What Is the Gatekeeper Agent?

The Gatekeeper agent controls access to external services across your organisation. It determines which services your team can interact with, enforces usage rules, and prevents unauthorised service usage. It is the access control layer for your organisation’s interactions with external services.

How It Works

Gatekeeper evaluates every trace against your configured service rules. When someone in your organisation interacts with a service, the agent checks whether that service is permitted, restricted, or blocked. It then produces an intent based on your allowlist and blocklist configuration. You define the rules. Gatekeeper enforces them consistently across every workspace and every user.

Key Capabilities

| Capability | Description |
| --- | --- |
| Allowlisting | Specify which services are approved for use. Only traces directed at allowed services proceed without issue. |
| Blocklisting | Explicitly block specific services. Traces directed at blocked services are flagged or stopped. |
| Service Catalogue Integration | Works with your service catalogue to maintain a current view of approved and restricted services. |
| Rule Enforcement | Applies your access rules uniformly, regardless of which team or individual initiates the trace. |

Common Scenarios

Gatekeeper detects that the trace targets a service not on your allowlist. Depending on the role, the trace is logged, the employee is notified, or the interaction is blocked entirely.
You add your approved providers to the allowlist and enable Enforcer mode. Gatekeeper ensures that only approved services receive traces, keeping your organisation aligned with vendor agreements and security reviews.
Gatekeeper flags the unknown service. In Enforcer mode, the trace is held for review so your team can decide whether to approve or block the service going forward.
Even if a service is generally allowed, Gatekeeper can enforce workspace-specific restrictions. A service permitted for marketing might be blocked in your finance workspace.
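
The decision flow in the scenarios above, modelled as an added Python sketch that is not Gatekeeper's own code or configuration format. The intent names, the hostname-style service identifiers, the workspace_blocks field, and the rule that Observer mode only logs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    OBSERVER = "observer"
    ENFORCER = "enforcer"

class Intent(Enum):  # hypothetical intent names, not the product's
    ALLOW = "allow"
    LOG = "log"
    HOLD_FOR_REVIEW = "hold_for_review"
    BLOCK = "block"

@dataclass
class Policy:
    allowlist: set
    blocklist: set
    workspace_blocks: dict = field(default_factory=dict)  # workspace -> services blocked there
    role: Role = Role.OBSERVER

def normalise(service):
    # Compare case-insensitively and drop a trailing dot, so a variant
    # spelling of a listed service cannot fall through as "unknown".
    return service.strip().lower().rstrip(".")

def evaluate(policy, service, workspace):
    """Return (intent, reason) for one trace aimed at `service` from `workspace`."""
    svc = normalise(service)
    # Explicit blocks are checked first so they always override the allowlist.
    if svc in policy.blocklist:
        verdict, reason = Intent.BLOCK, "service is on the blocklist"
    elif svc in policy.workspace_blocks.get(workspace, set()):
        verdict, reason = Intent.BLOCK, f"service is restricted in workspace {workspace!r}"
    elif svc in policy.allowlist:
        return Intent.ALLOW, "service is on the allowlist"
    else:
        # Default deny: anything not listed is unknown and waits for a decision.
        verdict, reason = Intent.HOLD_FOR_REVIEW, "unknown service, not on the allowlist"
    if policy.role is Role.OBSERVER:
        # Assumption: Observer records what Enforcer would have done, without acting.
        return Intent.LOG, f"observer: would {verdict.value} ({reason})"
    return verdict, reason

# Constructed sample policy; all service names are placeholders.
SAMPLE = Policy(allowlist={"llm.example.com"}, blocklist={"paste.example.net"},
                workspace_blocks={"finance": {"llm.example.com"}}, role=Role.ENFORCER)

if __name__ == "__main__":
    for svc, ws in [("LLM.Example.com.", "marketing"), ("llm.example.com", "finance"),
                    ("paste.example.net", "marketing"), ("new-tool.example.org", "marketing")]:
        print(svc, ws, *evaluate(SAMPLE, svc, ws))
```

Running the same traces with role set to Role.OBSERVER shows what Enforcer would block or hold before anything is actually stopped.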

How It Works with Other Agents

Gatekeeper operates independently from the other four agents, but its findings complement theirs. A trace might pass Gatekeeper’s service check but still be flagged by Data Protection for containing sensitive information. Each agent evaluates the trace from its own perspective.

When to Use Enforcer Mode

Promote Gatekeeper to Enforcer when your organisation has completed its service review process and has a clear allowlist of approved services. Enforcer mode is especially useful in regulated industries where unapproved vendor usage can create compliance exposure. If you’re still evaluating which services to permit, start with Observer mode to understand your current usage patterns.

Next Steps

Configuring Agents

Set up allowlists and blocklists for your organisation.

Roles and Intents

How Gatekeeper’s role determines its enforcement behaviour.