ifivo
The agent control plane · runtime guardrails at the action layer

Let agents ship refunds,
without losing control.

ifivo is the runtime control plane for AI agents. See what they do, approve what matters, and stop them instantly, with audit-grade logs across every tool, API, and payment rail.

Runtime guardrails, not content filters — here’s the difference.

Pressto try the engine. Keyboard shortcut K.Start free
Non-custodial Shadow mode first Policy enforcement Instant kill switch Immutable audit
curl -X POST https://www.ifivo.com/api/gateway/actions \
  -H "content-type: application/json" \
  -d '{
    "agent_api_key": "sk_live_…",
    "vendor": "stripe",
    "action": "refund",
    "amount_cents": 22000,
    "risk_score": 0.55
  }'
# → { "decision": { "outcome": "pending_approval",
#                   "reason": "Refunds over $150 require approval" } }
Same endpoint /api/gateway/actions runs in the public simulator.
ifivo dashboard showing live spend, approvals, and anomaly feed for a seeded tenant
Sunset Radar · live feed

Vendor changes break agents quietly. Catch them before they ship.

Every entry is a real public deprecation, retirement, or pricing change pulled from the vendor’s own documentation. ifivo treats these as policy signals: agents calling a deprecated endpoint can be paused, alerted, or surfaced for review before the change date lands.

No vendor partnerships are implied. Sources link to the official public notice for each event.

GET /api/vendor-health/feed →public · 60s edge cache · CORS *
OpenAI·model deprecation
in 1d
gpt-4o-realtime-preview

OpenAI gpt-4o-realtime-preview retires; migrate to a successor realtime model.

Vendor source
Anthropic·model deprecation
in 40d
claude-sonnet-4-20250514

Anthropic claude-sonnet-4-20250514 deprecated; plan migration window.

Vendor source
Azure OpenAI·model retirement
36d ago
gpt-4o-2024-05-13

Azure OpenAI gpt-4o-2024-05-13 retires from Standard deployment.

Vendor source
Google Gemini·model deprecation
58d ago
gemini-3-pro-preview

Google Gemini gemini-3-pro-preview is shut down.

Vendor source
Twilio·pricing change
107d ago
messaging/t-mobile-10dlc-carrier-fees

T-Mobile 10DLC carrier-fee changes flow through Twilio Messaging.

Vendor source
Slack·platform sunset
in 194d
apps/classic

Slack classic apps sunset; migrate to Slack's modern apps platform.

Vendor source
Subscribe to the feed

One public endpoint. Verified-only by default.

The same rows you see above are exposed at /api/vendor-health/feed. No auth, no rate-limit keys, 60-second edge cache, CORS open. Wire it into your CI, your agent registry, or a Slack digest.

  • ?vendor=openai — filter by vendor slug
  • ?kind=model_retirement — filter by event kind
  • ?since=2026-01-01 — only changes after a date
  • ?include=candidate — opt into the watchlist
Open the feedSchema & verification rules
Quick start
# Live verified events
curl https://www.ifivo.com/api/vendor-health/feed

# Filter by vendor
curl 'https://www.ifivo.com/api/vendor-health/feed?vendor=openai'

# Watchlist (verified + candidate)
curl 'https://www.ifivo.com/api/vendor-health/feed?include=candidate'
Response shape
{
  "version": 1,
  "generated_at": "2026-05-04T...",
  "source": "db" | "fallback",
  "events": [{
    "vendor": "openai",
    "event_kind": "model_retirement",
    "identifier": "gpt-4-32k",
    "state": "verified",
    "effective_at": "2025-06-06",
    "announced_at": "2024-06-06",
    "superseded_by": "gpt-4o",
    "impact_summary": "...",
    "recommended_action": "...",
    "source_url": "https://platform.openai.com/..."
  }]
}
Open standard

Sunset Radar is verified-only by default. Candidate events live in a separate watchlist behind ?include=candidate. Schema and verification process are public.

Schema and verification rules
MIT-licensed · runs locally

Start with the OSS runtime. Bring SaaS in when you need it.

The audit sink, policy runtime, and Microsoft Agent Framework middleware adapter ship as MIT-licensed npm packages. Run them against a local JSONL file with zero network dependency. Connect an ifivo API key when you want approvals, the kill switch, or the immutable ledger.

Microsoft Agent Framework provides middleware hooks; governance implementation remains the responsibility of the application team. We are not a Microsoft partner.

View source on GitHubp50 ≤ 50 ms · p95 ≤ 120 ms · canonical SLO
@ifivo/mcp-server

Drop-in MCP adapter with policy + audit

  • Wraps any MCP server
  • Local JSONL audit sink
  • Optional ifivo:// remote sink
@ifivo/maf-middleware

Microsoft Agent Framework middleware

  • Approval gates per action
  • Vendor allowlist + budget caps
  • Kill-switch propagation
@ifivo/audit-cli

Replay your audit log offline

  • Reads .ifivo/audit.jsonl
  • No network, no signup
  • CI-friendly exit codes
# Local-only by default. Records every tool call to ./.ifivo/audit.jsonl.
npm install -g @ifivo/mcp-server
ifivo --help

# Wrap your existing MCP server. Audit + policy run as a sidecar, no SaaS.
ifivo wrap --policy ./policies.yaml -- node my-mcp-server.js
Read the docs See all integrations

Four screens. One command center.

See the money, approve the risky moves, and shut it all down instantly. ifivo turns scattered agent logs into an operational control plane your security, finance, and engineering teams actually use.

Overview

Daily spend, pending approvals, blocked actions, and active agents, all at a glance.

ifivo Overview dashboard showing spend, approvals, blocked actions, and active agents.

See → Control → Intervene → Contain

1

See

Route agent actions through ifivo. Every call and payment attempt is logged with identity, intent, and risk.

2

Control

Define budgets, vendor allowlists, and risk thresholds. Deterministic rules run at the edge. No LLM required.

3

Intervene

Send anything above threshold to a human. Approve in-app, Slack, email, or signed webhooks to PagerDuty/Opsgenie/Twilio. Full diff of what the agent intended.

4

Contain

Quarantine an agent, freeze spend, or pull the org-wide kill switch. Authority is always revocable.

Shadow mode

Not just onboarding. A permanent second opinion.

Most teams turn shadow mode on to de-risk the first rollout. The strongest governance programs keep it on — running every proposed policy change against real traffic before it goes live. Shadow and live run side by side, forever if you want. No surprise incidents at 2 a.m.

  • Observe. Shadow policies log decisions without changing the outcome.
  • Diff. Every transaction shows the live decision next to the shadow decision.
  • Tune. Adjust thresholds in the policy editor; every diff stays in the ledger.
  • Keep it on. New policies, upgraded rules, and what-ifs all run in shadow first — then get promoted when the numbers hold.
See a shadow decision on /try Shadow mode docs
Last 7 days · refunds-over-150
Shadow
Shadow (observed) Live (enforced)
Approvals sent
82
0
Blocked actions
17
0
Allowed actions
312
411
Next step: flip shadow: false. 82 would-be approvals will start going to the approvals queue.
Decision ledger

The system of record for why risky actions were allowed.

For every agent action that touches money, data, or a customer: what was requested, which policy version ran, who approved or overrode, what executed, what happened next. Immutable, replayable, and queryable. When an auditor, a CISO, or your board asks why an agent was allowed to do something, the answer is already written down.

Sealed at decision time

Each row carries the policy version, the matched rule, the approver (if any), the timestamp, and the outcome. No edits, no retroactive justifications.

Overrides are first-class

When a human reaches past policy, the override is captured with reason code and free-text justification — not buried in a comment.

Shadow-vs-live diffs live here too

Every proposed policy change leaves a shadow decision next to the live one. Filter on the diff to see exactly which actions would have changed.

Export without permission

SIEM, S3, CSV, or a signed archive for an audit. Your evidence, exportable at any time. Lock-in is the record, not the contract.

See a real ledger row Ledger API docs
New · Free audit

Audit your last 30 days. See what we’d have caught.

Upload your OpenAI logs or a generic JSONL. We replay every action against a curated policy pack and show you exactly which refunds, sends, and tool calls would have been blocked, paused for approval, or flagged as prompt-injection signal. No signup, auto-deletes in 30 days.

Run a free audit How runtime guardrails work

Simple pricing. Ship today.

Start free. Upgrade when your agents touch real money.

Full pricing & comparison →

Starter

Free

For early pilots

  • 1 org · 5 agents
  • 1k actions / month
  • Shadow mode + dashboards
  • Community Slack
Get started

Team

Most popular
$499/mo

For production agents

  • Unlimited agents
  • 500k actions / month
  • Approvals + kill switch
  • SSO, 15-min SIEM export
  • Slack, email, and signed-webhook approvals
Get started

Enterprise

Custom

For regulated orgs

  • SOC 2 / ISO artifacts
  • On-prem gateway option
  • Custom policy rules
  • Dedicated support
  • Stripe MPP + TAP integrations
Get started

A category of one.

Observability tools watch. Vendor limits react. Homegrown code drifts. ifivo is the control plane, and it runs before the action does.

Capability
ifivo
Runtime control plane
Homegrown gateway
Internal middleware
LLM observability
Traces & logs
Vendor-native limits
Per-tool rules
Deterministic policy enforcement
Budgets, allowlists, thresholds evaluated before the action runs.
Human-in-the-loop approvals
Slack, email, or in-app. With a full diff of what the agent intended.
Cross-tool view (LLM + API + payment rail)
Instant kill switch (per-agent, org-wide)
Shadow mode before enforcement
Observe traffic for a week, then turn rules on with confidence.
Immutable, exportable audit log
Hash-chained records, SIEM-ready export.
Non-custodial (no agent credentials stored)
Runs in under an hour

Partial means it is possible but not turnkey. Our take, based on what teams tell us during onboarding.

FAQ

Straight answers to the common questions.

How is this different from LangSmith, Arize, or Helicone?+
Those tools are observability for LLM calls, great for debugging prompts and tracking quality. ifivo is a control plane for the actions agents take after the LLM decides. It blocks, approves, or routes for humans, and it does it deterministically in the hot path. They're complementary; we see most teams running both.Full breakdown: ifivo vs LangSmith.
How does ifivo compare to Galileo Agent Control or the Microsoft Agent Governance Toolkit?+
They ship real enforcement primitives and we take them seriously. The honest differences: Galileo ships Agent Control alongside a rich evaluation and observability suite — great if you already live in that stack; heavy if you just need a runtime control plane. Microsoft's open-source toolkit is strong on policy enforcement and free, but it's a set of building blocks your platform team has to integrate, operate, and ship upgrades for. ifivo is a hosted control plane: you get the policy engine, approvals UI, Slack workflow, kill switch, and SSO-grade audit log as a product, with a 50 ms p50 target and shadow mode to onboard traffic without behavior change. If you have a platform team that wants to build on open primitives, we'll happily tell you when a DIY is the right call. Most teams we work with want the product.Full breakdowns: ifivo vs Galileo · ifivo vs Microsoft Agent Governance.
Is ifivo the same as NeMo Guardrails or Guardrails AI?+
No. Those are content-filter guardrails — they evaluate the model's text output for toxicity, schema, or policy violations. ifivo is a runtime guardrail at the action layer: it evaluates the tool call, payment, refund, or external send before it executes. Different layers of the stack, both useful, and most teams end up running both.Full breakdown: Runtime guardrails explained.
Does ifivo prevent prompt injection?+
We contain it rather than claim to detect every instance. A deterministic pattern scanner flags 15+ signals of injection — override instructions, role hijacks, credential asks, zero-width encoding, hidden HTML — and tracks which context sources are untrusted. The durable control isn't the classifier, though. It's that an action with untrusted input heading to an external destination gets blocked or queued for a human, regardless of whether the model was fooled. Detection buys time; containment stops the damage.See it in action on the poisoned-ticket walkthrough or audit your own agent traffic.
Can I get approvals routed somewhere other than Slack?+
Yes. Every pending approval lives in the in-app queue on every plan — that's the durable record. On top of that you can add any combination of Slack, email (via your SMTP relay), and HMAC-signed webhook channels that reach PagerDuty, Opsgenie, Grafana OnCall, Twilio SMS (via a ~20-line relay), n8n, Zapier, or any custom HTTPS endpoint. Channels can be scoped to P1 only so your on-call pager stays quiet for routine approvals.Deep dive: approval routing.
Do I need to route 100% of agent traffic through ifivo?+
No. Most teams start by wrapping one high-risk action (refunds, provisioning, external emails) and expand from there. Shadow mode lets you onboard more traffic without affecting live behavior.
What latency does the gateway add?+
Target is ≤ 50 ms p50 for a policy decision with the gateway in the same region as your agent. The engine is deterministic JSON. No LLM in the hot path.
Does Shadow Mode affect production behavior?+
No. Shadow policies record what would have happened and return it on the response, but the live outcome is unchanged by them.
What counts as an action?+
One agent call routed through the gateway equals one action. Dashboard reads, webhook deliveries, and MCP tool calls made by humans do not count.
Can I self-host?+
Yes, on Enterprise. You get the same container and policy engine we run in production, deployable in your VPC or on-prem.
How do I define policies?+
Use the visual builder in the dashboard, start from a template, or POST JSON to the policies endpoint. See the policy language reference in the docs.
What happens when the kill switch is triggered?+
Every agent in the org starts receiving blocked from the gateway until a human releases it. Individual agents can also be quarantined without touching the org-wide switch.

Ship an agent you can actually govern.

Route one action through ifivo, flip the kill switch, and watch the audit log fill in. Free plan covers the first thousand actions a month.

Pressto start free. Keyboard shortcut S.Try the policy engine

No card. No commit. Non-custodial by default.