DocsOverview

Security & Compliance

How AKIOS protects your data, enforces policies, and helps you meet regulatory requirements across GDPR, EU AI Act, SOC 2, and HIPAA.

Security Model#

AKIOS implements a zero-trust security model. No agent, tool, or request is trusted by default. Every action requires explicit policy authorization, regardless of origin.

Default-Deny

All tool calls and external requests are blocked unless explicitly allowed by policy.

Least Privilege

Agents receive only the permissions necessary for their task. No ambient authority.

Immutable Audit

Every decision is logged with cryptographic signatures. Logs cannot be modified or deleted.

Data Privacy#

Zero-Retention Policy

By default, the AKIOS control plane is pass-through. We do not store your prompts or completions unless you explicitly enable the Audit Log feature. Your data is encrypted in transit (TLS 1.3) and never used to train our models.

Encryption in Transit

TLS 1.3 for all connections. Certificate pinning available for enterprise deployments.

Encryption at Rest

AES-256-GCM for all stored data. Customer-managed keys (BYOK) available on Pro plans.

Data Residency

EU-first infrastructure. Data stays in the region you choose. No cross-border transfers without consent.

Data Deletion

Full data deletion on request within 30 days. Automated cleanup for expired sessions.

Secret Management#

Encryption at Rest

API keys (OpenAI, Anthropic, Mistral) stored in AKIOS Cloud are encrypted using AES-256-GCM. Keys are decrypted only within the secure enclave of the runtime environment at the moment of execution.

Best Practice

Rotate your keys regularly. Use the akios secrets rotate command to update keys without downtime.

Tool Sandboxing#

Tools execute in isolated sandboxes. Each sandbox enforces network allowlists, file system restrictions, memory limits, and execution timeouts. A compromised tool cannot access other tools, agent memory, or the host system.

typescript
import { Agent, Tool, Sandbox } from '@akios/core'

const agent = new Agent({
  name: 'sandboxed-agent',
  model: 'gpt-4-turbo',
  tools: [myTool],
  sandbox: Sandbox.configure({
    network: {
      allowlist: ['api.weather.com', 'db.internal:5432'],
      denylist: ['*.competitor.com']
    },
    filesystem: {
      readOnly: ['/data/public'],
      writable: ['/tmp/agent-workspace'],
      denied: ['/etc', '/var']
    },
    resources: {
      maxMemoryMB: 256,
      timeoutMs: 10000,
      maxConcurrentTools: 3
    }
  })
})

Compliance Guardrails#

Automated Policy Enforcement

Enterprises can define global policies that apply to all agents in an organization. Policies are version-controlled and enforced deterministically at less than 2ms overhead.

PII Redaction

Automatically detect and mask credit cards, SSNs, emails, and phone numbers before they reach the LLM.

Topic Blocking

Prevent agents from discussing competitors, political topics, or any custom-defined forbidden subjects.

Rate Limiting

Prevent cost overruns and denial-of-service attacks. Per-user, per-agent, and per-organization limits.

Audit Trails

Log every input/output pair with cryptographic signatures. Tamper-proof and exportable for regulators.

typescript
import { Guardrails, DetectPII, BlockTopic } from '@akios/security'

const rails = new Guardrails({
  input: [
    DetectPII.configure({ types: ['email', 'phone', 'ssn', 'credit_card'] }),
    BlockTopic.configure({
      topics: ['competitor_names', 'politics'],
      sensitivity: 'high'
    })
  ],
  output: [
    DetectPII.configure({ types: ['ip_address', 'internal_url'] })
  ]
})

const agent = new Agent({
  name: 'secure-agent',
  guardrails: rails
})

Compliance Frameworks#

AKIOS is designed for regulated industries. The control plane provides the technical controls needed to meet major compliance frameworks.

EU AI Act

Paris-based and EU-first. AKIOS provides the technical infrastructure for EU AI Act compliance.

  • Risk classification — Tag agents by risk level (minimal, limited, high-risk) with corresponding controls.
  • Human oversight — Human-in-the-loop workflows for high-risk decisions. Configurable approval gates.
  • Transparency — Full audit trails and session replay for regulatory inspection.
  • Technical documentation — Automated generation of system cards for high-risk AI systems.

GDPR

  • Data minimization — Only the data necessary for the agent task is sent to the model provider.
  • Right to erasure — Full data deletion via API or CLI within 30 days of request.
  • Data residency — EU-hosted infrastructure. No cross-border transfers without explicit consent.
  • PII redaction — Automatic detection and masking before data leaves your infrastructure.
  • Consent management — Integration hooks for consent verification before agent processing.

SOC 2 Type II

  • Access controls — Role-based access with API key scoping per agent, team, and environment.
  • Monitoring — AKIOS RADAR provides continuous monitoring with anomaly detection and alerting.
  • Change management — Policy-as-code with version control. All changes tracked in audit log.
  • Incident response — Session replay for rapid root-cause analysis. Circuit breakers for automatic containment.

HIPAA

  • PHI protection — Guardrails configured to detect and redact Protected Health Information before LLM processing.
  • Audit controls — Immutable audit logs satisfy the audit trail requirements of the Security Rule.
  • Access management — Minimum necessary access enforced per agent and per tool.
  • BAA available — Business Associate Agreements available for AKIOS Pro customers.

Enterprise Compliance

Need help mapping AKIOS controls to your specific compliance framework? Contact our solutions team for a controls mapping document tailored to your regulatory requirements.

Threat Model#

AKIOS is designed to protect against the most common attack vectors in agentic AI systems.

Prompt Injection

Input guardrails detect and block injection attempts. System prompts are isolated from user inputs.

Data Exfiltration

Output rails scan for sensitive data. Network sandboxing prevents unauthorized outbound connections.

Tool Abuse

Sandboxed execution with resource limits. Dangerous tools require human approval before execution.

Cost Attacks

AKIOS FLUX enforces per-agent, per-user, and per-organization cost caps. Circuit breakers halt runaway execution.

NextWelcome