ifivo is the runtime control plane for AI agents. It routes agent actions through a gateway that enforces deterministic policies, sends high-risk actions to human approvers, and provides an instant kill switch, with audit-grade logs.

How do I connect ifivo to ChatGPT, Claude, or Gemini?

ifivo exposes an MCP (Model Context Protocol) server at https://www.ifivo.com/api/mcp. Add it as a custom MCP connector in ChatGPT, Claude Desktop, or Gemini with your org API key as a Bearer token. Full copy-paste config is at https://www.ifivo.com/docs/mcp and https://www.ifivo.com/integrate.

How does the Agent Gateway work?

Your agent POSTs intended actions (vendor, action, amount_cents, metadata) to https://www.ifivo.com/api/gateway/actions with the agent's sk_live_ API key. ifivo evaluates policies and returns allow, require_approval, or block. Block-wins precedence applies when multiple policies match.

Is ifivo non-custodial?

Yes. ifivo never holds your money or credentials. It sits in front of the tools your agents already use (Stripe, AWS, ad platforms, OpenAI) and returns an allow/deny decision. Your systems execute the action.

What MCP tools does ifivo expose?

list_agents, list_transactions, list_pending_approvals, approve_transaction, deny_transaction, engage_org_kill_switch, release_org_kill_switch, quarantine_agent, create_policy, summarize_today.

Deterministic enforcement vs probabilistic detection

A practical guide to the two layers every AI-agent governance stack needs, why the distinction matters at audit time, and where ifivo fits.

The short version

AI-agent governance is two jobs, not one. Probabilistic detection answers does this look risky? using a model. Deterministic enforcement answers is this allowed? using a policy you wrote down. The first job is the input to the second.

Most teams pick one and skip the other. Buying only probabilistic detection means your governance decisions inherit the model's non-determinism — which makes audit defensible only as far as the model is auditable. Building only deterministic enforcement means you have to express every threat as an explicit rule, and you miss the ones you didn't anticipate. The right architecture uses both, layered, with a clear separation between the signal and the decision.

What each layer does

Property	Probabilistic detection	Deterministic enforcement
Input	Prompt, output, tool args	A typed envelope: `vendor`, `action`, `amount`, `destination`, signals
Output	A score (e.g. injection probability 0.78)	An explicit decision: `allow` \| `block` \| `require_approval`
Replayability	Re-running may give a different score	Same input, same policy = same decision, every time
Auditability	Defensible only as far as the model is	Each decision traces to a named, versioned policy and a hash-chained audit row
Examples in market	Galileo, Arize, Helicone, LangSmith, Lakera, prompt-injection classifiers	ifivo, MCP policy adapters, hand-rolled middleware allow-lists
When it shines	Catches threats you did not anticipate; works on unstructured payload	Holds at audit; survives a regulator asking why a payment was approved
When it fails	False positives, false negatives, version drift, opaque thresholds	Rules you forgot to write

Why the distinction matters at audit time

Imagine your agent sent $4,200 to a supplier that turned out to be fraudulent. Two reconstructions of that event:

Probabilistic-only: “The model classified the recipient as low-risk (score 0.12 at the time, threshold 0.30). The policy was ‘block if score > 0.30.’ The threshold was set on 2026-01-14.” This is a defensible answer only if the model's scoring decisions are themselves auditable, the threshold-set event is logged, and you can replay the score deterministically. Most production probabilistic stacks do not preserve all three.

Deterministic-with-signals: “The agent attempted action stripe.payment_intents.create with amount_cents=420000, recipient_first_seen=true, and injection_score=0.12. Policy pmt.high-amount-approval (priority 200) matched and required human approval. The approver was Maria Chen at 2026-01-14T13:08Z, decision id dec_8a3f..., audit hash 7c2e9....” The probabilistic score is recorded as evidence. The decision is its own row, replayable.

The second reconstruction is what enterprise audit, SOC 2 Type II, and any regulator-adjacent buyer actually needs. It is not that probabilistic detection is wrong — it is that it cannot be the boundary that gets audited. The boundary has to be deterministic.

How to layer them in practice

Run probabilistic detectors as evidence collectors. Inject scores and signals into the gateway envelope alongside the structured fields. ifivo accepts injection_score, has_untrusted_input, destination_is_external, recipient_first_seen, and destination_kind as fields a deterministic policy can reference.
Write the policy against the signal, not the model. A rule like “injection_score > 0.7 AND destination_is_external == true ⇒ require approval” is auditable. The rule cites the model's score, but the decision is your decision.
Make every decision a row. No silent allows. The enforcement layer should write a hash-chained audit row for every gateway call — including the matched policy id, the input envelope, the score, and the decision. Replay must be possible.
Never let the model write the policy. An LLM can help draft a rule, but the rule itself must be a versioned JSON object a human signed off on.

Where ifivo sits

ifivo is the deterministic layer. The gateway accepts probabilistic signals — from your detector of choice, from @ifivo/prompt-injection-signals, or from a vendor like Lakera or Galileo — and applies a typed policy bundle written in the open @ifivo/policy-schema. The decision, the matched policy, and every input field are written to a hash-chained audit ledger. Same input, same policy, same decision. Every time.

Where vendors like Galileo, Arize, Helicone, and LangSmith fit: upstream as evidence sources and observability tooling. ifivo's stance is complementary, not competitive. The deterministic layer wants more signals, not fewer.