The decision-trace and policy-enforcement layer for AI agents. Sovereign. Air-gapped capable. Apache 2.0.
Sentinel is the decision-trace and policy-enforcement layer for AI agents. Every agent call passes through a policy, produces a decision record, and contributes to an evidence store. The layer runs inside your infrastructure, under your jurisdiction, and keeps the same behaviour in cloud, on-premise, edge, and air-gapped environments.
A procurement agent — procurement-assistant, running
mistral/large-2 — receives a request to approve a
€200,000 invoice from a new supplier. The call is
wrapped with @sentinel.trace. The request enters
Sentinel before any payment function runs. Nothing about Sentinel
is visible to the agent.
Sentinel loads policies/procurement.py, version
2.1.0. SimpleRuleEvaluator runs the rule
amount_exceeds_threshold, comparing the invoice
amount against the agent's configured ceiling of
€100,000. The rule triggers. Evaluation is
deterministic, in-process, and takes microseconds.
The policy returns DENY. Sentinel raises
PolicyDeniedError before any call to the payment
function is made. The agent sees the denial. The downstream
system is never touched. The decision is append-only from this
moment on.
Sentinel writes a DecisionTrace to the local
SQLiteStorage. The record captures the timestamp,
the agent, the hashed inputs (never the raw invoice), the policy
identifier and version, the rule that triggered, the rationale,
and the EU-DE data residency assertion. Storage is
synchronous — there is no async backend to lag or lose the write.
A senior approver, finance.lead@org.eu, reviews the
record out-of-band and records a HumanOverride with
justification "approved escalation for Q2 capex".
Sentinel appends a second, linked record. The first record is
never modified.
At quarter-end, the audit lead runs
sentinel evidence-pack --since 2026-04-01 --until 2026-07-01 --financial-sector --output audit-q2.pdf.
Every record in the window — including this one — is bundled with
the EU AI Act and DORA coverage snapshot, a SHA-256 hash manifest,
and a sovereign attestation. The PDF is handed to the external
auditor.
Every field on this page is a real field on
sentinel.core.trace.DecisionTrace.
The override record is a separate, linked entry — the first record
is never mutated.
| trace_id | 5f8a2c91-7d3e-4a6b-b2f1-8e09c4f5b0a2 |
|---|---|
| started_at | 2026-06-14T09:42:11.337Z |
| agent | procurement-assistant |
| project | eu-operations |
| model | mistral/large-2 |
| inputs_hash | sha256:a3f8c2d1e4b67f0c1a5d8e2b9c3f4a7b |
| policy | policies/procurement.py @ 2.1.0 |
| policy_result | DENY |
| rule_triggered | amount_exceeds_threshold |
| rationale | request=200000; ceiling=100000 |
| data_residency | EU-DE |
| storage_backend | sqlite |
| signature_algorithm | ML-DSA-65 |
| override_id | b7c2e4f9-1a3d-4b85-9e6c-0f4d2a8c7b13 |
|---|---|
| parent_trace_id | 5f8a2c91-7d3e-4a6b-b2f1-8e09c4f5b0a2 |
| approver_id | finance.lead@org.eu |
| approver_role | senior_approver |
| justification | approved escalation for Q2 capex |
| approved_at | 2026-06-14T11:07:52.119Z |
| result_after | EXCEPTION |
| # | Node | What actually happens | Real API |
|---|---|---|---|
| 1 | Runtime trace | Every agent call produces one DecisionTrace written to the bound storage backend. Append-only. Schema-versioned. Hashed inputs by default. |
SQLiteStorage.save(trace) |
| 2 | Queryable store | Records filter by project, agent, policy result, and time window. No service, no index server — the storage backend answers directly. | sentinel.query(…) |
| 3 | Framework checker | The live store is evaluated against EU AI Act / DORA / NIS2 articles. Each checker returns a structured report with per-article status and human-action gaps. | EUAIActChecker().check(sentinel) |
| 4 | Attestation | A self-contained JSON document with a SHA-256 digest over canonical content. Verifiable offline with sentinel attestation verify. No external service, no phone-home. |
generate_attestation(…) |
| 5 | Evidence pack | A signed PDF bundling cover, executive summary, framework coverage, trace samples, hash manifest, sovereign attestation, and dependency scan. Reproducible input-to-output. | sentinel evidence-pack --output … |
| Mode | Storage | Network | Control logic |
|---|---|---|---|
| Cloud | SQLite or Postgres on EU-sovereign cloud (Scaleway, Hetzner, OVH). | Egress to a policy source only if explicitly configured. | Identical. |
| On-premise | Local Postgres or SQLite on your infrastructure. | Internal only. SOC-visible. | Identical. |
| Edge | SQLite on the device. | Intermittent. Replicates when connectivity returns. | Identical. |
| Air-gapped | Filesystem NDJSON. | None. Transport is physical media. | Identical. |
Two ways to wire a runtime control layer for an agent system. This comparison is about operational consequences, not vendor names.
| Axis | Hyperscaler-native stack | Sovereign control layer |
|---|---|---|
| Control path | Runtime decisions flow through a vendor-managed service. | Runtime decisions flow through code you run, on infrastructure you operate. |
| Jurisdiction | The vendor's home jurisdiction governs the path regardless of server region. | The operator's jurisdiction governs the path by default. |
| Evidence | Audit trails are exported on request and depend on vendor availability. | Records are append-only in a local store you own and can verify offline. |
| Portability | Schema, API, and SDK are vendor-specific. | NDJSON interchange, Apache-2.0 code, documented schema. |
| Deployability | Cloud and cloud-adjacent contexts. | Cloud, on-premise, edge, air-gapped — same control logic. |