# Praesidia

> Authenticate, govern, and monitor every interaction between your apps, AI agents, and MCP servers.

Praesidia is a multi-tenant control plane for AI agents and MCP (Model Context Protocol) servers. It provides authentication, authorization, content guardrails, budget and rate policies, audit logging, trust scoring, agent-to-agent (A2A) communication, federation, and compliance (GDPR, EU AI Act). This file indexes Praesidia's public content for LLMs and AI agents.

## Key facts

- What it is: an AI control plane that authenticates, governs, and monitors every interaction between applications, AI agents, and MCP servers.
- Entity types governed: Applications, AI Agents, and MCP (Model Context Protocol) Servers.
- Six control domains: identity & access, guardrails & content safety, governance & compliance, cost & FinOps, observability & audit, and connect/build/orchestrate.
- Pricing: Free ($0/mo, no credit card), Individual ($9/mo), Advanced ($49/mo), Enterprise ($1,999/mo). Free during beta; open-source core is Apache-licensed.
- Identity & access: SSO (SAML and OIDC), SCIM 2.0 provisioning, MFA (TOTP), passkeys (WebAuthn), and role-based access control.
- Guardrails: bidirectional content inspection that can block, redact, or warn on prompt injection, PII, and policy violations.
- Cost controls: per-agent/team/workflow spend attribution with budget policies and hard spend caps.
- Compliance frameworks: SOC 2, GDPR, EU AI Act, ISO/IEC 42001, NIST AI RMF, and the OWASP Top 10 for LLMs.
- Protocols & integrations: MCP and agent-to-agent (A2A), bring-your-own-key (model-agnostic LLMs), OpenTelemetry (OTLP) export, SIEM forwarding, and signed webhooks.
- Deploy agents to: Heroku, Render, Hetzner, and Scalingo (one-click).
- SDK & API: Python SDK (pip install praesidia-server-sdk), CLI, and an OpenAPI-described REST API.
- Hosting: European infrastructure with EU data residency.

Sign up at https://app.praesidia.ai.
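The "Cost controls" fact above (budget policies with hard spend caps) and the AI FinOps entries further down this page describe reservation-based enforcement with graduated thresholds: an agent run reserves its estimated cost before dispatch, so concurrent runs cannot each pass a check against spend-so-far and jointly overrun the cap. The block below is an added illustration written for this page; it is not code from the Praesidia SDK or API, and the `BudgetPolicy`/`BudgetLedger` names, the cent-denominated units, and the threshold labels are all assumptions of the example.

```python
from __future__ import annotations

import threading
from dataclasses import dataclass, field


@dataclass
class BudgetPolicy:
    """Illustrative policy (assumed shape): a hard cap plus graduated thresholds, as fractions of the cap, that raise alerts."""
    cap_cents: int
    thresholds: tuple[float, ...] = (0.5, 0.8)


@dataclass
class BudgetLedger:
    """Reservation accounting. A request must reserve its *estimated* cost before dispatch.
    The gate checks spent + reserved + estimate, so in-flight requests are counted against the cap
    even before the provider has metered them."""
    policy: BudgetPolicy
    spent_cents: int = 0
    reserved_cents: int = 0
    reservations: dict[str, int] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def committed_cents(self) -> int:
        return self.spent_cents + self.reserved_cents

    def reserve(self, request_id: str, estimate_cents: int) -> bool:
        """Hard gate at dispatch: False means deny. A reservation id may only be taken once."""
        with self._lock:
            if request_id in self.reservations:
                raise ValueError(f"duplicate reservation {request_id}")
            if self.committed_cents() + estimate_cents > self.policy.cap_cents:
                return False
            self.reservations[request_id] = estimate_cents
            self.reserved_cents += estimate_cents
            self._check_thresholds()
            return True

    def settle(self, request_id: str, actual_cents: int) -> None:
        """Replace the estimate with the metered cost once the provider reports it."""
        with self._lock:
            self.reserved_cents -= self.reservations.pop(request_id)
            self.spent_cents += actual_cents
            self._check_thresholds()

    def release(self, request_id: str) -> None:
        """The call failed before incurring cost: hand the reservation back."""
        with self._lock:
            self.reserved_cents -= self.reservations.pop(request_id)

    def _check_thresholds(self) -> None:
        # graduated thresholds fire once each, on committed (not merely spent) cost
        ratio = self.committed_cents() / self.policy.cap_cents
        for t in self.policy.thresholds:
            label = f"threshold_{int(t * 100)}"
            if ratio >= t and label not in self.alerts:
                self.alerts.append(label)


def run_demo() -> BudgetLedger:
    """Constructed scenario: two agent runs race against a $10.00 cap."""
    ledger = BudgetLedger(BudgetPolicy(cap_cents=1000))
    assert ledger.reserve("run-a", 600)        # 600 committed
    assert not ledger.reserve("run-b", 500)    # 1100 would exceed the cap: denied at dispatch
    ledger.settle("run-a", 350)                # metered cost below the estimate: 350 spent, 0 reserved
    assert ledger.reserve("run-b", 500)        # 850 committed: allowed, crosses the 50% and 80% thresholds
    ledger.settle("run-b", 500)
    assert not ledger.reserve("run-c", 200)    # 1050 would exceed the cap
    return ledger
```

The cap bounds what is dispatched, not what a single in-flight call ultimately bills: if a provider meters more than the estimate, `settle` records the overrun and the next `reserve` is what gets denied. Estimates therefore need a safety margin (or a per-call max-tokens ceiling) for a hard cap to hold in practice.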
## Core pages

- [Platform overview](https://praesidia.ai/): What Praesidia does
- [Platform](https://praesidia.ai/platform): The six control domains — identity, guardrails, governance, cost, observability, and orchestration — on one control plane
- [Security & Compliance](https://praesidia.ai/security): Security controls and audit evidence mapped to SOC 2, GDPR, the EU AI Act, ISO/IEC 42001, NIST AI RMF, and the OWASP LLM Top 10
- [Integrations](https://praesidia.ai/integrations): Model-agnostic BYOK, MCP and A2A protocols, SSO/SCIM, OTLP observability, and SIEM forwarding
- [Pricing](https://praesidia.ai/pricing): Free ($0), Individual ($9/mo), Advanced ($49/mo), Enterprise ($1,999/mo); open-source core is Apache-licensed
- [Documentation](https://praesidia.ai/docs): Guides and concepts
- [AI Governance Maturity Assessment](https://praesidia.ai/assessment): Free interactive self-assessment across six control dimensions
- [AI Agent Cost Calculator](https://praesidia.ai/tools/ai-cost-calculator): Estimate AI agent fleet spend and runaway-cost exposure
- [Glossary](https://praesidia.ai/glossary): Definitions of AI governance and agent security terms
- [FAQ](https://praesidia.ai/faq): Common questions
- [About](https://praesidia.ai/about): Company and mission

## Cornerstone guides

- [AI Agent Security: The Definitive Guide](https://praesidia.ai/guides/ai-agent-security): A comprehensive guide to securing AI agents: identity, authorization, guardrails, trust scoring, A2A communication, audit logging, and incident response.
- [AI FinOps: The Complete Guide to Controlling AI Agent Costs](https://praesidia.ai/guides/ai-finops): Learn how to attribute, budget, forecast, and enforce AI agent spend across your organization — the complete FinOps discipline for agentic AI.
- [AI Governance: The Complete Guide](https://praesidia.ai/guides/ai-governance): The complete reference on AI governance: control points, guardrails, human-in-the-loop oversight, audit trails, and regulatory compliance for AI agents.
- [Identity and Access for AI: The Complete Guide](https://praesidia.ai/guides/identity-access-for-ai): A complete guide to identity and access management for AI: human SSO, SCIM, MFA, RBAC, agent identity, scoped credentials, least privilege, and revocation.
- [MCP Server Governance: The Complete Guide](https://praesidia.ai/guides/mcp-server-governance): The authoritative reference for bringing MCP servers under governance: security model, authentication, tool scoping, rate limits, monitoring, and hardening.
- [The AI Control Plane: A Complete Guide](https://praesidia.ai/guides/ai-control-plane): What an AI control plane is, why it emerged, how it differs from API gateways, and the core capabilities every enterprise AI deployment needs.

## Documentation

- [Getting Started](https://praesidia.ai/docs/getting-started): Get up and running with Praesidia in minutes. Register your first entity, create a connection, and secure your AI infrastructure.
- [Entity Types](https://praesidia.ai/docs/entities): Learn about the three entity types in Praesidia: Applications, MCP Servers, and Agents.
- [Connections](https://praesidia.ai/docs/connections): Learn how connections work in Praesidia. Define trusted relationships between entities with security controls.
- [Guardrails](https://praesidia.ai/docs/guardrails): Configure content-level controls on connections between AI entities. Guardrails define what can be communicated.
- [Policies](https://praesidia.ai/docs/policies): Configure operational controls on connections. Set rate limits, geographic restrictions, time-based access, and more.
## Blog by topic

### AI Agent Security

- [AI Agent Security hub](https://praesidia.ai/blog/category/ai-agent-security): Identity, authorization, guardrails, and trust for autonomous AI agents.
- [An AI Agent Incident Readiness Checklist](https://praesidia.ai/blog/ai-incident-readiness-checklist): A practical checklist for AI agent incident readiness: inventory, instant revocation, tamper-evident audit trails, runbooks, and communication templates.
- [The OWASP LLM Top 10, Applied to AI Agents](https://praesidia.ai/blog/owasp-llm-top-10-for-agents): How each OWASP LLM Top 10 risk category maps to agentic AI deployments — and the governance controls that address them at the infrastructure layer.
- [Threat Model: Agent-to-Agent Delegation Abuse](https://praesidia.ai/blog/threat-model-a2a-delegation-abuse): When AI agents delegate tasks to each other, the delegation chain becomes an attack surface. How to threat-model and contain A2A delegation abuse.
- [Threat Model: Indirect Prompt Injection](https://praesidia.ai/blog/threat-model-indirect-prompt-injection): Indirect prompt injection hijacks tool-using AI agents through poisoned external content. Learn the attack vectors and layered controls that contain them.
- [How to Detect and Defend Against Prompt Injection](https://praesidia.ai/blog/how-to-detect-prompt-injection): Practical detection signals and layered defenses for direct and indirect prompt injection in AI agents — from input scanning to output validation and runtime policy.
- [Securing AI Coding Agents](https://praesidia.ai/blog/securing-ai-coding-agents): AI coding agents read files, run tools, and push code autonomously. Learn the specific risks they introduce — prompt injection, supply-chain exposure, secret leakage — and how to contain them.
- [AI Agent Security for Startups](https://praesidia.ai/blog/ai-agent-security-for-startups): A pragmatic guide to AI agent security for startups: the controls that matter most when you are moving fast and have limited security resources.
- [Trust Scores vs Allow-Lists for Agent Authorization](https://praesidia.ai/blog/trust-score-vs-allowlist): Static allow-lists gate identity; dynamic trust scores gate scope. Learn how each works, where each falls short, and why mature programs combine both.
- [A2A vs MCP: What's the Difference?](https://praesidia.ai/blog/a2a-vs-mcp-whats-the-difference): MCP connects agents to tools; A2A connects agents to each other. Understand how both protocols divide labor and what security controls each one demands.
- [Securing the AI Agent Supply Chain](https://praesidia.ai/blog/securing-the-agent-supply-chain): How provenance, attestation, and runtime verification protect AI deployments from compromised third-party agents and tools.
- [Incident Response for AI Agent Breaches](https://praesidia.ai/blog/incident-response-for-ai-agent-breaches): A practical incident response runbook for AI agent breaches: contain damage, revoke scoped credentials, investigate with tamper-evident audit trails, and recover.
- [Federated AI: Sharing Agents Without Sharing Data](https://praesidia.ai/blog/federated-ai-sharing-agents-without-sharing-data): How signed trust manifests and scoped admission controls let organizations share AI agents across boundaries without exposing data or credentials.
- [Trust Scoring Models for Autonomous Agents](https://praesidia.ai/blog/trust-scoring-models-autonomous-agents): How agent trust scoring models aggregate identity, behavior, and attestation signals into a runtime gate that controls what autonomous agents are permitted to do.
- [Tool-Use Safety: Sandboxing Agent Actions](https://praesidia.ai/blog/tool-use-safety-sandboxing-agent-actions): Contain what AI agent tools can do: tool-level scoping, allow-lists, dry-runs, and human approval gates for high-consequence irreversible actions.
- [Secrets Management for AI Agents](https://praesidia.ai/blog/secrets-management-for-ai-agents): Keep API keys and credentials out of agent prompts and source code. The four pillars of secrets management: storage, delivery, access control, and rotation.
- [Agent-to-Agent Protocols and Interoperability](https://praesidia.ai/blog/agent-to-agent-protocols-a2a-interop): How to design safe A2A interoperability: agent cards, secure discovery, scoped credentials, and cross-org trust — in under 8 minutes.
- [Data Exfiltration Risks in Agentic AI](https://praesidia.ai/blog/data-exfiltration-risks-agentic-ai): Agentic AI creates novel data exfiltration paths via over-broad tool access, chatty outputs, and prompt injection. Learn how to contain each risk layer.
- [Prompt Injection: Threats and Defenses](https://praesidia.ai/blog/prompt-injection-threats-and-defenses): Prompt injection embeds malicious instructions in content AI agents process. How direct and indirect variants work — and what layered defenses reduce the risk.
- [Zero Trust for AI Agents](https://praesidia.ai/blog/zero-trust-for-ai-agents): Zero trust for AI agents means verifying every identity, enforcing least-privilege policy at every hop, and using behavioral trust scores as a runtime gate — not just at login.
- [Why AI Infrastructure Needs a New Security Model](https://praesidia.ai/blog/why-ai-infrastructure-needs-new-security-model): Traditional IAM secures human users, not AI agents making thousands of calls per minute. Here is why a connection-centric security model is the right foundation for AI infrastructure.
- [AI Agent Security: The Complete Guide](https://praesidia.ai/blog/ai-agent-security-complete-guide): The complete guide to AI agent security: identity, authorization, connection policies, content guardrails, monitoring, and incident response in one place.
- [The Rise of Shadow AI: Why Governance Matters](https://praesidia.ai/blog/rise-of-shadow-ai-why-governance-matters): Shadow AI grows faster than shadow IT. The three risk categories it creates and how a governance framework closes the visibility gap before incidents occur.
- [AI Agent Identity: Why Agents Need Their Own Credentials](https://praesidia.ai/blog/ai-agent-identity-why-agents-need-credentials): Agents running on borrowed human credentials create accountability gaps and excess privilege. Learn why agent-native identity changes the security calculus.
- [Inside the Agent Management Console](https://praesidia.ai/blog/agent-management-console): Register, configure, version, and debug every AI agent in your fleet from a single governed control surface with full audit trails and per-agent access control.
- [Agent-to-Agent (A2A) Communication, Governed](https://praesidia.ai/blog/agent-to-agent-a2a-communication-governed): Governed A2A communication ensures every inter-agent call is authenticated, scoped, and audited — with agent cards, least-privilege identity, and bidirectional guardrails.
- [Governed Connections Between Agents and Resources](https://praesidia.ai/blog/governed-agent-resource-connections): Turn implicit agent-to-resource links into policy-bound connections with rate limits, spend caps, trust gates, and guardrails enforced at dispatch.
- [Securely Sharing AI Agents Across Organizations](https://praesidia.ai/blog/securely-sharing-ai-agents-across-orgs): Share AI agents with partner organizations under explicit policies — request caps, expiry, and instant revocation — without handing over credentials or duplicating infrastructure.
- [Cross-Org Agent Federation with Trust Manifests](https://praesidia.ai/blog/cross-org-agent-federation-trust-manifests): How signed trust manifests let organizations share AI agents across boundaries without shared secrets — every cross-org delegation is explicit, verifiable, and revocable.
- [Trust Scores and Attestations: Deciding Which Agents to Trust](https://praesidia.ai/blog/trust-scores-attestations-agents): Learn how agent trust scores combine behavioral signals, compliance state, and cryptographic attestations into an auditable dispatch gate for AI agents.

### Identity & Access

- [Identity & Access hub](https://praesidia.ai/blog/category/identity-access): SSO, SCIM, MFA, RBAC, and tenancy — who can touch your AI systems, and how.
- [Threat Model: Agent Credential Theft](https://praesidia.ai/blog/threat-model-agent-credential-theft): How AI agent credentials get stolen and abused, and the controls that limit blast radius: credential scoping, short lifetimes, rotation, and fast revocation.
- [How to Implement Least Privilege for AI Agents](https://praesidia.ai/blog/how-to-implement-least-privilege-for-agents): Apply least privilege to AI agents with scoped credentials, per-connection policies, and delegation constraints that shrink your blast radius.
- [How to Give an AI Agent Its Own Identity](https://praesidia.ai/blog/how-to-give-an-agent-an-identity): Why AI agents need first-class identity and how to model it so every action is attributable, governed, and revocable without disrupting other systems.
- [How to Authenticate AI Agents](https://praesidia.ai/blog/how-to-authenticate-ai-agents): How to authenticate AI agents using API keys, short-lived tokens, and scoped credentials — so every agent action is attributable and revocable.
- [SSO and SCIM: Enterprise Identity for AI Tools](https://praesidia.ai/blog/sso-scim-enterprise-identity-for-ai-tools): SSO and SCIM give enterprises full control over AI tool access — federated authentication plus automated lifecycle management that keeps access current.
- [RBAC vs ABAC for AI Platforms](https://praesidia.ai/blog/rbac-vs-abac-for-ai-platforms): RBAC governs who can configure agents; ABAC governs what agents can do per request. Learn which model fits each authorization decision on an AI platform.
- [User Account Self-Service and Admin Controls](https://praesidia.ai/blog/user-account-self-service-admin-controls): How splitting user self-service from admin controls reduces the attack surface of an AI platform and keeps account hygiene manageable at scale.
- [Security Policies: Passwords, Sessions, and IP Restrictions](https://praesidia.ai/blog/security-policies-passwords-sessions-ip): Per-org security policies let tenants enforce password complexity, session timeouts, MFA mandates, and IP allow-lists — enforced server-side on every request.
- [RBAC and Custom Roles for AI Operations](https://praesidia.ai/blog/rbac-custom-roles-ai-operations): Fine-grained RBAC and custom roles let AI operations teams enforce least privilege across agents, workflows, and security settings — without broad admin grants.
- [Organizing Access with Teams](https://praesidia.ai/blog/organizing-access-with-teams): Teams add a functional access layer beneath org-level roles — scoping agents, enforcing per-team budgets, and integrating with SCIM for automated provisioning.
- [Multi-Tenant Organizations and Membership](https://praesidia.ai/blog/multi-tenant-organizations-membership): How multi-tenant org isolation protects AI agents and data, with invite flows, role lifecycle, and layered enforcement that prevents cross-tenant data leakage.
- [Automating User Lifecycle with SCIM 2.0](https://praesidia.ai/blog/scim-provisioning-ai-tools): SCIM 2.0 automates user lifecycle for AI platforms — collapsing the access-change window from days to minutes and enforcing token revocation on deprovision.
- [Single Sign-On for AI Agent Management: SAML and OIDC](https://praesidia.ai/blog/sso-saml-oidc-for-ai-agent-management): How enterprise SSO with SAML and OIDC maps IdP identities into org-scoped access for AI platforms — and why federated authentication matters for AI tooling.
- [Passkeys and WebAuthn for AI Platforms](https://praesidia.ai/blog/passkeys-webauthn-for-ai-platforms): Passkeys resist phishing on AI control planes by binding credentials to the device and the registering origin. How the WebAuthn ceremony works and what to verify in any platform.
- [MFA for AI Control Planes: TOTP and Backup Codes](https://praesidia.ai/blog/mfa-totp-backup-codes-ai-platform): How TOTP and backup codes protect AI control planes from credential theft, plus forced enrollment, step-up auth, and replay prevention for high-risk agent actions.
- [How Praesidia Authenticates Apps, Agents, and MCP Servers](https://praesidia.ai/blog/authenticate-apps-agents-mcp-servers): How a unified identity layer authenticates users, apps, AI agents, and MCP servers through one governed front door with MFA, scoped credentials, and audit logging.

### AI Governance & Compliance

- [AI Governance & Compliance hub](https://praesidia.ai/blog/category/ai-governance-compliance): Policies, audit trails, GDPR, and EU AI Act readiness for agentic AI.
- [Data Residency and Sovereignty for AI Agents](https://praesidia.ai/blog/data-residency-for-ai-agents): How to keep AI agent data within jurisdictional boundaries, satisfy GDPR and cross-border transfer rules, and produce the evidence regulators expect.
- [ISO/IEC 42001 for AI Management Systems](https://praesidia.ai/blog/iso-42001-for-ai-management): ISO/IEC 42001 sets requirements for AI management systems. See what the standard expects and how agent governance controls map directly to its Annex A clauses.
- [Applying the NIST AI RMF to AI Agents](https://praesidia.ai/blog/nist-ai-rmf-for-agents): Apply the NIST AI RMF to AI agents: map GOVERN, MAP, MEASURE, and MANAGE to concrete controls — agent inventories, threat models, audit trails, and revocation.
- [How to Keep PII Out of Agent Prompts and Logs](https://praesidia.ai/blog/how-to-redact-pii-from-agent-prompts): Keep PII out of AI agent prompts, responses, and logs using detection-and-redaction controls that satisfy GDPR, HIPAA, and audit requirements.
- [How to Audit AI Agent Activity](https://praesidia.ai/blog/how-to-audit-ai-agent-activity): What to log for AI agents, how to keep audit trails credible and tamper-evident, and how to reconstruct any agent action for compliance or forensics.
- [Governing AI Customer-Support Agents](https://praesidia.ai/blog/governing-customer-support-agents): Govern AI customer-support agents: PII detection, response guardrails, escalation triggers, and tamper-evident audit logs regulators expect.
- [AI Agent Governance for Healthcare](https://praesidia.ai/blog/ai-agent-governance-healthcare): How healthcare organizations protect PHI, enforce least privilege, and prove AI agent controls to satisfy HIPAA, the EU AI Act, and auditors.
- [AI Agent Governance for Financial Services](https://praesidia.ai/blog/ai-agent-governance-financial-services): The controls regulated financial firms need for AI agents: tamper-evident audit trails, scoped identity, human approval gates, and on-demand regulatory evidence.
- [Guardrails vs Evals vs Monitoring](https://praesidia.ai/blog/guardrails-vs-evals-vs-monitoring): Guardrails, evals, and monitoring each close a different AI safety gap at a different lifecycle stage — learn how to use all three correctly.
- [AI Guardrails vs LLM Firewall: Terms and Trade-offs](https://praesidia.ai/blog/ai-guardrails-vs-llm-firewall): AI guardrails and LLM firewalls both inspect content but solve different problems. Learn the distinctions, evaluation approaches, and fail-mode trade-offs.
- [An AI Agent Compliance Checklist for 2026](https://praesidia.ai/blog/ai-agent-compliance-checklist-2026): A practical AI agent compliance checklist covering identity, tamper-evident audit trails, GDPR erasure, EU AI Act risk tiers, and vendor due diligence.
- [A Glossary of AI Governance and Agent Security Terms](https://praesidia.ai/blog/ai-governance-agent-security-glossary): Precise definitions of AI governance and agent security terms — guardrail, control plane, A2A, attestation, trust score — for specs and vendor evaluations.
- [An AI Governance Maturity Model](https://praesidia.ai/blog/ai-governance-maturity-model): Five stages of AI governance maturity for AI agents — from ad-hoc to optimized — with concrete indicators and the specific work needed to advance each stage.
- [PII Detection and Redaction in AI Pipelines](https://praesidia.ai/blog/pii-detection-redaction-ai-pipelines): Detect and redact PII before it reaches AI models or persists in logs — covering entry points, detection techniques, redaction strategies, and compliance.
- [Designing Guardrails: Block, Redact, or Warn?](https://praesidia.ai/blog/designing-guardrails-block-redact-warn): Choose the right enforcement action for AI agent guardrails — block, redact, or warn — and understand the fail-open vs fail-closed security trade-off.
- [Audit Trails That Hold Up: Cryptographic Integrity](https://praesidia.ai/blog/audit-trails-that-hold-up): What makes an audit trail credible to an auditor or court: hash-chaining, per-row digital signatures, and external anchoring explained for engineering teams.
- [Human-in-the-Loop Approvals for High-Risk Agent Actions](https://praesidia.ai/blog/human-in-the-loop-approvals-agents): Human-in-the-loop approvals pause AI agents before high-risk actions, preserve throughput with async queues, and build an auditable approval trail.
- [SOC 2 for AI Platforms: What Auditors Look For](https://praesidia.ai/blog/soc2-for-ai-platforms): SOC 2 auditors scrutinize AI platforms harder than traditional SaaS. Learn which controls matter most — from tamper-evident audit trails to agent access management.
- [GDPR for AI Systems: Data Subject Rights and Erasure](https://praesidia.ai/blog/gdpr-for-ai-systems-erasure-rights): How GDPR data subject rights apply to AI pipelines, what Article 17 erasure requires technically, and the design patterns that make compliance tractable.
- [The EU AI Act Explained for Engineering Teams](https://praesidia.ai/blog/eu-ai-act-explained-for-engineers): What the EU AI Act actually requires of engineering teams: risk tiers, mandatory logging, human oversight, and a concrete four-step readiness path.
- [Building an AI Agent Inventory](https://praesidia.ai/blog/building-an-ai-agent-inventory): How to discover, register, and maintain every AI agent you deploy — the foundational inventory that access policies, spend caps, and audit trails depend on.
- [What Is AI Agent Governance?](https://praesidia.ai/blog/what-is-ai-agent-governance): AI agent governance defines the runtime controls — identity, authorization, guardrails, budgets, and audit trails — that keep autonomous agents accountable.
- [Tamper-Evident Audit Logs with Cryptographic Proofs](https://praesidia.ai/blog/tamper-evident-audit-logs-cryptographic-proofs): Hash-chained, cryptographically signed audit logs with Merkle inclusion proofs give compliance teams independently verifiable records — no platform access required.
- [GDPR Erasure and EU AI Act Readiness](https://praesidia.ai/blog/gdpr-erasure-eu-ai-act-readiness): How AI control planes handle GDPR right-to-erasure mechanics and map each agent to EU AI Act risk tiers — with evidence collection built in for auditors.
- [Tenant Isolation and Row-Level Security](https://praesidia.ai/blog/tenant-isolation-row-level-security): How app-layer org scoping and database row-level security combine to prevent cross-tenant data leaks in multi-tenant AI platforms — and where each layer fits.
- [Content Guardrails for AI Agents](https://praesidia.ai/blog/content-guardrails-for-ai-agents): How content guardrails enforce policy on every AI agent interaction — blocking, redacting, or escalating PII, secrets, and violations before they cross a trust boundary.

### AI FinOps

- [AI FinOps hub](https://praesidia.ai/blog/category/ai-finops): Attribute, budget, and cap the cost of AI agents, tokens, and tool calls.
- [Threat Model: Runaway Agent Spend](https://praesidia.ai/blog/threat-model-runaway-agent-spend): Loop-and-burn failures drain AI budgets fast. Learn the blast radius, five root conditions, and the layered controls that stop runaway spend before the invoice.
- [How to Set Budgets for AI Agents](https://praesidia.ai/blog/how-to-set-budgets-for-ai-agents): Set enforceable AI agent budgets with reservation-based enforcement, graduated thresholds, and clear attribution — before overruns reach your invoice.
- [Budgets vs Rate Limits: Controlling Agent Consumption](https://praesidia.ai/blog/budgets-vs-rate-limits): Spend caps and request throttling are different levers for controlling runaway AI agents. Learn when each applies, how they compose, and why you need both.
- [Budgets and Quotas: Preventing Runaway Agent Costs](https://praesidia.ai/blog/budgets-quotas-preventing-runaway-agent-costs): Design budget policies and hard spend caps that stop a looping or misconfigured AI agent before it runs up an unbounded bill, using reservation-based enforcement.
- [Cost Control for LLM Applications](https://praesidia.ai/blog/cost-control-for-llm-applications): Where LLM costs hide in agentic applications, how to attribute them per agent and run, and the reservation-based enforcement that stops overspend at dispatch.
- [FinOps for AI Agents: Controlling Token and Tool Costs](https://praesidia.ai/blog/finops-for-ai-agents): A practical FinOps loop for agentic AI: attribute token and tool costs, set multi-level budgets, trigger alerts early, and enforce hard spend limits.
- [Reliable Billing: Stripe Webhooks, Reconciliation, and Dunning](https://praesidia.ai/blog/reliable-billing-stripe-webhooks-dunning): Signed webhook verification, idempotent handlers, reconciliation, and a dunning state machine are the four layers that keep billing state correct.
- [Tracking Per-Connection AI Usage and Cost](https://praesidia.ai/blog/per-connection-usage-cost-tracking): Per-connection usage tracking attributes every AI request and dollar to its source, enabling accurate chargebacks, capacity planning, and anomaly detection.
- [Revenue Monitoring and Payouts for AI Marketplaces](https://praesidia.ai/blog/revenue-monitoring-payouts-ai-marketplaces): How AI marketplaces track MRR, ARR, and per-agent earnings, and manage partner payouts — the outbound money flow that billing dashboards miss.
- [Budget Policies: Hard Spend Caps for AI Agents](https://praesidia.ai/blog/budget-policies-hard-spend-caps): Hard spend caps that actually stop AI agents: scoped budget policies, graduated threshold actions, and reservation accounting that prevents cost overruns.
- [Credits and Cost Monitoring for Agent Spend](https://praesidia.ai/blog/credits-cost-monitoring-agent-spend): A prepaid credit ledger with per-agent usage records gives you real-time visibility into AI spend and a hard gate that stops agents before they overspend.
- [Subscriptions, Invoices, and Contracts for AI Platforms](https://praesidia.ai/blog/subscriptions-invoices-contracts-ai-platform): How subscription plans, metered usage, invoices, and enterprise contracts work together so AI token and tool costs map cleanly to billing — no billing surprises.

### Platform & Operations

- [Platform & Operations hub](https://praesidia.ai/blog/category/platform-operations): MCP servers, workflows, observability, and the control-plane engineering behind it.
- [Threat Model: Over-Broad MCP Tool Scope](https://praesidia.ai/blog/threat-model-over-broad-mcp-tool-scope): Over-broad MCP tool permissions give attackers an amplified attack surface. Learn the failure modes and control classes that shrink the blast radius.
- [How to Rate-Limit AI Agents](https://praesidia.ai/blog/how-to-rate-limit-ai-agents): Design abuse-resistant rate limits for AI agents: choose the right unit, window shape, and enforcement scope to protect costs and downstream systems.
- [How to Monitor MCP Tool Calls](https://praesidia.ai/blog/how-to-monitor-mcp-tool-calls): Gain full visibility into every MCP tool call an AI agent makes — with attribution, policy decisions, and cost data needed for security and compliance.
- [Evaluating AI Agent Observability Tooling](https://praesidia.ai/blog/agent-observability-tools-evaluation): A practical guide to what AI agent observability must cover — cost, behavior, and policy compliance — and the key criteria for choosing the right tooling.
- [MCP Gateway: What to Look For](https://praesidia.ai/blog/mcp-gateway-what-to-look-for): Evaluate MCP gateways on four criteria that actually matter: agent authentication, per-tool scoping, rate limits, and forensic audit logging.
- [Webhook Security: Signing and Verifying Events](https://praesidia.ai/blog/webhook-security-signing-verifying-events): HMAC signatures plus timestamp replay windows are the minimum bar for secure webhooks — here's why unsigned endpoints are dangerous and how to fix them.
- [Versioning and Rollback for AI Agents](https://praesidia.ai/blog/versioning-rollback-for-ai-agents): Version AI agent workflows like code, diff changes between snapshots, and roll back safely when a new version causes regressions or runaway costs in production.
- [Orchestration Patterns for Multi-Agent Systems](https://praesidia.ai/blog/orchestration-patterns-multi-agent-systems): Compare pipeline, hub-and-spoke, and blackboard orchestration patterns for multi-agent AI — with security, cost, and auditability trade-offs for each.
- [Observability for AI Agents: Logs, Metrics, and Traces](https://praesidia.ai/blog/observability-for-ai-agents): How logs, metrics, and distributed traces apply to AI agents — what to instrument, where costs hide, and how to connect all three pillars for fast incident triage.
- [Rate Limiting and Abuse Prevention for AI APIs](https://praesidia.ai/blog/rate-limiting-abuse-prevention-ai-apis): Request counts alone don't protect AI APIs. The layered controls — per-connection limits, spend caps, tool allow-lists, and trust gates — that actually work.
- [MCP Server Authentication: OAuth 2.1 vs API Keys](https://praesidia.ai/blog/mcp-server-authentication-oauth-vs-api-keys): OAuth 2.1 vs API keys for MCP server auth: a practical comparison of security trade-offs, blast radius, and when to use each in production AI agent deployments.
- [Securing MCP Servers: An Authentication Guide](https://praesidia.ai/blog/securing-mcp-servers-authentication-guide): Most MCP servers ship with no built-in authentication. Learn how to add identity verification, per-caller tool scoping, and bidirectional guardrails to production MCP deployments.
- [Scoping MCP Tool Permissions: Least Privilege for Tools](https://praesidia.ai/blog/scoping-mcp-tool-permissions): Grant AI agents the minimum MCP tool access they need — no more. Learn how allow-lists, per-tool rate limits, and policy gates prevent blast-radius breaches.
- [MCP Server Security: A Complete Checklist](https://praesidia.ai/blog/mcp-server-security-checklist): A practical MCP server security checklist covering authentication, tool-level authorization, rate limits, forensic logging, and monitoring for agentic AI systems.
- [What Is the Model Context Protocol (MCP)? A Practical Guide](https://praesidia.ai/blog/what-is-model-context-protocol-mcp): MCP gives AI agents a standard way to call external tools and retrieve context. Learn what it is, how it works, and what security controls a production deployment requires.
- [API-First: The Praesidia API Surface](https://praesidia.ai/blog/api-first-praesidia-api-surface): Every platform action is an API call. Learn how Praesidia's OpenAPI-described surface lets you automate governance, integrate tooling, and extend the platform.
- [The Platform Admin Console](https://praesidia.ai/blog/platform-admin-console): The platform admin console gives super-admins cross-tenant visibility, DLQ triage, two-person governance controls, and GDPR erasure on a separate access plane.
- [Real-Time Events over WebSocket](https://praesidia.ai/blog/real-time-events-over-websocket): A persistent, authenticated WebSocket stream replaces polling for agent tasks, workflow runs, and budget alerts — and what safe multi-tenant fan-out requires.
- [Health Probes and Readiness for AI Infrastructure](https://praesidia.ai/blog/health-probes-readiness-ai-infra): How to design liveness and readiness probes for AI services — what to check, how to avoid false positives, and what a production health surface should look like.
- [Webhooks and SIEM Forwarding](https://praesidia.ai/blog/webhooks-and-siem-forwarding): Stream AI agent events to your own systems and forward security signals to a SIEM — so agent activity is visible in the tooling your team already uses.
- [Organization API Keys and Scopes](https://praesidia.ai/blog/organization-api-keys-and-scopes): Issue, scope, and rotate organization API keys to give each integration only the access it needs — and limit blast radius when a credential is exposed.
- [Closing the Loop with a Product Feedback Board](https://praesidia.ai/blog/product-feedback-board): Turn scattered user requests into ranked roadmap signal with a built-in feedback board that supports voting, moderation, and multi-tenant visibility.
- [Slack and Multi-Channel Alerting](https://praesidia.ai/blog/slack-multi-channel-alerting): Route AI agent budget alerts, guardrail violations, and task failures to Slack and other channels with a reliable, tenant-isolated dispatcher pattern.
- [Unsubscribe, Suppression, and Preference Centers](https://praesidia.ai/blog/unsubscribe-suppression-preference-center): Build a compliant email opt-out system with enforced suppression lists, per-category preferences, and automatic bounce handling — and keep your sender reputation intact.
- [Transactional Email and Templates](https://praesidia.ai/blog/transactional-email-and-templates): Reliable transactional email for AI platforms: how consistent templates, authenticated sending, and delivery safeguards keep security and billing flows intact.
- [Web Push Alerts for AI Operations](https://praesidia.ai/blog/web-push-alerts-ai-operations): Browser push notifications deliver agent failures and budget alerts to operators the moment they happen — no open tab or email check required.
- [In-App Notifications That Cut Through](https://praesidia.ai/blog/in-app-notifications): How a purpose-built in-app notification system keeps AI platform operators informed of critical agent events and alerts without noise or alert fatigue.
- [Auth Monitoring and Login Security](https://praesidia.ai/blog/auth-monitoring-login-security): How to capture, aggregate, and act on authentication events in your AI platform so credential attacks surface in minutes, not days.
- [Visualizing AI Usage and Cost](https://praesidia.ai/blog/visualizing-ai-usage-and-cost): Charts, dashboards, and cost breakdowns that make AI agent spend legible — from real-time KPIs to anomaly detection and per-team attribution.
- [Prometheus Metrics and Observability](https://praesidia.ai/blog/prometheus-metrics-observability): Praesidia exposes a standard Prometheus metrics endpoint so you can monitor AI agent task throughput, latency, and spend using the tools your team already runs.
- [Global Search Across Your AI Estate](https://praesidia.ai/blog/global-search-across-ai-estate): Search across agents, tasks, connections, workflows, and audit logs from a single entry point — find any resource in your AI estate instantly.
- [Saved Views for Faster Operations](https://praesidia.ai/blog/saved-views-faster-operations): Saved views let AI operations teams restore any dashboard state in one click — cutting investigation setup time and reducing filter errors under pressure.
- [Service Level Objectives for AI Services](https://praesidia.ai/blog/slo-service-level-objectives-ai-services): Set measurable SLOs for task success rate, latency, and agent availability — then alert before users notice. A practical guide to SLOs for AI agent deployments.
- [Executive Reports for AI Governance](https://praesidia.ai/blog/executive-reports-ai-governance): Turn AI activity into board-ready governance reports covering usage, cost, and risk — with scheduled delivery and export for compliance teams.
- [The Operations Dashboard for Your AI Estate](https://praesidia.ai/blog/operations-dashboard-ai-estate): How an AI operations dashboard correlates agent counts, spend, trust scores, and security events in one view — and what to do when the numbers look wrong. - [Advanced Analytics for AI Operations](https://praesidia.ai/blog/advanced-analytics-ai-operations): Go beyond basic dashboards: model comparison, cost-per-team allocation, anomaly detection, and compliance analytics for AI operations teams. - [Analytics and the Event Stream](https://praesidia.ai/blog/analytics-and-the-event-stream): How a per-interaction event model powers AI agent dashboards, cost attribution, and forensic investigation — without additional collection infrastructure. - [Per-Org Feature Overrides and Canary Rollouts](https://praesidia.ai/blog/per-org-feature-overrides-canary): Per-org feature overrides let you enable a capability for one tenant, observe real behavior, and expand gradually — without touching your deployment pipeline. - [Plan Gating and Feature Flags](https://praesidia.ai/blog/plan-gating-feature-flags): Plan-based feature flags gate capabilities by subscription tier while per-org overrides enable safe canary rollouts — no deployment pipeline changes required. - [Real-Time Collaborative Workflow Editing](https://praesidia.ai/blog/real-time-collaborative-workflow-editing): How real-time collaboration on AI workflow canvases works: CRDTs for conflict-free edits, durable working documents, presence, and per-edit authorization. - [Bring Your Own Key: Managing LLM Configurations](https://praesidia.ai/blog/byok-managing-llm-configurations): Register your own LLM provider keys in one encrypted registry, route workloads to the right model, and eliminate key sprawl — without platform lock-in. 
- [Registering and Governing MCP Servers](https://praesidia.ai/blog/registering-governing-mcp-servers): Register MCP servers centrally, enforce per-tool permissions and rate limits, and log every invocation for audit — governance that unmanaged connections lack. - [Reusable Workflow Templates](https://praesidia.ai/blog/reusable-workflow-templates): Workflow templates let teams deploy proven agent pipeline patterns in one click — spreading best practices and simplifying governance across the organization. - [Chat-to-Build: Generating Workflows with AI](https://praesidia.ai/blog/chat-to-build-ai-workflow-generation): Turn a plain-language description into a reviewable multi-agent workflow draft in seconds. Learn how AI generation works and where human review stays essential. - [Triggering Workflows: Scheduled, Webhook, and Event](https://praesidia.ai/blog/triggering-workflows-scheduled-webhook-event): Learn the three ways to start an AI workflow — cron schedules, signed webhooks, and internal platform events — and which trigger fits each operational pattern. - [Executing and Monitoring Workflow Runs](https://praesidia.ai/blog/executing-monitoring-workflow-runs): How workflow runs execute node-by-node, how per-run spend caps prevent cost overruns, and how to observe, pause, cancel, and retry runs in real time. - [Designing AI Workflows on a Visual Canvas](https://praesidia.ai/blog/designing-ai-workflows-visual-canvas): A node-and-edge visual canvas lets you compose, version, and audit multi-step AI agent workflows before anything runs — catching gaps that code reviews miss. - [Managing API Consumers with Applications](https://praesidia.ai/blog/managing-api-consumers-applications): Register every API consumer as a named Application with scoped credentials and per-agent access controls — so you always know what each integration can do and can revoke it instantly. 
### AI Strategy

- [AI Strategy hub](https://praesidia.ai/blog/category/ai-strategy): How to think about adopting, governing, and getting ROI from AI agents.
- [How to Roll Out AI Agents Safely](https://praesidia.ai/blog/how-to-roll-out-ai-agents-safely): A staged rollout playbook for AI agents: inventory risk, run a scoped pilot with guardrails in place, define go/no-go criteria, and expand on evidence.
- [AI Agent Governance for Enterprises](https://praesidia.ai/blog/ai-agent-governance-for-enterprises): Enterprise AI agent governance at scale requires SSO, custom RBAC, delegated administration, and centralized policy enforcement across every team.
- [AI Agent Governance for SaaS Companies](https://praesidia.ai/blog/ai-agent-governance-saas): How SaaS teams embedding AI agents keep multi-tenant data isolated, costs attributed per customer, and agent behavior governed at scale across tenants.
- [An AI Governance Platform RFP Checklist](https://praesidia.ai/blog/ai-governance-platform-rfp-checklist): A ready-to-use RFP checklist for evaluating AI governance platforms — covering identity, policy enforcement, guardrails, spend controls, audit, and compliance.
- [AI Agent Governance: Build vs Buy](https://praesidia.ai/blog/ai-agent-governance-build-vs-buy): An honest framework for deciding whether to build AI agent governance in-house or buy a platform, weighed by risk, team capacity, and time-to-value.
- [AI Control Plane vs API Gateway: What's the Difference?](https://praesidia.ai/blog/ai-control-plane-vs-api-gateway): An API gateway manages traffic; an AI control plane governs agents. Learn the five critical gaps gateways leave open and what a control plane adds.
- [How to Choose an AI Agent Governance Platform](https://praesidia.ai/blog/best-ai-agent-governance-platforms): A criteria-driven framework for evaluating AI agent governance platforms across identity, guardrails, cost controls, audit trails, and multi-agent trust.
- [Measuring the ROI of AI Agents](https://praesidia.ai/blog/measuring-roi-of-ai-agents): Practical frameworks for quantifying AI agent ROI — cost per outcome, time recovered, and deflection rate — so you can move beyond vanity usage metrics.
- [What Is an AI Control Plane?](https://praesidia.ai/blog/what-is-an-ai-control-plane): An AI control plane unifies identity, policy, guardrails, and audit across your entire agent fleet — so you govern every AI interaction from one place.
- [Self-Hosted vs Managed AI Governance](https://praesidia.ai/blog/self-hosted-vs-managed-ai-governance): Self-hosted AI governance gives full data residency control; managed shifts operational burden to the vendor. Here is how to choose based on your team's actual constraints.
- [Choosing an AI Agent Management Platform: A Buyer's Guide](https://praesidia.ai/blog/choosing-ai-agent-management-platform): A structured buyer's framework for evaluating AI agent management platforms across identity, governance, cost control, observability, and compliance evidence.
- [Guardrails vs Policies: Understanding AI Infrastructure Controls](https://praesidia.ai/blog/guardrails-vs-policies-understanding-ai-controls): Guardrails check content appropriateness; policies enforce rate limits and time windows. Both layers are required — neither substitutes for the other.
- [Building Secure Multi-Agent Workflows](https://praesidia.ai/blog/building-secure-multi-agent-workflows): Secure multi-agent workflows with authentication at every hop, scoped delegation tokens, and content guardrails on every inter-agent message — three patterns explained.

## Glossary terms

- [Agent Identity](https://praesidia.ai/glossary#agent-identity): A verifiable, machine-readable identity assigned to an AI agent so its actions can be authenticated and attributed. Agent identity distinguishes one agent from another and from human users, enabling access control, audit trails, and revocation. Treating agents as first-class identities is foundational to securing autonomous systems.
- [Agent Orchestration](https://praesidia.ai/glossary#agent-orchestration): The coordination of multiple AI agents and tools to accomplish a complex goal, managing how tasks are routed, sequenced, and combined. Agent orchestration handles delegation, communication, and error handling across agents, turning individual capabilities into reliable multi-step processes while keeping the overall flow governable and observable.
- [Agent Trust Score](https://praesidia.ai/glossary#agent-trust-score): A dynamic rating that estimates how trustworthy an AI agent is based on signals such as identity verification, behavior history, attestation, and policy compliance. A trust score helps systems decide whether to grant an agent access or require additional checks, supporting risk-based, adaptive control over autonomous actors.
- [Agent-to-Agent Communication](https://praesidia.ai/glossary#agent-to-agent-communication): Direct interaction between autonomous AI agents that exchange tasks, data, or results without a human intermediary. Agent-to-agent (A2A) communication enables multi-agent collaboration but expands the attack surface, so each agent must verify the identity and permissions of others before trusting their requests.
- [Agentic AI](https://praesidia.ai/glossary#agentic-ai): A class of AI systems that act with autonomy, breaking down goals into steps, using tools, and adapting based on results rather than producing a single response. Agentic AI can take real actions in the world, so it introduces new security, governance, and cost-control challenges compared with traditional request-response AI applications.
- [AI Agent](https://praesidia.ai/glossary#ai-agent): A software system that uses a large language model to pursue goals autonomously, making decisions and calling tools, APIs, or other agents with limited human direction. Unlike a simple chatbot, an agent plans multi-step actions and can change external state, which makes its identity, permissions, and oversight critical to manage.
- [AI Control Plane](https://praesidia.ai/glossary#ai-control-plane): A centralized layer that authenticates, authorizes, governs, and monitors interactions between applications, AI agents, and external tools or services. It enforces consistent policy, identity, and observability across many models and integrations, giving organizations a single place to manage and secure AI usage rather than scattering controls across individual apps.
- [AI FinOps](https://praesidia.ai/glossary#ai-finops): The practice of managing and optimizing the financial cost of AI workloads through visibility, accountability, and control. AI FinOps applies cloud cost-management discipline to model usage, attributing spend to teams and use cases, forecasting expenses, and enforcing budgets so organizations can scale AI without losing control of costs.
- [Attestation](https://praesidia.ai/glossary#attestation): A verifiable claim about the properties or state of a system, agent, or workload, often backed by cryptographic evidence. Attestation lets one party prove what code it is running or which identity it holds so another party can decide whether to trust it, strengthening security in distributed and agent-driven environments.
- [Attribute-Based Access Control](https://praesidia.ai/glossary#attribute-based-access-control): An access model that decides permissions by evaluating attributes of the user, resource, action, and context, such as department, sensitivity, or time. Attribute-based access control (ABAC) enables fine-grained, dynamic policies that adapt to circumstances, going beyond static roles to express richer rules for who can access what and when.
- [Audit Log](https://praesidia.ai/glossary#audit-log): A chronological, tamper-resistant record of significant events in a system, such as logins, access changes, and AI actions. Audit logs capture who did what, when, and from where, providing the evidence needed for security investigations, accountability, and compliance with frameworks that require traceability of decisions and access.
- [Bidirectional Guardrails](https://praesidia.ai/glossary#bidirectional-guardrails): Content controls applied to both what an entity sends and what it receives. Inspecting both directions catches a malicious or malformed request before it reaches a downstream tool, and stops unsafe or non-compliant output — such as leaked secrets or PII — before it returns to the caller.
- [Blast Radius](https://praesidia.ai/glossary#blast-radius): The extent of damage that can result if a system, credential, or AI agent is compromised. A smaller blast radius means a breach affects fewer resources. Limiting it through least privilege, isolation, and scoped permissions is a core defensive strategy, especially for autonomous agents that can act broadly.
- [Budget Policy](https://praesidia.ai/glossary#budget-policy): A rule that sets and enforces spending limits on AI usage for a team, project, or agent over a defined period. A budget policy can warn, throttle, or block activity when costs approach a cap, giving organizations predictable AI spend and preventing runaway expenses from autonomous or high-volume workloads.
- [BYOK](https://praesidia.ai/glossary#byok): Bring Your Own Key, a model in which customers supply and control their own encryption keys or third-party API credentials rather than relying solely on the provider's. For AI platforms, BYOK often means using your own model-provider keys, giving direct control over billing, data handling, and provider relationships.
- [Capability Token](https://praesidia.ai/glossary#capability-token): A credential that grants the bearer specific, limited permissions to perform defined actions, often with an expiry and constrained scope. Rather than relying on broad identity, a capability token encodes exactly what is allowed. This fine-grained, short-lived approach is well suited to securing AI agents and tool access.
- [Connection](https://praesidia.ai/glossary#connection): In an AI control plane, a connection is the governed relationship between two entities — for example an application and an agent, or an agent and an MCP server. The connection, not the individual entity, is where identity, guardrails, and policies are applied, so security travels with the interaction itself rather than living on any single component.
- [Context Window](https://praesidia.ai/glossary#context-window): The maximum amount of text, measured in tokens, that a model can consider at once — covering the prompt, any retrieved context, and the response. Larger windows let agents reason over more information, but they also raise cost and create more room for injected or malicious content.
- [Credential Rotation](https://praesidia.ai/glossary#credential-rotation): The practice of periodically replacing secrets such as keys, tokens, and passwords so that a leaked or stale credential has a limited useful lifetime. Automated rotation shrinks the window an attacker can exploit and is a baseline control for machine identities like agents.
- [Data Loss Prevention](https://praesidia.ai/glossary#data-loss-prevention): Controls that detect and stop sensitive information — credentials, personal data, regulated records — from leaving a trusted boundary. For AI agents, DLP commonly means inspecting prompts and responses to redact or block protected data before it is sent to a model or returned to a user.
- [Data Residency](https://praesidia.ai/glossary#data-residency): The requirement that data be stored and processed within a specific geographic or legal jurisdiction, such as the European Union. Data residency is a common condition of privacy regulations and enterprise contracts, and it shapes where a platform can run and which sub-processors it may use.
- [Dunning](https://praesidia.ai/glossary#dunning): The automated process of recovering failed or overdue payments — for example retrying a declined card and notifying the customer — before suspending access. In a usage-based AI platform, dunning protects revenue while giving customers a chance to fix billing problems without an abrupt cutoff.
- [Entity](https://praesidia.ai/glossary#entity): A first-class participant in an AI system that can be registered, credentialed, and governed — typically an application, an AI agent, or an MCP server. Treating each as an entity lets a control plane apply identity, permissions, and monitoring uniformly, no matter which one is acting as the caller or the callee.
- [EU AI Act](https://praesidia.ai/glossary#eu-ai-act): A European Union regulation that governs artificial intelligence using a risk-based approach, imposing stricter obligations on higher-risk systems. The EU AI Act sets requirements for transparency, human oversight, documentation, and risk management, and applies to providers and deployers whose AI affects people in the EU, shaping global AI compliance practices.
- [Federation](https://praesidia.ai/glossary#federation): An arrangement in which separate organizations or systems establish mutual trust so identities and agents from one domain can interact securely with another. Federation relies on agreed standards and verifiable credentials, enabling cross-boundary collaboration, such as agents working across companies, without merging directories or sharing raw secrets.
- [GDPR](https://praesidia.ai/glossary#gdpr): The General Data Protection Regulation, a European Union law governing how personal data is collected, processed, and protected. GDPR grants individuals rights over their data and requires lawful basis, transparency, and safeguards. For AI, it constrains how personal information may be used in prompts, training, and storage, with significant penalties for violations.
- [Guardrail](https://praesidia.ai/glossary#guardrail): A policy or technical control that constrains what an AI model or agent can input, output, or do. Guardrails block harmful, unsafe, or out-of-scope behavior, such as leaking secrets or executing forbidden actions. They turn high-level safety and compliance requirements into enforceable limits around AI systems.
- [Hallucination](https://praesidia.ai/glossary#hallucination): When a language model produces confident output that is factually wrong, fabricated, or unsupported by its inputs. Hallucinations are a core reliability risk for agents that act on their own output, which is why grounding, verification, and human review matter for high-stakes decisions.
- [Human-in-the-Loop](https://praesidia.ai/glossary#human-in-the-loop): A design where a person reviews, approves, or can override an AI system's decisions before or during execution. Human-in-the-loop oversight is used for high-risk or irreversible actions, balancing automation with accountability and providing a control point required by many AI governance frameworks and regulations.
- [Indirect Prompt Injection](https://praesidia.ai/glossary#indirect-prompt-injection): A prompt injection where malicious instructions are hidden in external content an AI agent retrieves, such as a web page, document, or email, rather than typed by the attacker directly. When the agent reads that content, it may execute the embedded commands, making this attack stealthy and dangerous for tool-using agents.
- [ISO 42001](https://praesidia.ai/glossary#iso-42001): An international standard that specifies requirements for an AI management system, helping organizations govern the development and use of AI responsibly. ISO 42001 provides a certifiable framework covering risk, accountability, and continual improvement, letting organizations demonstrate structured oversight of their AI systems to customers, regulators, and partners.
- [Jailbreak](https://praesidia.ai/glossary#jailbreak): An attempt to manipulate a model into ignoring its safety instructions or policy constraints, often through crafted prompts that reframe, role-play around, or override the system rules. Jailbreaks are a primary way attackers try to make an agent perform forbidden actions or reveal protected information.
- [Least Privilege](https://praesidia.ai/glossary#least-privilege): A security principle that grants each user, service, or AI agent only the minimum permissions needed to perform its task, and nothing more. Limiting privileges shrinks the blast radius of a compromised account or agent and is a cornerstone of zero-trust and modern access design.
- [LLM Configuration](https://praesidia.ai/glossary#llm-configuration): The settings that determine how a large language model is invoked, including the model choice, provider, credentials, temperature, token limits, and routing rules. Centralizing LLM configuration lets an organization standardize behavior, swap providers, and apply governance consistently instead of hardcoding model details inside individual applications.
- [MCP Server](https://praesidia.ai/glossary#mcp-server): A service that exposes tools, data, or resources to AI applications using the Model Context Protocol. An MCP server advertises the actions a model can invoke and handles their execution. Because these servers grant agents real capabilities, they must enforce authentication, scoped permissions, and logging to prevent misuse.
- [Merkle Tree](https://praesidia.ai/glossary#merkle-tree): A data structure that hashes records in pairs up to a single root hash, so any change to a record changes the root. Merkle trees enable efficient verification that a piece of data belongs to a set and that a log has not been altered, underpinning tamper-evident logs and transparency systems.
- [Model Context Protocol](https://praesidia.ai/glossary#model-context-protocol): An open standard that defines how AI applications connect to external data sources and tools through a common interface. Model Context Protocol (MCP) lets models discover and call capabilities exposed by servers in a uniform way, reducing custom integration work and creating a consistent surface to secure, audit, and govern.
- [Model-Agnostic](https://praesidia.ai/glossary#model-agnostic): A design that is not tied to any single model or provider, letting teams switch or combine LLMs without re-architecting. Model-agnostic platforms govern the agent and its behavior rather than the model, so bring-your-own-key and multi-vendor strategies stay possible.
- [Multi-Factor Authentication](https://praesidia.ai/glossary#multi-factor-authentication): An authentication method that requires two or more independent factors to verify identity, typically something you know, have, or are. Multi-factor authentication (MFA) sharply reduces account takeover risk because a stolen password alone is not enough to gain access, making it a baseline control for sensitive systems.
- [Multi-Tenancy](https://praesidia.ai/glossary#multi-tenancy): An architecture in which a single software instance serves multiple customers, or tenants, while keeping each tenant's data and configuration logically separate. Multi-tenancy improves efficiency and scalability but demands strict isolation controls so that one tenant can never access another's data, the central trust requirement for SaaS platforms.
- [NIST AI RMF](https://praesidia.ai/glossary#nist-ai-rmf): The NIST AI Risk Management Framework, voluntary guidance from the U.S. National Institute of Standards and Technology for identifying, assessing, and managing risks of AI systems. It organizes practices around governing, mapping, measuring, and managing risk, helping organizations build trustworthy AI in a structured, repeatable way.
- [Observability](https://praesidia.ai/glossary#observability): The ability to understand a system's internal state from the data it emits, typically logs, metrics, and traces. For AI systems, observability reveals what agents did, how models performed, and where costs or errors arise, enabling debugging, monitoring, and accountability across complex, distributed, autonomous workloads.
- [OpenID Connect](https://praesidia.ai/glossary#openid-connect): An identity layer built on top of the OAuth 2.0 authorization framework that lets applications verify a user's identity and obtain basic profile information. OpenID Connect (OIDC) issues signed identity tokens, making it a modern, JSON-based standard for single sign-on across web, mobile, and API-driven services.
- [OWASP LLM Top 10](https://praesidia.ai/glossary#owasp-llm-top-10): A community-maintained list from the OWASP project cataloguing the most critical security risks specific to large-language-model applications — including prompt injection, sensitive-information disclosure, and excessive agency. It gives security teams a shared vocabulary for assessing and hardening AI systems.
- [Passkey](https://praesidia.ai/glossary#passkey): A passwordless credential based on public-key cryptography that authenticates users with a device-bound private key, often unlocked by biometrics. Built on the WebAuthn standard, passkeys resist phishing and credential theft because no shared secret is transmitted or stored on the server, offering stronger and simpler authentication than passwords.
- [PII Redaction](https://praesidia.ai/glossary#pii-redaction): The automatic detection and removal or masking of personally identifiable information, such as names, emails, or card numbers, from data flowing to or from AI models. PII redaction reduces privacy risk and helps meet regulations like GDPR by preventing sensitive personal data from being exposed, stored, or used to train models.
- [Policy Enforcement](https://praesidia.ai/glossary#policy-enforcement): The runtime application of rules that decide whether an action is allowed, denied, or modified. Policy enforcement evaluates each request against defined controls, for access, content, spending, or safety, and acts on the result. It turns written governance into automated, consistent behavior that cannot be bypassed by individual users or agents.
- [Prompt Injection](https://praesidia.ai/glossary#prompt-injection): An attack that embeds malicious instructions into the input an AI model processes, tricking it into ignoring its original directives or performing unintended actions. Because models follow natural-language instructions, prompt injection can hijack agents, exfiltrate data, or bypass guardrails, making it a top security risk for AI applications.
- [Rate Limiting](https://praesidia.ai/glossary#rate-limiting): A control that caps how many requests a client, user, or agent can make to a service in a given time window. Rate limiting protects systems from overload and abuse, ensures fair resource sharing, and helps contain runaway costs from automated callers such as AI agents.
- [Retrieval-Augmented Generation](https://praesidia.ai/glossary#retrieval-augmented-generation): A technique that grounds a model response in relevant documents fetched at query time, instead of relying only on what the model memorized during training. RAG improves accuracy and freshness and reduces hallucination, but it also widens the input surface that guardrails must inspect.
- [Role-Based Access Control](https://praesidia.ai/glossary#role-based-access-control): An access model that grants permissions based on roles assigned to users or services rather than to individuals directly. Role-based access control (RBAC) simplifies administration by bundling related permissions, making it easier to enforce least privilege and audit who can do what across an organization.
- [Row-Level Security](https://praesidia.ai/glossary#row-level-security): A database capability that restricts which rows a query can read or modify based on the identity or attributes of the requester. Row-level security enforces data access rules close to the data itself, providing a strong, hard-to-bypass mechanism for tenant isolation and fine-grained authorization in multi-tenant systems.
- [SAML](https://praesidia.ai/glossary#saml): Security Assertion Markup Language, an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML is widely used for enterprise single sign-on, letting users authenticate once and access multiple applications without sharing passwords with each one.
- [Sandboxing](https://praesidia.ai/glossary#sandboxing): Running an agent or its tool calls in a restricted environment that limits what it can access, change, or reach on the network. Sandboxing contains the damage a compromised or misbehaving agent can do, keeping its blast radius small.
- [SCIM](https://praesidia.ai/glossary#scim): System for Cross-domain Identity Management, an open standard for automatically provisioning and deprovisioning user accounts across applications. SCIM lets an identity provider create, update, and disable users in connected systems through a common API, keeping access current and removing stale accounts that pose security risks.
- [Scope](https://praesidia.ai/glossary#scope): The defined boundary of permissions or access that a token, credential, or agent is granted. Scope specifies which resources and actions are permitted, limiting what the holder can do even if authenticated. Narrow scopes enforce least privilege and reduce the impact of leaked or misused credentials.
- [Service Discovery](https://praesidia.ai/glossary#service-discovery): The mechanism by which agents and tools find and connect to one another, often through a registry that lists available services and how to reach them. Discoverable services make it possible to compose multi-agent systems, while access controls decide who may actually connect.
- [Shadow AI](https://praesidia.ai/glossary#shadow-ai): The use of AI tools, models, or agents by employees without the knowledge or approval of the organization's security and governance teams. Shadow AI creates blind spots where sensitive data may leak, costs go untracked, and policies go unenforced, making discovery and centralized control a priority for enterprises.
- [Single Sign-On](https://praesidia.ai/glossary#single-sign-on): An authentication method that lets users access multiple applications with one set of credentials and a single login. Single sign-on (SSO) reduces password fatigue and centralizes authentication policy, so organizations can enforce strong controls and quickly revoke access across all connected services from one place.
- [SOC 2](https://praesidia.ai/glossary#soc-2): An auditing standard and report that evaluates how a service organization manages data according to trust principles such as security, availability, confidentiality, and privacy. A SOC 2 report, produced by an independent auditor, gives customers assurance that a provider has effective controls, and is widely expected of SaaS and AI vendors.
- [Spend Cap](https://praesidia.ai/glossary#spend-cap): A hard upper limit on how much can be spent on AI services within a scope or time window. When the cap is reached, further usage is paused or denied. Spend caps protect against billing surprises from runaway agents, abuse, or unexpected demand, and are a key control in AI cost governance.
- [Tamper-Evident Log](https://praesidia.ai/glossary#tamper-evident-log): A log designed so that any alteration, deletion, or insertion of past entries can be detected. Tamper-evident logs commonly use cryptographic hashing to chain records together, so changing one entry breaks the chain. They provide stronger integrity guarantees than ordinary logs for audits, forensics, and regulatory evidence.
- [Tenant Isolation](https://praesidia.ai/glossary#tenant-isolation): The set of controls that prevent one customer in a multi-tenant system from accessing, modifying, or even observing another customer's data and resources. Tenant isolation can be enforced at the data, network, and application layers, and is essential to maintaining trust, privacy, and compliance in shared platforms.
- [Token Bucket](https://praesidia.ai/glossary#token-bucket): A common rate-limiting algorithm in which requests consume tokens from a bucket that refills at a fixed rate; when the bucket is empty, further requests are throttled or rejected. It allows short bursts while bounding sustained throughput — useful for protecting downstream models and tools from overload.
- [Token Cost](https://praesidia.ai/glossary#token-cost): The price incurred for the tokens, units of text, that a language model reads as input and produces as output. Because providers bill per token, token cost drives the economics of AI applications. Tracking it per request, user, or agent is essential for forecasting, optimizing, and controlling AI spend.
- [Trigger](https://praesidia.ai/glossary#trigger): An event or condition that automatically starts a workflow or agent action. Triggers can be scheduled by time, fired by an incoming webhook, or raised by an event such as a new record.
They let automation respond to the world without manual initiation, which makes securing and validating their sources important. - [Webhook](https://praesidia.ai/glossary#webhook): An HTTP callback that delivers an event from one system to another as it happens, so the receiver does not have to poll. Signing webhooks lets the receiver verify each event genuinely originated from the sender and was not forged or replayed. - [Workflow](https://praesidia.ai/glossary#workflow): A defined sequence of steps, decisions, and actions that automates a process from start to finish. In AI platforms, workflows connect agents, tools, triggers, and approvals into repeatable pipelines, making complex automation predictable, auditable, and easier to govern than ad hoc, one-off agent invocations. - [Zero Trust](https://praesidia.ai/glossary#zero-trust): A security model that assumes no user, device, or agent is trusted by default, even inside the network. Zero trust requires every request to be authenticated, authorized, and continuously verified against policy. Applied to AI, it means treating each agent as untrusted until its identity and permissions are proven for that action. ## Optional - [Full text of all docs and articles](https://praesidia.ai/llms-full.txt) - [RSS feed](https://praesidia.ai/feed.xml)