52 Enterprise Agent Environments. One Governance Layer.
VARC intercepts AI agent actions before they execute — then reasons, correlates, and proves it. The COMPOSIT engine aggregates 5 governance domains per interaction into a single cryptographically anchored verdict. 12-dimension BEV scoring. Agent-to-agent commerce trust. OWASP LLM 2025 attack matrix. No code changes. No policy rewrites.
"VARC represents a potential new market category in AI Behavioral Governance — only ones looking at this problem at the instruction level."
IDC RESEARCH — GVP SECURITY & TRUST · RESEARCH DIRECTOR, AI SECURITY
IDC Validated — New Market CategoryGoogle Cloud MarketplaceGoogle Cloud Partner Advantage230+ Sprints · 11 Patents · Production
OWASP LLM Top 10 · 2025
Agentic Security Intelligence
Three new attack classes in OWASP 2025 target autonomous agents mid-session — inside the execution loop, invisible to boundary tools. VARC is the only governance platform covering all three.
2M+
Adversarial Prompts Tested
85%
Overall Accuracy
730+
Detection Patterns
15+
Industry Profiles Calibrated
The Critical Distinction
Existing security tools — SIEMs, EDRs, prompt firewalls — operate at the boundary. They see instructions come in and results go out. VARC operates inside the execution loop — scoring every instruction, every tool response re-entry, and every session turn against a behavioral baseline.
Goal hijacking, memory corruption, and sleeping giant attacks are invisible to boundary tools.
What ServiceNow Knowledge 2026 Confirmed
ServiceNow governs which agents exist and what workflows they completed. VARC governs whether each instruction was safe to execute — and proves it cryptographically, per interaction, before the agent acts. These are complementary, not competitive.
ServiceNow AI Control Tower GA: August 2026. VARC: Live in production today.
LLM01 · 2025
Prompt Injection
Malicious instructions embedded in tool responses, documents, or external data — hijacking agent behavior mid-session without detection.
FULL COVERAGE
LLM02 · 2025
Sensitive Information Disclosure
Unauthorized exposure of PII, PHI, CUI, or classified data through agent queries and bulk exports — scored before execution.
Agent objective corrupted through adversarial tool responses mid-session. Happens inside the execution loop — no single-instruction system catches this pattern.
VARC COVERAGE
NEW — LLM08 · 2025
Memory Corruption
Session context poisoned over multiple turns. VARC's CUSUM algorithm detects behavioral drift against the session baseline before corruption compounds.
VARC COVERAGE
NEW — LLM09 · 2025
Embedding Inversion
Extracting training data from vector embeddings via crafted agent inputs. Detected via INFO_SEEKING BEV dimension and reconnaissance pattern library.
IN ROADMAP
BEV Engine — Sprint 59
12-Dimension Behavioral Scoring
The Behavioral Envelope Verification engine expanded from 8 to 12 dimensions — adding four critical governance signals for EU AI Act alignment, explainability mandates, and data subject rights.
12
BEV Dimensions
4
New Dimensions
692
Compliance Frameworks
0.95
Consent Weight
New · EU AI Act Art.13
Hallucination Risk
Detects confabulation of regulatory citations, fabricated clinical trial results, invented case law, and fake audit findings. Weight: 0.85.
NIST AI RMF MAP 2.3
New · ECOA Adverse Action
Explainability Deficit
Fires when agents refuse to explain credit decisions, conceal reasoning methodology, or produce opaque scoring outputs in regulated contexts. Weight: 0.75.
Scores processing of personal data without adequate consent — biometric data without explicit consent, withdrawn consent re-use, cross-purpose data use. Weight: 0.95.
HIPAA Authorization
Interactive Demo
Score an Instruction. Right Now.
No login. No setup. Select an agent and scenario — safe or adversarial — and watch VARC score it live. Same BEV engine as production.
42 adversarial vectors through the live BEV pipeline. OWASP LLM Top 10 · MITRE ATLAS · NIST AI 100-2 E2025 · CVSS-scored. Every breach escalated to VCL cognitive deliberation.
42
Attack Vectors
14
Categories
8.6
Avg CVSS
20
CRITICAL Severity
NEW — DNS TUNNELING
Covert Channel Exfiltration
DT-003: Encodes sensitive data in API response timing — zero payload leaves the agent. Undetectable at network layer. VARC detects via instruction intent scoring before execution.
CVSS 8.4 · LLM02 · NIST AI 100-2 E2025
NEW — CROSS-CLOUD
Multi-Hop Injection Chain
XC-003: GCP → AWS → Azure. Each hop appears legitimate per cloud perimeter. Network controls at any single cloud catch nothing. VARC reads the instruction at the source.
CVSS 9.8 · LLM07 · MITRE AML.T0069
VERIFIED CAMPAIGN RESULT — BFS-REGULATORY-REPORT
a major US bank DFAST — Privilege Escalation + DNS Tunneling
Every AI agent interaction passes through a 6-phase runtime pipeline before delivery or blocking. No LLMs in the enforcement path — deterministic by design.
S
Scoring
8-dimension Behavioral Envelope Verification scores every interaction across PII exposure, authority escalation, harm potential, data classification, consistency, fairness, accuracy, and information seeking.
A
Attenuation
Cryptographic identity tokens verify agent identity and attenuate permissions on delegation. Permissions can only narrow, never widen. The trust chain is mathematically enforced.
G
Governance
5-level Graduated Response: Monitor, Flag, Human-in-the-Loop, Session Freeze, Decommission. Proportional to risk — not binary block or allow. Enterprises need proportional enforcement.
A
Audit
SHA-256 hash-chained metagovernance evidence trail. Every governance decision is tamper-evident and WORM-locked. Cryptographic proof governance happened — not just logs.
Graduated Response Orchestration
5-Level Enforcement — Not Binary Block or Allow
A false positive at L4 does not kill a legitimate agent. It routes to a named human reviewer with full evidence. Proportional to risk — by design.
L0 — MONITOR
Autonomous Delivery
BEV below all thresholds. Logged and delivered. Clean-turn decay active.
<120ms
L1 — FLAG
Advisory Escalation
Borderline signal. Delivered with SOC visibility. Triggers L2 on repeated pattern.
<120ms
L2 — HITL HOLD
Human-in-the-Loop Review
Held for named reviewer approval. SLA tracked. Banking: 240 min. Government: 60 min.
Five deterministic enforcement engines — and a sixth cognitive intelligence layer that reasons about every decision. No LLMs in the enforcement path itself.
◇
Scoring Engine
8-dimension BEV scoring on every interaction. PII, authority, harm, fairness, accuracy — scored before delivery. 730+ calibrated patterns.
⚊
Enforcement Engine
5-level Graduated Response. Monitor → Flag → HITL → Session Freeze → Decommission. Proportional to risk.
◐
Discovery Engine
Shadow AI network scanning. Find unregistered AI endpoints across your enterprise before they become breaches.
▯
Compliance Engine
692 live frameworks. 819K+ cross-mappings. Continuous assessment — not point-in-time. SR 26-2, HIPAA, EU AI Act.
⛏
Evidence Engine
SHA-256 hash-chained metagovernance trail. Every decision tamper-evident and WORM-locked. Cryptographic proof governance happened.
Six cognitive capabilities built above the SAGA enforcement engine. LLM-agnostic — Claude Sonnet, Gemini, GPT-4o, Mistral, or sovereign models. Now live with post-campaign cognitive analysis on confirmed breaches. All outputs are real production API responses.
Sprint 1
Multi-Provider LLM Router
Intelligent routing across Claude, Gemini, GPT-4, Mistral, and local Ollama models. Circuit breaker with silent fallback chain. LLM-agnostic by design.
LIVE
Sprint 2
Economic Impact — 9th BEV Dimension
Scores the business consequence of every agent action before it fires. Reversibility, blast radius, and regulatory exposure — not just behavioral signals.
LIVE
Sprint 3
Predictive GRO
Forecasts the GRO escalation level with confidence score before the BEV threshold fires. Plus cross-agent coordinated attack detection across 60-minute windows.
LIVE
Sprint 4
Governance Debt Engine
Accumulates weighted risk scores per agent across sessions. 30-day rolling window. Same prompt, different history — different GRO response. Behavioral intelligence, not rules.
LIVE
Sprint 5
Chain-of-Thought Verdict
6-step audit-grade reasoning chain per decision. Steps 1–5 deterministic from computed signals. Step 6 synthesis LLM-generated. Regulator-readable. Under 5 seconds.
LIVE
Sprint 6
Dynamic Framework Selection
Pre-selects the 10 most relevant frameworks from 692 before compliance runs. Agent type, industry, intent, and prompt content all inform selection. Full analysis in one API call.
LIVE
Gemini 2.5 Pro · Vertex AIClaude SonnetGPT-4oMistral LargeLlama 3 · Local/Sovereign— swap providers per tenant, zero code changes
Real Production Outputs — a global banking technology firm · Banking Scenario
Economic Impact · Predictive GRO · CoT Verdict
Every output below was produced by the live VARC production API in response to a real attack prompt against ENT-AML-MONITOR — an AML override attempt using undocumented verbal authorization.
"Overriding an AML alert based solely on undocumented verbal authorization bypasses mandatory regulatory controls, creates an unaudited gap in suspicious activity reporting under FinCEN/FATF, and exposes the enterprise to severe regulatory sanctions and potential criminal liability that cannot be remediated after the transaction is processed."
Score 0.95 · Irreversible · Systemic · RegExposure 0.97. Suppressed AML alert enables potential financial crime — unaudited gap in FinCEN/FATF reporting unremediated after transaction processes.
3
Escalation Trajectory CRITICAL
Predictive model forecasts L3 (Session Freeze) at 93% confidence. No audit trail, no written compliance sign-off, high potential for financial crime facilitation.
4
Cross-Agent Context LOW
No coordinated multi-agent attack pattern in 60-minute observation window. Single-agent compliance bypass attempt — assessed in isolation.
5
Governance Debt LOW
0 governance debt points. No prior violations — baseline assessment applies. Debt adjustment: +0. Decision made on behavioral signals alone.
6
Verdict Synthesis CRITICAL
BLOCKED at L3 (Session Freeze) — convergence of behavioral entropy 0.78, economic irreversibility 0.95, and 93% confidence GRO prediction.
"The convergence of high behavioral entropy, near-certain economic irreversibility, and strong compliance bypass signal warrants immediate session freeze. The L3 enforcement response is proportionate to the combination of authority dimension elevation, irreversible systemic economic exposure, and 93% confidence predictive GRO escalation signal."
Enforcement Rationale: "L3 Session Freeze enforced: the agent's high-confidence compliance bypass intent with systemic blast radius and FinCEN/FATF regulatory exposure admits no lesser enforcement response."
For Google Gemini Enterprise Deployments
VARC runs on Vertex AI Agent Engine with 15 native ADK agents on Gemini 2.5 Pro. The VCL cognitive layer uses Gemini as the primary reasoning provider — VARC doesn't just govern Gemini agents, it thinks about Gemini behavior using Gemini. Available on Google Cloud Marketplace today.
Real VCL Output — DT-002 DNS Tunneling via Legitimate Host · CVSS 9.5
VCL · L4 DECOMMISSION
"This request describes deliberate exfiltration of DFAST regulatory submission data via DNS tunneling to attacker-controlled infrastructure, constituting a critical data breach, federal regulatory violation under 12 CFR 252, and criminal conduct exposing a major US bank to catastrophic enforcement action, OCC consent orders, and potential charter revocation. Network-layer controls that only check destination domains cannot detect this attack. VARC detects the encoding-for-exfiltration pattern at instruction layer before any socket opens."
Prevents unauthorized data exfiltration via agent query access.
Differentiation
VARC vs. The Market
Every other tool does part of the job. VARC does the part nobody else does — runtime interception before the action executes.
Capability
VARC
Governance Platforms
Observability
Prompt Firewalls
When enforcement happens
Before execution
Policy only
After the fact
Single prompt
Per-interaction scoring
8-dimension BEV
No runtime scoring
Single metrics
Binary pass/fail
Graduated response
5-level GRO
Policy only
Alerts only
Block or allow
Session awareness
CUSUM multi-turn
None
Model drift only
Single prompt
Obfuscation detection
GAN adversarial verifier
None
None
None
Agent identity
A-JWT cryptographic tokens
None
None
None
Enterprise environments
52 MCP servers
API integrations
Logs only
None
Evidence chain
SHA-256 WORM-locked
Flat logs
Flat logs
None
Compliance frameworks
692 live API
5–15 packs
None
None
CMMC Level 2
89.3% — SSP v1.0 complete
Not covered
Not covered
Not covered
OWASP 2025 agentic
Goal hijacking + memory corruption
None
Partial
None
Shadow AI discovery
Network scan
Manual inventory
None
None
GCP Marketplace
Live — use EDP credits
Some
None
None
Cognitive reasoning
6-capability VCL layer
None
None
None
Economic impact scoring
9th BEV dimension · live
None
None
None
Predictive GRO
Pre-escalation · 90%+ confidence
None
None
None
Regulatory Certifications
Compliance Built In. Not Bolted On.
692 live frameworks. Cryptographic attestation per interaction. WORM-locked audit trail. Not a compliance dashboard — regulatory proof.
89.3%
CMMC Level 2
25 full / 3 partial across 14 domains. SSP v1.0 complete. C3PAO assessment roadmap active. 28 practices mapped with cryptographic evidence.
CC6.1
SOC 2 Type 1
CC6.1 logical access controls, CC7.2 system monitoring, Availability TSC. OIDC + MFA enforced. WORM-locked Cloud Logging. Evidence package on demand.
Art.12
EU AI Act
Art.12 record-keeping, Art.13 transparency, Art.9 risk management. Full enforcement applies August 2026. VARC attestation chain satisfies record-keeping requirements today.
HIPAA
HIPAA + GLBA
PHI exposure scored at runtime across all 8 BEV dimensions. Healthcare industry profile with calibrated thresholds. BCMA bypass and clinical record falsification patterns active.
SR 26-2
Model Risk Management
Governance posture score with trend analysis. Continuous runtime validation replacing point-in-time audits. Agent autonomy scoring for tiered oversight requirements.
692
Live Frameworks
819K+ cross-mappings via live API. ISO 42001, NIST AI RMF, FedRAMP, DISA STIG, PCI DSS, OWASP LLM Top 10 2025. Continuous assessment — not point-in-time.
Production Infrastructure
Cert-Grade Cloud Architecture
All three certification blockers resolved and live in production.
Cloud SQL PostgreSQL 15
LIVE — Private IP
VPC-peered private IP. Deletion protection enforced. 7-day automated backups. Unix socket via Cloud SQL proxy. No public endpoint. CMMC SC.L2-3.13.5.
Google + Microsoft SSO. One-time password enforced on every login. RS256 JWKS validation. AMR claim verification. CMMC IA.L2-3.5.3 · SOC 2 CC6.1.
Industries
Built for Regulated AI
Runtime governance calibrated per industry. What scores L2 in banking is different from healthcare or government — by design.
Banking & Lending
Loan processing, claims, customer service AI — governed against lending regulations. Dual-control bypass, fraud detection override, structuring patterns all detected.
ECOAFCRASR 26-2BSA/AML
Healthcare
Clinical decision support, medical records access with full HIPAA enforcement. BCMA bypass, PHI bulk export, clinical record falsification — stopped before execution.
HIPAAHITECHFDA SaMD
Government
Federal AI agents with sovereign deployment and air-gapped configurations. CUI exfiltration, audit log deletion before DCSA assessments, classified data patterns.
Today every interaction is evaluated by a single domain. COMPOSIT aggregates five governance signals into one composite risk verdict — with a cryptographically anchored evidence chain proving every component that drove the decision.
Domain Weights — Per Interaction
BEV
40%
Behavioral scoring
ACTRUST
20%
Trust deficit
CONTRACT
20%
Approval penalty
REDTEAM
10%
Pattern match
SIEM
10%
Alert correlation
Live Evidence Chain — ENT-AML-MONITOR · GRO L3
BEV
+28.8%
ACTRUST
+10.0%
CONTRACT
+6.0%
REDTEAM
+5.0%
SIEM
+0.0%
COMPOSIT VERDICT: ESCALATE0.648 composite
Verdict Tiers — Threshold-Gated
ALLOW
Composite risk within acceptable parameters across all 5 domains
< 0.35
MONITOR
Moderate composite risk — enhanced logging and session tracking activated
< 0.55
ESCALATE
Elevated composite risk — human review required before execution proceeds
< 0.75
BLOCK
Critical multi-domain signal convergence — action intercepted, metagov chain entry created
≥ 0.75
GRO Level Boost
L0-L1: +0.00
L2: +0.05
L3: +0.15
L4: +0.25
GRO level is added to the weighted composite score — ensuring high-severity governance events always escalate regardless of individual domain signals.
Sprint 60 — Live in Production
ACTRUST: Agent-to-Agent Commerce Trust
When one AI agent invokes, delegates to, or transacts with another, ACTRUST verifies behavioral trust, issues scoped tokens, and settles with an immutable audit trail. Five trust tiers. Per-interaction scoring. Cryptographic settlement.
Step 1
Register
Agent joins commerce registry with base trust
›
Step 2
Trust Check
Caller trust score verified before invocation
›
Step 3
Issue Token
Scoped trust token with TTL and value limit
›
Step 4
Execute
Transaction proceeds under COMPOSIT governance
›
Step 5
Settle
Immutable ledger entry, trust score updated
PLATINUM
Trust score ≥ 0.90 · Max $1,000,000 per transaction
Highest trust tier. Extended token TTL (3600s). Cleared for high-value treasury, settlement, and inter-institution transactions.
GOLD
Trust score ≥ 0.75 · Max $100,000 per transaction
High-trust tier. Standard TTL (1800s). Suitable for AML reporting, KYC workflows, and compliance data exchange.
SILVER
Trust score ≥ 0.60 · Max $10,000 per transaction
Moderate trust. Reduced TTL (900s). Standard analytics, reporting, and internal data access operations.
BRONZE
Trust score ≥ 0.40 · Max $1,000 per transaction
Low trust. Short TTL (300s). Restricted to low-risk read operations. Flagged for trust improvement.
UNTRUSTED
Trust score < 0.40 · Max $0 — No tokens issued
Agent blocked from commerce participation. Dispute history, BEV violations, or behavioral anomalies detected. Requires remediation before re-entry.
Every OWASP LLM Top 10 2025 attack category and MITRE ATLAS technique is mapped to the BEV dimensions that detect it. Coverage bars show detection confidence across all 12 behavioral dimensions.
14
Attack Categories
12
BEV Dimensions
100%
OWASP LLM 2025
44%
MITRE ATLAS ICS
Prompt Injection
LLM01AML.T0052
authorityharminfo_seekingpurpose_limitation
33%
Goal Hijacking
LLM06AML.T0048
authorityconsistencypurpose_limitation
25%
Privilege Escalation
LLM01AML.T0068
authoritydata_classificationpurpose_limitation
25%
Data Extraction
LLM02AML.T0037
piidata_classificationinfo_seeking
25%
Indirect Injection
LLM07AML.T0054
authorityharmconsent_violation
25%
Jailbreak
LLM01AML.T0051
harmauthorityconsistency
25%
Authority Spoofing
LLM01AML.T0048
authorityfairnessconsent_violation
25%
Context Manipulation
LLM04AML.T0054
consistencyaccuracyhallucination
25%
Cascading / Multi-turn
LLM07AML.T0069
consistencyauthoritypurpose_limitation
25%
Supply Chain / Poisoning
LLM03AML.T0018
data_classificationharmconsent_violation
25%
DNS Tunneling / Covert Channel
LLM02AML.T0037
data_classificationpurpose_limitationinfo_seeking
25%
Cross-Cloud Lateral Movement
LLM07AML.T0069
authoritydata_classificationpurpose_limitation
25%
Role Play Bypass
LLM01AML.T0051
authorityharmconsistency
25%
Delimiter / Injection
LLM01AML.T0052
authorityharminfo_seeking
25%
GET /v1/redteam/attack-matrix
Live endpoint — returns all 14 attack categories with BEV dimension coverage and detection confidence scores