Security & Audit

Platform Security

Enterprise-grade security and auditability designed for regulated environments—implemented as defense-in-depth architecture with audit artifacts available under NDA.

Defense-in-depth architecture aligned with NIST Zero Trust principles: network segmentation, mTLS service identities, KMS/HSM key management, policy-as-code with signed packages, and immutable audit trails enabling decision replayability.

Trust & Security contact
security@axiosky.com

For security reviews, architecture assessments, and responsible vulnerability disclosure.

Axiosky is in active development with pilot deployments. The security controls and design principles below represent current architecture and implementation targets. Operational SLAs, third-party audit reports, and detailed artifacts are provided to qualified prospects under NDA after initial security consultation.

Security principles

Security is designed into the architecture: governance is enforced by network topology and cryptographic controls rather than relying solely on application-level code discipline.

Least privilege by default

Minimal entitlements for users, agents, and services with explicit grants over implicit trust.

Defense in depth

Layered controls across network segmentation, identity verification, policy enforcement, and audit.

Policy-as-code first

Deterministic, testable, versioned rules with cryptographic signatures as the basis of enforcement.

Fail-safe defaults

Ambiguous authorization checks escalate or block rather than permit.

Zero-Trust segmentation

Authenticated and encrypted service-to-service communication—never trust, always verify.

Immutable audit trails

Append-only decision logs with cryptographic chaining enabling replayability and forensics.

Data minimization & privacy-by-design

PII access limited; pseudonymization supported for audit records.

Secure-by-default configurations

TLS 1.3, AEAD ciphers, and hardened defaults aligned with industry standards.

Architecture overview

The platform architecture implements Zero Trust principles where agents operate in restricted network segments and all execution is mediated through governance layers.

Trust boundaries

Layers of the trust-boundary diagram (L1 to L4), from the untrusted agents to the protected resources; each boundary is crossed only over mTLS:

  • L1, Agent Runtime (untrusted zone): restricted egress to the Orchestrator only; no direct execution-layer access.
  • L2, Orchestrator (coordination layer): resource locks and dependency graphs; mandatory Governor routing. Reached from L1 over mTLS + TLS 1.3.
  • L3, Governor (policy enforcement): signed policy evaluation; APPROVE / BLOCK / ESCALATE decisions; immutable audit logging. Reached from L2 over mTLS.
  • L4, Execution Layer (authorized access only): databases, APIs, cloud resources; reachable only via the authorized path. Reached from L3 over mTLS.

Network segmentation

  • Agents operate in isolated network segments with egress restricted to Orchestrator endpoints only.
  • Orchestrator–Governor–Execution paths protected via dedicated firewall rules.
  • Direct agent-to-execution connectivity blocked at network level per reference architecture.

Cryptographic verification

  • All inter-service communication encrypted via TLS 1.3 with AEAD ciphers.
  • Mutual TLS (mTLS) for bidirectional authentication using X.509 certificates.
  • Policy packages cryptographically signed and verified before loading.

Architectural enforcement depends on proper network configuration, IAM policies, and Orchestrator deployment as the required execution path. Reference architectures and hardening checklists are provided during security consultation.

Identity & access management

Human users authenticate via enterprise SSO; agents and services authenticate via mTLS; authorization is enforced through RBAC and ABAC policies.

Human authentication

  • SSO via SAML 2.0 / OIDC — Okta, Azure AD, Google Workspace, Ping Identity.
  • SCIM provisioning for automated user lifecycle management.
  • Short-lived JWTs (15–60 min TTL). MFA required via IdP assertion.

Agent & service authentication

  • mTLS with X.509 certificates; automated rotation via cert-manager (90-day lifetime).
  • CRL/OCSP revocation for compromised certificates.
  • Time-limited scoped API keys and service accounts.

RBAC / ABAC & key management

  • Permission model: resource:action:scope — default-deny with explicit grants only.
  • Context-aware ABAC based on time, location, device posture, and risk score.
  • KMS: AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault.
  • BYOK and HSM (FIPS 140-2 Level 2+) for regulated deployments.

Example role definitions (YAML):

roles:
  - name: procurement_officer
    permissions:
      - workflow:execute:procurement_*
      - audit:read:own_workflows

  - name: compliance_reviewer
    permissions:
      - audit:read:*
      - decision:replay:*
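As an added illustration, not Axiosky's code, the following Go program evaluates grants in the resource:action:scope model above as a default-deny check that returns a Governor-style APPROVE or BLOCK. The wildcard semantics (a trailing * matches any prefix, so a bare * matches everything) and the NewRole/Authorize names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one "resource:action:scope" grant, e.g. workflow:execute:procurement_*.
type Permission struct{ Resource, Action, Scope string }

// Role mirrors one entry of the YAML role list above (assumed struct, not the product's).
type Role struct{ Name string; Grants []Permission }

// NewRole parses grant strings; a malformed grant is rejected, not silently skipped.
func NewRole(name string, grants ...string) (Role, error) {
	r := Role{Name: name}
	for _, g := range grants {
		p := strings.SplitN(g, ":", 3)
		if len(p) != 3 || p[0] == "" || p[1] == "" || p[2] == "" {
			return Role{}, fmt.Errorf("malformed grant %q: want resource:action:scope", g)
		}
		r.Grants = append(r.Grants, Permission{p[0], p[1], p[2]})
	}
	return r, nil
}

// matchSegment uses assumed wildcard semantics: a trailing "*" matches any prefix
// (so a bare "*" matches everything); any other pattern must match exactly.
func matchSegment(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// Authorize is default-deny: APPROVE only if one grant matches all three segments, else BLOCK.
func Authorize(role Role, resource, action, scope string) string {
	for _, g := range role.Grants {
		if matchSegment(g.Resource, resource) && matchSegment(g.Action, action) && matchSegment(g.Scope, scope) {
			return "APPROVE"
		}
	}
	return "BLOCK"
}

func main() {
	officer, _ := NewRole("procurement_officer", "workflow:execute:procurement_*", "audit:read:own_workflows")
	fmt.Println(Authorize(officer, "workflow", "execute", "procurement_rfq_42")) // APPROVE
	fmt.Println(Authorize(officer, "workflow", "execute", "payroll_run"))        // BLOCK
}
```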

Data protection & privacy

Encryption, classification, pseudonymization, and retention controls aligned with privacy-by-design principles.

Data classification

  Tier           Definition                    Examples
  Public         Public disclosure intended    Marketing, public docs
  Internal       Internal, no sensitivity      Operational logs, config
  Confidential   Business-sensitive            Financial reports, IP
  Restricted     Regulated data                PII, PHI, PCI

Encryption

  • AES-256-GCM at rest; DEKs wrapped by customer or platform master keys.
  • TLS 1.3 + mTLS for all network communication.
  • BYOK: customer master keys in AWS KMS, Azure Key Vault, or GCP KMS.

PII & PHI handling

  • Audit logs use pseudonymous identifiers; mapping table stored with separate access controls.
  • GDPR Article 25 (privacy-by-design) and right-to-erasure workflows supported.

Example pseudonymized audit record (JSON):

{
  "audit_id":       "act_20250115_143218_a8f2",
  "user_pseudonym": "user_9a8b7c6d5e4f",
  "action":         "approve_contract",
  "policy_version": "v2.3.1",
  "decision":       "APPROVE"
}

Retention

  • Audit logs: 7 years default. Workflow state: 90 days default.
  • Policy versions: indefinite, Git-managed.
  • Right-to-erasure: pseudonym mapping removed; audit records preserved per legal obligation.

Policy security & auditability

Policy-as-code is versioned, cryptographically signed, tested, and produces deterministic, replayable audit records.

Policy lifecycle security

  • Git-based policy code with inline regulation citations and mandatory CI gates.
  • Signed with Ed25519 / RSA-4096; HSM-backed in production.
  • Staged rollout: shadow → canary (10%) → staged (50%) → full (100%).

Example package verification with the CLI:

$ axiosky policy verify \
    --package financial_controls_v2.3.1.axp \
    --public-key /etc/axiosky/keys/policy-signing.pub

✓ Signature valid
  Signer: compliance@example.com
  Algorithm: Ed25519
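An added Go example (not the axiosky CLI's implementation) of the verify-before-load gate the bullets describe: the Governor refuses a policy package unless its Ed25519 signature, covering version, signer and body, verifies under the trusted public key. The PolicyPackage layout, the NUL framing and the key pair generated in main are assumptions standing in for the .axp format and the HSM-held signing key.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// PolicyPackage is an assumed shape for a signed .axp bundle: version, signer
// identity, the policy body and a detached Ed25519 signature over all three.
type PolicyPackage struct {
	Version   string
	Signer    string
	Policy    []byte
	Signature []byte
}

// signedBytes binds version, signer and body so none can be swapped independently
// (simple NUL framing; a length-prefixed encoding would be stricter).
func signedBytes(p PolicyPackage) []byte {
	return []byte(p.Version + "\x00" + p.Signer + "\x00" + string(p.Policy))
}

// SignPackage is the release-time step (HSM-backed in production, per the page).
func SignPackage(priv ed25519.PrivateKey, p PolicyPackage) PolicyPackage {
	p.Signature = ed25519.Sign(priv, signedBytes(p))
	return p
}

// LoadPackage is the Governor-side gate: the body is returned, and so loadable, only if the signature verifies.
func LoadPackage(trusted ed25519.PublicKey, p PolicyPackage) ([]byte, error) {
	if len(p.Signature) != ed25519.SignatureSize {
		return nil, errors.New("package carries no well-formed signature")
	}
	if !ed25519.Verify(trusted, signedBytes(p), p.Signature) {
		return nil, fmt.Errorf("signature on %s by %s invalid: refusing to load", p.Version, p.Signer)
	}
	return p.Policy, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // fresh pair standing in for the deployed signing key
	pkg := SignPackage(priv, PolicyPackage{Version: "v2.3.1", Signer: "compliance@example.com",
		Policy: []byte("constructed policy body")})
	_, err := LoadPackage(pub, pkg)
	fmt.Println("original:", err)
	pkg.Policy = []byte("constructed policy bodY") // any changed byte fails verification
	_, err = LoadPackage(pub, pkg)
	fmt.Println("tampered:", err)
}
```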

Immutable audit trail

  • Append-only storage — no updates or deletes permitted.
  • Cryptographic chaining between records for tamper detection.
  • Audit log write access restricted to the audit service only.
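An added example, not the platform's implementation, of the chaining these bullets describe: records in the shape of the pseudonymized audit record shown under PII & PHI handling are appended with a SHA-256 link to their predecessor, and verification reports the first record whose content or back-link no longer checks out. The genesis anchor, the JSON framing and the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// AuditRecord: the pseudonymized record's fields plus PrevHash (back-link) and Hash (this record).
type AuditRecord struct {
	AuditID       string `json:"audit_id"`
	UserPseudonym string `json:"user_pseudonym"`
	Action        string `json:"action"`
	PolicyVersion string `json:"policy_version"`
	Decision      string `json:"decision"`
	PrevHash      string `json:"prev_hash"`
	Hash          string `json:"hash,omitempty"`
}

const genesisHash = "genesis" // assumed chain anchor; a published value in practice

// recordHash is SHA-256 over every field except Hash; struct marshaling has a fixed field order, so it is deterministic.
func recordHash(r AuditRecord) string {
	r.Hash = ""
	b, _ := json.Marshal(r)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Append is the only write path: it fills PrevHash from the current tail and computes Hash.
func Append(trail []AuditRecord, r AuditRecord) []AuditRecord {
	r.PrevHash = genesisHash
	if n := len(trail); n > 0 {
		r.PrevHash = trail[n-1].Hash
	}
	r.Hash = recordHash(r)
	return append(trail, r)
}

// Verify walks the chain from the anchor and reports the first record that fails, which is
// what an in-place edit (hash mismatch) or a removed record (back-link mismatch) produces.
func Verify(trail []AuditRecord) error {
	prev := genesisHash
	for i, r := range trail {
		if r.PrevHash != prev || recordHash(r) != r.Hash {
			return fmt.Errorf("record %d (%s): back-link or content does not verify", i, r.AuditID)
		}
		prev = r.Hash
	}
	return nil
}
```

Chaining alone does not reveal truncation of the newest records, so the tail hash must also be anchored outside the log, for example by periodically writing it to a separate store the audit service cannot rewrite.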

Decision replayability

$ axiosky audit replay --audit-id act_20250115_143218_a8f2

REPLAY RESULTS:
  Original Decision:  APPROVE
  Replayed Decision:  APPROVE
  Rules Evaluated:    3/3 matched
  Verdict:            DETERMINISTIC

Operational security & monitoring

Structured logging, metrics, distributed tracing, and alerting integrate with enterprise SIEM and observability stacks.

Observability integration

  • Structured JSON logs with automatic PII redaction and pseudonymized user identity.
  • Compatible with ELK, Splunk, Datadog, Sumo Logic, Azure Monitor.
  • Prometheus/OpenMetrics metrics; OpenTelemetry distributed traces across all layers.

Example structured log entry (JSON):

{
  "service":       "governor",
  "action":        "policy_evaluation",
  "decision":      "APPROVE",
  "duration_ms":   42
}

Security monitoring & alerting

  • GovernorUnavailable — critical if down >1 min.
  • HighEscalationRate — warning if >20% for 5 min.
  • AnomalousAgentActivity — warning if 3× normal rate.
  • AuditLogWriteFailure — critical on any write error.
  • SIEM export: Splunk, QRadar, Azure Sentinel, Google Chronicle.

Resilience, incident response & forensics

High-availability deployment options, configurable fail modes, documented incident lifecycle, and deep forensic capabilities.

High availability & disaster recovery

  • Active-active Governor/Orchestrator across multiple AZs; multi-region active-passive or active-active.
  • Design target: 99.9–99.99% uptime. RPO <1 min; RTO <5 min.

Fail modes

  • Fail-closed (default): Governor unreachable → Orchestrator blocks all actions and escalates to human review.
  • Fail-open (per workflow): configurable with compliance sign-off; all events flagged in audit logs.

Incident response

  • NIST SP 800-61 lifecycle: Detection → Triage → Containment → Eradication → Recovery → Post-mortem.
  • Critical (P0): acknowledge <1h; High (P1): acknowledge <4h.

Forensic capabilities

  • Full decision history with policy versions, inputs, outcomes, and cryptographic chain verification.
  • Time-range and attribute filtering; export as JSON, CSV, or Parquet.
  • Decision replay and "what-if" analysis with alternative policy versions.

Compliance, assessments & artifacts

Audit artifacts and assessment reports made available to customers and auditors under NDA.

Compliance alignment targets

  • SOC 2 Type II — Security, Availability, Confidentiality (target).
  • ISO 27001, NIST CSF, NIST SP 800-207 (Zero Trust) (alignment target).
  • GDPR, DPDP Act (India), and SOC 2-aligned data protection controls.

Formal third-party certifications are on the roadmap. Readiness documentation and architecture reviews are available under NDA. Axiosky does not claim certifications until independently verified.

Artifacts available under NDA

  • SOC 2 readiness documentation and third-party audit reports (in progress).
  • Penetration test summaries and remediation status (upon completion).
  • SBOM (CycloneDX / SPDX) with CVE references.
  • Architecture diagrams, data-flow diagrams, and threat models.
  • Policy mapping matrices and incident response plans.

How to request artifacts

Email security@axiosky.com with subject "Audit Pack Request — [Your Organization Name]" including your organization, requestor details, purpose, and NDA preference.

Acknowledgment within 2 business days; delivery within 1–2 weeks after NDA execution.

Secure development & supply chain

Secure SDLC across code review, automated security testing, dependency management, SBOM generation, and signed releases.

Development security

  • Branch protection: main and release/* require reviewed PRs.
  • SAST via Semgrep; Critical/High findings block merge.
  • Dependency scanning with Snyk, Dependabot, and Trivy — daily scans.
  • Distroless container base images; image scanning on build and daily re-scan.

SBOM & artifact signing

  • SBOMs at build time in CycloneDX / SPDX with versions, licenses, SHA-256 hashes, and CVE refs.
  • Policy packages signed with Ed25519/RSA-4096; images signed via Cosign/Sigstore.
  • SLSA provenance attestations; signature verification enforced at deploy.
  • GPG-signed release artifacts with published SHA-256 checksums.

Penetration testing & vulnerability disclosure

Periodic third-party security assessments and an open responsible disclosure channel.

Penetration testing program

  • Pre-release, annual, and post-significant-change assessments by independent third parties.
  • Scope: OWASP Top 10, API security, network segmentation, auth bypass, audit log tampering, policy signing bypass, privilege escalation.
  • Reports distributed under NDA with remediation validation.

Responsible vulnerability disclosure

  • Report to security@axiosky.com — subject: "Vulnerability Report".
  • Acknowledgment within 2 business days; triage within 5 business days.
  • Critical — hotfix within 7 days. High — patch within 30 days.
  • Coordinated disclosure: 90 days default (negotiable).
  • Good-faith research will not result in legal action.

Deployment models & hardening

Managed cloud, on-premises, air-gapped, and hybrid deployments — all with reference architectures and hardening checklists.

Managed cloud (SaaS)

  • Axiosky operates infrastructure on AWS, Azure, or GCP.
  • VPC peering, PrivateLink, or IP-allowlisted HTTPS.
  • Regional data residency; optional customer-managed keys.

On-premises

  • Customer-operated Kubernetes or VMs.
  • Signed container images, Helm charts, deployment playbooks.
  • Customer manages network policies, CAs, and backups.

Air-gapped & hybrid

  • No external connectivity; updates via signed media with offline verification.
  • Hybrid: Governor/Orchestrator on-prem; agents in cloud via VPN/mTLS tunnels.
