An agent that can act in production is a privileged workload. Powerloom treats it like one — per-tenant isolation, deny-first RBAC, hash-chained audit, and second-approver gates on the decisions that matter. The blast radius of a rogue agent is whatever your directory and your approvals allow it to be, and not a degree more.
What follows is plain language. What we ship today, what is underway, and what is on the roadmap. We do not claim certifications we have not earned.
Every tenant gets its own VPC, its own KMS customer master key, and its own database. No shared compute. Deployed on AWS; infrastructure-as-code via Terraform.
[shipping] Google Workspace, Microsoft Entra ID, and GitHub. OUs mirror your directory. Agents run with workspace-scoped service identities, not human credentials.
[shipping] Role bindings allow or deny on OUs, agents, MCP servers, and tools. Deny wins every merge. Simulator runs before enforcement.
[shipping] Every policy decision, every tool call, every manifest apply is written to a hash-chained audit log. Each record hashes the previous — silent edits are detectable.
[shipping] Data at rest envelope-encrypted with per-tenant KMS keys. TLS 1.3 in transit. Secrets in AWS Secrets Manager, never in environment variables.
[shipping] High-impact actions — create OU, deploy MCP, bind role to sensitive scope — require a second approver. The approval is itself a first-class audit event.
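The hash-chained audit log described above, as an added example that is not Powerloom's code: each record's hash covers the previous record's hash, so an in-place edit or a removed record breaks verification. The record layout, the use of SHA-256, the all-zero genesis value, and the event field names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record


def record_hash(prev_hash, event):
    # Canonical JSON: the same event always serializes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev,
                "hash": record_hash(prev, event)})


def verify(log, expected_head=None):
    """Return the index of the first record that breaks the chain, else None.

    expected_head is the last record's hash as stored outside the log.
    Without it, dropping records from the tail goes unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # self-consistent chain that ends in the wrong place
    return None


def sample_log():
    # Constructed sample events; field names are assumptions.
    log = []
    for event in [
        {"type": "policy_decision", "agent": "agent-a", "effect": "deny"},
        {"type": "tool_call", "agent": "agent-a", "tool": "example-tool"},
        {"type": "manifest_apply", "actor": "user-1"},
        {"type": "approval", "actor": "user-2", "action": "create_ou"},
    ]:
        append(log, event)
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]
    log[1]["event"]["tool"] = "other-tool"  # silent edit to one record
    print(verify(log, head))                # 1
```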
[shipping] Audit engagement underway. We'll link the report here when it's issued. Not before.
Follows Type I with the required observation window.
BAA availability is planned for enterprise tier once the control set is audited. Not available today.
On the roadmap. No commitment date.
Today: export audit log via API. Planned: push to Splunk, Datadog, and AWS Security Lake.
We don't have SAML support. We don't have SCIM user provisioning. We don't have a FedRAMP authorization. We don't host in regions outside US-East and EU-Central. If any of these are blocking for you — tell us. It helps us sequence the roadmap.
Email security@powerloom.org. We respond within one business day. No bounty program yet; we acknowledge reporters on request.