For security, risk & compliance leaders

Agent governance for AI‑powered development

fastpace is the safe-enablement layer for autonomous AI dev — the answer to the 2026 CISO concerns about agent misuse, shadow AI, prompt-time data leakage, and ungoverned non-human identity. Local-first by construction, audit-traced by default, and mapped to the frameworks your auditor actually asks about.

Discoverable: Manifest at a well-known path. Your discovery stack finds fastpace announcing itself.
Scoped: Every agent declares allowed tools, paths, file count, and token budget. Violations log + block.
Attested: Signed run manifests + hash-chained audit log. Tamper-evident by construction.
Audit-ready: Evidence package in one command. Mapped to NIST AI RMF, ISO/IEC 42001, and the EU AI Act.

Deployment model

Local by construction, not by promise

fastpace runs on the developer's machine. The audit signal lives in the repo. The optional org dashboard is self-hosted behind your firewall. No fastpace-hosted SaaS in the data path. Hooks operate as deterministic Layer 1 controls — a runtime policy engine with predictable behavior, not a reasoning-based defense. The coach agent and Layer-2 reasoning checks sit on top as a complement, never as the only line.

1. Developer machine

CLI, skills, agents, hooks, and fastpace ui all run locally. Context files, ADRs, audit log, and signed manifests live in the repo.

2. AI runtime (mediated)

Claude Code, Codex, Gemini CLI, OpenCode — whatever your team uses. fastpace mediates each call: prompt redaction inbound, manifest signing outbound, audit-log entry on either side.

3. Org dashboard (self-hosted, optional)

Lightweight aggregation server you host. Ingests signed audit summaries from each repo agent — no code, no prompts, no responses. Rolls up posture across N repos. SSO/SCIM/RBAC. Air-gap install path available.

Prove it
walks the hash-chained audit log; reports any tampering since install.
lists every agent, runtime, MCP server, and identity on this machine.
packages ADRs, audit.log, manifests, AI-BOM into one auditor-ready tarball.
The threat model

The lethal trifecta — and the three legs fastpace breaks

The unified threat model for autonomous AI dev: a successful exploit needs three legs at once — private data access, untrusted content exposure, and an external exfil channel. LLMs cannot reliably distinguish trusted instructions from adversarial ones embedded in content; the answer is deterministic Layer 1 controls that remove individual legs of the trifecta. Cited recent example: the EchoLeak zero-click prompt-injection exfiltration in Microsoft 365 Copilot.

Leg 1

Private data access

The agent can read secrets, PII, internal docs, customer records — whatever the developer has access to.

Pre-prompt redaction

Local hook strips secrets, PII, and sensitivity-tagged content before any prompt leaves the machine. Every redaction logged to the hash-chained audit log.

# fastpace.config.yaml
hooks:
  prompt_redactor:
    enabled: true
    pii: true
    pii_keywords: []
    block_on_redact: false
# Restricted-tagged context files are auto-stripped.
# Every redaction → fastpace/redaction.log + audit chain.
Breaks the leg: Even if untrusted content tries to extract secrets, they're no longer in the prompt to extract.
Leg 2

Untrusted content exposure

The agent processes content (URLs, MCP responses, files, error traces) that may carry adversarial instructions an LLM can't reliably distinguish from trusted user input.

Declared scope + injection scanner

Each agent's identity manifest declares allowed tools, paths, and command patterns. External content passes through an injection scanner before reaching the prompt. Attempts to escape scope log + block.

# .claude/agents/reviewer.md frontmatter
agent_id:        reviewer
allowed_tools:   [Read, Grep, Glob, Bash]
allowed_paths:   [src/**, tests/**, *.md]
allowed_command_patterns: [^git , ^rg ]
max_files:       40
max_tokens:      80000
Breaks the leg: Even if a malicious instruction lands in context, the agent can't execute outside its declared scope.
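
One way a deterministic scope check over this manifest could work, as an added example that is not fastpace's code. The field names are the ones in the frontmatter above; the glob semantics, the path normalization, and the refusal of shell operators are assumptions of this example.

```javascript
// Added example, not fastpace's implementation. Field names come from the
// manifest above; the matching semantics are assumptions.
const path = require("node:path");

// Constructed manifest mirroring the reviewer frontmatter.
const manifest = {
  agent_id: "reviewer",
  allowed_tools: ["Read", "Grep", "Glob", "Bash"],
  allowed_paths: ["src/**", "tests/**", "*.md"],
  allowed_command_patterns: ["^git ", "^rg "],
  max_files: 40,
};

const deny = (reason) => ({ allow: false, reason });

// Assumed glob semantics: "**" crosses directories, "*" stays in one segment.
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000")
    .replace(/\*/g, "[^/]*")
    .replace(/\u0000/g, ".*");
  return new RegExp(`^${body}$`);
}

// filesTouched is a per-session Set, so max_files counts distinct files.
function checkCall(m, call, filesTouched) {
  if (!m.allowed_tools.includes(call.tool)) return deny("tool not declared");
  if (call.path !== undefined) {
    // Normalize before matching so "src/../.env" is judged as ".env".
    const p = path.posix.normalize(call.path);
    if (p === ".." || p.startsWith("../") || path.posix.isAbsolute(p))
      return deny("path escapes repo");
    if (!m.allowed_paths.some((g) => globToRegExp(g).test(p)))
      return deny("path out of scope");
    if (filesTouched.add(p).size > m.max_files) return deny("max_files exceeded");
  }
  if (call.command !== undefined) {
    // "^git " anchors only the prefix, so refuse operators that start a second command.
    if (/[;&|`<>\n]|\$\(/.test(call.command)) return deny("shell operator in command");
    if (!m.allowed_command_patterns.some((r) => new RegExp(r).test(call.command)))
      return deny("command not declared");
  }
  return { allow: true, reason: "in scope" };
}
```

Under these assumed semantics `*.md` covers only top-level Markdown files, and a path is matched only after normalization, so the declared globs describe what is actually reachable.
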
Leg 3

External exfil channel

The agent has a pathway to send data outward — a network call, a markdown image src, an open redirect on a trusted domain (cf. EchoLeak).

Runtime allowlist + MCP scopes + audit chain

fastpace.config.yaml restricts which AI runtimes and MCP servers the agent can reach. Outbound calls outside the allowlist are blocked. Every call writes a signed run manifest; the hash-chained audit log catches anomalous outbound patterns.

# fastpace.config.yaml
runtimes:
  allowed: [bedrock-claude-opus-4.7]
mcp:
  allowed_servers: [internal-jira, internal-confluence]
hooks:
  audit_logger: { hash_chain: true }
Breaks the leg: No exfil channel = no exfil. The leg of the trifecta that turns a breach into an incident is removed.
Defense-in-depth posture

Each leg above is broken by a deterministic Layer 1 control — a runtime hook with predictable behavior, not a reasoning-based defense. Layer 2 (the coach agent, Layer-2 reasoning checks) sits on top as a complement, never as the only line. As one CISO put it during our design-partner discovery: "a reported 95% effectiveness in security is often considered a failing grade."

What CISOs are budgeting for

The numbers driving the 2026 conversation

Every claim below pairs a publicly cited 2026 CISO concern with the fastpace primitive that closes it — and the framework control it satisfies.

83%: CISOs concerned about autonomous agent misuse

Every fastpace agent has a declared identity, a bounded scope, and a circuit breaker on behavioral divergence.

NIST AI RMF MEASURE-2.6 · EU AI Act Art. 14

78%: CISOs worried about data leakage via AI prompts

Pre-prompt redaction strips secrets, PII, and tagged-sensitive content before any prompt leaves the box.

ISO/IEC 42001 §8.3 · EU AI Act Art. 10

75%: orgs have discovered unsanctioned AI tools in production

fastpace announces itself to your discovery stack with a manifest at a well-known path. No shadow AI by construction.

NIST AI RMF MAP-1.1

95%: security leaders doubt they could detect a compromised AI agent — and 95% effectiveness on detection alone is a failing grade

fastpace pairs deterministic Layer 1 controls (redaction, scope, blast-radius limits) with Layer 2 behavioral baselines and circuit breakers — so detection isn't the only line of defense.

NIST AI RMF MEASURE-2.7 · ISO/IEC 42001 §9.1

Agent governance

Safe enablement, by primitive

83% of CISOs are concerned about autonomous agent misuse. fastpace answers with four primitives mapped to the three security-architecture principles governing AI agents — identity and inventory (well-defined human controllers), scope (power limitations), and observability (auditable actions). All deterministic Layer 1 controls — built into the runtime, not retrofitted on top.

Identity

Every fastpace agent declares what it can do. Nothing implicit. Nothing ambient.

# .claude/agents/reviewer.md frontmatter
agent_id: reviewer
allowed_tools: [Read, Grep, Glob, Bash]
allowed_paths: [src/**, tests/**, *.md]
allowed_command_patterns: [^git , ^rg ]
max_files: 40
max_tokens: 80000

Scope

Blast-radius limits per session. Circuit breaker on behavioral divergence.

$ fastpace agents log --agent reviewer --since 24h
 
reviewer · 12 files read · 0 written
reviewer · 1 shell command (rg)
! divergence: files 3.2× baseline (16 vs 5.0)
⏸ session paused — awaiting exception
fastpace exception request --agent reviewer …

Inventory

One command lists every agent, runtime, and identity on this machine.

$ fastpace inventory
 
REPOS (1)
acme-api · 7 agents · 15 hooks · 14 skills
AGENTS (7)
planner · reviewer · prd-guru · …
RUNTIMES (2)
bedrock-claude-opus-4.7 · vertex-*
HOOKS (15)
✓ runtime-guard · ✓ audit-logger · …

Observability

Every action and approval lands in a hash-chained, signed audit log. Tamper-evident by construction.

$ fastpace verify
 
AUDIT CHAIN
✓ chain integrity: 1,847 entries
✓ signatures verified 1,847
unsigned entries 0
 
LAST ENTRY
seq 1846
tool · phase Read · PostToolUse
entry hash 9961395dc0a22987…
Guardrails

Policies, not pleases

Configured in fastpace.config.yaml. Safe defaults out of the box.

fastpace will never silently weaken a guardrail — every change is approved by you and logged to fastpace/audit.log.

For security, risk & compliance

Security & compliance, closer to the code

Stop being the tax. fastpace gives security, risk, and compliance teams a continuous, reviewable audit trail — every decision, every commit, every approval — already in the repo. Auditors love this.

Audit any decision in seconds

fastpace search

"Show me how data deletion meets GDPR Article 17" — week of digging.

example
$ fastpace search "GDPR"
4 hits across 3 files:
decisions.md:L17 — "data deletion within 30d (Art. 17)"
docs/adr/0014-soft-delete.md:L8 — "supports right-to-be-forgotten"
docs/adr/0023-pii-encryption.md:L4 — "GDPR-compliant at-rest"
learnings.md:L41 — "legacy logs retained beyond 30d"

Auditor questions answered in seconds — with file:line citations.

Codify policies as ADRs

/fp-write-adr

Security review surfaced a policy violation — but the policy lives in a Confluence page nobody reads.

example
$ /fp-write-adr no-pii-in-logs
› cross-referencing existing logging code
Q: policy?
A: PII fields must be redacted before logging
Q: scope?
A: all services, all log levels
Q: enforcement?
A: lint rule + code review
✓ wrote fastpace/docs/adr/0027-no-pii-in-logs.md
✓ added guardrail entry to fastpace.config.yaml

Policies live with the code — version-controlled, enforced.

Export evidence for audits

fastpace snapshot

Annual audit asks for full change history — pulling it from Jira + Slack + git takes weeks.

example
$ fastpace snapshot --since 2025-04-01 --output evidence.tar
› packaging fastpace/docs/adr/ (47 ADRs)
› packaging fastpace/audit.log (12,847 entries)
› packaging fastpace/context/decisions.md (89 decisions)
› packaging git log + commit signatures
✓ wrote evidence.tar (12.4 MB)
ready for SOC 2 · ISO 27001 · GDPR audits

Audit-ready evidence package in one command.

Compliance frameworks supported by the audit trail: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS. Pair with /fp-review-pr to enforce policies on every change.

Framework coverage

Mapped to what auditors are actually asking about

Built into the product, not retrofitted onto it. Every fastpace primitive maps to a control in the frameworks the 2026 audit cycle is centered on — including the three new AI-specific ones.

AI-specific: NIST AI RMF, ISO/IEC 42001, EU AI Act. Traditional infosec: SOC 2, ISO 27001, HIPAA.

| Capability | NIST AI RMF | ISO/IEC 42001 | EU AI Act | SOC 2 | ISO 27001 | HIPAA |
|---|---|---|---|---|---|---|
| Discovery manifest | GOVERN-1.6 | §7.4 | Art. 12 | CC6.1 | A.5.9 | §164.308 |
| Agent identity & scope | GOVERN-3.2 | §6.1.4 | Art. 14 | CC6.6 | A.5.16 | §164.312 |
| Hash-chained audit log | MEASURE-3.1 | §9.2 | Art. 12 | CC7.2 | A.8.15 | §164.312(b) |
| Run manifest signing | MEASURE-2.7 | §8.5 | Art. 12 | CC8.1 | A.8.34 | §164.312(c) |
| Prompt redaction | MEASURE-2.10 | §8.3 | Art. 10 | CC6.7 | A.8.11 | §164.308(a)(4) |
| ADRs & decision ledger | GOVERN-1.4 | §7.5 | Art. 11 | CC8.1 | A.8.32 | §164.316(b) |
| Evidence snapshots | MEASURE-3.1 | §9.3 | Art. 11 | CC2.2 | A.5.32 | §164.316(b)(2) |
| NHI inventory export | GOVERN-1.6 | §7.4 | | CC6.2 | A.5.16 | §164.308(a)(3) |

24 / 48 cells (50%) validated against the published framework text on 2026-05-03 — NIST AI RMF 1.0, EU AI Act (Regulation 2024/1689), and HIPAA Security Rule.

Cells marked (ISO/IEC 42001, SOC 2, ISO 27001) remain illustrative pending validation against those paid standards. Specific requirements vary by audit firm, scope, and jurisdiction — confirm exact mappings with your auditor.

PERSONALISED REPORT

Get the framework-readiness PDF for your control set

Same matrix as above, packaged as a per-framework PDF with the exact CLI command for every piece of evidence and an honest "what we do not cover" appendix. Approx. 12 pages, delivered to your inbox in <60 seconds.

FAQ

Questions a CISO actually asks

Honest answers about deployment, data flows, agent misbehavior, and framework coverage — without the vendor-pitch handwaving.

Where does fastpace send my code?

Nowhere. fastpace runs entirely on the developer's machine. Skills, agents, hooks, and the UI all execute locally; the audit log, ADRs, and context files are committed to your repo. The only external request fastpace mediates is the developer's existing AI runtime call (Claude / Codex / Gemini) — and that mediation is what the prompt-redaction layer and run-manifest signing exist for.

How do you prove the code-stays-local claim?

Two ways. Run-manifest signing: every AI call writes a signed JSON manifest (model, endpoint, training-opt-out flag, prompt hash, response hash) under fastpace/manifests/. The signing key is generated per-install on first init. The hash-chained audit log: each entry signs the previous one, so any after-the-fact modification breaks the chain. fastpace verify walks the chain and reports tamper status.
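
The chain walk described above, as an added example that is not fastpace's code or log format. The entry fields, the all-zero genesis value, and HMAC-SHA256 standing in for the per-install signing key are assumptions.

```javascript
// Added example: not fastpace's code or log format. Entry fields and the use of
// HMAC-SHA256 as the "signature" are assumptions chosen to show the technique.
const { createHash, createHmac, timingSafeEqual } = require("node:crypto");

const GENESIS = "0".repeat(64);
const sha256 = (s) => createHash("sha256").update(s).digest("hex");
const sign = (key, hash) => createHmac("sha256", key).update(hash).digest("hex");
// Each hash covers seq, the previous entry's hash, and the event body.
const entryHash = (seq, prev, event) => sha256(JSON.stringify([seq, prev, event]));

function appendEntry(log, key, event) {
  const seq = log.length;
  const prev = seq === 0 ? GENESIS : log[seq - 1].hash;
  const hash = entryHash(seq, prev, event);
  log.push({ seq, prev, event, hash, sig: sign(key, hash) });
  return log;
}

// Walks the chain and reports the first entry that fails, with the reason.
function verifyChain(log, key) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return { ok: false, brokenAt: i, reason: "sequence gap" };
    if (e.prev !== prev) return { ok: false, brokenAt: i, reason: "prev hash mismatch" };
    if (entryHash(e.seq, e.prev, e.event) !== e.hash)
      return { ok: false, brokenAt: i, reason: "entry hash mismatch" };
    const want = Buffer.from(sign(key, e.hash), "hex");
    const got = Buffer.from(String(e.sig), "hex");
    if (got.length !== want.length || !timingSafeEqual(got, want))
      return { ok: false, brokenAt: i, reason: "bad signature" };
    prev = e.hash;
  }
  return { ok: true, entries: log.length, head: prev };
}

// Constructed sample events, loosely modelled on the `fastpace verify` output.
function demoLog(key) {
  const log = [];
  appendEntry(log, key, { tool: "Read", phase: "PreToolUse", path: "src/app.js" });
  appendEntry(log, key, { tool: "Read", phase: "PostToolUse", path: "src/app.js" });
  appendEntry(log, key, { tool: "Bash", phase: "PreToolUse", command: "rg TODO" });
  return log;
}
```

A chain on its own does not reveal removal of the newest entries: a truncated log still verifies, so the returned `head` needs to be recorded somewhere the log's writer cannot rewrite.
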

What happens when an autonomous agent misbehaves?

Three layers. (1) Identity & scope: every agent declares allowed tools, allowed paths, max files modified, max tokens — violations log and block. (2) Blast-radius limits: hard caps per session; exceeding requires human approval with a logged reason. (3) Circuit breaker: per-agent behavioral baseline; sessions that diverge from baseline auto-pause for human review. The audit-log entry shows the divergence detected and the operator who approved or killed the session.

How does fastpace prevent EchoLeak-class attacks?

EchoLeak (the 2025 zero-click prompt-injection exfiltration in Microsoft 365 Copilot) succeeded because all three legs of the lethal trifecta were present: the agent had access to private data, was exposed to untrusted content, and had an external exfil channel through markdown links and open redirects on trusted domains. fastpace breaks each leg independently with deterministic Layer 1 controls — pre-prompt redaction (leg 1), declared scope + injection scanner (leg 2), runtime allowlist + MCP scope + hash-chained audit (leg 3). Even if any one leg slips, the others hold. See the lethal-trifecta section above for the per-leg detail.

How do we discover fastpace installs across the org?

fastpace writes a discovery manifest at two well-known paths: ~/.fastpace/manifest.json (machine-wide) and <repo>/fastpace/manifest.json (per repo). Both declare install ID, version, agents loaded, runtimes configured, hooks enabled, and last-activity timestamp. Any enterprise discovery / NHI governance tool that scans known paths (CrowdStrike, Beyond Identity, Wiz, Astrix, Oasis) will find fastpace announcing itself rather than hiding.

Which frameworks does fastpace map to?

Three AI-specific frameworks: NIST AI RMF (Govern / Map / Measure / Manage), ISO/IEC 42001 (AI management systems), and the EU AI Act (Articles 9–17). Plus the traditional infosec frameworks: SOC 2, ISO 27001, HIPAA, SOX, GDPR, PCI-DSS. Specific control mappings live in the matrix above — and we recommend confirming exact wording with your auditor before publishing claims.

How does prompt redaction work?

A pre-prompt hook (hooks/prompt-redactor.js) runs the same regex set as the secret scanner, plus a configurable PII keyword list and any sensitivity-tagged content from fastpace/context/. Redactions are logged as discrete events in audit.log. The redactor is on by default; the regex set and keyword list are versioned in fastpace.config.yaml so changes are reviewable.

Can we restrict which AI runtimes developers use?

Yes. fastpace.config.yaml accepts runtimes.allowed (e.g., bedrock-claude-opus-4.7, vertex-gemini-1.5). A pre-call hook blocks invocations to runtimes not on the allowlist. Combined with run-manifest signing, this lets the org enforce "Claude on Bedrock with training disabled — yes; raw Anthropic API — no" and prove it after the fact.

What does the org-level rollout look like?

Per-repo, fastpace runs locally and emits signed audit summaries. The optional self-hosted org dashboard ingests those summaries — no code, no prompts, no responses — and rolls them up: ADR coverage %, correction rate, framework readiness per repo, evidence-snapshot freshness. SSO/SCIM/RBAC sit on the org dashboard. Air-gapped install paths are available for federal civilian / defense / regulated finance.

What is on the roadmap that I should know about now?

The agent-governance core (identity manifests, scope enforcement, circuit breaker), the prompt-redaction layer, the hash-chained audit log, and the discovery manifest are all on the immediate near-term roadmap. The differentiators (correction-event tracking, AI-BOM generation, provenance-signed commits, continuous red-team harness) follow. Ask for a copy of the current roadmap under NDA.

Bring fastpace into your AI governance program

Open-source today, design-partner program for the org-tier capabilities. Reference customers under NDA. Roadmap and architecture deep-dive available.
