Operator Tiers

Last updated: 2026-05-31

Five operator tiers. Each unlocks specific governance capabilities. The same TierFeatureMatrix that powers the SDK, the dashboard, and the CLI also powers this page. The matrix is queryable at GET /api/tiers.

Pick the lowest tier that covers what you need today. Upgrade when the next capability is required -- every denial response from the API includes the exact upgrade path. No surprises.

16,602 tests verified GovernanceBench 224/224 VIGIL 125/125 Kevlar OWASP 10/10

Tier 1 -- Evaluator

Evaluator

Auditor, regulator, first-time evaluator

TTFV target: 10 minutes to first benchmark report

Verifies claims, runs benchmarks, reads reports. Issues + verifies certs for own agents. Runs the full benchmark battery against any deployment.

Identity

Issue AgentCertificate for your own agent · Verify a presented AgentCertificate

Trust

Query Sovereignty + Integrity Dyad for own agent

Authorization

Classify risk of a proposed action

Verification

Run GovernanceBench against your deployment · Run VIGIL adversarial battery · verify-cert / verify-provenance / verify-attestation CLI

Next: Upgrade to Analyst to unlock the full enforcement chain + dashboard Fleet view + Audit Trail view. Quickstart: docs/quickstart-evaluator.md

Tier 2 -- Analyst

Analyst

Developer adding governance to an existing agent

TTFV target: 5 minutes to first governed action

Wraps an existing agent with @governed. Sees the dashboard Fleet view + Audit Trail. Inherits every Evaluator feature.

Authorization

Full enforcement chain (classify + chain + compose) via POST /api/enforcement/evaluate

Dashboard

Fleet view dashboard · Audit trail dashboard

Next: Upgrade to Builder to unlock MCP attestation + provenance chain recording + secret-binding format + Compliance / Explainability / Trust Surface dashboards. Quickstart: docs/quickstart-analyst.md

Tier 3 -- Builder

Builder

Engineer building agents at scale with custom policies

TTFV target: 30 minutes to first custom capsule policy + attested MCP

Issues certs for delegated agents. Attests MCP servers. Records cross-registry provenance. Formats secret-binding for 5 vault adapters. Sees the Trust Surface dashboard. Inherits every Analyst feature.

Identity

Issue AgentCertificate for delegated agents

Attestation

Attest an MCP server manifest · Record cross-registry provenance entries

Audit

Format governance events for SIEM ingestion

Secret

Format secret-fetch requests for 5 vault adapters (CyberArk CCP, HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, GCP Secret Manager)

Dashboard

Compliance · Explainability (EU AI Act Article 13) · Trust Surface (6 panels)

Next: Upgrade to Operator to unlock halt + resume + quarantine + cert-bound operator sessions + fleet-wide dyad + live SIEM streaming + GDPR Article 22 view. Quickstart: docs/quickstart-builder.md

Tier 4 -- Operator

Operator

Ops / SRE running an agent fleet in production

TTFV target: 3 minutes from dashboard login to first halt-and-resume drill

Halts agents. Starts cert-bound operator sessions. Queries fleet-wide dyad + audit. Exports audit chains to regulators (hashes-only). Inherits every Builder feature.

Trust

Query Dyad across all governed agents

Authorization

Override risk classification per-action

Attestation

Start cert-bound operator session · Export-controlled session record (hashes-only)

Operator

Halt a single agent · Resume a halted agent · Quarantine an agent to scoped permissions

Audit

Read fleet-wide audit chain · Export audit chain to regulator · Live SIEM streaming

Dashboard

Steer Console (manual override) · GDPR Article 22 view

Next: Upgrade to Strategist to unlock fleet-wide halt + Dyad factor weight tuning + enforcement profile gate composition. Quickstart: docs/quickstart-operator.md

Tier 5 -- Strategist

Strategist

Executive, risk owner, board member, CISO

TTFV target: 5 minutes to executive summary

Fleet-wide halt authority. Tunes Dyad factor weights per vertical. Composes enforcement profile gates. Inherits every Operator feature.

Trust

Customize Dyad factor weights per vertical

Authorization

Tune enforcement profile gate composition

Operator

Halt the entire agent fleet (incident response)

Strategist is the top tier. Pricing + enterprise extensions: governance@agentomy.com. Quickstart: docs/quickstart-strategist.md

How tier-cap works: Issue a cert for any tier you want. If you request a tier higher than your account, the cert is silently capped to your current tier and the response includes the upgrade path. No failed transactions, no missing capabilities -- you always get a usable cert plus the remedy to get the next one.

Live tier matrix: Every value on this page is queryable at runtime. GET /api/tiers returns the full 5xN matrix. GET /api/tiers/:tier returns features + nextTier + unlocksAtNext. POST /api/upgrade-hint returns the upgrade payload for any (current, required) tier combination. GET /api/onboarding/:tier returns the persona + TTFV + first-action for any tier.

This is not a pricing page. Pricing terms: pricing. This page describes what each tier does, not what it costs.