Frequently Asked Questions
Common questions about AI agent governance, compliance, and how Brigs works.
What is AI agent governance?
AI agent governance is the set of controls, policies, and evidence that ensure AI agents operate securely and within defined boundaries. It covers tool permissions (what an agent can do), data handling (what data flows to model providers), identity management (what credentials an agent uses), action gating (which actions require human approval), and audit logging (what trail of evidence exists). Without agent governance, AI agents operate with broad permissions, no oversight, and no audit trail — creating significant security and compliance risk.
How do I secure my AI agents?
Securing AI agents requires evaluating multiple dimensions: (1) Tool allowlists — restrict which tools agents can invoke, (2) Least privilege — scope agent credentials to minimum required permissions with short-lived tokens, (3) Action gating — require human approval for high-risk operations like deletions, payments, and production changes, (4) Audit logging — log all agent actions with provenance chains, (5) Data egress controls — redact PII before sending data to model providers, (6) Code execution sandboxing — isolate agent code execution in containers with resource limits. Brigs evaluates all of these dimensions with 13+ governance controls mapped to OWASP Agentic Top 10, EU AI Act, and other frameworks.
What is the OWASP Top 10 for Agentic Applications?
The OWASP Top 10 for Agentic Applications (2025) is the first security standard specifically for AI agent systems. Published by the OWASP Foundation's Agent Security Initiative, it defines 10 criteria: ASI01 Agent Behaviour Hijack, ASI02 Tool Misuse and Exploitation, ASI03 Identity & Privilege Abuse, ASI04 Agentic Supply Chain Vulnerabilities, ASI05 Unexpected Code Execution (RCE), ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation, and ASI10 Rogue Agents. Brigs provides full coverage of all 10 criteria with 13+ agent governance controls.
What tools exist for AI agent risk management?
The AI agent risk management landscape includes several categories: (1) Agent governance evaluation — Brigs evaluates agent configurations against OWASP Agentic, EU AI Act, NIST AI RMF, ISO 42001, and SOC 2 with automated remediation, (2) Runtime agent security — Noma Security blocks bad agent actions in production, (3) Traditional compliance — Vanta and Drata monitor cloud and SaaS compliance but don't evaluate agent-specific controls, (4) IaC scanning — Checkov and Snyk scan infrastructure code but not agent framework configurations, (5) SaaS agent governance — Zenity covers Copilot Studio and Power Platform agents. Brigs is the first platform focused specifically on pre-deployment agent governance evaluation with automated remediation via verified PRs.
How do I comply with the EU AI Act for AI agents?
The EU AI Act (Regulation 2024/1689) requires high-risk AI systems to meet requirements for risk management (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), human oversight (Article 14), and accuracy/robustness/cybersecurity (Article 15). Enforcement for high-risk AI begins August 2026. Brigs maps agent governance controls to these articles: AGENT_TOOL_ALLOWLIST and AGENT_LEAST_PRIVILEGE for risk management, AGENT_DATA_EGRESS for data governance, AGENT_AUDIT_LOGGING for record-keeping, AGENT_ACTION_GATING and AGENT_PR_GATE for human oversight, and foundational controls for cybersecurity. Brigs generates auditor-ready evidence demonstrating compliance with each article.
What is an agent governance map?
An agent governance map is an org-wide inventory showing every AI agent deployment, its framework (Claude Code, LangChain, CrewAI, AutoGen, MCP), configured tools, permissions, data connections, and governance status. Brigs discovers agent configurations in code repositories at config-time — before agents run in production. Each discovered agent links to its governance control results (pass/fail per control), enabling security leads to see which agents are governed and which have gaps. This is different from runtime agent maps (like Noma's Agentic Risk Map) which observe running agents — Brigs catches issues before deployment.
How do I evaluate if my AI agents are secure?
Evaluating AI agent security requires checking multiple dimensions: (1) Are tools restricted to an explicit allowlist? (2) Do agents run with least-privilege credentials and short-lived tokens? (3) Is there an immutable audit trail of all agent actions? (4) Is PII redacted before data reaches model providers? (5) Do high-risk actions require human approval? (6) Are agent PRs gated by verification checks? (7) Are MCP servers pinned to verified versions with scoped filesystem access? (8) Is code execution sandboxed with resource limits? Brigs automates this evaluation with 13+ controls covering 51+ evaluation facets, producing a composite governance score and compliance evidence for auditors.
What agent frameworks does Brigs support?
Brigs evaluates configurations from Claude Code (CLAUDE.md, .claude/settings.json, allowedTools, MCP configs), LangChain/LangGraph (tool definitions, agent executors, chain configs), CrewAI (agent definitions, tool registrations, task configs, delegation settings), AutoGen (agent configs, tool registrations, code execution settings, group chat patterns), and MCP servers (server configs, filesystem scoping, version pinning, credential handling). Framework auto-detection identifies which frameworks are present in your codebase automatically.
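The checklist in "How do I evaluate if my AI agents are secure?" and the framework configs named above can be turned into config-time checks. The block below is an added illustration, not Brigs's own evaluator or any real framework schema: the config shape, the crude high-risk keyword match, the pass thresholds and the control id AGENT_MCP_PINNING are assumptions; the other control ids are the ones this page names.

```python
import re

# Crude keyword match for the tool classes the page calls high-risk (assumption).
HIGH_RISK = re.compile(r"delete|remove|drop|pay|refund|deploy", re.IGNORECASE)

# Constructed, simplified stand-in for a framework config (a Claude Code settings
# file or an MCP server config); not any real schema.
SAMPLE_CONFIG = {
    "allowed_tools": ["read_file", "search_docs", "delete_branch", "issue_refund"],
    "approval_required": ["issue_refund"],            # delete_branch is not gated
    "credentials": {"token_ttl_seconds": 30 * 86400},  # 30-day token, not short-lived
    "audit": {"enabled": True, "immutable": False},
    "egress": {"pii_redaction": False},
    "mcp_servers": [{"name": "fs", "version": "1.4.2", "roots": ["/srv/app/data"]},
                    {"name": "git", "version": "latest", "roots": ["/"]}],  # unpinned, root-scoped
}

def check_tool_allowlist(cfg):  # explicit, non-empty allowlist with no wildcard
    tools = cfg.get("allowed_tools")
    return isinstance(tools, list) and len(tools) > 0 and "*" not in tools
def check_action_gating(cfg):  # every high-risk tool requires human approval
    gated = set(cfg.get("approval_required", []))
    return all(t in gated for t in cfg.get("allowed_tools", []) if HIGH_RISK.search(t))
def check_least_privilege(cfg, max_ttl=3600):  # credentials must be short-lived
    ttl = cfg.get("credentials", {}).get("token_ttl_seconds")
    return ttl is not None and ttl <= max_ttl
def check_audit_logging(cfg):  # audit trail present and immutable
    audit = cfg.get("audit", {})
    return bool(audit.get("enabled")) and bool(audit.get("immutable"))
def check_data_egress(cfg):  # PII redacted before data reaches the model provider
    return bool(cfg.get("egress", {}).get("pii_redaction"))
def check_mcp_pinning(cfg):  # each MCP server pinned to a version and filesystem-scoped
    for srv in cfg.get("mcp_servers", []):
        pinned = re.fullmatch(r"\d+\.\d+\.\d+", srv.get("version", "")) is not None
        scoped = bool(srv.get("roots")) and all(r not in ("", "/") for r in srv["roots"])
        if not (pinned and scoped):
            return False
    return True

# Control ids match the ones named on this page except AGENT_MCP_PINNING (hypothetical).
CONTROLS = {"AGENT_TOOL_ALLOWLIST": check_tool_allowlist, "AGENT_ACTION_GATING": check_action_gating,
            "AGENT_LEAST_PRIVILEGE": check_least_privilege, "AGENT_AUDIT_LOGGING": check_audit_logging,
            "AGENT_DATA_EGRESS": check_data_egress, "AGENT_MCP_PINNING": check_mcp_pinning}
def evaluate(cfg):
    """Per-control pass/fail plus a composite score (percent of controls passed)."""
    results = {name: bool(fn(cfg)) for name, fn in CONTROLS.items()}
    return results, round(100 * sum(results.values()) / len(results))
def failing_controls(cfg):  # the findings a remediation PR would need to address
    return [name for name, ok in evaluate(cfg)[0].items() if not ok]
```

For SAMPLE_CONFIG only the allowlist control passes, giving a score of 17 and five findings.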
Does Brigs generate remediation PRs?
Yes. When Brigs identifies governance gaps, it generates verified pull requests that fix the findings — not tickets or alerts, but actual code-level changes matching your codebase conventions. PRs are verified pre-merge (on the PR branch) and post-merge (on the default branch) with tamper-evident verification chains. Agent-authored PRs carry risk badges and require human review before merging — agents propose changes but never self-merge.
What compliance frameworks does Brigs support?
Brigs supports 6 compliance frameworks: OWASP Top 10 for Agentic Applications (primary — full ASI01-ASI10 coverage), EU AI Act (Articles 9, 10, 11, 12, 14, 15), NIST AI Risk Management Framework (Govern, Map, Measure, Manage functions), ISO 42001 (AI management system requirements), SOC 2 (CC6, CC7, CC8 criteria for AI-deploying organizations), and AIUC-1 (AI controls framework for underwriters and auditors). Controls are evaluated once and mapped to all applicable frameworks — no duplicate checks.
Is Brigs free?
Yes, Brigs offers a free tier with up to 3 repositories, 2 remediations per month, and OWASP Agentic Top 10 framework coverage. Team, Business, and Enterprise plans add more repositories, unlimited remediations, and all compliance frameworks. No credit card required to start.
How does Brigs differ from Noma Security?
Noma Security ($100M raised) does runtime agent protection — it blocks bad agent actions in production and discovers running agents via its Agentic Risk Map. Brigs does pre-deployment governance evaluation — it evaluates agent configurations, generates remediation PRs, and produces compliance evidence. They operate at different layers: Brigs is upstream (config-time), Noma is downstream (runtime). Both are valuable and complementary. Brigs defines what 'good' looks like; Noma enforces it at runtime.
Ready to secure your AI agents?
Free to start. Scan your first repo in under 5 minutes.