic environment model where your security team defines environments in iris-security.yaml and attaches compliance frameworks and enforcement levels to each one. dev might have no frameworks enforced. production-eu enforces GDPR and EU AI Act. production-fedramp enforces FedRAMP Moderate. Set IRIS_ENV in your deployment config and IRIS applies the right policy automatically.
What is the Evidence Vault and how is it different from a log file?
The Evidence Vault is an append-only, signed ledger — not a rotating log. Each event is HMAC-signed and hash-chained to the previous one; tampering with any event breaks the chain for everything after it. Events are mapped to compliance controls (Colorado CO-004, AIUC-B006, HIPAA-001, …) so one collection satisfies every framework report. CI/CD pipelines record evidence with iris evidence record-cicd — even when the governance gate fails. See the Evidence Vault guide.
Does IRIS help with AIUC-1 certification?
Yes. AIUC-1 is a third-party certifiable AI agent standard — Schellman is the first accredited auditor. IRIS generates technical evidence in AIUC-1's own evidence-ID format (B006.1, B006.2, etc.) for the controls IRIS's runtime enforcement directly produces evidence for — agent access restrictions, HITL review records, activity logs, PII leakage prevention. IRIS does not replace the accredited auditor or AIUC-1's required third-party adversarial and hallucination testing — those remain separate engagements.
Do you have paid tiers?
Not yet, by design. Community is free, open source, and fully real today — Cedar policy engine, HITL, the built-in encrypted vault, Evidence Vault, GitHub integration, all of it. We are building Business and Enterprise capabilities in the open and will turn pricing on once they are real, tested, and something we'd stand behind in a customer conversation — not before. Track progress at BACKLOG.md.
14 compliance frameworks — Colorado AI Act (SB 26-189) is available in Community today. NIST AI RMF, SOC 2, GDPR, HIPAA, EU AI Act, FedRAMP, CCPA/CPRA ADMT (ccpa-admt), China PIPL (china-pipl), NYC LL 144 (nyc-ll144), Illinois AI Video (illinois-ai-video), AIUC-1 (aiuc-1), and ISO/IEC 42001 (iso-42001) are on the Business roadmap — see BACKLOG.md. Run iris framework suggest to see which apply to your agents.
Start with Community

Free, open source, and built for real use.
More tiers are coming as we build them in the open.

Community
Cedar policy engine
Compile plain-English intent to formally verified Cedar. Enforce before every LLM call.
Community
Policy compile & diff
GitOps policy workflow — intent in Git, Cedar compiled in CI, drift detected automatically.
Community
All LLM client integrations
Anthropic, OpenAI, Gemini, Vertex, LangChain — governed with the same Cedar engine.
Community
HITL (local)
Human-in-the-loop approval queue via CLI — pause, review, approve or reject high-risk actions.
Community
Built-in encrypted vault
Local secrets storage with AES-256 — no cloud required for credential governance.
Community
Evidence Vault (local)
Append-only signed ledger with hash chain, control mappings, retention lifecycle, and CI/CD evidence recording.
Community
CI/CD recording
GitHub Actions workflow and compliance checks in your pipeline.
Community
GitHub App (personal)
PR comments with inline findings and one-line fix commands on your repos.
Community
MCP free tools
Connect IRIS to Claude Desktop and Cursor — scan, check compliance, list HITL reviews.
Community
SLSA Level 3 provenance
Every PyPI release signed and attested — verify with pip audit signatures.
Community
Org policy validate
Validate .iris-security org policy files locally before merge.
Community
RBAC (basic)
Role-based access in the CLI and local SDK — viewer, engineer, admin roles.

Building Business and Enterprise capabilities in the open. Follow progress: BACKLOG.md

Community
$0 — available now
Install free →

January 1, 2027 is closer than it looks.
Inventory your agents. Write the policy.
IRIS enforces the rest.

Open source. Five-minute install. Zero cloud required. Start building reasonable care now — not in December.

Install Design partner