AI agents now operate cloud infrastructure directly: assuming IAM roles, enumerating storage, querying instance metadata endpoints, and executing inside Kubernetes. The same blast radius that let an attacker reach a metadata endpoint and walk out with 106 million records now belongs to an autonomous agent that can do it at machine speed and without a human in the loop. IAM policies and network controls decide what an identity can do. Nothing governs what the agent should do across IAM, storage, metadata, and Kubernetes, and nothing produces a tamper-evident record of what it did.
Self-hosted by design. Bring your own model, bring your own key -- your cloud credentials and action history stay in your infrastructure. Agentomy never proxies, never hosts, never sees the data plane.
In 2019, an attacker exploited a server-side request forgery flaw to reach the EC2 instance metadata endpoint at 169.254.169.254, retrieved the credentials of an over-permissioned IAM role, and used them to enumerate and exfiltrate storage holding the records of over 100 million people. Every step in that chain is now an action an autonomous agent can take on its own: probe metadata, assume a role, list buckets, read objects, exec into a pod.
Cloud security posture management, cloud infrastructure entitlement management, and cloud-native application protection tools inventory misconfigurations and over-broad entitlements. They tell you what an identity is permitted to do. They do not tell you whether this agent, right now, should be probing the metadata endpoint, escalating an IAM role, or enumerating every bucket in the account, and they do not produce a hash-linked record that survives the agent re-registering. Agentomy governs the behavioral layer above IAM and the network.
Cloud governance adds five cloud-specific detectors to the behavioral monitor. The monitor includes 9 core methods available in every deployment and 31 vertical-specific methods (including these 5 cloud-infrastructure detectors) available with fleet infrastructure. The full 40-method monitor runs continuously across the cloud agent lifecycle. Each detector references a concrete cloud operation, not a generic anomaly score.
Cloud agents are not a separate product. They are governed identically to every other agent -- an agentId with an action, a scope, and a tier -- through the same authorization, audit, halt, and behavioral engine. That is the point: one governance core, one audit trail, one kill switch, whether the agent is trading, driving, or operating a cloud account. GovernanceBench Suite 13 exercises the four coverage areas below against the live governance layer.
Agentomy maps governance controls to 10 compliance frameworks, 7 at self-assessed readiness; the ones below are the most directly relevant to cloud workloads. All mappings are internal self-assessments of readiness, pending external validation. Cloud-specific control catalogs (CSA CCM, ISO 27017) are applicable to this vertical but are not yet individually mapped. A FedRAMP authorization requires a federal agency sponsor and a 3PAO assessment and has not been initiated.
| Framework | Status | Scope |
|---|---|---|
| NIST SP 800-53 (FedRAMP baseline) | Self-assessed readiness | NIST SP 800-53 Rev. 5 is the control baseline that underlies FedRAMP. The AC, AU, IR, and SI families map to agent authorization, the hash-linked audit trail, incident containment, and continuous monitoring. A FedRAMP authorization (ATO) is a separate federal process requiring an agency sponsor and a 3PAO assessment, and has not been initiated. |
| SOC 2 readiness | Self-assessed readiness | Trust services criteria for cloud and SaaS providers. Logical access controls, change management, and monitoring evidence supported by per-agent authorization decisions and retrievable action history. |
| ISO 27001 | Self-assessed readiness | Information security management. Access control (A.9), logging and monitoring (A.12), and operations security supported by tier-based authorization and tamper-evident audit blocks. |
| PCI DSS | Self-assessed readiness | Cardholder data environments increasingly run in cloud. Restricting access by business need-to-know and tracking all access to data and network resources maps to scope-bounded authorization and audit logging. |
| GDPR | Self-assessed readiness | Where cloud storage holds personal data, enumeration and exfiltration detection plus an auditable record of access support breach detection and accountability obligations. |
These were human attackers and misconfigurations. The relevance to agent governance is direct: an autonomous agent operating cloud infrastructure inherits the same credentials and the same blast radius, and it acts faster and without a human pausing to ask whether the action is appropriate.
Maps to: IMDS Probing, IAM Privilege Escalation, Storage Enumeration
Maps to: Cloud Credential Exfiltration, Storage Enumeration
Maps to: Storage Enumeration, Cloud Credential Exfiltration, IAM Privilege Escalation
CSPM tools find misconfigurations. CIEM tools map and right-size entitlements. CNAPP suites bundle scanning, workload protection, and posture. All of them answer what an identity is allowed to do. None of them govern, in real time, whether this agent should be probing the metadata endpoint, escalating an IAM role, or enumerating every bucket, and none produce a tamper-evident behavioral record per agent. Agentomy governs the controller, not the configuration.
Govern cloud agents through whichever surface fits your stack. Gate mode authorizes a cloud action before it executes. Observer mode records and monitors after the fact. Both modes produce the same hash-linked audit trail.
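To make "hash-linked audit trail" concrete, the added example below (an illustration, not Agentomy's code or record format) chains gate-mode and observer-mode records by SHA-256 and locates the first record that breaks the chain. The field layout, the genesis value, and the agent and action names are assumptions constructed for the sketch.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record in a trail

def digest(body):
    # Canonical JSON (sorted keys, fixed separators) so a record hashes reproducibly.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(trail, agent_id, action, scope, tier, mode, decision):
    """Append a record whose hash covers its own fields and the previous hash."""
    body = {
        "seq": len(trail),
        "agentId": agent_id, "action": action, "scope": scope, "tier": tier,
        "mode": mode,          # "gate" (decided before execution) or "observer"
        "decision": decision,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    record = dict(body, hash=digest(body))
    trail.append(record)
    return record

def verify_trail(trail):
    """Return the index of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev or digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def build_sample_trail():
    # Constructed sample records; the action labels are placeholders, not real API names.
    trail = []
    append_record(trail, "agent-cloud-01", "storage.list_buckets", "account/prod", 2, "gate", "allow")
    append_record(trail, "agent-cloud-01", "metadata.read_credentials", "account/prod", 2, "gate", "deny")
    append_record(trail, "agent-cloud-01", "storage.read_object", "account/prod", 2, "observer", "recorded")
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", verify_trail(trail))
    trail[1]["decision"] = "allow"  # flip a recorded deny after the fact
    print("first broken record after edit:", verify_trail(trail))
```

A chain checked only against itself can be rewritten from the edited record onward, so the latest hash has to be stored or signed somewhere the log writer cannot modify.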
Suite 13: Cloud Infrastructure Governance. 20 self-contained, idempotent scenarios across 4 coverage areas: cloud agent authorization (5), cloud action audit trail (5), cloud fleet halt (5), and cloud behavioral monitoring (5). Every scenario runs against the live governance layer using the same authorization, log, halt, and status endpoints. No mocks. No stubs.
Autonomous agents are assuming IAM roles, reading storage, and querying metadata endpoints today. The behavioral governance layer that decides whether they should, and proves what they did, is the gap. Run the 20-scenario benchmark against your governance layer and see.