# Brigs — Full Reference

> Complete inline reference for AI agents and automation. No additional fetches required.

## Agent Quickstart

Three commands to first value — no browser, no interactive prompts:

```bash
npm install -g brigs
export BRIGS_API_KEY=brigs_sk_your_key_here
brigs scan run --json
```

Or without installing (CI / pipelines):

```bash
curl -s -H "Authorization: Bearer $BRIGS_API_KEY" https://api.brigs.ai/scans -X POST | jq .
```

Key facts:
- **Package:** `npm install -g brigs`
- **Auth env var:** `BRIGS_API_KEY` (prefix: `brigs_sk_`)
- **API base URL:** `https://api.brigs.ai`
- **Machine output:** append `--json` to any CLI command
- **Local scan (offline):** `brigs agent-scan <directory>`

---

## CLI Commands

| Command | Description |
|---------|-------------|
| `brigs auth login` | Authenticate with Brigs (opens browser) |
| `brigs auth login --api-key brigs_sk_...` | Authenticate non-interactively (CI/agents) |
| `brigs auth logout` | Clear stored credentials |
| `brigs auth status` | Show authentication status |
| `brigs repo list` | List monitored repositories |
| `brigs scan run` | Trigger a governance scan |
| `brigs scan run --json` | Trigger scan, return JSON |
| `brigs scan watch <id>` | Poll scan until complete |
| `brigs finding list` | List findings |
| `brigs finding list --severity CRITICAL` | Filter findings by severity |
| `brigs finding list --json` | List findings as JSON |
| `brigs posture` | View org-wide posture score |
| `brigs posture --json` | Posture score as JSON |
| `brigs control list` | List control definitions |
| `brigs control list --json` | Controls as JSON |
| `brigs evidence generate` | Generate compliance evidence pack |
| `brigs remediate` | Auto-fix a finding via AI |
| `brigs agent-scan <dir>` | Local agent config scan (offline, no API key needed) |
| `brigs agent-scan <dir> --sarif` | Output SARIF 2.1.0 for GitHub Code Scanning |
| `brigs ai-inventory <dir>` | Discover AI assets, models, MCP servers, agent configs (offline) |
| `brigs api-key create <name>` | Create a new API key |
| `brigs api-key list` | List API keys |
| `brigs config show` | View CLI configuration |
| `brigs config set <k> <v>` | Set a configuration value |

## Environment Variables

| Variable | Description | Default |
|----------|-------------|---------|
| `BRIGS_API_KEY` | API key (skips interactive login) | — |
| `BRIGS_API_URL` | API endpoint URL | `https://api.brigs.ai` |
| `BRIGS_WEB_URL` | Web app URL (for browser login) | `https://app.brigs.ai` |

## REST API Reference

Base URL: `https://api.brigs.ai`

Authentication: `Authorization: Bearer brigs_sk_...`

### Repositories

| Method | Path | Description |
|--------|------|-------------|
| GET | `/repos` | List monitored repositories |
| GET | `/repos/:id` | Get repository details |
| DELETE | `/repos/:id` | Remove repository |

### Scans

| Method | Path | Description | Body |
|--------|------|-------------|------|
| POST | `/scans` | Trigger a scan | `{"repoId": "repo_123"}` (optional — omit to scan all) |
| GET | `/scans` | List recent scans | — |
| GET | `/scans/:id` | Get scan status | — |

### Findings

| Method | Path | Description | Body |
|--------|------|-------------|------|
| GET | `/findings` | List findings (filterable) | — |
| GET | `/findings?severity=CRITICAL` | Filter by severity | — |
| GET | `/findings?status=OPEN` | Filter by status | — |
| GET | `/findings/:id` | Get finding detail | — |
| PATCH | `/findings/:id` | Update finding | `{"status": "RESOLVED", "notes": "..."}` |

### Posture

| Method | Path | Description |
|--------|------|-------------|
| GET | `/posture/summary` | Org-wide posture score |
| GET | `/posture/:framework` | Framework-specific posture (e.g. `owasp-agentic`) |

### Controls

| Method | Path | Description |
|--------|------|-------------|
| GET | `/controls` | List control definitions |
| GET | `/controls/:key` | Get control detail (e.g. `AGENT_TOOL_ALLOWLIST`) |

### Evidence

| Method | Path | Description |
|--------|------|-------------|
| GET | `/evidence/finding/:id` | Generate finding evidence |
| GET | `/evidence/control/:key` | Generate control evidence |
| GET | `/evidence/snapshot` | Generate compliance snapshot |

### Remediation

| Method | Path | Description |
|--------|------|-------------|
| POST | `/findings/:id/remediate` | Start remediation |
| GET | `/remediation/sessions/:id` | Get remediation status |

### API Keys

| Method | Path | Description | Body |
|--------|------|-------------|------|
| POST | `/api-keys` | Create API key | `{"name": "my-agent"}` |
| GET | `/api-keys` | List API keys | — |
| DELETE | `/api-keys/:id` | Revoke API key | — |

### Error Format

All errors return consistent JSON:

```json
// 401 Unauthorized
{ "error": "Unauthorized", "message": "Invalid API key" }

// 404 Not Found
{ "error": "Not Found", "message": "Finding not found" }

// 429 Too Many Requests
{ "error": "Too Many Requests", "message": "Rate limit exceeded.", "retryAfter": 42 }
```

Rate limit headers: `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`

### Ephemeral Scan Sessions (No Signup Required)

Create a free scan session — 1 repo, 1 scan, 72-hour lifetime. No API key or account needed.

**Create Session:**
```
POST /ephemeral/sessions
Content-Type: application/json

{"email": "user@example.com"}  // optional

Response: {
  "slug": "bold-peak-falcon",
  "sessionToken": "brigs_eph_...",
  "connectUrl": "https://brigs.ai/connect/bold-peak-falcon",
  "resultsUrl": "https://brigs.ai/scan-results/bold-peak-falcon",
  "expiresAt": "2026-02-26T15:00:00.000Z"
}
```

**Connect GitHub (human step):** User opens `connectUrl` in browser to authorize GitHub OAuth.

**Add Repo & Scan (agent steps):**
```
# Add repository (use sessionToken as Bearer)
POST /repos
Authorization: Bearer brigs_eph_...
Content-Type: application/json
{"integrationId": "...", "repos": [{"id": "github_repo_id"}]}

# Trigger scan
POST /scans
Authorization: Bearer brigs_eph_...
Content-Type: application/json
{"repoId": "..."}
```

**Check Status (public, no auth):**
```
GET /ephemeral/sessions/:slug/status
```

**View Results (public, no auth):**
```
GET /public/scan-results/:slug
```

**Limits:** 1 repo, 1 scan (retryable if failed), 72-hour session, 5 sessions/hour/IP, 10/day/IP.

**Privacy:** Public results page shows only: framework scores, control pass/fail, one-line summaries. Never exposed: source code, file paths, line numbers, technical details, org settings, API keys.

---

## About Brigs

Brigs is the first AI risk management platform to define and operationalize "secure AI agent deployment" as a control category. It evaluates whether organizations deploy AI agents securely, generates code-level fixes via verified PRs, and produces auditor-ready compliance evidence.

The platform scans agent framework configurations (Claude Code, LangChain, CrewAI, AutoGen, MCP servers) against OWASP Top 10 for Agentic Applications, EU AI Act, NIST AI RMF, ISO 42001, SOC 2, and AIUC-1.

**Platform primitive:** Detect → Propose Fix → Verify → Produce Evidence

---

## Product Capabilities

### Agent Governance Controls
13+ controls evaluating agent security posture. These controls define a new category — nobody else evaluates whether organizations deploy agents securely.

**What Brigs evaluates:**
- Are agent tools restricted to an explicit allowlist?
- Are agent credentials scoped to least privilege with short-lived tokens?
- Is there an immutable audit trail of all agent actions?
- Is PII redacted before data reaches model providers?
- Do high-risk agent actions require human approval?
- Are agent PRs gated by human review and verification checks?
- Are MCP server configs free of credential leaks?
- Are MCP servers pinned to verified versions?
- Are agent dependencies pinned and from verified sources?
- Is agent code execution sandboxed with resource limits?
- Are agents protected against context and memory poisoning?
- Are multi-agent communications scoped and validated?
- Do agents have retry limits and cascading failure safeguards?

### Agent Governance Map
Org-wide visibility into all agent deployments — discover every agent framework, tool, MCP connection, and permission configuration across all repos. Config-time discovery catches agents before they run in production.

### Automated Remediation
AI generates pull requests that fix governance gaps. Not tickets — actual code-level fixes matching codebase conventions. PRs are verified pre-merge and post-merge with tamper-evident verification chains.

### Evidence Generation
Auditor-ready compliance evidence produced on every scan. Per-finding and per-control evidence with structured artifacts: file paths, code snippets, config values, and timestamps.

### CLI & CI/CD Integration
- `brigs scan` — scan local repos for agent governance gaps
- GitHub Action for CI checks on pull requests
- JSON/SARIF output for CI integration
- Framework auto-detection (Claude Code, LangChain, CrewAI, AutoGen)

### Posture Assessment
Framework-scoped compliance dashboards aggregating control findings. Composite scoring combining pass rate and coverage. Per-system and per-org posture views.

---

## Agent Governance Controls — Detailed Reference

### AGENT_PR_GATE
**What it evaluates:** AI agent-authored pull requests must pass a gating workflow and require human review before merging. Agents can propose changes but never self-merge.
**Framework mappings:** OWASP Agentic ASI02 (Tool Misuse), ASI03 (Identity & Privilege), ASI09 (Human-Agent Trust)
**Evaluation facets:**
1. **Gate Workflow Exists** (required, weight 0.40): Workflow file exists with agent detection and gating policy
2. **Gate Is Required Check** (required, weight 0.35): agent-pr-gate job is listed as required status check on branch protection
3. **Dismiss Stale Reviews** (weight 0.25): Stale review dismissal enabled on branch protection
**Remediation:** Add a CI workflow that detects agent-authored PRs and enforces gating policies, configure as required status check

### AGENT_TOOL_ALLOWLIST
**What it evaluates:** AI agents have explicit tool allowlists, argument validation on tool inputs, and sandboxing for tool execution.
**Framework mappings:** AIUC-1 D003 (Restrict Unsafe Tool Calls), OWASP Agentic ASI02 (Tool Misuse)
**Evaluation facets:**
1. **Explicit Tool Allowlist** (required, weight 0.35): Allowlist of permitted tools defined — agents can only invoke listed tools
2. **Argument Validation** (weight 0.25): Tools have input validation schemas checking types, ranges, and allowed values
3. **Execution Sandboxing** (weight 0.25): Tools run in isolated sandbox (container, VM, or seccomp-restricted process)
4. **Sensitive Operation Gating** (weight 0.15): Destructive or privileged operations require additional approval
**Remediation:** Define explicit tool allowlist in agent config, add input validation schemas, sandbox tool execution, classify tools by risk level

### AGENT_LEAST_PRIVILEGE
**What it evaluates:** AI agents run with scoped credentials (least privilege), use short-lived tokens, and cannot laterally move or escalate privileges.
**Framework mappings:** AIUC-1 B007 (User Access Privileges), SOC 2 CC6.3 (Role-Based Access), OWASP Agentic ASI03 (Identity & Privilege)
**Evaluation facets:**
1. **Scoped Credentials** (required, weight 0.30): Narrowly scoped IAM roles matching documented boundaries
2. **Short-Lived Tokens** (required, weight 0.25): STS/workload identity/Vault with TTL ≤ 1 hour
3. **Network Segmentation** (weight 0.20): Dedicated subnet with restricted egress
4. **Secret Management** (weight 0.25): Credentials via secret manager (Vault, AWS Secrets Manager, SSM)
**Remediation:** Scope IAM roles to minimum required permissions, use short-lived tokens via STS or workload identity, restrict network egress, use secret managers

### AGENT_AUDIT_LOGGING
**What it evaluates:** AI agent actions produce immutable audit logs with full provenance chains.
**Framework mappings:** AIUC-1 E005 (Logging), SOC 2 CC7.2 (Logging & Monitoring), OWASP Agentic ASI10 (Rogue Agents)
**Evaluation facets:**
1. **Logging Middleware** (required, weight 0.30): Middleware captures all agent actions, tool calls, and model invocations
2. **Log Schema Completeness** (required, weight 0.25): All required fields present (action, agent identity, inputs, outputs, tools, timestamps)
3. **Immutability** (weight 0.25): Append-only/write-once storage (S3 Object Lock, CloudWatch Logs)
4. **Provenance Chain** (weight 0.20): Full provenance with correlation IDs and trace/span linking
**Remediation:** Add logging middleware capturing all agent actions, define structured log schema, use immutable storage, add correlation IDs

### AGENT_DATA_EGRESS
**What it evaluates:** DLP controls exist for AI agent data flows — PII redaction before model calls, data classification enforcement, approved routing rules.
**Framework mappings:** AIUC-1 A001 (Data Policy), SOC 2 CC6.1 (Logical & Physical Access), OWASP Agentic ASI01 (Agent Behaviour Hijack)
**Evaluation facets:**
1. **PII Redaction** (required, weight 0.30): Redaction middleware with pattern rules for sensitive data types
2. **Data Classification** (weight 0.25): Classification scheme defined with enforcement rules per class
3. **Model Routing Rules** (required, weight 0.25): Routing rules per data class with approved provider restrictions
4. **Output Filtering** (weight 0.20): Output filtering scans for leaked PII before returning to users
**Remediation:** Add PII redaction middleware, define data classification scheme, configure model routing rules per data class, add output filtering

### AGENT_ACTION_GATING
**What it evaluates:** Human-in-the-loop approval gates exist for high-risk agent actions.
**Framework mappings:** AIUC-1 D003 (Restrict Unsafe Tool Calls), SOC 2 CC8.1 (Change Management), OWASP Agentic ASI09 (Human-Agent Trust)
**Evaluation facets:**
1. **Action Classification** (required, weight 0.30): Actions classified with documented risk rationale
2. **Approval Workflow** (required, weight 0.35): Approval gates for all high-risk actions with timeout/escalation
3. **No Auto-Approve for Destructive Ops** (required, weight 0.20): Deletions, production deploys, payments never auto-approved
4. **Audit Trail** (weight 0.15): Approval decisions logged with approver, timestamp, and reason
**Remediation:** Classify actions by risk level, add approval workflows for high-risk actions, block auto-approve for destructive operations, log all approval decisions

### MCP_LEAST_PRIVILEGE
**What it evaluates:** MCP servers have scoped filesystem access, pinned versions, verified package names, and minimal server count.
**Framework mappings:** OWASP Agentic ASI03 (Identity & Privilege Abuse)
**Evaluation facets:**
1. **Filesystem Scoping** (required, weight 0.35): MCP filesystem servers scoped to specific project directories (not /, /home, /etc)
2. **Version Pinning** (required, weight 0.30): Pinned package versions (not npx -y auto-install which is vulnerable to rug-pull attacks)
3. **No Typosquatted Packages** (required, weight 0.20): Package names match known legitimate packages (Levenshtein distance check)
4. **Minimal Server Count** (weight 0.15): 5 or fewer MCP servers configured
**Remediation:** Scope MCP filesystem access to project directories, pin MCP server versions explicitly, verify package names against known registries

### MCP_NO_CREDENTIAL_LEAK
**What it evaluates:** MCP server configurations do not contain plaintext secrets, API keys, or embedded credentials.
**Framework mappings:** OWASP Agentic ASI04 (Supply Chain Vulnerabilities)
**Evaluation facets:**
1. **No Plaintext Secrets in Config** (required, weight 0.45): No API keys, tokens, or passwords in MCP env configs
2. **Environment Variable References** (required, weight 0.30): Secret values use ${VAR} or $VAR references instead of hardcoded values
3. **No Secrets in Connection Strings** (weight 0.25): No embedded credentials in database URLs or API endpoints
**Remediation:** Replace hardcoded secrets with environment variable references, use secret managers, remove credentials from connection strings

### DEP_SUPPLY_CHAIN
**What it evaluates:** AI agent dependencies are pinned, from verified sources, on safe versions, and connecting to official model endpoints.
**Framework mappings:** OWASP Agentic ASI04 (Supply Chain Vulnerabilities)
**Evaluation facets:**
1. **AI Framework Dep Pinning** (required, weight 0.30): AI dependencies pinned in lockfiles or exact version specifiers
2. **MCP Server Integrity** (required, weight 0.30): MCP servers use pinned versions from verified sources
3. **Framework Currency** (weight 0.25): AI framework versions above known-safe minimums
4. **Model Endpoint Verification** (weight 0.15): Official provider endpoints (api.openai.com, api.anthropic.com, bedrock)
**Remediation:** Pin all AI dependencies in lockfiles, use explicit versions for MCP servers, update to latest safe framework versions, verify model endpoints

### AGENT_CODE_EXECUTION
**What it evaluates:** AI agent code execution is sandboxed with resource limits, output sanitization, and no arbitrary eval patterns.
**Framework mappings:** OWASP Agentic ASI05 (Code Execution / RCE)
**Evaluation facets:**
1. **Sandbox Isolation** (required, weight 0.35): Code execution in Docker, Pyodide, seccomp, or other sandbox
2. **Resource Limits** (required, weight 0.25): Timeout and/or memory limits configured
3. **Output Sanitization** (weight 0.25): Output parsers or PII filters on execution results
4. **No Arbitrary Eval** (weight 0.15): No eval()/exec()/Function()/subprocess patterns in agent code
**Remediation:** Sandbox code execution in containers, configure timeout and memory limits, add output sanitization, remove dangerous eval patterns

### AGENT_CONTEXT_POISONING
**What it evaluates:** AI agents protect against context and memory poisoning attacks by validating inputs, isolating sessions, protecting system prompts, and enforcing memory freshness.
**Framework mappings:** OWASP Agentic ASI06 (Memory & Context Poisoning), EU AI Act ART10, NIST AI RMF MS2
**Evaluation facets:**
1. **Input & Context Validation** (required, weight 0.35): Tool outputs and user inputs validated before context entry
2. **Context Isolation** (required, weight 0.30): Isolated sessions with no shared mutable state
3. **System Prompt Protection** (weight 0.20): Injection defense instructions and behavior boundaries in system prompts
4. **Memory Freshness Controls** (weight 0.15): Persistent memory has TTL/freshness policies
**Remediation:** Validate all inputs before adding to context, isolate agent sessions, add injection defense to system prompts, set TTL on persistent memory

### AGENT_INTER_AGENT_COMMS
**What it evaluates:** Multi-agent systems have secure inter-agent communication: scoped delegation, trust boundaries, message validation, and communication logging.
**Framework mappings:** OWASP Agentic ASI07 (Insecure Inter-Agent Communication), EU AI Act ART14, NIST AI RMF MS2
**Evaluation facets:**
1. **Delegation Scoping** (required, weight 0.35): Agent-to-agent delegation explicitly scoped with defined boundaries
2. **Trust Boundaries** (required, weight 0.30): Different privilege levels with distinct tool sets per agent
3. **Message Validation** (weight 0.20): Inter-agent messages validated against schemas
4. **Communication Logging** (weight 0.15): All inter-agent communications logged for audit
**Remediation:** Define explicit delegation boundaries between agents, assign different privilege levels, add message validation schemas, log all communications

### AGENT_CASCADING_FAILURES
**What it evaluates:** AI agents have safeguards against cascading failure scenarios: retry limits, execution sandboxing, error handling, and resource constraints.
**Framework mappings:** OWASP Agentic ASI08 (Cascading Failures), EU AI Act ART9/ART15, NIST AI RMF MP5
**Evaluation facets:**
1. **Retry & Loop Limits** (required, weight 0.35): Configured retry limits or circuit breakers preventing infinite loops
2. **Execution Sandboxing** (required, weight 0.30): Code execution sandboxed (Docker, scoped Bash, deny rules)
3. **Error Handling & Degradation** (weight 0.20): Graceful error handling with deny rules and human checkpoints
4. **Resource Limits** (weight 0.15): Resource constraints on agent operations (scoped paths, Docker limits)
**Remediation:** Configure retry limits and circuit breakers, sandbox execution, add error handling with graceful degradation, set resource constraints

---

## Foundational Controls

These controls support agent governance — agents work on code, so code must be governed. They also satisfy SOC 2 criteria.

### BRANCH_PROTECTION_REQUIRED
Default branch has required reviews + status checks. SOC 2 CC8.1.
Facets: Required reviews (≥1 approver), status checks required, force push disabled, branch deletion disabled.

### CI_REQUIRED_ON_MAIN
CI workflows exist and are required on the default branch. SOC 2 CC8.1.
Facets: CI workflow existence, CI is required status check, workflow runs on push to main.

### SECRETS_IN_CODE
No hardcoded secrets in repository code. SOC 2 CC6.1.
Facets: High-entropy string detection, known secret patterns (AWS keys, GitHub tokens, etc.), .env file detection.

### DEPENDENCY_CVE_HYGIENE
No HIGH/CRITICAL CVEs in dependencies. SOC 2 CC7.1, AIUC-1 B001.
Facets: Lockfile hygiene, known vulnerability scan, exception management, CI enforcement, remediation capability (Dependabot/Renovate).

### NO_PUBLIC_STORAGE
No public storage buckets in infrastructure-as-code. SOC 2 CC6.1.
Facets: Public access block present, ACL not public, bucket policy not public.

### NO_OPEN_ADMIN_PORTS
No 0.0.0.0/0 on admin ports (SSH/RDP) in security groups. SOC 2 CC6.6.
Facets: No unrestricted SSH (22), no unrestricted RDP (3389), admin ports restricted to known CIDRs.

### AUDIT_LOGGING_ENABLED
Audit logging configured in infrastructure-as-code. SOC 2 CC7.2.
Facets: CloudTrail/equivalent enabled, multi-region logging, S3 delivery configured.

---

## Compliance Framework Mappings

### OWASP Top 10 for Agentic Applications (2025)
The primary framework. Full coverage of all 10 criteria:

| Criterion | Name | Brigs Controls |
|-----------|------|----------------|
| ASI01 | Agent Behaviour Hijack | AGENT_DATA_EGRESS |
| ASI02 | Tool Misuse and Exploitation | AGENT_PR_GATE, AGENT_TOOL_ALLOWLIST |
| ASI03 | Identity & Privilege Abuse | AGENT_PR_GATE, AGENT_LEAST_PRIVILEGE, MCP_LEAST_PRIVILEGE |
| ASI04 | Agentic Supply Chain Vulnerabilities | DEP_SUPPLY_CHAIN, MCP_NO_CREDENTIAL_LEAK |
| ASI05 | Unexpected Code Execution (RCE) | AGENT_CODE_EXECUTION |
| ASI06 | Memory & Context Poisoning | AGENT_CONTEXT_POISONING |
| ASI07 | Insecure Inter-Agent Communication | AGENT_INTER_AGENT_COMMS |
| ASI08 | Cascading Failures | AGENT_CASCADING_FAILURES |
| ASI09 | Human-Agent Trust Exploitation | AGENT_PR_GATE, AGENT_ACTION_GATING |
| ASI10 | Rogue Agents | AGENT_AUDIT_LOGGING |

### EU AI Act
Regulation (EU) 2024/1689 — the world's first comprehensive AI regulation. Brigs maps to key articles for high-risk AI systems:
- Article 9 (Risk Management): AGENT_TOOL_ALLOWLIST, AGENT_LEAST_PRIVILEGE, AGENT_CODE_EXECUTION, DEP_SUPPLY_CHAIN, AGENT_CASCADING_FAILURES
- Article 10 (Data Governance): AGENT_DATA_EGRESS, AGENT_CONTEXT_POISONING
- Article 11 (Technical Documentation): EVIDENCE_GENERATION
- Article 12 (Record-Keeping): AGENT_AUDIT_LOGGING
- Article 14 (Human Oversight): AGENT_ACTION_GATING, AGENT_PR_GATE, AGENT_INTER_AGENT_COMMS
- Article 15 (Accuracy, Robustness, Cybersecurity): BRANCH_PROTECTION_REQUIRED, CI_REQUIRED_ON_MAIN, SECRETS_IN_CODE, DEPENDENCY_CVE_HYGIENE, MCP_LEAST_PRIVILEGE, MCP_NO_CREDENTIAL_LEAK

### NIST AI Risk Management Framework (AI RMF 1.0)
Voluntary framework for managing AI risks across four functions:
- **Govern:** AGENT_TOOL_ALLOWLIST, AGENT_LEAST_PRIVILEGE, AGENT_ACTION_GATING, AGENT_PR_GATE, AGENT_AUDIT_LOGGING
- **Map:** DEP_SUPPLY_CHAIN, AGENT_CODE_EXECUTION, SECRETS_IN_CODE, AGENT_DATA_EGRESS, AGENT_CASCADING_FAILURES
- **Measure:** DEPENDENCY_CVE_HYGIENE, MCP_LEAST_PRIVILEGE, MCP_NO_CREDENTIAL_LEAK, AGENT_CONTEXT_POISONING, AGENT_INTER_AGENT_COMMS
- **Manage:** AGENT_PR_GATE, AGENT_ACTION_GATING, CI_REQUIRED_ON_MAIN, EVIDENCE_GENERATION

### ISO 42001 — AI Management System
AI management system requirements for organizations developing, providing, or using AI.

### SOC 2 (Security Common Criteria)
Agent governance controls incidentally satisfy SOC 2 criteria:
- CC6.1 (Logical Access): SECRETS_IN_CODE, NO_PUBLIC_STORAGE, MFA_REQUIRED, AGENT_DATA_EGRESS
- CC6.3 (Role-Based Access): AGENT_LEAST_PRIVILEGE, IAM_LEAST_PRIVILEGE
- CC6.6 (Network Security): NO_OPEN_ADMIN_PORTS
- CC7.1 (Vulnerability Management): DEPENDENCY_CVE_HYGIENE
- CC7.2 (Logging & Monitoring): AGENT_AUDIT_LOGGING, AUDIT_LOGGING_ENABLED
- CC8.1 (Change Management): AGENT_PR_GATE, AGENT_ACTION_GATING, BRANCH_PROTECTION_REQUIRED, CI_REQUIRED_ON_MAIN

### AIUC-1 — AI Controls Framework
AI controls framework for underwriters and auditors:
- A001 (Data Policy): AGENT_DATA_EGRESS
- A003 (Data Isolation): NO_PUBLIC_STORAGE
- B001 (Adversarial Robustness): DEPENDENCY_CVE_HYGIENE
- B007 (User Access Privileges): AGENT_LEAST_PRIVILEGE
- D003 (Restrict Unsafe Tool Calls): AGENT_TOOL_ALLOWLIST, AGENT_ACTION_GATING
- E005 (Logging): AGENT_AUDIT_LOGGING

---

## Competitive Positioning

### How Brigs Differs from Competitors

**Brigs vs Noma Security ($100M raised)**
Noma does runtime agent security — blocks bad actions in production. Brigs does pre-deployment governance — evaluates configs, generates PRs, produces evidence. Different layers: Brigs defines "good" and catches issues before production. Noma enforces at runtime. Both are valuable — Brigs is upstream.

**Brigs vs Vanta/Drata ($320M ARR)**
They monitor traditional compliance via dashboards and ticket generation. Brigs evaluates agent-specific governance controls with code-level fixes. Vanta and Drata don't know what an AI agent is — they can't evaluate tool allowlists, MCP configs, or agent least privilege.

**Brigs vs Checkov/Snyk**
They scan infrastructure-as-code. Brigs scans agent framework configs (not just IaC) + generates remediation PRs (not just blocking) + produces governance evidence (not just alerts).

**Brigs vs Zenity**
Zenity covers SaaS agents (Copilot Studio, Power Platform). Brigs covers code + cloud + SaaS agents in one unified inventory, plus governance evaluation and automated remediation.

**Brigs vs Lasso Security**
Lasso focuses on LLM interaction security. Brigs evaluates the full agent governance stack — from tool permissions to audit logging to compliance evidence.

**Brigs vs Adversa AI / XBOW**
They do autonomous AI red teaming — adversarial testing of models and agents. Brigs does governance evaluation — findings flow into control evaluations then remediation PRs then compliance evidence. Nobody else closes this loop.

**Nobody evaluates agent governance.** Noma secures agents at runtime. Vanta/Drata don't know what an agent is. Checkov/Snyk scan IaC, not agent configs. Brigs owns this gap.

---

## Agent Framework Support

Brigs evaluates configurations from these agent frameworks:

| Framework | What Brigs Scans |
|-----------|-----------------|
| **Claude Code** | CLAUDE.md, .claude/settings.json, allowedTools, MCP server configs |
| **LangChain / LangGraph** | Tool definitions, agent executors, chain configs, permission patterns |
| **CrewAI** | Agent definitions, tool registrations, task configs, delegation settings |
| **AutoGen** | Agent configs, tool registrations, code execution settings, group chat patterns |
| **MCP Servers** | Server configs, filesystem scoping, version pinning, credential handling |
| **Custom Frameworks** | Generic pattern detection for tool allowlists, permission models |

---

## Scoring Model

### Composite Scoring
```
Composite Score = Pass Rate x Coverage
```
- **Pass Rate:** Of evaluated assets, what fraction passes (0-100%)
- **Coverage:** Of expected assets, what fraction has been evaluated (0-100%)
- Missing evidence is not compliance — if expected artifacts don't exist, the control fails

### Facet Scoring
Controls decompose into multiple evaluation facets. Each facet scores 0 (fail), 0.5 (partial), or 1.0 (pass). Required facets act as gates — if any required facet fails, the control cannot PASS.

### Posture Statuses
- **NO_DATA** (gray): Not evaluated yet
- **PASS** (green): Evidence proves compliance
- **PARTIAL** (amber): Some checks pass, some fail
- **FAIL** (red): Evidence fails or evidence missing

---

## Key Statistics

- 13+ agent governance controls evaluated
- 6 compliance frameworks supported (OWASP Agentic, EU AI Act, NIST AI RMF, ISO 42001, SOC 2, AIUC-1)
- 5 agent frameworks scanned (Claude Code, LangChain, CrewAI, AutoGen, MCP)
- Full coverage of all 10 OWASP Agentic criteria (ASI01-ASI10)
- 51+ evaluation facets across all controls
- Automated remediation generates verified pull requests — not tickets

---

## Pricing

| Plan | Repos | Remediations/mo | Frameworks | Price |
|------|-------|-----------------|------------|-------|
| Free | 3 | 2 | OWASP Agentic | $0 |
| Team | 25 | 50 | All | Contact |
| Business | Unlimited | Unlimited | All | Contact |
| Enterprise | Unlimited | Unlimited | All + custom | Custom |

---

## About Brigs

Brigs was founded in 2025 with the thesis that every organization deploying AI agents faces a governance gap. The platform is designed to be the governance layer for the AI agent ecosystem — evaluate, enforce, prove.

**Website:** https://brigs.ai
**Contact:** https://brigs.ai/contact
**Privacy:** https://brigs.ai/privacy
**Terms:** https://brigs.ai/terms