AI agent governance · pre-1.0

Identity and audit.
Built for the compliance wave.

Cullis Mastio gives every AI agent in your organization a cryptographic identity, enforces policy before each call, and writes a tamper-evident audit chain. Designed for EU AI Act high-risk systems, Colorado AI Act, NIST AI RMF, and ISO 42001. Self-hosted, open source, drop-in for Claude, GPT, Mistral, and any MCP-compatible tool.

Schedule a walk-through Try the sandbox
Open source FSL-1.1 · Apache-2.0 Read the docs Quickstart · ADR · API
cullis · mastio · /overview ONLINE
Mastio overview dashboard
intra-org · per-agent identity
audit chain · externally verifiable
02 Mastio · org control point

One container.
Every agent. Every call.

One Docker container per organization. Authority over AI agent identity. Policy enforced before the LLM call lands. An append-only chain of every action, externally verifiable by your auditor or regulator.

  1. 01

    Cryptographic identity, per agent

    x509 cert and SPIFFE ID per agent process. The caller authenticated at the gateway is the agent itself, not a shared API key reused by twelve services. Identity rotates on its own schedule, revocation propagates in seconds.

    Identity model →
  2. 02

    Policy enforced pre-call

    PDP fires before the LLM API or MCP tool. Per-principal scopes (this agent can read claim files, that agent cannot). Decisions logged with reason. OPA-compatible bundles or built-in DSL.

    Policy model →
  3. 03

    Tamper-evident audit chain

    Every event (auth, enroll, message, tool call, LLM token) hashed and chained. RFC 3161 anchoring optional. Your auditor verifies the chain externally without trusting Cullis or your IT team.

    Audit chain →
cullis · mastio · /pki
Mastio PKI management Mastio policy management Mastio audit log
03 Drop-in integration

Wherever your agent lives.

Your AI agents are already running in different places: laptops, browsers, backend services, containers. Mastio attaches without you rewriting them.

  • Connector laptop daemon · Claude Desktop, Cursor, Cline, LibreChat, Cherry Studio · macOS, Linux, Windows
  • Cullis Chat browser SPA · single power user or multi-user SSO deployment
  • SDK backend services · in-process Python · MCP-compatible
  • SPIRE / K8s Kubernetes workloads · existing identity fabric

↳ For cross-organization agent-to-agent routing, see Cullis Court (Day-2 federation layer).

04 Use cases

One infrastructure.
Many compliance regimes.

The same identity-policy-audit pattern serves regulated industries across Europe and the United States. Pick your use case.

Insurance · EU

Claim handling under AI Act high-risk

Claim intake agents, fraud detection, senior adjuster override, reassurer signoff. Every decision auditable end-to-end under AI Act Annex III and IDD Art. 17.

Read the scenario →
Banking · EU + US

KYC automation under DORA / SR 11-7

Customer service agents, KYC document review, transaction monitoring. Audit trail aligned with DORA Art. 28-30 and Fed SR 11-7 model risk management.

Coming soon
Healthcare · EU + US

Clinical decision support under HIPAA / MDR

Triage agents, diagnosis assistance, prescription review. Audit trail mapped to HIPAA 164.312(b) integrity controls and MDR post-market surveillance.

Coming soon
Public sector · EU + US

Citizen services under NIS2 / Colorado AI Act

Citizen-facing agents in social services, taxation, public procurement. Sovereign deployment, audit chain mappable to NIS2 essential-entity obligations and Colorado AI Act.

Coming soon
05 Compliance mapping

The control map.
Every framework, every clause.

Compliance teams need to map Cullis capabilities to specific clauses in their framework. We have done the mapping for you.

Framework Article / clause Cullis capability
EU AI Act Art. 12, 15, 72 Tamper-evident audit chain, model run logging, post-market traceability
DORA Art. 28, 30 Self-hosted deployment, append-only ICT third-party audit trail
NIST AI RMF MEASURE 2.7, GOVERN 1.7 Standardized audit log export, per-agent identity, role separation
Colorado AI Act Consumer disclosure for high-risk AI Decision logging with reason, per-decision provenance
ISO 42001 AI Management System controls Operational governance, lifecycle controls, audit evidence
HIPAA 164.312(b) audit controls Append-only audit chain, integrity controls, external verification
SR 11-7 Model risk management Model run traceability, override logging, accountable identity

Capability mapping reflects Cullis Mastio current release. Specific compliance assessment for a regulated deployment remains the responsibility of the deploying organization.

Read the research on mazzolad.com →
06 Quickstart

From zero to a full network, in one command.

Boot Mastio with example agents, MCP servers, and a second org for federation preview. Pre-wired with SPIRE, Keycloak, Vault, Postgres. 

git clone https://github.com/cullis-security/cullis
cd cullis
./sandbox/demo.sh full

Then replay intra-org MCP tool calls and cross-org A2A messages: 

./sandbox/demo.sh mcp-catalog     # intra-org: agent → MCP tool call (Org A)
./sandbox/demo.sh mcp-inventory   # intra-org: agent → MCP tool call (Org B)
./sandbox/demo.sh oneshot-a-to-b  # cross-org: encrypted A2A message A → B
./sandbox/demo.sh oneshot-b-to-a  # cross-org: encrypted A2A message B → A
07 Continue

Talk to us. Or read the code.

We are early. We want to talk with security and compliance teams running their first AI agents in production. Schedule a call, read the research, or dive into the architecture.

Schedule a call Read the research GitHub