Runtime security and compliance evidence for AI agents.

Ancilis evaluates every tool call your agent makes against a security policy, produces tamper-evident evidence records, and maps everything to the compliance frameworks your customers care about — SOC 2, HIPAA, PCI-DSS, EU AI Act, and 15 more. No manual framework crosswalking. Declare what data your agent handles; get the right controls automatically.

pip install ancilis

Create ancilis.yaml next to your agent code:

agent:
  name: my-agent
security:
  tools:
    allowed:
      - search_docs
      - send_reply

Wrap your tools:

from ancilis import ToolActionProducer, load_config
from ancilis.engine import Engine

config = load_config()
engine = Engine(config)
producer = ToolActionProducer(config=config, engine=engine)

# Wrap any function — calls are now evaluated and evidence is recorded
search_docs = producer.wrap_tool(search_docs, tool_name="search_docs")
result = search_docs("account billing")

Check posture:

ancilis status

Ancilis — my-agent
  Mode: audit
  Controls: 26 active, all passing
  Tool calls: 1 evaluated, 0 blocked

That's it. Every tool call is evaluated against 26 security controls and recorded in a local evidence store with SHA-256 hash chaining.

If your agent uses Model Context Protocol, Ancilis wraps the MCP client session transparently — your agent and the MCP server don't know it's there:

pip install ancilis[mcp]

from ancilis import AncilisMiddleware

# Wraps any MCP ClientSession — every tool call is now evaluated
async with AncilisMiddleware(mcp_session, config_path="ancilis.yaml") as middleware:
    result = await middleware.call_tool("query_database", {"sql": "SELECT ..."})
    # Tool call evaluated against policy, evidence recorded, then forwarded to MCP server

Works with any MCP server. Supports audit mode (log everything) and enforce mode (block policy violations before they reach the server). See examples/mcp-middleware/ for a full walkthrough.

If your agent runs shell commands — kubectl, curl, database queries, file operations — the CLI producer wraps subprocess execution with the same policy evaluation:

from ancilis import CLIActionProducer, load_config
from ancilis.engine import Engine

config = load_config()
producer = CLIActionProducer(config=config, engine=Engine(config))

# Evaluated against policy before execution — blocked commands never run
result = producer.execute(["kubectl", "get", "pods", "-n", "production"])

Allowed commands execute normally. Blocked commands are intercepted before the subprocess runs. Every evaluation is evidence-recorded. See examples/cli-agent/.

Ancilis ships producers for every major LLM SDK and the top agent frameworks. Each producer wraps the SDK's call surface so every model invocation, agent step, or framework callback becomes an evaluated, evidence-recorded Action. None of them require their upstream SDK to be installed — the producers are duck-typed.

Auto-wire whatever's installed in your environment:

from ancilis import load_config
from ancilis.engine import Engine
from ancilis.producers import auto_register

config = load_config()
engine = Engine(config)
producers = auto_register(config, engine)
# producers == {"anthropic": AnthropicActionProducer(...), "openai": OpenAIActionProducer(...), ...}

auto_register detects which upstream SDKs are importable in your environment and instantiates one producer per detected SDK. Use include= / exclude= to scope.

Or wire individual producers explicitly:

from anthropic import Anthropic
from ancilis.producers import AnthropicActionProducer

producer = AnthropicActionProducer(config=config, engine=engine)
client = Anthropic()
wrapped = producer.wrap_create(client.messages.create, agent_name="support-bot")

# Each call is observed before the request goes out
response = wrapped(model="claude-sonnet-4-6", messages=[{"role": "user", "content": "..."}])

LangChain / LangGraph (drop-in callback handler):

from langchain_anthropic import ChatAnthropic
from ancilis.producers import LangChainActionProducer, LangChainCallbackHandler

producer = LangChainActionProducer(config=config, engine=engine)
handler = LangChainCallbackHandler(producer)

llm = ChatAnthropic(callbacks=[handler])
# Every llm/tool/chain start emits an Action — works with LangGraph too

Supported producers:

Tool-name convention is stable across providers: llm:{provider}:{model} for direct LLM SDKs, aws-bedrock:{operation} for Bedrock, {framework}:{kind}:{name} for framework producers. Allowlists in ancilis.yaml use these names directly.

One line turns security controls into compliance evidence. Add a certification target to your config:

agent:
  name: payment-agent
certification_targets:
  - soc2
my_agent_handles:
  - credit_cards
  - personal_info

SOC 2 and PCI-DSS overlays activate automatically from the data declaration. No framework selection, no crosswalk mapping.

ancilis status

Ancilis — payment-agent
  Mode: audit
  Controls: 26 active, all passing
  SOC 2 Type II: active — triggered by certification target
  PCI-DSS v4: active — triggered by credit_cards declaration
  GDPR: active — triggered by personal_info declaration

ancilis report --format markdown

Generates a compliance posture report with per-control results, evidence chain integrity verification, and framework-specific readiness scores.

Your agent calls a tool
       ↓
Producer normalizes the call (MCP, CLI, HTTP, LLM SDK, or framework callback)
       ↓
Engine evaluates against 26 AKSI security controls
       ↓
Evidence record written to local DuckDB (SHA-256 hash chain)
       ↓
CLI reads the store → posture reports, compliance readiness

Producers translate protocol-specific invocations into a common Action object. The engine evaluates every Action against active controls and writes the result. The CLI reads the evidence store to generate reports. No external services, no network calls, no data leaves your machine.

Declare what data your agent handles. The right regulatory overlays activate automatically.

23 data types supported across 19 overlay profiles. Full list in docs/configuration.md.

Roadmap: automatic classification. Today you declare what data your agent handles in config. We're building runtime classification that detects data types automatically from tool call payloads and responses — regex patterns, Luhn checksums, co-occurrence analysis. When the SDK detects health records flowing through an agent you declared as general-purpose, it surfaces the finding for you to confirm. Confirmed findings activate the right overlays without config changes. Declaration gets you started; auto-classification keeps you accurate.

ancilis status                    Current posture
ancilis status --verbose          Per-control detail
ancilis report                    Terminal report
ancilis report --format markdown  Markdown for review
ancilis report --format pdf       PDF for audit (requires pandoc)
ancilis config validate           Check your config
ancilis approve-tool <name>       Approve a discovered tool
ancilis doctor                    First-run setup check

Check agent posture on every pull request with the GitHub Action:

- uses: ancilis/scan-action@v1
  with:
    fail-on: high
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Posts posture results as a PR comment and fails the build if findings exceed your threshold. Or skip the action and call the CLI directly: pip install ancilis && ancilis scan --ci.

Each level adds one concept. You don't need level 2 to get value from level 1.

Preview — Python is the primary path. TypeScript includes the core engine, evidence store, producers, CLI, and reporting, with full parity for the LLM SDK and agent framework producers.

npm install ancilis
npx ancilis doctor

import { loadConfig, Engine, EvidenceStore, ToolActionProducer } from "ancilis";

const config = loadConfig({
  raw: {
    agent: { name: "my-agent" },
    security: { mode: "enforce", tools: { allowed: ["read_data"] } },
  },
});

const store = new EvidenceStore(config, { inMemory: true });
const producer = new ToolActionProducer(config, new Engine(config), undefined, store);
const result = await producer.execute(readData, "my-agent", ["id-123"], undefined, "read_data");

LLM SDK + framework producers also ship in the TypeScript package — AnthropicActionProducer, OpenAIActionProducer, GeminiActionProducer, plus LangChainCallbackHandler, CrewAIActionProducer, AutoGenActionProducer, SemanticKernelActionProducer, and autoRegister(config, engine) for whichever upstream SDKs are installed. Same shape as the Python producers.

• 12 of 26 controls have runtime evaluators. The other 14 are defined in the framework and appear in reports as SKIP until evaluators ship. No false positives.
• 19 overlay profiles, all mapping 26 controls. SOC 2, HIPAA, PCI-DSS, EU AI Act, GDPR, CCPA, CMMC, GLBA, DORA, NIS2, FedRAMP, ISO 27001, ISO 42001, NIST CSF, NIST AI RMF, Colorado AI Act, Singapore IMDA MGF, Securities MNPI, MAS TRM.
• Evidence integrity depends on protecting the DB. The hash chain detects tampering after the fact. It doesn't prevent replacing the entire database.
• HTTP wrapping is explicit. Ancilis doesn't monkey-patch HTTP libraries. You wrap the calls you want evaluated.
• PDF export requires pandoc and xelatex. Falls back to markdown without them.

• Examples — certification-driven, data-classification, MCP middleware, CLI agent
• Configuration reference
• Security policy — security@ancilis.ai
• Contributing
• License — GNU Affero General Public License v3.0 or later. Commercial licensing available; contact licensing@ancilis.ai.